Video Transcription

00:00
So this is the back of the orchestrator, Model 140.
00:06
I wanted to point out
00:08
the console ports.
00:11
So on this particular model,
00:14
there is a serial port
00:17
that you use initially to configure the Ethernet port
00:23
so you can manage via the Web user interface;
00:26
so plug the serial cable in next.
00:30
Above that port is a management port for managing the orchestrator itself.
00:37
So I'm gonna plug an Ethernet cable in there.
00:42
I'll use the serial cable first to do the initial set up of the management
00:47
Ethernet port,
00:48
and then I'll use the management Ethernet port
00:51
for subsequent configuration of the orchestrator. Now, if you were paying close attention, you may have noticed that when I inserted the pink Ethernet cable
00:59
into the
01:00
appliance management port on the back, I actually plugged it into Management 2 by mistake.
01:07
I've
01:07
plugged it into the correct port,
01:10
Management 1, the one that I intend to configure via the serial console.
01:14
Now I've turned the orchestrator around, and I'm
01:19
plugging in two
01:21
security gateway modules, two Check Point firewalls.
01:26
I'm attaching them to the orchestrator again. This is a model 140; ports 27 and 28, which are the first two ports
01:37
that are configured out of the box as downlink ports. Plug your security gateway modules into downlink ports
01:46
and you want to see link lights appear
01:51
and they are slowly there. We have link for both appliances, on both appliances and on the orchestrator.
02:00
So
02:00
I just want to reiterate the default port allocation of the model 140: ports 27 and 28 begin
02:08
the default
02:10
downlink ports. And again, that's what you would plug your security gateway modules into,
02:16
the downlink ports. They extend from there all the way to the right.
02:22
We have,
02:23
yeah,
02:23
two on the top, two on the bottom, management ports.
02:27
The rest of the SFP ports are uplink, and all of the quad SFP ports are uplink as well.
02:35
So at this point, I've got the serial cable plugged into the serial console,
02:40
opened up a serial terminal emulator.
02:45
The first thing I'm gonna do is configure the number of
02:49
orchestrator appliances that
02:51
will be used in this deployment.
02:53
The default is two.
02:55
I only have one for this presentation, and so I'll get an error if I don't change the number of
03:01
orchestrator units to one.
03:05
And that's a
03:06
restart of the orchestrator unit. So
03:09
it double checks to make sure this is indeed what you want to do.
03:15
It doesn't take that long for the change to be made, but it does cause a brief interruption. Next, I'm going to configure the management Ethernet interface with an IP address
03:25
and subnet mask,
03:28
and I'll also ensure that it's set on, though it should be already,
03:32
and I'll set a static route that allows me to access this orchestrator over the network from a different subnet.
03:42
So once I've done that, I can use the Web user interface and complete my initial configuration of this orchestrator. Save config.
03:53
Just a habit, but probably a good idea.
03:58
So we've looked at the
04:00
actual physical
04:02
orchestrator appliance,
04:04
at least the model 140 orchestrator appliance. I just wanted to spend a little bit more time explaining the port mappings.
04:15
So shown here is the 140 again,
04:18
and in the back of the appliance
04:21
are the management ports for managing the orchestrator appliance itself.
04:29
That includes one RJ45 serial jack
04:34
and two RJ45 Ethernet jacks.
04:40
So you would typically plug into the serial port,
04:44
do the configuration of the first management port
04:48
and then
04:49
use the Web user interface to communicate with the orchestrator over that management Ethernet port.
04:58
On the front of the model 140 appliance,
05:02
there are again a series of small form factor pluggable
05:09
ports and,
05:11
at the very right,
05:13
another series of quad small form factor pluggable.
05:17
And there is a mapping of the interfaces
05:24
that
05:25
you can change. But
05:27
as shipped,
05:30
the first four SFP interfaces, 1, 2, 3, 4,
05:34
are
05:36
assigned the role of being management interfaces for the security groups that you create,
05:44
and you can have multiple security groups sharing the same management interface.
05:50
Then
05:51
we have
05:54
uplink ports, which again are used to connect your site's networks into the orchestrator so traffic can move through the orchestrator
06:03
and security policy can be applied to it.
06:08
So note that the uplink ports
06:11
extend beyond the second grouping of six ports
06:15
and include the first
06:18
two
06:19
of the
06:21
third grouping of
06:25
six network ports.
06:28
So the downlink ports begin at the next port
06:31
over, and that's a trap. It's very easy to assume that
06:38
the first two ports, top and bottom,
06:42
of the third grouping of six
06:45
start the downlink ports, but that's not the case. You need to go one to the right.
06:49
That's where the down link ports start, and you can, of course,
06:54
reassign the ports to different roles
06:58
and make, uh,
07:00
what are currently uplink ports downlink ports. But that's not the default.
07:05
And then the very last of the small form factor ports
07:11
is, by default, used for synchronization to a second orchestrator appliance in your deployment,
07:17
so the two orchestrator appliances
07:20
can act
07:21
in active-active
07:25
mode. They're both processing traffic, but in addition, for high availability, one can take over if the other fails,
07:32
assuming that you have everything cabled into both
07:36
and then the
07:38
eight quad small form factor ports on the very right
07:43
are, by default, assigned as uplink,
07:46
and on these ports you can use a four-way splitter;
07:49
if you do so,
07:51
and
07:53
you get
07:54
four distinct Ethernet ports,
07:57
and each one can be assigned different roles
08:01
with the orchestrator
08:03
and finally on the right. We have eight quad small form factor ports,
08:09
which
08:09
you can
08:11
use a four-way splitter in those ports to get
08:16
four independent
08:18
network ports that show up as four
08:22
Ethernet ports
08:24
instead of one.
08:28
Now the model 170
08:31
is
08:31
similar,
08:35
except that
08:37
on the 170 all of the ports are on the front. So way over on the right, we have
08:43
one RJ45 serial console
08:46
and one RJ45
08:48
Ethernet console port for managing the orchestrator itself.
08:56
Then we have, from left to right, a series of quad small form factor ports,
09:03
and the first two, top and bottom, are by default
09:07
used for managing your security groups.
09:11
Then we have
09:13
ports 3 through 16, which by default are assigned to be uplink interfaces,
09:20
and then 17 through
09:22
31 are assigned to be downlink, except for, actually, 31. If you're in a
09:28
dual
09:30
orchestrator deployment, it would be synchronization to the other orchestrator appliance.
09:35
And again, all of these ports can be split with a four-way splitter, giving you four
09:41
physical, distinct Ethernet ports
09:45
through the splitter.
09:48
I also want to
09:48
quickly cover
09:50
the, uh,
09:52
downlink between the orchestrator
09:54
and a security gateway module
09:58
and
09:58
downlink is split into numerous VLANs.
10:03
For instance,
10:05
there's a VLAN for each uplink port;
10:09
the traffic from that uplink port, or to that uplink port, will be sent over a specific VLAN,
10:16
which starts at 1023
10:20
plus
10:20
port number on the orchestrator.
10:24
Then the correction layer, which we'll discuss in a bit; the correction layer deals with NATed traffic. The correction layer
10:31
is a separate VLAN.
10:35
Synchronization
10:37
between the security gateway modules in the security group
10:41
is
10:43
done over a separate VLAN.
10:45
And
10:46
finally,
10:48
uh,
10:48
the Chassis Internal Network, or CIN, VLAN
10:52
is used for connectivity between the orchestrators and the security gateway modules.
11:01
So
11:03
how important are these VLANs? Very important, and probably worth
11:07
remembering. The numbering of the VLANs: 1023 plus the port number; correction layer,
11:15
um, 3700 plus the
11:18
security gateway module's number;
11:20
the sync VLAN, 3800 plus the security gateway module;
11:24
and the Chassis Internal Network, 3900 plus the security gateway
11:31
number.
11:31
And IP addresses.
11:35
So, for instance, sync uses the 192.0.2 network;
11:39
Chassis Internal Network uses the 198.51.100 network;
11:48
10
11:50
a number of security gateway uh, burdock debt varies as well

Check Point Jump Start: Maestro Hyperscale Network Security

In this course, brought to you by industry leader Check Point, they will cover the Maestro Orchestrator initial installation, creation and configuration of a security group via the web user interface, and SmartConsole features. This course provides a demonstration of the Maestro product. The course will prepare you for their exam, #156-412, at Pearson VUE.

Instructed By

CheckPoint
Instructor