Configuring VLAN Interfaces on top of a Bond Interface on Uplink Ports

This section shows how to configure VLAN Interfaces on top of a Bond Interface that is configured on Uplink Ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object..

Procedure

Add the required VLAN tags and assign the Uplink ports to the applicable Security Group

You can perform this step in either Gaia Portal Web interface for the Check Point Gaia operating system., or Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). of the Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO..

In Gaia Portal

Step	Instructions
1	Connect with a web browser to the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal on one of the Quantum Maestro Orchestrators.
2	Add VLAN tags on the applicable Uplink Ports. See Adding VLAN Interfaces on Uplink Ports.
3	Assign the applicable Uplink ports with VLAN tags to the applicable Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.. See Assigning Interfaces to a Security Group.
4	In the bottom left corner, click Apply.

In Gaia Clish

Step	Instructions
1	Connect to the command line on one of the Quantum Maestro Orchestrators.
2	Log in to the Gaia Clish.
3	Add VLAN tags on the applicable Uplink Ports. See Adding VLAN Interfaces on Uplink Ports.
4	Assign the applicable Uplink ports to the applicable Security Group. See Assigning One Interface to a Security Group.
5	Verify the new configuration. See Verifying the Configuration Changes.
6	Apply the new configuration. See Applying the Configuration Changes.

Configure the Bond interface and VLAN interfaces on the Bond interface in the Security Group

You can perform this step in either Gaia Portal, or Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. of the Security Group.

In Gaia Portal

Step

Instructions

Connect with a web browser to the Gaia Portal of the Security Group.

Configure the Bond interface on top of the Uplink ports.

Add the same VLAN interfaces on the Bond interface, which you added in the Quantum Maestro Orchestrator.

In Gateway mode only:

Assign the IP addresses to these VLAN interfaces.

Important - In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must assign the IP addresses in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. in the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. object or applicable Virtual System object.

In Gaia gClish

Step

Instructions

Connect to the command line of the Security Group.

Go to the Gaia gClish:

gclish

Configure the Bond interface on top of the Uplink ports.

Add the same VLAN interfaces on the Bond interface, which you added in the Quantum Maestro Orchestrator.

In Gateway mode only:

Assign the IP addresses to these VLAN interfaces.

Important - In VSX mode, you must assign the IP addresses in SmartConsole in the VSX Gateway object or applicable Virtual System object.

For more information, see the R81 Scalable Platforms Gaia Administration Guide.

Configure the Security Gateway or VSX Gateway object in SmartConsole

If you already created a Security Gateway object for this Security Group:

Step	Instructions
1	Connect with SmartConsole to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
2	From the left navigation panel, click Gateways & Servers.
3	Open the applicable Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.
4	From the left tree, click Network Management.
5	Click Get Interfaces > Get Interfaces Without Topology.
6	Click OK.
7	Install the Access Control Policy on this Security Gateway object.

If you already created a VSX Gateway object for this Security Group:

Note - For more information, see the R81 Scalable Platforms VSX Administration Guide.

Step

Instructions

Connect with SmartConsole to the Management Server.

From the left navigation panel, click Gateways & Servers.

Open the applicable VSX Gateway object.

From the left tree, click Physical Interfaces.

Click Add.

Add the new Bond interface.

Important - Enter the same name (case sensitive) you see in the Gaia settings of this Security Group.

In the VLAN Trunk column, check the box for this Bond interface.

Click OK.

Install the Access Control Policy on this VSX Gateway object.

Configure the VLAN interfaces in the applicable Virtual System.

Install the Access Control Policy on the applicable Virtual System object.

Example

This example is based on the default configuration of MHO-170:

Explanations

Item

Description

Network 1 in VLAN 10 connected to ports on the Networking Device (3).

Network 2 in VLAN 20 connected to ports on the Networking Device (3).

Networking Device (router or switch) that connects your Network 1 and Network 2 to the Quantum Maestro Orchestrators (10 and 12) with Bond interfaces (Link Aggregation).

Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (10 and 12).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances (26 and 24) in the applicable Security Group (25).

Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (10 and 12).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances (23 and 21) in the applicable Security Group (22).

A DAC cable, Fiber cable (with transceivers), or Breakout cable An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable. that connects a first slave of the first Bond (4) on the Networking Device (3) to the first Quantum Maestro Orchestrator (10).

This cable connects to the Uplink port 3 (interface eth1-05), which must be configured with the VLAN tag 10.

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second slave of the first Bond (4) on the Networking Device (3) to the first Quantum Maestro Orchestrator (12).

This cable connects to the Uplink port 3 (interface eth2-05), which must be configured with the VLAN tag 10.

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a first slave of the second Bond (5) on the Networking Device (3) to the second Quantum Maestro Orchestrator (10).

This cable connects to the Uplink port 9 (interface eth1-17), which must be configured with the VLAN tag 20.

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second slave of the second Bond (5) on the Networking Device (3) to the second Quantum Maestro Orchestrator (12).

This cable connects to the Uplink port 9 (interface eth2-17), which must be configured with the VLAN tag 20.

First Quantum Maestro Orchestrator.

A DAC that connects the dedicated Synchronization ports 32 on the Quantum Maestro Orchestrators (10 and 12).

Important - This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

Second Quantum Maestro Orchestrator.

13-20

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). on Quantum Maestro Orchestrators to the Security Appliances.

21-23

All Security Appliances assigned to the Security Group 2.

24-26

All Security Appliances assigned to the Security Group 1.

Example procedure

Step	Instructions
1	Configure the required settings on one of the Quantum Maestro Orchestrators: Connect to one of the Quantum Maestro Orchestrators. Add VLAN tag 10 to the Port 1/3/1 (interface `eth1-05`). Add VLAN tag 10 to the Port 2/3/1 (interface `eth2-05`). Add VLAN tag 20 to the Port 1/9/1 (interface `eth1-17`). Add VLAN tag 20 to the Port 2/9/1 (interface `eth2-17`). Assign the Port 1/3/1 with VLAN tag 10 (interface `eth1-05.10`) to the Security Group 1. Assign the Port 2/3/1 with VLAN tag 10 (interface `eth2-05.10`) to the Security Group 1. Assign the Port 1/9/1 with VLAN tag 20 (interface `eth1-17.20`) to the Security Group 2. Assign the Port 2/9/1 with VLAN tag 20 (interface `eth1-17.20`) to the Security Group 2. Apply the configuration.
2	Configure the required settings in the Security Group 1: Connect to the Gaia of the Security Group 1. Configure a new interface Bond1 on top of the interfaces `eth1-05` and `eth2-05`. Add the VLAN tag 10 on top of the new interface Bond1 (`bond1.10`).
3	Configure the required settings in the Security Group 2: Connect to the Gaia of the Security Group 2. Configure a new interface Bond1 on top of the interfaces `eth1-17` and `eth2-17`. Add the VLAN tag 20 on top of the new interface Bond1 (`bond1.20`).
4	In SmartConsole, add the new interface (`bond1.XX`) to the Security Group object.