Jump Start: Maestro Accreditation Exam Details

00:00

Hello and welcome to check Point. Jump start training on the maestro Hyper scale network Security solution.

00:09

There is an accreditation exam available after you complete this training.

00:15

To take the exam, go to home dot Pearson Vue dot com slash checkpoint exam number is 156-412

00:25

There is a $49 fee to take the exam,

00:29

but the exam is not Proctor did.

00:32

So you can take it anytime, anywhere. You really just need a web browser

00:39

again. This training will be on the maestro hyper scale network security solution.

00:46

We're going to talk about security groups.

00:49

We will also briefly discuss the option tohave a dual site set up.

00:55

And most of this training will be demonstrations on how to initially configure and then set up,

01:03

manage,

01:03

monitor and troubleshoot your maestro deployment.

01:08

Maestro has two major types of components. The orchestrator is an appliance

01:17

that acts as, ah traffic and ah CPU

01:22

resource allocator, a traffic cop.

01:26

It

01:26

sends packets to specific security gateway modules

01:33

and overall spreads out your traffic load amongst all of the security Gateway modules assigned. Handle that traffic

01:42

so it acts as a load balancer and

01:46

also a network switch. Packets that arrive on one port of the orchestrator are switched at Layer 22 on output port

01:55

with no routing.

01:57

The other major component is

01:59

security gateway modules and these air just checkpoint firewall appliances.

02:04

They have to be compatible with the maestro product. They have to be,

02:09

um,

02:10

they have to meet certain hardware requirements. Most or all current checkpoint appliances are compatible. If you have an older appliance,

02:20

need to check that

02:22

the beauty of maestro is that you can start with your existing appliances,

02:28

cable them into the orchestrator and and set up your security group,

02:32

and that's handling your current load. However, over time

02:37

load increases traffic increases, and you may need to

02:40

enable mawr CPU intensive security blades

02:46

so you can buy additional

02:49

security gateway modules. Additional firewall appliances

02:52

like them into the orchestrator assigned them to the existing security groups.

02:57

And when that assignment is completed,

03:00

the additional the new security Gateway modules will start handling

03:07

their share of the traffic assigned to that security group.

03:13

There are two models of the orchestrator appliance. Currently the MH 01 40 which has 48

03:21

small form factor plug, herbal ports, which

03:25

each can do about 10 gigabits per second and then eight quad small form factor ports, which each could do about 100 gigabits per second. And in the quad ports, you can insert

03:37

a four way splitter, which gives you four

03:40

small form factor ports so you can increase the number of ports.

03:46

The model 1 70 has 32

03:49

quad small form factor ports, and again

03:53

you can insert four way splitter and get four ports.

03:59

That gives you roughly the same number of port says 1 40 if you use splitters in the 1 70

04:08

now, this is a 1 40 illustrated here. 1 70 is similar. The orchestrator appliance

04:15

comes shipped to you with

04:17

the ports allocated for different purposes. By default, you can change the purpose of ah

04:25

point

04:26

by default on the 1 40 The 1st 4 ports are

04:30

designated for management traffic,

04:32

which is your security management server, sending policy updates to security groups or

04:40

you using the Web user interface or see Ally to Change Guy, a configuration

04:45

for the security group.

04:46

Then there are up link traffic ports and these these accept traffic from your various networks, so you have internal networks. You have TMZ, wireless data center and external networks.

05:00

Those networks air routing traffic, and they get routed

05:04

through the orchestrator,

05:08

which

05:09

switches the incoming packet from the up link port to the appropriate down link port

05:15

that your security gateway modules are

05:17

plugged into.

05:19

So for a given connection, the orchestrator will designate a specific down link port

05:26

that it will switch that traffic out, too. And so the security gateway module plugged into that doubt. Link Port is responsible for processing the traffic of that connection,

05:36

and

05:38

a second security gateway module is designated to be a backup. So if the active security gateway module for this connection fails,

05:49

the backup will go active. And state synchronization has been done

05:56

between the active and the backup

05:58

to ensure that the state tables connection table

06:01

are up to date.

06:03

You can have two orchestrators in your deployment, and if you do so, you need to plug a synchronization cable between them.

06:14

So the ah, the maestro solution uses the notion of a security group of security group is a collection of assigned security gateway modules and interfaces.

06:27

When traffic arrives on ah, an up link

06:30

port that has been assigned to the security group.

06:34

The uh,

06:35

security group will

06:39

receive this traffic. The security group. When you create it, you give it a name which you're going to use in the security gateway object

06:46

In Smart Consul, you will also provide an I P address and and network configuration.

06:53

And that's the I. P address that you're going to use in smart concert Smart Consul for the

07:00

ah security Gateway object. And you would also use that I p address for the Web user interface or secure show.

07:09

And that I p address Virtual eyes is the fact that there are actually multiple security gateways assigned to that security group

07:16

One Security gateway Notice. The single management object will answer that

07:23

groups I p address.

07:25

And so you push policy. It goes to that one appliance, the single management object plants

07:31

that will receive the policy and then transparently propagate the policy update to the other

07:39

security gateway modules in the security group. Likewise, if you make configuration changes via the Web user interface,

07:46

you're making those changes to the security gateway module.

07:49

The other security gateway modules will be transparently given your configuration changes,

07:58

so again. Security groups provide a virtual ization of the fact there are actually multiple security gateways in the group

08:05

now forgiven connection. It's active. Back up. One security gateway module in the group is processing the traffic. The other is being kept up to date.

08:16

However,

08:18

looking at the overall mix of traffic, there are many connections and so different security. Gateway modules will be active for different connections

08:28

and that provides active, active load balancing.

08:31

As I said when you ah, use a security group, you're using the I. P address that you assigned to the security group

08:39

in the smart consul Security Gateway object

08:43

as well as when you're using the Web user interface.

08:48

So any changes that you make are propagated from the single management. Object to the other gateways in the group,

08:56

including hot fixes and jumble. Hot fixes If you enable that

09:01

a security group can also be designated a V s ex security group,

09:05

and

09:07

if you do that, then in Smart Consul, you'll create a V Essex's Gateway object instead of, ah, regular security gateway object.

09:16

Then, when you deploy virtual systems to that V s ex gateway, object to those virtual systems will be replicated

09:24

among all of the security gateway modules in the security group.

09:30

Now there's some limits on the security group. It could be up to eight security groups defined total,

09:37

with 31 security gateway modules per group and a total of 52 security gateway modules connected to the orchestrator.

09:45

The orchestrator also provides a dual site option where you have

09:50

to

09:50

physically distant site

09:52

with synchronization between the two sites, and there are limits on tolerable, late and see and packet loss.

10:00

You can have up to two orchestrators at each site, so total of up to four orchestrators.

10:07

And the limitation is that there could be up to 14 security gateway modules assigned to a security group

10:16

her site.

10:18

And it is a personal security group setting of whether or not to use to participate in dual site.

10:24

If you don't enable that for security group than at Side A, perhaps there will be an active security gateway module and a backup.

10:35

If the security group has been configured to use dual site than, say it side A. There's an active security gateway module. There's a backup

10:43

and its site B. There's also a backup security gateway module for this connection, and state synchronization is keeping it updated. So if we lose sight A,

10:54

we can continue to process traffic at Site B.

10:58

That security Gateway module will go active, and

11:01

another security gateway module at Site B will be designated back up

11:05

to provide the high availability.

11:09

There isn't accreditation exam that goes along with

11:13

this jump start training.

11:16

It's available at Pearson Vue dot com slash checkpoint. You don't have to goto a testing center. You can do it

11:22

from your office or your home. It's Proctor via a webcam exam. Number is one five six dash for 12 When you successfully passed the exam, then you earn the

11:33

maestro

11:35

accreditation.

11:37

So now we're gonna go into the demonstration of the maestro product.

11:41

We're going to look at how to

11:45

initially configure and then set up your maestro deployment.

11:50

Use the security groups in policy. Will also look at how you

11:56

monitor these security groups will also ah, discuss troubleshooting.