Working with the Distribution Mode

The Quantum Maestro OrchestratorClosed A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. uses the Distribution Mode to assign incoming traffic to Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Members in each Security Group.

By default, the Quantum Maestro OrchestratorClosed See "Maestro Orchestrator". automatically configures the Distribution Mode.

Supported Distribution Modes

Mode

Description

User
(Internal)

Packets are assigned to a Security Group Member based on the packet's Destination IP address.

If Layer 4 distribution is enabled, packets are assigned to a Security Group Member based on the packet's Source port and the Destination IP address.

Network
(External)

Packets are assigned to a Security Group Member based on the packet's Source IP address.

If Layer 4 distribution is enabled, packets are assigned to a Security Group Member based on the packet's Source IP address and Destination port.

General

Packets are assigned to a Security Group Member based on both the packet's Source IP address and the Destination IP address.

If Layer 4 distribution is enabled, packets are assigned to a Security Group Member based on the packet's Source IP address, Source port, Destination IP address, and Destination port.

Auto-Topology
(Per-Port)

Each port for a Security Group Member is configured separately in the User Mode or Network Mode.

Notes:

  • The default distribution mode is Auto-Topology with Layer 4 distribution enabled.

  • The User Mode and Network Mode can work together. These combinations are supported:

    • User Mode and User Mode

    • User Mode and Network Mode

    • Network Mode and Network Mode

    In many scenarios, the User Mode and Network Mode combination could be optimized to pass traffic on same Security Group Member from both sides.

Automatic Distribution Configuration (Auto-Topology)

By default, Security Groups work in General Mode. The best Distribution Mode is selected based on the Security Group topology as defined in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

The Distribution Mode is automatically based on these interface types:

  • Physical interfaces, except for management and synchronization interfaces

  • VLAN

  • Bond

  • VLAN over Bond

Manual Distribution Configuration (Manual-General)

In some deployments, you must manually configure a Distribution Mode on the Security Group to the General. In other cases, it may be necessary to force the Security Group to work in General Mode.

When the Distribution Mode is manually configured (Manual-General Mode), the Distribution Mode of the Security Group is General. In this configuration, the topology of the interfaces is irrelevant.

Best Practice - Do not change manually the Distribution Mode of a Virtual System. This can cause performance degradation.

Setting and Showing the Distribution Configuration (set distribution configuration)

Use these Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. commands to set and show the distribution configuration on the Security Group.

Important - If the Security Group runs in a VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, run the commands in the context of VS0 only. The commands apply immediately across all Virtual Systems.

Syntax to show the Distribution Configuration

> show distribution configuration

Syntax to set the Distribution Configuration

> set distribution configuration {auto-topology | manual-general} ip-version {ipv4 | ipv6 | all} ip-mask <mask>

Parameters

Parameter

Notes

auto-topology

Configures the distribution mode to Auto-Topology (Per-Port).

manual-general

Configures the distribution mode to Manual General.

ipv4

Configures the distribution mode for IPv4 traffic only.

ipv6

Configures the distribution mode for IPv6 traffic only.

all

Configures the distribution mode for IPv4 and IPv6 traffic.

ip-mask <mask>

Must be the same as the distribution matrix size.

Must be specified in the Hex format.

Follow these steps:

  1. Examine the distribution matrix size:

    > show distribution verification verbose

    Examine the Matrix Size line.

    Example:

    ...
    Matrix Size 512
    ...

  2. Exit from the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish to the Expert mode.

  3. Convert the matrix size from the decimal to the hexadecimal format:

    # printf '%x\n' <Matrix Size>

    Example:

    [Expert@MyChassis-ch01-01:0]# printf '%x\n' 512
    200
    [Expert@MyChassis-ch01-01:0]#

  4. Go to the Gaia gClish:

    # gclish

  5. Configure the distribution mode with the required mask:

    > set distribution ... ip-mask <Matrix Size in HEX>

    Example:

    > set distribution ... ip-mask 200

Configuring the Interface Distribution Mode (set distribution interface)

Description

Use these commands to:

  • Set the interface Distribution Mode - For an interface when the system is not working in the General Mode

  • Show the interface Distribution Mode - If it is assigned by Auto-Topology, or is manually configured

Notes:

  • You must run these commands in the Gaia gClish of the Security Group.

  • In VSX mode, you must go to the context of the applicable Virtual System before you can change the interface Distribution Mode. Run the set virtual-system <VS_ID> command.

Syntax to set the interface Distribution Mode

> set distribution interface <if_name> configuration {user | network | policy}

Syntax to show the interface Distribution Mode

> show distribution interface <if_name> configuration

Parameters

Parameter

Description

<if_name>

Interface name as assigned by the operating system.

user

Manually assign the User (Internal) Distribution Mode - based on Destination IP address.

network

Manually assign the Network (External) Distribution Mode - based on Source IP address.

policy

Use Auto-Topology to automatically assign the Distribution Mode according to the policy.

Below are some examples:

> set distribution interface eth1-01 configuration network

/bin/distutil set_ifn_dist_mode eth1-01 external

> set distribution interface eth1-01 configuration policy

/bin/distutil set_ifn_dist_mode eth1-01 policy

> set distribution interface eth1-01 configuration user

/bin/distutil set_ifn_dist_mode eth1-01 internal

Showing Distribution Status (show distribution status)

Description

Use this command to show the status report of the Distribution Mode.

Syntax

> show distribution status [verbose]

Below are some examples:

[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01> show distribution status
Verification passed successfully
[Global] MyChassis-ch01-01> 
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01> show distribution verification verbose
Test:               Configuration:      Verification:       Result:
Mode                per-port            per-port            Passed
L4 Mode             on                  on                  Passed
Matrix Size         512                 512                 Passed
eth2-08             policy-external     policy-external     Passed
eth1-08             policy-internal     policy-internal     Passed
eth2-07             policy-internal     policy-internal     Passed
eth2-06             policy-internal     policy-internal     Passed
eth1-05             manual-internal     manual-internal     Passed
eth1-06             policy-internal     policy-internal     Passed
eth1-07             policy-internal     policy-internal     Passed
 
Verification passed successfully
[Global] MyChassis-ch01-01>

Explanation about the output:

Field

Description

L4 Mode

Shows if Layer 4 distribution is enabled.

Mode

Shows the distribution mode.

Matrix Size

Shows the size of the Distribution Mode matrix.

Ports

Shows the Distribution Mode assignment for each interface.

Running a Verification Test (show distribution verification)

Description

Use the show distribution verification command to run a verification test of the Distribution Mode configuration.

This test compares the Security Group Member and SSMClosed Role of the Quantum Maestro Orchestrator (SSM) that manages the flow of network traffic to and from the Security Groups. configurations with the actual results.

You can see a summary or a verbose report of the test results.

Syntax

> show distribution verification [verbose]

Below are some examples:

> show distribution verification verbose
Test:               Configuration:      Verification:       Result:
Mode                per-port            per-port            Passed
L4 Mode             off                 off                 Passed
Matrix Size         512                 512                 Passed
eth2-16             policy-internal     policy-internal     Passed
eth1-16             policy-internal     policy-internal     Passed
eth1-15             policy-external     policy-external     Passed
>
 
> show distribution verification verbose
Test:               Configuration:      Verification:       Result:
Mode                per-port            per-port            Passed
L4 Mode             on                  off                 Failed
Matrix Size         512                 0                   Failed
eth1-05             policy-internal     policy-internal     Passed
eth1-06             policy-internal     policy-internal     Passed
eth2-05             policy-external     policy-external     Passed
eth2-06             manual-internal     policy-external     Failed
 
Verification failed with above errors
>

Configuring the Layer 4 Distribution Mode and Masks (set distribution l4-mode)

Description

Use these commands in Gaia gClish to:

  • Enable Layer 4 distribution and set new masks for the IP address and the port

  • Disable Layer 4 distribution

  • Show Layer 4 Distribution Mode and masks

Note - When working with a Virtual System, you must go to the context of the applicable Virtual System context before you can change the Distribution Mode. Run the set virtual-system <VS_ID> command.

Syntax

> set distribution l4-mode enabled

> set distribution l4-mode disabled

> show distribution l4-mode

Below are some examples:

[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01> set distribution l4-mode enabled
1_01:
success
 
1_02:
success
[Global] MyChassis-ch01-01>
 
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01> set distribution l4-mode disabled
1_01:
success
 
1_02:
success
[Global] MyChassis-ch01-01>
 
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01> show distribution l4-mode
1_01:
L4 Distribution: Enabled
 
1_02:
L4 Distribution: Enabled
[Global] MyChassis-ch01-01>