3 hours 53 minutes
welcome back to
Checkpoint Jumpstart. Maestro training.
I'd like to go over
some more useful command line utilities
and config files.
there are six
security gateway modules attached to this orchestrator,
the unattached or unassigned gateways
can see the serial numbers of those gateways
of those that are already in security group
Just have to mouse over and see them.
you really can't
serial numbers. It's It's
just not very convenient.
So if you log in to the, uh, orchestrator,
call that there's, ah command that,
uh, uses the link lawyer Discovery Protocol
L L D p
it spits out a bunch of
specific string. And I should probably put the command there.
will display the list of known
security gateway modules that this orchestrator has received
lean, clear discovery protocol frames.
So this is handy because you can copy and paste
from this as as you need to.
So the two unassigned security gateway modules and in 553 and 551
and see them here, they're the first to listed.
So I want to demonstrate some Klay Shell commands.
First, I need to get the lock.
manage security groups through the Web user interface. But sometimes it's just
easier to do some operations. Be a the
and scripting. For instance.
Invoking Klay shell in a script
speed up repetitive tasks. That's that's just one way to handle repetitive tasks.
So from from Cle Show,
you want to create a new security group,
types command incorrectly,
and I have to know that
I mean, I could I could show,
security groups that exist on DSI, which I DS are currently
in use as a security group
and and the ideas correspond here. Security a one security group to
respond to the I. D.
So I'll just pick three,
and I can
to the security group.
this this is actually this this
demo environment is actually a dual site
set up. Ah, I have to provide the site I d parameter.
I copied the appliance serial number above
paste it here,
so that's very handy. To be able to get the appliance serial numbers
be of the l L
DPC TL command.
I can add interfaces.
So, uh, by the way, I should I should show this If I want to delete an appliance from a security group
like I either specify the appliance by its member number
in the security group
or by the Appliance Serial number
to command incorrectly.
I will type commanding correctly
assigned it to security Group three.
But I'm fickle. I actually wanted in that security group.
I have created a new
security group, i d three. I added an appliance to that security group,
and now I want to add some interfaces to the security group.
Couple of more.
So I've raided the security group. I've added an appliance. I've added interfaces to the security group.
Next, I might want to Ah, run the are configure the first time wizard,
by the way,
delete the interface. The grand is
So delete Maestro Security Group
member of the security group
in her face and name of interface and very helpfully cliche
interfaces for you
earlier. I am I showed you that you can get the appliance serial numbers from the L L D P CTL Command,
and I did that because I wanted to show you
back to man and how toe pull the appliance serial numbers out of it. But
if I want to add
to the security group,
there's there's actually an easier way
it'll tab complete
and no serial here is more than what I copied.
So I've added that appliance to the security group without having toe
going expert mode and run the l l
DPC Teal command. Pipe it through grip.
So I want Teoh configure the information for the first time wizard.
And now you know the super secret password
this country either over yes and will say no.
So now I'm going to, uh,
actually create the security group
and there's, ah, an option
that I could specify telling it. Don't confirm.
So, like in the Web user interface, it takes a bit
to verify the security group configuration,
which you can push it out to the security gateway modules
now the security gateway modules will be restarting.
And in the Web user interface,
security free is now displayed.
I decide that
I don't want to create the security group. I can throw away
the configuration that I have been working on.
in and off it goes.
There wasn't any
UN applied configuration, so nothing actually thrown away there.
You can also see the details of the security group in Cle show
This data is in a CONFIG file which will look at
in cle show
Shell Maestro, Security Group I D.
number of the security group
dump the information about the security group
eso the the
orchestrator has several ports. Depending on the model of orchestrator, it may have different types of ports.
ports on the orchestrator.
I want to see what type of port it is.
this port is currently defined as a management port
and we'll pick a different port.
The sport should be an up link port.
unless it has been changed.
And then something near the right side
should be a down link.
Now you can
change the type of port
and so I could make it a management port or a sink port
are not playing port.
I'm not gonna make a change
that command is available.
You can also set the port administratively down. You can configure the
maximum transmission unit mtu of that port.
You can configure the speed
also ah, no confirmation option at the end and that you can use to not have to go through the compliment confirmation
I'm gonna switch.
Actually, I'm not going to switch yet. I had one more thing. I wanted to show you an expert mode
as there to config files here of interest.
This config file describes
orchestrator eso like
back plane service networks that are that are used for the various communications
V lands that have been defined and so on.
So, like the chassis internal network here defines the i p address ranges for that
Yeah, the Sink network. And so one
of the burying
The other command are the other config file
that shows the configuration of security groups and on the orchestrator. It lists all of the security groups
this orchestrator knows about.
You can also find this file in the single management object
and there it has the security groups,
security group information for that single
that this shows the
aim of the security group,
What up links are assigned to it.
Security. Too scary Group three.
not a whole lot That's interesting in Cle Shell on a single management object, except
the fact that it's actually by default
global. Please show.
And so setting changes that you make here in the global Beashel will be synchronized out
to the other
security group members.
And so, if you have 20
security gateway modules
you need to make a change on
connect to one of them. Usually the single management object
is the first security gateway module in the list and
then using the global Klay show. You make your change
and you don't have to do it
20 times, and that's
a big convenience
in expert mode.
Want to show just a few commands?
So a SG policy.
This is useful, for instance, to to do the
scaled will platform equivalent of FW, unload local FW unload local, of course, removes the unloads the firewall policy
and essentially turns the firewall host into a
router that is unplugged.
Packets packets do not pass
a SG policy unload,
and there's an option in, ah, non scalable platform
In expert mode,
a value of one to a magic
rock p r o c slash cysts
slash net slash i p forward
and Do that
local so your firewall policy will be removed.
But then the linen routing will be enabled.
So that essentially turns your security gateway host into
that is plugged in
the equivalent in the scale of will platform is
add the minus I p underscore
except with two minuses.
pretty dire warning. And I'm not going toe. Have it actually do that,
that when you install policy,
the management server connects to the single management object
installs policy to the single management object. The single management object
copies the new policy
miles involved in the new policy to the other security gateway modules in the group.
And then they independently installed a new policy
essentially at their convenience when
they do it quickly. But
it won't be instantaneous,
that holds true for access control, policy and threat prevention policy
that prevention Paul at least starting with our 80 dot
10 with threat prevention policy
in our 80
versions of of the firewall product.
The threat prevention policy is also
pushed out as part of a policy install.
It will be
copied from the single management object to the other security gateway modules
in the security group, and they will install the threat prevention policy.
Essentially, at their convenience,
access control file
or policy that was installed.
It is at Dollar Sign, FW dear, which is an environment variable that expands
into slash opt slash cp Sweet dash already not 20 slash FW one. This is Lennox. Lennox is case sensitive, so you have to type to capital C the capital p the capital are
and everything else lower case.
To see the contents of this
G zipped tar file
is the magic incantation. Tar space minus
t z v
t the ZF
T Z v f. It doesn't matter. The minus T option
lists the files in this G zip tar file
minus V option. Does it ever mostly the minus Z option says
you're looking at a G zipped tar file instead of, ah, non G zipped tar file. And then the minus F option
indicates what file will you want to read?
there it is. We have another
Jesup tar file that actually has the policy,
and then we have an empty five. Check some of that file.
Perhaps you have a
security gateway module
that is having a problem with
properly getting the policy for for whatever reason,
in expert mode,
there is a
It's command has many options.
One option, for instance,
allows you to reset sick
globally, which is
Uh, you need to reset sick on X number of security gateway modules.
that can That can be a bit of a process.
You can use the SG underscore blade on a score config command to pull
and specified that the type of config
from another security gateway module.
So once you do that
run Cp, Stop CP start.
Oh, and if necessary,
Run, Cluster Excel Underscore Admin up
back out of a problem state. If it is
MANNLEIN command, that is useful.
G update comp file,
So this command it wants a config file too
At it, or or two.
Add an entry in two.
And you also have to provide a
variable or key equals value pair.
So I don't wanna risk accidentally messing up
medical config file. So I'll just use
a non critical CONFIG file.
And there's another top secret password for you.
It always displays his *** tricks for me. Anyway, the, uh,
g update config file command will
propagate this out.
There's that test dot com file.
I assure you, it did not exist before.
It was created by this,
there's the CONFIG file entry That was added.
you should have a very good reason to be editing config files.
Now, you're probably following ah SK article or something like that,
but, um, this provides a convenient way to
the same change to that config file on all of the security gateway modules
in the in the security group.
Bring back Teoh Klay Shell
Global the show.
this set S m o image command
allows you to
enable auto clone mode.
Actually, before I said it, I won't show it
Auto clone currently has turned off, but Auto clone does is
it will clone
the image of the single management object host
security get way module in the security group
or so the security gateway module will determine if it needs to be cloned
through empty five check sums. So the uh,
single management object host will generate an empty five, check some of its
and propagate that out to all of the other security gateway modules. And and if they have a different empty five, check something they can pull
could figure over,
this again could be very handy. For instance, if you have
on appliance that
bales and you get an Army replacement,
the new appliance is going to start off without the configuration. So,
image cloning would be one way to get it
up to speed.
Or if you add a new security gateway module to your security group,
this can provide a way to get that
to the same configuration. Is everyone else not should happen automatically. In some cases, it doesn't
and so image cloning could be useful,
and image cloning can also copy over hot fixes
and hot a jumble hot fixes, which could be very convenient.
I would like to go over this this graphic that that I'd already shown in an earlier
I wanted I just wanted to cover it a little bit more
down. Link interfaces
between the orchestrator and the security gateway module
use several different V lands to separate different types of traffic.
For instance, if
we have, say, to uplink interfaces
that have been assigned to this security group, traffic
to and from
up link interface
will be sent from the orchestrator to the security gateway module
the down Link connection. And it will be tagged with a villain number of 10 to 3, plus
port number on the orchestrator
received the traffic.
And so, if you
a management interface and a couple of up link interfaces, management interfaces are sort of like up link interfaces
than traffic. Coming into the management interface,
heath won dash
the land 10 to 3 plus number of interface. That's that's one. So it'll be villain
10 to 4.
If you have an up link port of 8th 105 it will be
one or 23 plus five or 1028
nine would be
the different V lands are used to separate
the the up link
traffic to and from.
And then I already sort of discussed the other villains.
There's ah, villain
that handles correction layer traffic and
correction layer again is
Make sure that Navid packets
are always processed by the right security gateway module.
a new connection arrives
on the orchestrator,
it'll use its distribution mode algorithm to determine
security gateway module in that security group
this connection. The traffic for this connection and
works in both directions.
So outgoing traffic from this source to that destination and then the return traffic from
that destination to this source
will always be sent to the same
security gateway module again. Technically, it's being sent to a particular down lake port on the orchestrator.
You only have one security eight way
module plugged into that down Lakeport so implicitly that selects
the security gateway
So once we have determined the down Lakeport and the security gateway module attached to that
handling the traffic for this connection
in both directions.
That security Gateway module will be active that connection, and it will then determine another security gateway module in the security group
that should be back up, and it will start synchronizing the state of the connection to the backup.
However, if Nat policy is in use,
perhaps the source i p address
and or the destination I P address and and even perhaps layer for ports
as part of the gnat policy. So
packets going out with a different source or destination I P address, or perhaps a different source port,
the original packets that came in.
And so when the return traffic the return added traffic arrives on the orchestrator,
determined that a different security gateway modules should be handling this traffic
because it keys off of depending on the distribution mode
source I P or Destination I p or both or something else. And
by default. It also looks at the layer for sore sport or destination port or both.
correction layer exists
the security Gateway module, which is handling the Navid traffic, to forward that traffic
direction. Layer villain to the security gateway
module that is handling the original traffic
it has the state table entries. So
we have the same security gateway module handling
both the original and then added
So it can, for instance, reverse the NAT for return traffic
and then the synchronization
villain that is useful for synchronizing configuration changes.
Then there's the chassis Internal Network, which
carries information between the orchestrator and the security gateway modules attached to it.
So I I hope this review of the
command line demands that might be useful and of the, uh,
down link be lands
has been useful. Thank you very much for attending.