Configuring Weights for Security Group Members
Note - Do not confuse this section with Configuring Security Group High Availability, which is related to hardware monitoring.
Introduction
Starting in R81.10, you can assign different models of Security Appliances (mix of appliance models) to the same Security Group - see sk162373.
A Security Group is a logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.
To make sure all Security Group Members are loaded as equally as possible, you can configure relative weights for Security Group Members.
As a result, traffic is distributed between the Security Group Members according to these relative weights.
Limitations
- In R81.20, configuring Auto Scaling Settings is not supported if a Maestro Security Group contains different Appliance models.
- If a Security Group contains Security Appliances of different models, you must disable the SMO Image Cloning in the Security Group (Known Limitation PMTR-71298) in Gaia gClish (the global command line shell in the Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators; commands you run in this shell apply to all Security Appliances in the Security Group):
  set smo image auto-clone state off
  show smo image auto-clone state
Calculating the Security Group Member Weight
Default Weight for each Security Group Member:
--------------------------------------------------------- x 100% |
Custom Weight for a Security Group Member:
-------------------------------------------------- x 100% |
Examples for a Security Group that has three Security Group Members - M1, M2, and M3:
Required Traffic Assignment | Configuration Workflow |
---|---|
M3 - 15%; M2 - 15%; M1 - 70% | M3 - assign a number between 0 and 512; M2 - assign the same number you assigned to M3; M1 - assign the number that is 7-fold of the number assigned to M2 / M3 |
M3 - 10%; M2 - 10%; M1 - 80% | M3 - assign a number between 0 and 512; M2 - assign the same number you assigned to M3; M1 - assign the number that is 8-fold of the number assigned to M2 / M3 |
M3 - 10%; M2 - 20%; M1 - 70% | M3 - assign a number between 0 and 512; M2 - assign the number that is 2-fold of the number assigned to M3; M1 - assign the number that is 7-fold of the number assigned to M3 |
Configuring the Security Group Member Weights
Step | Instructions |
---|---|
1 | Connect to the command line on the Security Group. |
2 | If your default shell is |
3 | Configure the required weight: |
4 | Apply the new configuration: |
Parameters:
Parameter | Description |
---|---|
| Applies to Security Group Members as specified by the |
| Specifies the weight. |
Monitoring the Security Group Member Weights
Step | Instructions |
---|---|
1 | Connect to the command line on the Security Group. |
2 | If your default shell is |
3 | Examine the weights: |
Example 1:
[Global] HostName-ch01-01> show smo security-group sgm-weight all
SGM weights are:
1_01: 8 (33.33%)
1_02: 16 (66.67%)
[Global] HostName-ch01-01>
Example 2:
[Global] HostName-ch01-01> show smo security-group sgm-weight 1_2
SGM 1_2 weight is: 16 (66.67%)
[Global] HostName-ch01-01>
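The following Python sketch is an added example, not Check Point code: it turns a required traffic assignment into weights the way the workflow table describes, and checks the output of `show smo security-group sgm-weight all` for consistency. It assumes that the reported percentage is the member weight divided by the sum of all weights (inferred from Example 1), that the output has one member per line, and that the 0-512 range applies to every member; the function names and the `base` parameter are hypothetical.

```python
import re
from functools import reduce
from math import gcd

MAX_WEIGHT = 512  # assumption: the 0-512 range in the table applies to every member

def weights_for_shares(shares, base=1):
    """Integer weights whose ratios match whole-number percentage shares.

    base is the number given to one unit of the ratio (hypothetical parameter).
    Weight 0 is not modelled here, so every share must be positive.
    """
    if any(p <= 0 for p in shares.values()) or sum(shares.values()) != 100:
        raise ValueError("shares must be positive and add up to 100")
    unit = reduce(gcd, shares.values())
    weights = {sgm: p // unit * base for sgm, p in shares.items()}
    if base < 1 or max(weights.values()) > MAX_WEIGHT:
        raise ValueError("weights fall outside 1..%d" % MAX_WEIGHT)
    return weights

# Matches member lines such as "1_01: 8 (33.33%)"
LINE = re.compile(r"^\s*(\d+_\d+):\s*(\d+)\s*\((\d+(?:\.\d+)?)%\)\s*$")

def parse_show_output(text):
    """Return {member: (weight, reported_percent)} from the 'all' output."""
    matches = (LINE.match(line) for line in text.splitlines())
    return {m.group(1): (int(m.group(2)), float(m.group(3))) for m in matches if m}

def audit(text, tolerance=0.01):
    """Members whose reported share is not weight / sum(weights) x 100%."""
    parsed = parse_show_output(text)
    total = sum(weight for weight, _ in parsed.values())
    if total == 0:
        raise ValueError("no member weights found")
    return [sgm for sgm, (weight, pct) in parsed.items()
            if abs(100.0 * weight / total - pct) > tolerance]

# Constructed sample: line breaks assumed, values taken from Example 1
SAMPLE = """SGM weights are:
1_01: 8 (33.33%)
1_02: 16 (66.67%)
"""

if __name__ == "__main__":
    print(weights_for_shares({"M1": 80, "M2": 10, "M3": 10}))
    print(parse_show_output(SAMPLE), audit(SAMPLE))
```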
Best Practices
- Do not assign Security Appliance models that differ significantly in their CPU power to the same Security Group.
- In Dual Site, use the same Security Appliance models for the same Security Group Members on each site.
  Example:
  - Security Group Member with ID 1 on Site 1 (1_1) and Security Group Member with ID 1 on Site 2 (2_1) should be the same.
  - Security Group Member with ID 2 on Site 1 (1_2) and Security Group Member with ID 2 on Site 2 (2_2) should be the same.
- If you assign different models of Security Appliances to the same Security Group, then all Security Group Members have the same number of CoreXL Firewall instances (fw_worker).
  By default, the number of CoreXL Firewall instances is configured according to the SMO Security Group Member.
  We recommend that the maximal number of CoreXL Firewall instances in the Security Group not exceed this number:
  2 x (Number of CPU cores on the weakest Security Group Member)