Video Transcription

00:01
Hello and
00:02
welcome back to
00:04
Check Point Jump Start Maestro training.
00:07
I'd like to go over
00:09
some more useful command line utilities
00:12
and config files.
00:15
First,
00:16
there are six
00:18
security gateway modules attached to this orchestrator,
00:24
and
00:25
for the unattached or unassigned gateways,
00:28
you can see the serial numbers of those gateways,
00:33
or of those that are already in a security group.
00:36
You just have to mouse over and see them.
00:40
Uh,
00:41
you really can't
00:43
copy
00:45
these
00:46
serial numbers. It's
00:49
just not very convenient.
00:51
So if you log in to the, uh, orchestrator,
00:56
recall that there's, ah, a command that,
01:00
uh, uses the Link Layer Discovery Protocol,
01:03
LLDP,
01:06
lldpctl,
01:07
and
01:08
it spits out a bunch of
01:10
output.
01:11
You can
01:15
grep out,
01:17
pull out,
01:19
just, ah,
01:23
specific string. And I should probably put the command there.
01:30
And that
01:30
will display the list of known
01:34
security gateway modules that this orchestrator has received
01:41
Link Layer Discovery Protocol frames from.
01:46
So this is handy because you can copy and paste
01:51
from this as you need to.
01:53
So the two unassigned security gateway modules, ending in 553 and 551,
02:04
I can see them here; they're the first two listed.
02:09
So I want to demonstrate some clish commands.
02:20
First, I need to get the lock.
02:30
So, um,
02:30
you can
02:32
manage security groups through the web user interface, but sometimes it's just
02:38
easier to do some operations via the
02:44
command line
02:45
and scripting. For instance,
02:47
invoking clish in a script
02:51
can
02:52
speed up repetitive tasks. That's just one way to handle repetitive tasks.
02:58
So from clish,
03:00
you want to create a new security group,
03:08
typed the command incorrectly,
03:19
and I have to know that.
03:21
I mean, I could show,
03:23
uh, the
03:24
security groups that exist and see which IDs are currently
03:30
in use as a security group,
03:32
and the IDs correspond here: security group 1, security group 2,
03:38
those numbers
03:39
correspond to the ID.
03:42
So I'll just pick three,
03:46
and I can
03:50
add an
03:53
appliance
03:53
to the security group.
04:00
add maestro
04:01
security-group,
04:04
and
04:11
And
04:12
since I'm
04:14
this is actually, this
04:15
demo environment is actually a dual site
04:18
setup. Ah, I have to provide the site ID parameter.
04:30
I copied the appliance serial number above
04:33
and pasted it here,
04:35
so that's very handy, to be able to get the appliance serial numbers
04:41
via the
04:43
lldpctl command.
04:50
I can add interfaces.
04:59
So, uh, by the way, I should show this. If I want to delete an appliance from a security group,
05:15
I either specify the appliance by its member number
05:19
in the security group
05:21
or by the Appliance Serial number
05:31
and
05:33
started, well,
05:45
typed the command incorrectly.
05:54
I will type the command correctly.
05:56
I assigned it to security group 3.
06:00
But I'm fickle. I actually wanted it in that security group.
06:04
So
06:06
it's back.
06:09
I have created a new
06:11
security group, ID 3. I added an appliance to that security group,
06:15
and now I want to add some interfaces to the security group.
06:55
Couple of more.
07:15
So I've created the security group. I've added an appliance. I've added interfaces to the security group.
07:21
Next, I might want to, ah, run the, or configure the, first time wizard.
07:30
by the way,
07:30
delete the interface. The command is
07:34
delete.
07:53
So delete maestro security-group
07:55
ID,
07:56
member of the security group,
07:58
interface and name of interface, and very helpfully clish
08:03
tab-completes
08:05
possible
08:05
interfaces for you
08:15
Earlier, I showed you that you can get the appliance serial numbers from the lldpctl command,
08:24
and I did that because I wanted to show you
08:26
that command and how to pull the appliance serial numbers out of it. But
08:31
if I want to add
08:35
another appliance
08:37
to the security group,
08:39
there's actually an easier way.
09:05
it'll tab complete
09:07
the serial,
09:09
and the serial here is more than what I copied.
09:13
Doesn't matter.
09:18
So I've added that appliance to the security group without having to
09:24
go into expert mode and run the
09:28
lldpctl command and pipe it through grep.
09:33
So I want to configure the information for the first time wizard.
10:13
And now you know the super secret password
10:26
and
10:28
this can be either, uh, yes or no, and I'll say no.
10:37
So now I'm going to, uh,
10:39
actually create the security group
10:54
and there's, ah, an option
10:58
that I could specify telling it, don't confirm.
11:18
So, like in the web user interface, it takes a bit
11:22
to verify the security group configuration,
11:24
and then push it out to the security gateway modules,
11:28
and ah,
11:31
now the security gateway modules will be restarting.
11:35
And in the web user interface,
11:39
I refresh,
11:41
security group 3 is now displayed.
12:03
I decide that
12:05
I don't want to create the security group. I can throw away
12:09
the configuration that I have been working on.
12:11
Uh,
12:13
and off it goes.
12:20
There wasn't any
12:22
unapplied configuration, so nothing was actually thrown away there.
12:39
You can also see the details of the security group in clish.
12:43
In
12:45
expert mode,
12:46
this data is in a config file, which we'll look at.
12:50
In clish,
12:52
show maestro security-group id
12:54
And then
12:56
number of the security group
12:58
dump the information about the security group
13:05
So the
13:09
orchestrator has several ports. Depending on the model of orchestrator, it may have different types of ports.
13:18
You can
13:18
see
13:20
information about
13:22
ports on the orchestrator.
13:46
I want to see what type of port it is.
13:52
So
13:52
this port is currently defined as a management port
13:56
and we'll pick a different port.
14:01
This port should be an uplink port.
14:05
Yes,
14:07
unless it has been changed.
14:09
And then something near the right side
14:11
1 70
14:16
should be a downlink.
14:20
Now you can
14:22
change the type of port
14:41
and so I could make it a management port or a sync port
14:48
or an uplink port.
14:50
Ah,
14:50
I'm not gonna make a change
14:54
but that command is available.
15:00
You can also set the port administratively down. You can configure the
15:05
maximum transmission unit, MTU, of that port.
15:09
You can configure the speed
15:15
and there's
15:15
also, ah, a no-confirmation option at the end that you can use to not have to go through the confirmation
15:24
dialog.
15:28
Next,
15:28
I'm gonna switch.
15:31
Actually, I'm not going to switch yet. I had one more thing I wanted to show you in expert mode,
15:48
as there are two config files here of interest.
15:54
This config file describes
15:58
the, uh,
16:00
orchestrator, so like
16:03
backplane service networks that are used for the various communications,
16:11
VLANs that have been defined, and so on.
16:14
So, like, the chassis internal network here defines the IP address ranges for that,
16:25
yeah, the sync network, and so on,
16:30
of varying
16:32
degrees of
16:33
interest.
16:37
The other command, or the other config file,
16:42
uh,
16:44
that shows the configuration of security groups on the orchestrator. It lists all of the security groups
16:52
this orchestrator knows about.
16:53
You can also find this file in the single management object
16:57
and there it has the security groups,
17:02
security group information for that single
17:04
management object
17:07
that this shows the
17:10
name of the security group,
17:12
the, uh,
17:15
VSX state,
17:17
what uplinks are assigned to it.
17:21
Security group 2, security group 3.
17:26
There's, um,
17:29
not a whole lot that's interesting in clish on a single management object, except
17:34
the fact that it's actually by default
17:37
global clish.
17:40
And so setting changes that you make here in the global clish will be synchronized out
17:45
to the other
17:48
security group members.
17:51
And so, if you have 20
17:53
security gateway modules
17:56
that, uh,
17:57
you need to make a change on
18:00
connect to one of them. Usually the single management object
18:07
is the first security gateway module in the list and
18:11
then using the global clish you make your change,
18:15
and you don't have to do it
18:17
20 times, and that's
18:21
a big convenience
18:23
in expert mode.
18:26
I want to show just a few commands.
18:36
So asg policy.
18:40
This is useful, for instance, to do the
18:45
Scalable Platform equivalent of fw unloadlocal. fw unloadlocal, of course, unloads the firewall policy
18:53
and essentially turns the firewall host into a
19:00
router that is unplugged.
19:02
Packets do not pass.
19:06
So here
19:07
the equivalent
19:07
is
19:08
asg policy unload,
19:12
and there's an option in, ah, a non-Scalable Platform
19:18
there.
19:18
In expert mode,
19:21
you can
19:22
write
19:22
a value of 1 to a magic
19:26
device file,
19:29
/
19:30
proc/sys
19:33
/net/ip_forward,
19:36
and
19:37
do that
19:40
and
19:41
fw unloadlocal,
19:41
so your firewall policy will be removed,
19:45
but then Linux routing will be enabled.
19:48
So that essentially turns your security gateway host into
19:53
a router
19:55
that is plugged in.
19:56
The equivalent in the Scalable Platform is,
20:03
so
20:06
add the -ip_
20:11
forward
20:14
option,
20:21
except with two minuses.
20:29
So, um,
20:32
Pretty dire warning, and I'm not going to have it actually do that.
20:37
So, when you install policy,
20:41
the management server connects to the single management object
20:45
and
20:48
installs policy to the single management object. The single management object
20:52
then
20:55
copies the new policy
20:57
files involved in the new policy to the other security gateway modules in the group.
21:03
And then they independently install the new policy,
21:08
essentially at their convenience.
21:12
They do it quickly, but
21:15
it won't be instantaneous,
21:18
and
21:21
that holds true for access control policy and threat prevention policy.
21:26
Threat prevention policy, at least starting with R80.10,
21:30
with threat prevention policy
21:33
in R80
21:34
versions of the firewall product.
21:37
The threat prevention policy is also
21:42
pushed out as part of a policy install.
21:45
It will be
21:48
copied from the single management object to the other security gateway modules
21:53
in the security group, and they will install the threat prevention policy.
21:59
Essentially, at their convenience,
22:06
You can see
22:14
the latest
22:15
access control,
22:30
access control file
22:32
or policy that was installed.
22:34
It is at $FWDIR, which is an environment variable that expands
22:45
into /opt/CPsuite-R80.20/fw1. This is Linux. Linux is case sensitive, so you have to type the capital C, the capital P, the capital R,
22:57
and everything else lower case.
23:07
To see the contents of this
23:10
gzipped tar file,
23:15
the magic incantation is tar
23:18
-tzv,
23:21
-tzf,
23:23
-tzvf, it doesn't matter. The -t option
23:29
lists the files in this gzipped tar file,
23:33
the -v option does it verbosely, the -z option says
23:38
you're looking at a gzipped tar file instead of, ah, a non-gzipped tar file, and then the -f option
23:45
indicates what file you want to read.
23:51
And
23:52
there it is. We have another
23:55
gzipped tar file that actually has the policy,
23:57
and then we have an MD5 checksum of that file.
24:04
Perhaps you have a
24:07
security gateway module
24:10
that is having a problem with
24:12
properly getting the policy, for whatever reason.
24:18
in expert mode,
24:21
there is a
24:22
useful command.
24:33
This command has many options.
24:41
One option, for instance,
24:44
uh
24:45
allows you to reset SIC
24:48
globally, which is
24:48
very handy.
24:49
Uh, if you need to reset SIC on X number of security gateway modules,
24:56
um,
24:56
that can be a bit of a process.
25:07
You can use the sg_blade_config command to pull
25:14
config,
25:15
and specify the type of config,
25:19
from another security gateway module.
25:26
So once you do that
25:29
good. Uh,
25:30
run cpstop, cpstart.
25:33
Oh, and if necessary,
25:34
run clusterXL_admin up
25:37
to get
25:38
clustering
25:41
back out of a problem state. If it is
25:48
another
25:48
command line command that is useful:
25:51
the
25:53
g_update_conf_file
25:56
command.
26:00
So this command wants a config file to
26:04
edit, or to
26:07
add an entry into.
26:10
And you also have to provide a
26:12
variable or key equals value pair.
26:22
So I don't wanna risk accidentally messing up
26:26
a, uh,
26:27
critical config file. So I'll just use
26:32
a non-critical config file.
26:37
And there's another top secret password for you.
26:41
It always displays as asterisks for me. Anyway, the, uh,
26:48
g_update_conf_file command will
26:52
propagate this out.
27:03
There's that test.conf file.
27:07
I assure you, it did not exist before.
27:11
Let me.
27:27
It was created by this,
27:32
uh, utility.
27:47
And
27:48
there's the config file entry that was added.
27:51
So, uh,
27:53
you should have a very good reason to be editing config files.
27:57
Now, you're probably following an SK article or something like that,
28:03
but, um, this provides a convenient way to make
28:07
the same change to that config file on all of the security gateway modules
28:11
in the security group.
28:18
Going back to clish,
28:21
global clish.
28:27
So, uh,
28:29
this set smo image command
28:33
allows you to
28:36
enable auto clone mode.
28:45
Actually, before I set it, I want to show it.
28:56
So
28:56
Auto-clone is currently turned off, but what auto-clone does is
29:03
it will clone
29:06
the
29:07
the image of the single management object host
29:12
on to
29:14
another
29:15
security gateway module in the security group
29:19
if needed.
29:21
So
29:22
the
29:25
module
29:26
or, so the security gateway module will determine if it needs to be cloned
29:33
through MD5 checksums. So the, uh,
29:37
single management object host will generate an MD5 checksum of its
29:41
configuration
29:44
and propagate that out to all of the other security gateway modules, and if they have a different MD5 checksum they can pull
29:52
the config over,
29:55
and
29:56
this again could be very handy. For instance, if you have
30:00
an appliance that
30:02
fails and you get an RMA replacement,
30:07
the new appliance is going to start off without the configuration. So,
30:12
uh,
30:14
image cloning would be one way to get it
30:18
up to speed.
30:21
Or if you add a new security gateway module to your security group,
30:26
this can provide a way to get that
30:29
to the same configuration as everyone else. That should happen automatically; in some cases, it doesn't,
30:34
and so image cloning could be useful,
30:41
and image cloning can also copy over hot fixes
30:48
and Jumbo Hotfixes, which could be very convenient.
30:57
Next,
30:59
I would like to go over this graphic that I'd already shown in an earlier
31:04
module, but
31:07
I just wanted to cover it a little bit more.
31:11
Downlink interfaces
31:14
between the orchestrator and the security gateway module
31:18
use several different VLANs to separate different types of traffic.
31:25
For instance, if
31:26
we have, say, two uplink interfaces
31:32
that have been assigned to this security group, traffic
31:36
to and from
31:37
each
31:38
uplink interface
31:41
will be sent from the orchestrator to the security gateway module
31:45
through
31:47
the downlink connection, and it will be tagged with a VLAN number of 1023 plus
31:56
port number on the orchestrator
31:59
that
32:00
received the traffic.
32:06
And so, if you
32:09
have
32:12
a management interface and a couple of uplink interfaces, management interfaces are sort of like uplink interfaces,
32:20
then traffic coming into the management interface,
32:24
the
32:25
eth1-
32:27
Mgmt1,
32:29
will be
32:30
VLAN 1023 plus number of interface. That's one. So it'll be VLAN
32:35
1024.
32:37
If you have an uplink port of eth1-05, it will be
32:42
1023 plus 5, or 1028.
32:46
VLAN
32:47
1029
32:50
would be
32:52
eth1-06.
32:55
So
32:58
the different VLANs are used to separate
33:00
the uplink
33:04
traffic to and from.
33:07
And then I already sort of discussed the other VLANs.
33:12
There's, ah, a VLAN
33:14
that handles correction layer traffic, and
33:17
correction layer, again, is
33:21
there to
33:22
make sure that NATed packets
33:25
are always processed by the right security gateway module.
33:30
So when
33:31
a new connection arrives
33:34
on the orchestrator,
33:36
it'll use its distribution mode algorithm to determine
33:40
which
33:42
security gateway module in that security group
33:45
should handle
33:45
this connection. The traffic for this connection and
33:51
the
33:52
the uh,
33:53
distribution algorithm
33:55
works in both directions.
33:58
So outgoing traffic from this source to that destination and then the return traffic from
34:04
that destination to this source
34:07
will always be sent to the same
34:10
security gateway module. Again, technically, it's being sent to a particular downlink port on the orchestrator.
34:17
You only have one security gateway
34:20
module plugged into that downlink port, so implicitly that selects
34:24
the security gateway
34:27
module.
34:30
So once we have determined the downlink port and the security gateway module attached to that
34:37
should be
34:38
handling the traffic for this connection
34:42
in both directions.
34:44
That security gateway module will be active for that connection, and it will then determine another security gateway module in the security group
34:52
that should be backup, and it will start synchronizing the state of the connection to the backup.
35:00
However, if NAT policy is in use,
35:04
then
35:06
perhaps the source IP address
35:08
and/or the destination IP address, and even perhaps layer 4 ports,
35:15
may be changed
35:16
as part of the NAT policy. So
35:21
we have
35:22
packets going out with a different source or destination IP address, or perhaps a different source port,
35:30
then
35:31
the original packets that came in.
35:35
And so when the return traffic, the return NATed traffic, arrives on the orchestrator,
35:40
the
35:42
distribution algorithm
35:44
likely
35:45
determines that a different security gateway module should be handling this traffic,
35:50
because it keys off of, depending on the distribution mode,
35:53
source IP or destination IP or both or something else, and
35:59
by default it also looks at the layer 4 source port or destination port or both.
36:06
So
36:07
correction layer exists
36:09
to allow
36:13
the security gateway module which is handling the NATed traffic to forward that traffic
36:19
through this
36:20
correction layer VLAN to the security gateway
36:23
module that is handling the original traffic
36:27
because
36:28
it has the state table entries. So
36:31
we have the same security gateway module handling
36:35
both the original and the NATed
36:37
traffic.
36:39
So it can, for instance, reverse the NAT for return traffic
36:45
and then the synchronization
36:47
VLAN that is useful for synchronizing configuration changes.
36:55
Then there's the chassis Internal Network, which
36:59
carries information between the orchestrator and the security gateway modules attached to it.
37:07
So I hope this review of the
37:14
command line commands that might be useful, and of the, uh,
37:19
downlink VLANs,
37:22
has been useful. Thank you very much for attending.

Check Point Jump Start: Maestro Hyperscale Network Security

In this course brought to you by industry leader Check Point, they cover the Maestro Orchestrator initial installation, creation and configuration of security groups via the web user interface, and SmartConsole features. This course provides a demonstration of the Maestro product. The course will prepare you for their exam, #156-412, at Pearson VUE.

Instructed By

CheckPoint
Instructor