So this is the back of the orchestrator, model 140.
I wanted to point out
the console ports.
So on this particular model,
there is a serial port
that you use initially to configure the Ethernet port
so you can manage via the Web user interface
that plug the serial cable in next.
Above that port is a management port for managing the orchestrator itself.
So I'm gonna plug an Ethernet cable in there.
I'll use the serial cable first to do the initial setup of the management
and then I'll use the management Ethernet port
for subsequent configuration of the orchestrator. Now, if you were paying close attention, you may have noticed that when I inserted the pink Ethernet cable
appliance management port on the back, actually plugged it into management two by mistake,
plugged it into the correct port,
management one, the one that I intend to configure via the serial console.
Now I've turned the orchestrator around, and I'm
plugging in two
security gateway modules, two Check Point firewalls.
I'm attaching them to the orchestrator, again, this is a model 140, to ports 27, 28, which are the first two ports
that are configured out of the box as downlink ports. Plug your security gateway modules into downlink ports
and you want to see link lights appear
and they are slowly there. We have link for both appliances on both appliances and on the orchestrator.
I just want to reiterate the default port allocation of the model 140: ports 27, 28 begin
downlink ports. And again, that's what you would plug your security gateway modules into,
the downlink ports. Extend from there all the way to the right.
two on the top, two in the bottom, management ports,
The rest of the SFP ports are uplink, and all of the quad SFP ports are uplink as well.
So at this point, I've got the serial cable plugged in to the serial console,
opened up a serial terminal emulator.
The first thing I'm gonna do is configure the number of
orchestrator appliances that
will be used in this deployment.
The default is two.
I only have one for this presentation, and so I'll get an error if I don't change the number of
orchestrator units to one.
And that's, ah,
restart of the orchestrator unit. So
double checks to make sure this is indeed what you want to do.
It doesn't take that long for the change to be made, but it does cause a brief interruption. Next, I'm going to configure the management Ethernet interface with an IP address
and subnet mask,
and I'll also ensure that it's set on, though it should be already,
and I'll set a static route that allows me to access this orchestrator over the network from a different subnet.
So once I've done that, I can use the Web user interface and complete my initial configuration of this orchestrator. Save config.
Just a habit, but probably a good idea.
So we've looked at the
at least the model 140 orchestrator appliance. I just wanted to spend a little bit more time explaining the port mappings.
So shown here is the 140 again,
and in the back of the appliance
are the management ports for managing the orchestrator appliance itself.
That includes one RJ45 serial jack
and two RJ45 Ethernet jacks.
So you would typically plug into the serial port,
do the configuration of the first management port
use the Web user interface to communicate with the orchestrator over that management Ethernet port.
On the front of the model 140 appliance,
there are again a series of small form-factor pluggable
at the very right,
another series of quad small form-factor pluggable.
And there is a mapping of the interfaces
you can change. But
the first four SFP interfaces, 1, 2, 3, 4,
assigned the role of being management interfaces for the security groups that you create,
and you can have multiple security groups sharing the same management interface.
uplink ports, which again are used to connect your site's networks into the orchestrator so traffic can move through the orchestrator
and security policy can be applied to it.
So note that the uplink ports
extend beyond the second grouping of six ports
and include the first
third grouping of
six network ports.
So the downlink ports begin at the next port
over, and that's a trap. It's very easy to assume that the
the first two ports, top and bottom,
of the third grouping of six
start the downlink ports, but that's not the case. You need to go one to the right.
That's where the downlink ports start, and you can, of course,
reassign the ports to different roles.
But make the, uh,
what are currently uplink ports downlink ports. But that's not the default.
And then the very last of the small form factor ports
is by default, used for synchronization to a second orchestrator appliance in your deployment
so the two orchestrator appliances
in active-active
mode. They're both processing traffic, but in addition, high availability one can take over if the other fails,
assuming that you have everything cabled into both
and then the
eight quad small form factor ports on the very right
are by default assigned as uplink,
and these ports, you can use a four-way splitter
if you do so,
or distinct Ethernet ports,
and each one can be assigned different roles
with the orchestrator
and finally on the right. We have eight quad small form factor ports,
use a four-way splitter in those ports to get
network ports that show up as four
instead of one.
Now the model 170.
On the 170, all of the ports are on the front. So way over on the right, we have
one RJ45 serial console
and one RJ45
Ethernet console port for managing the orchestrator itself.
Then we have, from left to right, a series of quad small form-factor ports,
and the first two, top and bottom, are by default
used for managing your security groups.
Then we have
ports 3 through 16, which by default are assigned to be uplink interfaces,
and then 17 through
31 are assigned to be downlink, except for actually 31. If you're in a
orchestrator deployment would be synchronization to the other orchestrator appliance.
And again, all of these ports can be split with a four-way splitter, giving you four
physical, distinct Ethernet ports
through the splitter.
I also want to
downlink between the orchestrator
and a security gateway module
downlink is split into numerous VLANs.
there's a VLAN for each uplink port,
the traffic from that uplink port to that uplink port will be sent over a specific VLAN,
which it starts at 1023,
port number on the orchestrator.
Then the correction layer, which we'll discuss in a bit, correction layer deals with NATed traffic. Correction layer
is a separate VLAN.
between the security gateway modules in the security group
done over a separate VLAN.
Chassis Internal Network, or CIN, VLAN
is used for connectivity between the orchestrators and the security gateway modules.
How important are these VLANs? Very important and probably worth
remembering. The numbering of the VLANs: 1023 plus the port number; correction layer,
um, 3700 plus the
security gateway module's number,
the VLAN be 800 plus the security gateway module,
and the Chassis Internal Network, 3900 plus the security gateway,
and IP addresses.
So, for instance, sync, it uses 192.0.2 network,
Chassis Internal Network uses 198.51.100 network,
a number of security gateway uh, burdock debt varies as well