Configuring a Maestro Security Group for SD-WAN

Supported Security Gateways

  • R82.10 and higher

Prerequisites

For information about Maestro, see the:

Configuration

Follow Step 3 - Configuration on Security Gateways with these changes:

  • Part 2 - Configuration of SD-WAN interfaces on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    You must configure the required interface settings in one of these ways:

    • In Gaia Portal on the Security Group.

    • In Gaia gClish on the Security Group.

  • Part 3 - Installation of the Nano-Agent on the Security Gateway >

    Procedure for manual onboarding of a Security Gateway

    You must install the Nano-Agent on all Security Group Members:

    1. Get the Authentication Token you copied earlier from your Quantum Profile in Infinity Portal.

    2. Connect to the command line on the Security Group.

    3. Log in.

    4. If your default shell is Gaia gClish, go to the Expert mode:

      expert

    5. Install the Nano-Agent on all Security Group Members:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile> --run-all-members

    6. Examine the status of the required Nano-Services:

      g_allc cpnano -s

      The section "Service settings" in the output must show "Status: Running" for these services:

      • Check Point Orchestration Nano Service

      • Check Point Messaging Proxy Nano Service

      • Check Point SDWan Nano Service

      • Check Point Cpview Metric Provider Nano Service

      • Check Point SD-WAN Logger Nano Service

    7. In Infinity Portal > Quantum SD-WAN, navigate to the Network view > Agents page.

      This page must show each Security Group Member.

      Example:

      Host

      Name

      IP Address

      Quantum version

      Hardware

      SD-WAN applicable

      SD-WAN active

      Policy version

      Profiles

      MySG-s01-01

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s01-02

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s01-03

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s02-01

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s02-02

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s02-03

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

Notes:

  • Do not install the Nano-Agent on Maestro Orchestrators.

  • If you add a new Security Group Member later, then you must manually install the Nano-Agent on that new Security Group Member:

    1. Get the ID of the new Security Group Member in this Security Group.

    2. Connect to the command line on the new Security Group Member using the "member" command on the Orchestrator or on the Security Group.

    3. Log in to the Expert mode.

    4. Install the Nano-Agent on the new Security Group Member:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile>

    5. Examine the status of the required Nano-Services:

      cpnano -s

  • Infinity Portal > Quantum SD-WAN shows:

    • The Network view > Agents page shows only the object of each Security Group Member.

    • All other sections and fields show only the Security Group object.

  • The Security Group selects the Security Group Member that runs the SD-WAN probing to run the Maestro task called "SDWAN". This Security Group Member is considered the "SDWAN Task Owner (STO)".

    Run this command on the Security Group to see which Security Group Member runs which Maestro task:

    asg stat -i tasks

  • In a normal state, all Security Group Members must run the same SD-WAN Policy (with the same "Policy ID" values).

    If the Policy ID on a Security Group Member (Local Policy) differs from the Policy ID on the STO Security Group Member (Global Policy), then the non-STO Security Group Member begins to perform its own SD-WAN probing.

    The non-STO Security Group Member stops performing its own SD-WAN probing only when its Policy ID (Local Policy) is the same as the Policy ID on the STO Security Group Member.

    Run this command to see the SD-WAN policy:

    • To see the outputs that differ between Security Group Members (the policy installation time may differ by several seconds):

      g_allc cpsdwan stat

    • To see the complete outputs from each Security Group Member:

      g_all cpsdwan stat

  • To see the probing status in CPView:

    1. Run on the Security Group:

      cpview

    2. From the top, click Advanced > SDWAN > Probing.

      The row Gateway Probing State shows one of these:

      • SD-WAN Task owner

        This Security Group Member is the STO - responsible for the Global probing for the entire Security Group.

      • Active probing member

        This Security Group Member is not the STO, but it is currently performing the probing.

        Probably because its SD-WAN Policy ID is different than that of the STO.

      • Active non probing member

        This Security Group Member is not the STO, but an active Security Group Member that is not performing the probing.

        This is a normal state, when all Security Group Members have the same SD-WAN Policy ID.

      • Standby on active site

        This Security Group Member is currently in the Standby mode and does not handle traffic in general.

      • Standby site member

        This Security Group Member is currently a member of a Standby Site.