Demonstration Physical

Video Activity

Time
3 hours 53 minutes
Difficulty
Beginner
Video Transcription
00:00
So this is the back of the orchestrator, Model 140.
00:06
I wanted to point out
00:08
the console ports.
00:11
So on this particular model,
00:14
there is a serial port
00:17
that you use initially to configure the Ethernet port
00:23
so you can manage via the Web user interface
00:26
I'll plug the serial cable in next.
00:30
Above that port is a management port for managing the orchestrator itself.
00:37
So I'm gonna plug an Ethernet cable in there.
00:42
I'll use the serial cable first to do the initial set up of the management
00:47
Ethernet port,
00:48
and then I'll use the management Ethernet port
00:51
for subsequent configuration of the orchestrator. Now, if you were paying close attention, you may have noticed that when I inserted the pink Ethernet cable
00:59
into the
01:00
appliance management port on the back, I actually plugged it into Management 2 by mistake.
01:07
I've
01:07
plugged it into the correct port,
01:10
Management 1, the one that I intend to configure via the serial console.
01:14
Now I've turned the orchestrator around, and I'm
01:19
plugging in to
01:21
two security gateway modules, two Check Point firewalls.
01:26
I'm attaching them to the orchestrator again. This is a Model 140; ports 27 and 28 are the first two ports
01:37
that are configured out of the box as downlink ports. Plug your security gateway modules into downlink ports
01:46
and you want to see link lights appear
01:51
and there they are, slowly. We have link on both appliances and on the orchestrator.
02:00
So
02:00
I just want to reiterate the default port allocation of the Model 140: ports 27 and 28 begin
02:08
the default
02:10
downlink ports. And again, that's what you would plug your security gateway modules into,
02:16
the downlink ports. They extend from there all the way to the right.
02:22
We have,
02:23
yeah,
02:23
two on the top, two on the bottom, management ports.
02:27
The rest of the SFP ports are uplink, and all of the QSFP ports are uplink as well.
02:35
So at this point, I've got the serial cable plugged in to the serial console,
02:40
opened up a serial terminal emulator.
02:45
The first thing I'm gonna do is configure the number of
02:49
orchestrator appliances that
02:51
will be used in this deployment.
02:53
The default is two.
02:55
I only have one for this presentation, and so I'll get an error if I don't change the number of
03:01
orchestrator units to one.
03:05
And that's a
03:06
restart of the orchestrator unit, so
03:09
it double-checks to make sure this is indeed what you want to do.
03:15
It doesn't take that long for the change to be made, but it does cause a brief interruption. Next, I'm going to configure the management Ethernet interface with an IP address
03:25
and subnet mask,
03:28
and I'll also ensure that it's set to on, though it should be already,
03:32
and also set a static route that allows me to access this orchestrator over the network from a different subnet.
03:42
So once I've done that, I can use the Web user interface and complete my initial configuration of this orchestrator. Save config.
03:53
Just a habit, but probably a good idea.
03:58
So we've looked at the
04:00
actual physical
04:02
orchestrator appliance,
04:04
at least the Model 140 orchestrator appliance. I just wanted to spend a little bit more time explaining the port mappings.
04:15
So shown here is the 140 again,
04:18
and in the back of the appliance
04:21
are the management ports for managing the orchestrator appliance itself.
04:29
That includes one RJ45 serial jack
04:34
and two RJ45 Ethernet jacks.
04:40
So you would typically plug into the serial port,
04:44
do the configuration of the first management port
04:48
and then
04:49
use the Web user interface to communicate with the orchestrator over that management Ethernet port.
04:58
On the front of the Model 140 appliance,
05:02
there are again a series of small form factor pluggable
05:09
ports and,
05:11
at the very right,
05:13
another series of quad small form factor pluggable ports.
05:17
And there is a mapping of the interfaces
05:24
that
05:25
you can change. But
05:27
as shipped,
05:30
the first four SFP interfaces, 1, 2, 3, 4,
05:34
are
05:36
assigned the role of being management interfaces for the security groups that you create,
05:44
and you can have multiple security groups sharing the same management interface.
05:50
Then
05:51
we have
05:54
uplink ports, which again are used to connect your site's networks into the orchestrator so traffic can move through the orchestrator
06:03
and security policy can be applied to it.
06:08
So note that the uplink ports
06:11
extend beyond the second grouping of six ports
06:15
and include the first
06:18
two
06:19
of the
06:21
third grouping of
06:25
six network ports.
06:28
So the downlink ports begin at the next port
06:31
over, and that's a trap. It's very easy to assume that
06:38
the first two ports, top and bottom,
06:42
of the third grouping of six
06:45
start the downlink ports, but that's not the case. You need to go one to the right.
06:49
That's where the downlink ports start, and you can, of course,
06:54
reassign the ports to different roles
06:58
and make
07:00
what are currently uplink ports downlink ports. But that's not the default.
07:05
And then the very last of the small form factor ports
07:11
is, by default, used for synchronization to a second orchestrator appliance in your deployment,
07:17
so the two orchestrator appliances
07:20
can act
07:21
in active-active
07:25
mode. They're both processing traffic, but in addition, for high availability, one can take over if the other fails,
07:32
assuming that you have everything cabled into both
07:36
and then the
07:38
eight quad small form factor ports on the very right
07:43
are, by default, assigned as uplink,
07:46
and in these ports you can use a four-way splitter;
07:49
if you do so,
07:51
and
07:53
you get
07:54
four distinct Ethernet ports,
07:57
and each one can be assigned different roles
08:01
within the orchestrator.
08:03
and finally on the right. We have eight quad small form factor ports,
08:09
which
08:09
you can
08:11
use a four-way splitter in those ports to get
08:16
four independent
08:18
network ports that show up as four
08:22
Ethernet ports
08:24
instead of one.
08:28
Now the Model 170
08:31
is
08:31
similar,
08:35
except that
08:37
on the 170 all of the ports are on the front. So way over on the right, we have
08:43
one RJ45 serial console
08:46
and one RJ45
08:48
Ethernet console port for managing the orchestrator itself.
08:56
Then we have, from left to right, a series of quad small form factor ports,
09:03
and the first two, top and bottom, are by default
09:07
used for managing your security groups.
09:11
Then we have
09:13
ports 3 through 16, which by default are assigned to be uplink interfaces,
09:20
and then 17 through
09:22
31 are assigned to be downlink, except for, actually, 31, which, if you're in
09:28
a dual
09:30
orchestrator deployment, would be synchronization to the other orchestrator appliance.
09:35
And again, all of these ports can be split with a four-way splitter, giving you four
09:41
physically distinct Ethernet ports
09:45
through the splitter.
09:48
I also want to
09:48
quickly cover
09:50
the
09:52
downlink between the orchestrator
09:54
and a security gateway module
09:58
and
09:58
the downlink is split into numerous VLANs.
10:03
For instance,
10:05
there's a VLAN for each uplink port.
10:09
The traffic from that uplink port or to that uplink port will be sent over a specific VLAN,
10:16
which starts at 1023
10:20
plus
10:20
port number on the orchestrator.
10:24
Then the correction layer, which we'll discuss in a bit. The correction layer deals with NATted traffic. The correction layer
10:31
is a separate VLAN.
10:35
Synchronization
10:37
between the security gateway modules in the security group
10:41
is
10:43
done over a separate VLAN.
10:45
And
10:46
finally,
10:48
the
10:48
chassis internal network, or CIN, VLAN
10:52
is used for connectivity between the orchestrators and the security gateway modules.
11:01
So
11:03
how important are these VLANs? Very important, and probably worth
11:07
remembering. The numbering of the VLANs: 1023 plus the port number; correction layer,
11:15
3700 plus the
11:18
security gateway module's number;
11:20
the VLAN, 3800 plus the security gateway module;
11:24
and the chassis internal network, 3900 plus the security gateway
11:31
number.
11:31
And IP addresses.
11:35
So, for instance, sync uses the 192.0.2 network;
11:39
chassis internal network uses the 198.51.100 network;
11:48
10
11:50
a number of security gateway uh, burdock debt varies as well