General Workflow in Maestro

Notes:

It is assumed that you already installed the Quantum Maestro Orchestrators, the Security Appliances, and connected all cables. See the Quantum Maestro Getting Started Guide.
When you create a new Security Group on a Maestro Orchestrator, it is not possible to configure the Gaia GRUB Password in the Security Group wizard on the Maestro Orchestrator.

You can configure the Gaia GRUB Password only after you complete the Gaia First Time Configuration Wizard on the Security Group. See the R82 Gaia Administration Guide > Chapter "System Management" > Section "System Passwords".
When you create a new Traditional VSX Gateway object (or change the settings in an existing Traditional VSX Gateway object) for a Scalable Platform Security Group, you must make sure that only one Security Group Member is "Active". You must manually set the state of all other Security Group Members to "Down" or disconnect them from the Management Server and from the one Security Group Member in the state "Active".
Conversion of an existing Security Gateway object (with the established SIC) to a Traditional VSX Gateway object is not supported.

Configure the applicable Security Groups on the Quantum Maestro Orchestrators

Note - Configure only one of the installed Quantum Maestro Orchestrators. The Quantum Maestro Orchestrators synchronize the configuration automatically with each other.

Each Security Group must contain:

One or more Security Appliances.

Note - The Quantum Maestro Orchestrators automatically assign the corresponding Downlink ports.
Applicable ports on the Quantum Maestro Orchestrators:
- A dedicated Management port, which connects the Security Group to the Management Server (for example, eth1-Mgmt1).
- Uplink ports, to which you connected the external traffic and internal traffic networks.

You can configure Security Groups in:

Gaia Portal (see Configuring Security Groups in Maestro in Gaia Portal).
Gaia Clish (see Configuring Security Groups in Maestro in Gaia Clish).

See Summary of Configuration Options in Maestro.

Perform these steps:

Step

Instructions

Create a new Security Group.

Add the Network Configuration to the Security Group.

Configure the First Time Wizard settings in the Security Group.

Note - This First Time Wizard configures only a limited number of settings.

Assign the available Security Appliances to the Security Group.

Important:

You can assign only supported Security Appliances to the same Security Group - see sk162373.
Security Appliances assigned to the Security Group automatically reboot after you apply the configuration.

Best Practice for Dual Site - Assign the same number (as possible) of Security Appliances from each site to the Security Group. If a failover occurs between the sites, Security Appliances on the new Active site must be able to process all the traffic.

Assign the applicable Quantum Maestro Orchestrator ports to the Security Group (Uplink ports and a Management interface).

Best Practice - Create a Gaia Backup on the Quantum Maestro Orchestrators to save the configuration. For more information, see the R82 Gaia Administration Guide > Chapter Maintenance > Section System Backup.

Configure the settings in SmartConsole
See Step 3 - Configuration of a Maestro Security Group in SmartConsole.
- For a Security Group in Gateway mode:
  1. Create one Security Gateway object.
  2. Configure the applicable Security Policy.
  3. Install the Security Policy on the Security Gateway object.
- For a Security Group in VSX mode:
  1. Create one VSX Gateway object.
  2. Create the objects of Virtual Systems.
  3. Configure the applicable Security Policies for the Virtual Systems.
  4. Install the Security Policies on the Virtual Systems.
Install licenses

See Step 4 - License Installation in Maestro.
Make sure the traffic passes as expected

Initiate connections that must pass through this Security Group.
Configure special settings, if required
See:

Watch the Demonstration Videos