Configuring Security Groups in Gaia Clish

This section provides the configuration instructions for Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

To start working in Gaia Clish on the Quantum Maestro Orchestrator:

Step

Instructions

1

Connect to the Command Line on the Quantum Maestro OrchestratorClosed A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. (over SSH, or through the Console Port).

2

Log in to the Gaia PortalClosed Web interface for the Check Point Gaia operating system. with these default credentials:

  • Username - admin

  • Password - admin

Best Practice - Change the default password as soon as possible. See the R81.10 Gaia Administration Guide > Chapter User Management > Section Change My Password.

These are the main commands in Gaia Clish on Quantum Maestro Orchestrators:

Task

Syntax

Viewing

the settings

show maestro

To see all available sub-commands:

  1. Enter:

    show maestro

  2. Press the Esc key two times.

Configuring

the settings

add maestro

To see all available sub-commands:

  1. Enter:

    add maestro

  2. Press the Esc key two times.

 

set maestro

To see all available sub-commands:

  1. Enter:

    set maestro

  2. Press the Esc key two times

Deleting

the settings

delete maestro

To see all available sub-commands:

  1. Enter:

    delete maestro

  2. Press the Esc key two times

Notes:

Applicable configuration procedures are provided below.

See Workflow for Configuring Security Groups.

Description

This command configures the number of Maestro sites - Single Site (value 1), or Dual Site (value 2).

Syntax

set maestro configuration orchestrator-site-amount {1 | 2}

Description

This command shows the configured number of Maestro sites.

Syntax

show maestro configuration orchestrator-site-amount

Example

MHO> show maestro configuration orchestrator-site-amount

Number of configured Orchestrators Sites in this Maestro deployment is 2.

MHO>

Description

This command configures the number of Orchestrators on a Maestro Site.

Syntax

set maestro configuration orchestrator-amount {1 | 2}

Description

This command shows the configured number of Orchestrators on a Maestro Site.

Syntax

show maestro configuration orchestrator-amount

Example

MHO> show maestro configuration orchestrator-amount

Number of configured Orchestrators in this Maestro deployment is 2.

MHO>

Description

This command configures the Site ID in Dual Site deployment.

The Quantum Maestro Orchestrators on a site that were installed earlier, must get the ID 1.

The Quantum Maestro Orchestrators on a site that were installed later, must get the ID 2.

Syntax

set maestro configuration orchestrator-site-id {1 | 2}

Description

This command shows the configured Site ID in Dual Site deployment.

Syntax

show maestro configuration orchestrator-site-id

Description

This command configures the Base Site Sync VLAN ID. Quantum Maestro Orchestrators of the same site use this value to calculate internal VLAN ID used for internal synchronization between Quantum Maestro Orchestrators.

Important:

  • The value of the Base Site Sync VLAN ID must be the same on all Quantum Maestro Orchestrators of the same site.

    The default value is 3600.

  • Configure a different Base Site Sync VLAN ID, if the default Site Sync VLAN IDs (3600 and 3601) conflict with the existing VLAN IDs in your environment.

Quantum Maestro Orchestrators use this Base Site Sync VLAN ID internally to calculate their Site Sync VLAN IDs based on these formulas:

  • For the first Quantum Maestro Orchestrator on the same Site (Orchestrator ID 1_1 and Orchestrator ID 2_1):

    <Site Sync VLAN ID> = <Base Site Sync VLAN ID> + 0

  • For the second Quantum Maestro Orchestrator on the same Site (Orchestrator ID 1_2 and Orchestrator ID 2_2):

    <Site Sync VLAN ID> = <Base Site Sync VLAN ID> + 1

Example for the internal Site Sync VLAN ID calculation based on the default value of 3600:

Site ID

Site Sync VLAN ID on

Orchestrator ID 1_1

and

Orchestrator ID 2_1

Site Sync VLAN ID on

Orchestrator ID 1_2

and

Orchestrator ID 2_2

Site #1

3600

3601

Site #2

3600

3601

Syntax

set maestro configuration orchestrator-site-vlan <Number>

Description

This command shows the configured Base Site Sync VLAN ID in Dual Site deployment.

Syntax

show maestro configuration orchestrator-site-vlan

Description

This command adds a Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. with the specified ID on the Quantum Maestro Orchestrator.

Important - You must assign Security Appliances and applicable interfaces. See the corresponding configuration procedures.

Syntax

add maestro security-group id <Security Group ID>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs and the available ID, press the Tab key.

Important - The largest shown ID is the next available ID.

Example - Security Groups with IDS 1 and 2 already exist, ID 3 is the next available ID

MHO> add maestro security-group id

1 2 3

MHO> add maestro security-group id 3

Successfully added security group 3

MHO>

Description

This command deletes a Security Group with the specified ID on the Quantum Maestro Orchestrator.

Important - There is no prompt to confirm.

Syntax

delete maestro security-group id <Security Group ID>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

Example

MHO> delete maestro security-group id

1 2 3

MHO> delete maestro security-group id 3

Successfully deleted security group 3

MHO>

Description

This command adds the Network Configuration in a Security Group with the specified ID.

Syntax

set maestro security-group id <Security Group ID> management-connectivity ipv4-address <Security Group IPv4 Address> mask-length <1-32> [default-gw <Default Gateway IPv4 Address>]

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

<Security Group IPv4 Address>

Specifies the IPv4 address for the Security Group.

<Default Gateway IPv4 Address>

Specifies the IPv4 address of the Default Gateway for the Security Group.

Example

MHO> set maestro security-group id 3 management-connectivity ipv4-address 192.168.30.40 mask-length 24 default-gw 192.168.30.1

Successfully set management connectivity configuration for security group 3

MHO>

Description

This command removes the Network Configuration from a Security Group with the specified ID.

Important - There is no prompt to confirm.

Syntax

delete maestro security-group id <Security Group ID> management-connectivity

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

Example

MHO> delete maestro security-group id[TAB]

1 2 3

MHO> delete maestro security-group id 3 management-connectivity

Successfully deleted management connectivity configuration for security group 3

MHO>

Description

This command configures the First Time Wizard settings in a Security Group with the specified ID.

These settings are used to perform initial configuration of Security Appliances assigned to this Security Group.

Warning - If you configure these settings in an existing Security Group (in which you already ran the First Time Configuration Wizard), then the change applies only after you reset each Security Appliance in that Security Group to factory defaults.

Syntax

set maestro security-group id <Security Group ID> ftw-configuration hostname <Hostname> sic <SIC Password> admin-password <Admin Password> is-vsx {yes | no}

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

ftw-configuration

Specifies the First Time Wizard settings for Security Appliances in the Security Group.

hostname <Hostname>

Specifies the hostname for Security Appliances.

sic <SIC Password>

Specifies the one-time activation key for Security Appliances.

You use this activation key in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. when you create the corresponding Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

The key is between 4 and 127 characters long.

admin-password <Admin Password>

Specifies the Expert mode password for the Security Group.

is-vsx {yes | no}

Specifies whether to configure the Security Appliances in VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode.

Example

MHO> set maestro security-group id 3 ftw-configuration hostname MyGwAppliance sic 123456 admin-password P@sswo4d is-vsx no

Successfully set FTW configuration to security group 3

MHO>

Description

This command removes the First Time Wizard settings from a Security Group with the specified ID.

Important - There is no prompt to confirm.

Syntax

delete maestro security-group id <Security Group ID> ftw-configuration

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

Example

MHO> delete maestro security-group id[TAB]

1 2 3

MHO> delete maestro security-group id 3 ftw-configuration

Successfully deleted FTW configuration for security group 3

MHO>

Best Practice:

  1. Before you add Security Appliances to an existing Security Group, enable the SMO Image Cloning feature in the Security Group.

    This feature automatically clones all the required software packages to the new Security Appliances.

    Run in Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. on the Security Group:

    set smo image auto-clone state on

    show smo image auto-clone state

  2. After you added the Security Appliances, you must disable the SMO Image Cloning feature in the Security Group:

    set smo image auto-clone state off

    show smo image auto-clone state

Description

This command assigns a Security Appliance with the specified Serial Number to a Security Group with the specified ID.

Important:

  • You can assign only supported Security Appliances to the same Security Group - see sk162373.

  • You must disable SMO Image Cloning in the Security Group before you assign to this Security Group an appliance of a different model than the other assigned appliances (Known Limitation PMTR-71298).

  • Security Appliances assigned to the Security Group automatically reboot after you apply the configuration.

Best Practice for Dual Site - Assign the same number (as possible) of Security Appliances from each site to the Security Group. If a failover occurs between the sites, Security Appliances on the new Active site must be able to process all the traffic.

Syntax

add maestro security-group id <Security Group ID> serial <Serial Number>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

serial <Serial Number>

Assigns one Security Appliance specified by its Serial Number.

To see the available Serial Numbers, press the Tab key.

Important - You can assign only appliances of the same model to the same Security Group.

Example

MHO> add maestro security-group id 3 serial [TAB]

1234567890

MHO> add maestro security-group id 3 serial 1234567890

Successfully added gw 1234567890 to security group 7

MHO>

Description

This command removes a Security Appliance with the specified Member ID or Serial Number from a Security Group with the specified ID.

Important:

  • The Security Appliance must perform a reset to factory defaults and reboot after you remove it from a Security Group. This is to make sure that no security configuration is left behind.

  • There is no prompt to confirm.

Syntax to remove a Security Appliance with the specified Member ID

delete maestro security-group id <Security Group ID> member <Member ID>

Syntax to remove a Security Appliance with the specified Serial Number

delete maestro security-group id <Security Group ID> serial <Serial Number>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

member <Member ID>

Specifies the Security Appliance by its Member ID in the Security Group.

To see the available IDs, press the Tab key.

serial <Serial Number>

Specifies the Security Appliance by its Serial Number.

To see the available Serial Numbers, press the Tab key.

Example of removing a Security Appliance with the specified Member ID

MHO> delete maestro security-group id 3 member [TAB]

1 2 3 4

MHO> delete maestro security-group id 3 member 4

Successfully deleted member 4 from security group 3

MHO>

Example of removing a Security Appliance with the specified Serial Number

MHO> delete maestro security-group id 3 serial [TAB]

1234567890

MHO> delete maestro security-group id 3 serial 1234567890

Successfully deleted gw with 1322B01094 from security group 3

MHO>

Description

This command assigns an interface with the specified name to a Security Group with the specified ID.

Syntax

add maestro security-group id <Security Group ID> interface <Interface Name>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

interface <Interface Name>

Assigns one interface specified by its name.

To see the available interfaces, press the Tab key.

Example

MHO> add maestro security-group id 3 interface [TAB]

 

eth1-Mgmt2 eth1-Mgmt3 eth1-Mgmt4 eth1-Mgmt6 eth1-Mgmt7 eth1-Mgmt8

eth1-Mgmt9 eth1-10 eth1-11 eth1-12 eth1-13 eth1-14

eth1-15 eth1-16 eth1-17 eth1-18 eth1-19 eth1-20

eth1-21 eth1-22 eth1-23 eth1-24 eth1-25 eth1-26

eth1-48 eth1-49 eth1-51 eth1-53 eth1-55 eth1-57

eth1-59 eth1-61 eth1-63 eth2-Mgmt1 eth2-Mgmt2 eth2-Mgmt3

eth2-Mgmt4 eth2-06 eth2-07 eth2-08 eth2-09 eth2-10

eth2-11 eth2-12 eth2-13 eth2-14 eth2-15 eth2-16

eth2-17 eth2-18 eth2-19 eth2-20 eth2-21 eth2-22

eth2-23 eth2-24 eth2-25 eth2-26 eth2-48 eth2-49

eth2-51 eth2-53 eth2-55 eth2-57 eth2-59 eth2-61

eth2-63

MHO> add maestro security-group id 3 interface eth1-17

Successfully added interface eth1-17 to security group 3

MHO>

Description

This command removes an interface with the specified name from a Security Group with the specified ID.

Syntax

delete maestro security-group id <Security Group ID> interface <Interface Name>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

interface <Interface Name>

Removes one interface specified by its name.

To see the available interfaces, press the Tab key.

Example

MHO> delete maestro security-group id 3 interface [TAB]

 

eth1-Mgmt3 eth1-13 eth1-14 eth1-15 eth1-16 eth1-17

MHO> add maestro security-group id 3 interface eth1-17

Successfully deleted interface eth1-17 from security group 3

MHO>

See Configuring VLAN Interfaces on Uplink Ports.

Description

This command shows the Security Group configuration, including VLAN interfaces configured on the Uplink PortsClosed Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object..

Syntax

show maestro security-group id <Security Group ID>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the ID of the Security Group.

To see the existing IDs, press the Tab key.

Description

This command shows and verifies the validity of all the configuration changes you made, but did not apply yet to Security Groups or ports.

Best Practice - Run this command after all changes in the configuration of Security Groups or ports.

Syntax

show maestro security-group verify-new-config

Example 1 - No changes were made

MHO> show maestro security-group verify-new-config

The following changes will take place:

Temporary topology file not exists

MHO>

Example 2 - Some changes were made

MHO> add maestro security-group id 3

Successfully added security group 3

MHO>

MHO> show maestro security-group verify-new-config

The following changes will take place:

Security Group 1

   - No changes

Security Group 2

   - Removed Gateway 1_2 serial 1234567890. GW is rebooting.

Security Group 3

   - Security group created

   - Added Gateway 1_1 serial 1234567890

   - Added interface eth1-Mgmt4

MHO>

Description

This command applies all the configuration changes you made, but did not apply yet to Security Groups or ports.

Important - You must run this command after you make changes in the configuration of Security Groups or ports.

Syntax

set maestro security-group apply-new-config

Example

MHO> set maestro security-group apply-new-config

You are about to perform "set maestro security-group apply-new-config"

The following changes will take place:

Security Group 1

   - No changes

 

Are you sure? (Y - yes, any other key - no) y

 

"set maestro security-group apply-new-config" requires auditing

Enter your full name: johndoe

Enter reason for "set maestro security-group apply-new-config" [Configuration]: test

CRITICAL: "set maestro security-group apply-new-config", User: johndoe, Reason: test

Are you sure? (Y - yes, any other key - no) y

 

Action Summary

--------------

 

Security Group 1

   - No changes

MHO>

Description

This command deletes all the configuration changes you made, but did not apply yet to Security Groups or ports.

Important - There is no prompt to confirm.

Syntax

delete maestro security-group new-config

Example

MHO> delete maestro security-group new-config

Successfully deleted new topology configuration

MHO>

Description

These commands let you configure different settings on the Quantum Maestro Orchestrator's ports.

Syntax

set maestro port <Port ID>

      admin-state {up | down}

      mtu 68-10236

      qsfp-mode {1G | 10G | 4x10G | 4x25G | 25G | 40G | 100G}

      type {downlink | uplink | management | site_sync | ssm_sync} [no-confirmation]

Parameters

Parameter

Description

<Port ID>

Specifies the port to configure.

The format is three numbers separated with a slash:

<Quantum Maestro Orchestrator ID>/<Port Label>/<Port Split ID>

Examples:

  • 1/3/1

  • 2/20/1

Notes:

admin-state

Configures the port administrative state:

  • up - Enabled

  • down - Disabled

Important - This change does not survive reboot of the Orchestrator (Known Limitation MBS-11339).

mtu

Configures the port MTU.

Valid range: 68 - 10236 bytes.

Default: 10236 bytes.

qsfp-mode

Configures the QSFP mode:

  • 1G - Port works with the 1 GbE speed (only 10 GbE ports support this mode).

  • 10G - Port works with the 10 GbE speed.

  • 4x10G - Split of a 40 GbE port into four ports that work with the 10 GbE speed each.

  • 4x25G - Split of a 100 GbE port into four ports that work with the 25 GbE speed each.

    Note - Available in the R81.10 Jumbo Hotfix Accumulator Take 110 and above (MBS-14158).

  • 25G - Port works with the 25 GbE speed.

    Note - Available in the R81.10 Jumbo Hotfix Accumulator Take 110 and above (MBS-14158).

  • 40G - Port works with the 40 GbE speed.

  • 100G - Port works with the 100 GbE speed.

Important

  • On MHO-175 ports, you can configure only these modes:

    • 4x10G, 4x25G, 25G, 40G, or 100G

  • On MHO-170 ports, you can configure only these modes:

    • Ports with odd <Port Label> numbers (x/1/y, x/3/y, x/5/y, and so on):

      4x10G, 4x25G, 25G, 40G, or 100G

    • Ports with even <Port Label> numbers (x/2/y, x/4/y, x/6/y, and so on):

      25G, 40G, or 100G

  • On MHO-140 ports, you can configure only these port modes:

    • Ports with the <Port Label> from x/1/y to x/48/y:

      1G, 10G, or 25G

    • Ports with the <Port Label> x/49/y, x/51/y, x/53/y, and x/55/y:

      4x10G, 4x25G, 25G, 40G, or 100G

    • Ports with the <Port Label> x/50/y, x/52/y, x/54/y, and x/56/y:

      25G, 40G, or 100G

type

Configures the port type:

The parameter "no-confirmation" is optional. If specified, the command does not ask you for confirmation and audit information.

Important:

  • On MHO-175, you can configure only these port types:

    • Port 1:

      • management

      • downlink

    • Ports 2 and higher:

      • uplink

      • downlink

      • site_sync

      • ssm_sync

  • On MHO-170, you can configure only these port types:

    • Port 1 and Port 2:

      • management

      • downlink

    • Ports 3 and higher:

      • uplink

      • downlink

      • site_sync

      • ssm_sync

  • On MHO-140, you can configure only these port types:

    • Port 1, Port 2, Port 3, and Port 4:

      • management

      • downlink

    • Ports 5 and higher:

      • uplink

      • downlink

      • site_sync

      • ssm_sync

  • You cannot change the "ssm_sync" type of the dedicated Internal Synchronization port:

    • MHO-175 - Port 32

    • MHO-170 - Port 32

    • MHO-140 - Port 48

Example 1 - Viewing all available ports

MHO> set maestro port [press the TAB key]

1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

MHO>

Example 2 - Changing the port administrative state

MHO> set maestro port 1/20/1 admin-state down

You are about to perform "set maestro port 1/20/1 admin-state down"

Action might lead to traffic impact

 

Are you sure? (Y - yes, any other key - no) y

Successfully set port 20 admin-state to down

MHO>

Example 3 - Changing the port MTU

MHO> set maestro port 1/20/1 mtu 10236

You are about to perform "set maestro port 1/20/1 mtu 10236"

Action might lead to traffic impact

 

Are you sure? (Y - yes, any other key - no) y

Successfully set port 20 mtu to 10236

MHO>

Example 4 - Changing the port QSFP mode

MHO> set maestro port 1/20/1 qsfp-mode 10G

You are about to perform "set maestro port 1/20/1 qsfp-mode 10G"

Action might lead to traffic impact

 

Are you sure? (Y - yes, any other key - no) y

Successfully set port 20 qsfp-mode to 10G success

MHO>

Example 5 - Changing the port type

MHO> set maestro port 1/20/1 type uplink

You are about to perform "set maestro port 1/20/1 type uplink"

Are you sure? (Y - yes, any other key - no) y

 

"set maestro port 1/20/1 type uplink" requires auditing

Enter your full name: johndoe

Enter reason for "set maestro port 1/20/1 type uplink" [Maintenance]: test

WARNING: "set maestro port 1/20/1 type uplink", User: johndoe, Reason: test

Are you sure? (Y - yes, any other key - no) y

 

Successfully set port 1/20/1 type to uplink

MHO>

MHO> exit

[Expert@MHO:0]#

Example 6 - Changing the port type with automatic confirmation

MHO> set maestro port 1/20/1 type uplink no-confirmation

You are about to perform "set maestro port 1/20/1 type uplink no-confirmation"

Are you sure? (Y - yes, any other key - no) y

 

"set maestro port 1/20/1 type uplink no-confirmation" requires auditing

Enter your full name: johndoe

Enter reason for "set maestro port 1/20/1 type uplink no-confirmation" [Maintenance]: test

WARNING: "set maestro port 1/20/1 type uplink no-confirmation", User: johndoe, Reason: test

 

Successfully set port 1/20/1 type to uplink

MHO>

MHO> exit

[Expert@MHO:0]#

Description

These commands show the configured settings on the Quantum Maestro Orchestrator's ports.

Syntax

show maestro port <Port ID>

      admin-state

      mtu

      optic-info

      qsfp-mode

      type

      vlans

Parameters

Parameter

Description

<Port ID>

Specifies the port to configure.

The format is three numbers separated with a slash:

<Quantum Maestro Orchestrator ID>/<Port Label>/<Port Split ID>

Examples:

  • 1/3/1

  • 2/6/1

Notes:

  • If the port is not split with a breakout cable, then the default value of the <Port Split ID> is 1.

  • To see the available Port IDs, press the Tab key.

  • To see the Port IDs and the names Gaia OS assigned to them, connect to the Gaia Portal on the Quantum Maestro Orchestrator and click Orchestrator page.

    For the default mapping, see the Quantum Maestro Getting Started Guide > Section Quantum Maestro Orchestrator Ports and Gaia OS Interfaces.

admin-state

Shows the port administrative state:

  • up - Enabled

  • down - Disabled

mtu

Shows the port MTU.

optic-info

Shows the information about the QSFP transceiver.

qsfp-mode

Shows the QSFP mode:

  • 1G - Port works with the 1 GbE speed (only 10 GbE ports support this mode).

  • 10G - Port works with the 10 GbE speed.

  • 4x10G - Split of a 40 GbE port into four ports that work with the 10 GbE speed each.

  • 4x25G - Split of a 100 GbE port into four ports that work with the 25 GbE speed each.

    Note - Available in the R81.10 Jumbo Hotfix Accumulator Take 110 and above (MBS-14158).

  • 25G - Port works with the 25 GbE speed.

    Note - Available in the R81.10 Jumbo Hotfix Accumulator Take 110 and above (MBS-14158).

  • 40G - Port works with the 40 GbE speed.

  • 100G - Port works with the 100 GbE speed.

type

Shows the port type:

  • uplink - Connects to external and internal production networks

  • downlink - Connects to Check Point Security Appliances

  • management - Connects to a Management Server that manages the applicable Security Group

  • site_sync - External synchronization in Dual Site deployment - between peer Orchestrators on different sites

  • ssm_sync - Internal synchronization in Dual Site deployment - between peer Orchestrators on the same site

vlans

Shows the VLAN IDs configured on this port.

Example 1 - Viewing all available ports

MHO> show maestro port [TAB]

1/42/1 1/48/1 1/43/1 1/55/1 1/56/1 1/49/1 1/51/1 1/24/1 1/25/1
1/26/1 1/27/1 1/20/1 1/21/1 1/22/1 1/23/1 1/46/1 1/47/1 1/44/1
1/45/1 1/28/1 1/29/1 1/40/1 1/41/1 1/1/1 1/3/1 1/2/1 1/5/1
1/4/1 1/7/1 1/6/1 1/9/1 1/8/1 1/50/1 1/39/1 1/38/1 1/54/1
1/11/1 1/10/1 1/13/1 1/12/1 1/15/1 1/14/1 1/17/1 1/16/1 1/19/1
1/18/1 1/31/1 1/30/1 1/37/1 1/36/1 1/35/1 1/34/1 1/33/1 1/52/1
1/32/1 1/53/1

MHO>

Example 2 - Viewing the port administrative state

MHO> show maestro port 1/4/1 admin-state

Port 1/4/1 admin-state is down

MHO>

 

MHO> show maestro port 1/27/1 admin-state

Port 1/27/1 admin-state is up

MHO>

Example 3 - Viewing the port MTU

MHO> show maestro port 1/27/1 mtu

Port 27 mtu is 10236

MHO>

Example 4 - Viewing the QSFP transceiver information

MHO> show maestro port 1/27/1 optic-info

Port:27

Vendor Name:Gigalight

Serial Number:GE18190022

Part Number:GPP-PC192-3001CP

Check Point Part Number:NIY4471

Enforcement:Supported

Check Point SKU:CPAC-DAC-10G-1M-B

Material ID:320904

Product Type:10GBASE-CU-1M

Speed:10G

MHO>

Example 5 - Viewing the port QSFP mode

MHO> show maestro port 1/27/1 qsfp-mode

Port 27 qsfp-mode is 10G

MHO>

MHO> show maestro port 1/55/1 qsfp-mode

Port 55 qsfp-mode is 100G

MHO>

Example 6 - Viewing the port type

MHO> show maestro port 1/1/1 type

Port 1/4/1 type is management

MHO>

MHO> show maestro port 1/27/1 type

Port 1/27/1 type is downlink

MHO>

MHO> show maestro port 1/55/1 type

Port 1/55/1 type is uplink

MHO>

Example 7 - Viewing the VLAN IDs

MHO> show maestro port 1/20/1 vlans

Port 1/20/1 vlans are: 100 200

MHO>

Description

This command shows the Security Group settings on the Quantum Maestro Orchestrator.

Syntax

show maestro security-group id <Security Group ID>

Parameters

Parameter

Description

id <Security Group ID>

Specifies the Security Group ID.

To see the existing IDs, press the Tab key.

Example

MHO> show maestro security-group id 1

name: 1

 - uplinks:

  - eth1-05:

   - physical: Port 1/5/1

  - eth1-Mgmt1:

   - physical: Port 1/1/1

  - eth2-05:

   - physical: Port 2/5/1

 - mgmt_ip: 192.168.19.52

 - sic_pass: 12345

 - hostname: MyGW1

 - default_gw: 192.168.19.1

 - is_vsx: false

 - gateways:

  - 1:

   - serial: 2222222222

   - model: Check Point16000

  - 3:

   - serial: 3333333333

   - model: Check Point16000

  - 2:

   - serial: 4444444444

   - model: Check Point16000

  - 4:

   - serial: 5555555555

   - model: Check Point16000

 - mgmt_netmask: 24

MHO>