EA Feature: SD-WAN with a Maestro Security Group

This section describes an SD-WAN feature in the Early Availability stage.

Important:

  • Contact the SD-WAN team to get information about the new R82 SD-WAN Early Availability features before starting your journey.

  • To get this feature, you must install the R82 Early Availability packages on the SD-WAN Security Gateway.

    See the "Downloads" section in sk180605.

For information about Maestro, see the:

Follow Step 3 - Configuration on Security Gateways with these changes:

  • Part 2 - Configuration of SD-WAN interfaces on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    You must configure the required interface settings in one of these ways:

    • In Gaia Portal on the Security Group.

    • In Gaia gClish on the Security Group.

  • Part 3 - Installation of the Nano-Agent on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    You must install the Nano-Agent on all Security Group Members:

    1. Get the Authentication Token you copied earlier from your Quantum Profile in Infinity Portal.

    2. Connect to the command line on the Security Group.

    3. Log in.

    4. If your default shell is Gaia gClish, go to the Expert mode:

      expert

    5. Install the Nano-Agent on all Security Group Members:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile> --run-all-members

    6. Examine the status of the required Nano-Services:

      g_allc cpnano -s

      The section "Service settings" in the output must show "Status: Running" for these services:

      • Check Point Orchestration Nano Service

      • Check Point Messaging Proxy Nano Service

      • Check Point SDWan Nano Service

      • Check Point Cpview Metric Provider Nano Service

      • Check Point SD-WAN Logger Nano Service

    7. In Infinity Portal > Quantum SD-WAN, navigate to the Network view > Agents page.

      This page must show each Security Group Member.

      Example:

      | Host        | Name    | IP Address   | Quantum version | Hardware | SD-WAN applicable | SD-WAN active | Policy version    | Profiles                        |
      |-------------|---------|--------------|-----------------|----------|-------------------|---------------|-------------------|---------------------------------|
      | MySG-s01-01 | Maestro | 192.168.6.76 | R82             | Maestro  |                   |               | Multiple versions | Quantum Profile, SD-WAN Profile |
      | MySG-s01-02 | Maestro | 192.168.6.76 | R82             | Maestro  |                   |               | Multiple versions | Quantum Profile, SD-WAN Profile |
      | MySG-s01-03 | Maestro | 192.168.6.76 | R82             | Maestro  |                   |               | Multiple versions | Quantum Profile, SD-WAN Profile |
      | MySG-s02-01 | Maestro | 192.168.6.76 | R82             | Maestro  |                   |               | Multiple versions | Quantum Profile, SD-WAN Profile |
      | MySG-s02-02 | Maestro | 192.168.6.76 | R82             | Maestro  |                   |               | Multiple versions | Quantum Profile, SD-WAN Profile |
      | MySG-s02-03 | Maestro | 192.168.6.76 | R82             | Maestro  |                   |               | Multiple versions | Quantum Profile, SD-WAN Profile |

      (The values of the "SD-WAN applicable" and "SD-WAN active" columns are not reproduced in this text version of the table.)
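The status check in step 6 (and the same check with plain "cpnano -s" when you add a member later) is easy to get wrong by eye across six members. The following POSIX sh script is an added example, not part of this documentation and not a Check Point tool: it reads "cpnano -s" output and reports every required Nano-Service whose status is not "Running". The SAMPLE_OUTPUT it ships with is constructed to illustrate the layout the parser assumes (a service name line followed by an indented "Status:" line); the real cpnano output may be laid out differently, so adapt the awk pattern before relying on it.

```shell
# Added example (not part of the Check Point documentation): verify that every
# required Nano-Service reports "Status: Running" in "cpnano -s" output.
# Intended use on a Security Group Member:   cpnano -s | check_nano_services

# The five services the procedure requires to be Running.
REQUIRED_SERVICES='Check Point Orchestration Nano Service
Check Point Messaging Proxy Nano Service
Check Point SDWan Nano Service
Check Point Cpview Metric Provider Nano Service
Check Point SD-WAN Logger Nano Service'

# CONSTRUCTED sample output (assumed layout, not real cpnano output) in which
# one required service is not running.
SAMPLE_OUTPUT='Service settings:
  Check Point Orchestration Nano Service
    Status: Running
  Check Point Messaging Proxy Nano Service
    Status: Running
  Check Point SDWan Nano Service
    Status: Stopped
  Check Point Cpview Metric Provider Nano Service
    Status: Running
  Check Point SD-WAN Logger Nano Service
    Status: Running'

# check_nano_services reads cpnano-style output on stdin and prints one line,
# "<service> (<status>)", for each required service that is not Running.
# Returns 0 when all required services are Running, 1 otherwise.
check_nano_services() {
    input=$(cat)
    failed=''
    old_ifs=$IFS
    IFS='
'
    for svc in $REQUIRED_SERVICES; do
        # Take the first "Status:" line that follows this service's name line.
        status=$(printf '%s\n' "$input" | awk -v name="$svc" '
            index($0, name) { found = 1; next }
            found && /Status:/ { sub(/.*Status:[ \t]*/, ""); print; exit }
        ')
        if [ -z "$status" ]; then
            status='not found'
        fi
        if [ "$status" != 'Running' ]; then
            failed="${failed}${svc} (${status})
"
        fi
    done
    IFS=$old_ifs
    printf '%s' "$failed"
    [ -z "$failed" ]
}

# Stand-alone demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_OUTPUT" | check_nano_services; then
    echo 'All required Nano-Services are Running'
else
    echo 'At least one required Nano-Service is not Running (listed above)'
fi
```

On a Security Group you would run it per member (for example through the "member" command, or by wrapping the call in g_allc) so that a missing or stopped service on a single member is not hidden in a long combined listing; a service that does not appear at all is reported as "not found" rather than silently passing.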

Notes:

  • Do not install the Nano-Agent on Maestro Orchestrators.

  • If you add a new Security Group Member later, then you must manually install the Nano-Agent on that new Security Group Member:

    1. Get the ID of the new Security Group Member in this Security Group.

    2. Connect to the command line on the new Security Group Member using the "member" command on the Orchestrator or on the Security Group.

    3. Log in to the Expert mode.

    4. Install the Nano-Agent on the new Security Group Member:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile>

    5. Examine the status of the required Nano-Services:

      cpnano -s

  • Infinity Portal > Quantum SD-WAN shows:

    • The Network view > Agents page shows only the object of each Security Group Member.

    • All other sections and fields show only the Security Group object.

  • The Security Group selects the Security Group Member that runs the SD-WAN probing to run the Maestro task called "SDWAN". This Security Group Member is considered the "SDWAN Task Owner (STO)".

    Run this command on the Security Group to see which Security Group Member runs which Maestro task:

    asg stat -i tasks

  • In a normal state, all Security Group Members must run the same SD-WAN Policy (with the same "Policy ID" values).

    If the Policy ID on a Security Group Member (Local Policy) differs from the Policy ID on the STO Security Group Member (Global Policy), then the non-STO Security Group Member begins to perform its own SD-WAN probing.

    The non-STO Security Group Member stops performing its own SD-WAN probing only when its Policy ID (Local Policy) is the same as the Policy ID on the STO Security Group Member.

    Run one of these commands to see the SD-WAN policy:

    • To see the outputs that differ between Security Group Members (the policy installation time may differ by several seconds):

      g_allc cpsdwan stat

    • To see the complete outputs from each Security Group Member:

      g_all cpsdwan stat

  • To see the probing status in CPView:

    1. Run on the Security Group:

      cpview

    2. From the top, click Advanced > SDWAN > Probing.

      The row Gateway Probing State shows one of these:

      • SD-WAN Task owner

        This Security Group Member is the STO and is responsible for the global probing for the entire Security Group.

      • Active probing member

        This Security Group Member is not the STO, but it is currently performing the probing.

        This is usually because its SD-WAN Policy ID differs from that of the STO.

      • Active non probing member

        This Security Group Member is not the STO, but an active Security Group Member that is not performing the probing.

        This is a normal state, when all Security Group Members have the same SD-WAN Policy ID.

      • Standby on active site

        This Security Group Member is currently in the Standby mode and does not handle traffic in general.

      • Standby site member

        This Security Group Member is currently a member of a Standby Site.
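The Policy ID rule above (a non-STO member whose Local Policy ID differs from the STO's Global Policy ID starts its own probing, and CPView then shows it as "Active probing member") is the condition worth checking automatically after every policy installation. The following POSIX sh/awk script is an added example, not part of this documentation and not a Check Point tool: it takes the STO member name (as found with "asg stat -i tasks") and the combined per-member output, and lists every member whose Policy ID differs from the STO's. The "Member:" / "Policy ID:" input layout and the SAMPLE_STAT data are constructed for the example; the real "g_all cpsdwan stat" output is laid out differently, so adapt the two awk patterns to it.

```shell
# Added example (not part of the Check Point documentation): compare the
# SD-WAN Policy ID of each Security Group Member with the Policy ID on the
# SDWAN Task Owner (STO) and list the members that differ.
# Intended use on the Security Group, STO name taken from "asg stat -i tasks":
#   g_all cpsdwan stat | policy_id_mismatches <STO member name>

# CONSTRUCTED sample (assumed layout, not real cpsdwan output): one member
# still runs the previous policy.
SAMPLE_STAT='Member: MySG-s01-01
Policy ID: 1712000000
Member: MySG-s01-02
Policy ID: 1712000000
Member: MySG-s01-03
Policy ID: 1712000000
Member: MySG-s02-01
Policy ID: 1711990000'

# policy_id_mismatches STO_MEMBER
# Reads the combined output on stdin. Prints "<member> <local id> (STO <global id>)"
# for each member whose Policy ID differs from the STO's. Exit status:
#   0  every member runs the STO's policy (normal state)
#   1  at least one member differs (that member is probing on its own)
#   2  the STO member name was not found in the input
policy_id_mismatches() {
    awk -v sto="$1" '
        /^Member:/    { member = $2; next }
        /^Policy ID:/ { id[member] = $3; order[++n] = member; next }
        END {
            if (!(sto in id)) { print "STO " sto " not found in input"; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++) {
                m = order[i]
                if (id[m] != id[sto]) {
                    print m " " id[m] " (STO " id[sto] ")"
                    bad = 1
                }
            }
            exit bad
        }'
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_STAT" | policy_id_mismatches MySG-s01-01 \
    || echo "Policy ID mismatch detected (exit status $?)"
```

Because policy installation on the members may complete several seconds apart, a mismatch reported immediately after an installation can be transient; a member that still differs after the installation has finished on all members is the one to investigate, and CPView's Advanced > SDWAN > Probing page on that member should show "Active probing member".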