Configuring Weights for Security Group Members in Maestro

Note - Do not confuse this section with Configuring Security Group High Availability in Maestro that is related to the hardware monitoring.

Introduction

Starting in R81.10, you can assign different models of Security Appliances (mix of appliance models) to the same Security Group - see sk162373.

To make sure all Security Group Members are loaded as equally as possible, you can configure relative weights to Security Group Members.

As a result, traffic is distributed between the Security Group Members according to these relative weights.

Limitations

  • In R81.20, it is not supported to configure Auto Scaling Settings if a Maestro Security Group contains different Appliance models.

  • If a Security Group contains Security Appliance of different models, you must disable the SMO Image Cloning in the Security Group (Known Limitation PMTR-71298) in Gaia gClish:

    set cluster configuration image auto-clone state off

    show cluster configuration image auto-clone state

Calculating the Security Group Member Weight

Default Weight for each Security Group Member:

    Number of CPU Cores on this Security Group Member

--------------------------------------------------------- x 100%

 Total Number of CPU Cores on all Security Group Members

Custom Weight for a Security Group Member:

    Local Weight of this Security Group Member

-------------------------------------------------- x 100%

 Sum of all Weights of all Security Group Members

Examples for a Security Group that has three Security Group Members - M1, M2, and M3:

Required Traffic Assignment

Configuration Workflow

M3 - 15%

M2 - 15%

M1 - 70%

M3 - assign a number between 0 and 512

M2 - assign the same number you assigned to M3

M1 - assign the number that is 7-fold of the number assigned to M2 / M3

M3 - 10%

M2 - 10%

M1 - 80%

M3 - assign the same number between 0 and 512

M2 - assign the same number you assigned to M3

M1 - assign the number that is 8-fold of the number assigned to M2 / M3

M3 - 10%

M2 - 20%

M1 - 70%

M3 - assign a number between 0 and 512

M2 - assign the number that is 2-fold of the number assigned to M3

M1 - assign the number that is 7-fold of the number assigned to M3

Configuring the Security Group Member Weights

Step

Instructions

1

Connect to the command line on the Security Group.

2

If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

gclish

3

Configure the required weight:

set smo security-group sgm-weight id <SGM IDs> weight {default | 0-512}

4

Apply the new configuration:

set smo security-group sgm-weight apply

Important - As a result of the calculation, some connections might move between the Security Group Members.

Parameters:

Parameter

Description

sgm-weight id <SGM IDs>

Applies to Security Group Members as specified by the <SGM IDs>.

<SGM IDs> can be:

  • No <SGM IDs> specified, or all

    Applies to all Security Group Members and all Sites

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • One Site (chassis1, or chassis2)

  • The Active Site (chassis_active)

weight {default | 0-512}

Specifies the weight.

Monitoring the Security Group Member Weights

Step

Instructions

1

Connect to the command line on the Security Group.

2

If your default shell is the Expert mode (/bin/bash), then go to Gaia gClish:

gclish

3

Examine the weights:

show smo security-group sgm-weight <SGM IDs>

Applies to Security Group Members as specified by the <SGM IDs>.

<SGM IDs> can be:

  • No <SGM IDs> specified, or all

    Applies to all Security Group Members and all Sites

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • One Site (chassis1, or chassis2)

  • The Active Site (chassis_active)

Example 1:

[Global] HostName-ch01-01> show smo security-group sgm-weight all
SGM weights are:
1_01: 8 (33.33%)
1_02: 16 (66.67%)
[Global] HostName-ch01-01>

Example 2:

[Global] HostName-ch01-01> show smo security-group sgm-weight 1_2
SGM 1_2 weight is: 16 (66.67%)
[Global] HostName-ch01-01>

Best Practices

  • Do not assign Security Appliance models that differ significantly in their CPU power to the same Security Group.

  • In Dual Site, use the same Security Appliance models for the same Security Group Members on each site.

    Example:

    • Security Group Member with ID 1 on Site 1 (1_1) and Security Group Member with ID 1 on Site 2 (2_1) should be the same.

    • Security Group Member with ID 2 on Site 1 (1_2) and Security Group Member with ID 2 on Site 2 (2_2) should be the same.

  • If you assign different models of Security Appliances to the same Security Group, then all Security Group Members have the same number of CoreXL Firewall instances (fw_worker).

    By default, the number of CoreXL Firewall instances is configured according to the SMO Security Group Member.

    We recommend the maximal number of CoreXL Firewall instances in the Security Group does not exceed this number:

    2 x (Number of CPU cores on the weakest Security Group Member)