Hello and welcome to Check Point Jump Start training on the Maestro Hyperscale Network Security solution. There is an accreditation exam available after you complete this training. To take the exam, go to home.pearsonvue.com/checkpoint; the exam number is 156-412. There is a $49 fee to take the exam, but the exam is not proctored, so you can take it anytime, anywhere. You really just need a web browser. Again, this training will be on the Maestro Hyperscale Network Security solution.
We're going to talk about security groups. We will also briefly discuss the option to have a dual-site setup. Most of this training will be demonstrations on how to initially configure and then set up, monitor and troubleshoot your Maestro deployment.
Maestro has two major types of components. The orchestrator is an appliance that acts as a traffic and CPU resource allocator, a traffic cop. It sends packets to specific security gateway modules and overall spreads out your traffic load amongst all of the security gateway modules assigned to handle that traffic, so it acts as a load balancer and also a network switch. Packets that arrive on one port of the orchestrator are switched at Layer 2 to an output port.
The other major component is security gateway modules, and these are just Check Point firewall appliances. They have to be compatible with the Maestro product; they have to meet certain hardware requirements. Most or all current Check Point appliances are compatible. If you have an older appliance, the beauty of Maestro is that you can start with your existing appliances, cable them into the orchestrator and set up your security group, and that's handling your current load. However, over time load increases, traffic increases, and you may need to enable more CPU-intensive security blades, so you can buy additional security gateway modules, additional firewall appliances, link them into the orchestrator and assign them to the existing security groups. When that assignment is completed, the new security gateway modules will start handling their share of the traffic assigned to that security group.
There are two models of the orchestrator appliance. Currently there is the MHO-140, which has 48 small form-factor pluggable ports, which each can do about 10 gigabits per second, and then eight quad small form-factor pluggable ports, which each can do about 100 gigabits per second. In the quad ports, you can insert a four-way splitter, which gives you four small form-factor pluggable ports, so you can increase the number of ports. The model MHO-170 has 32 quad small form-factor pluggable ports, and again you can insert a four-way splitter and get four ports. That gives you roughly the same number of ports as the MHO-140 if you use splitters in the MHO-170.
Now, this is an MHO-140 illustrated here; the MHO-170 is similar. The orchestrator appliance comes shipped to you with the ports allocated for different purposes. By default (you can change the purpose of a port), on the MHO-140 the first four ports are designated for management traffic, which is your security management server sending policy updates to security groups, or you using the web user interface or CLI to change Gaia configuration for the security group.
Then there are uplink traffic ports, and these accept traffic from your various networks: so you have internal networks, you have DMZ, wireless, data center and external networks. Those networks are routing traffic, and it gets routed through the orchestrator, which switches the incoming packet from the uplink port to the appropriate downlink port that your security gateway modules are plugged into. So for a given connection, the orchestrator will designate a specific downlink port that it will switch that traffic out to, and so the security gateway module plugged into that downlink port is responsible for processing the traffic of that connection. A second security gateway module is designated to be a backup, so if the active security gateway module for this connection fails, the backup will go active. State synchronization has been done between the active and the backup to ensure that the state tables, the connection table, are kept up to date.
You can have two orchestrators in your deployment, and if you do so, you need to plug a synchronization cable between them.
So the Maestro solution uses the notion of a security group. A security group is a collection of assigned security gateway modules and interfaces. When traffic arrives on an uplink port that has been assigned to the security group, the security group will receive this traffic. When you create the security group, you give it a name, which you're going to use in the security gateway object in SmartConsole. You will also provide an IP address and network configuration. That's the IP address that you're going to use in SmartConsole for the security gateway object, and you would also use that IP address for the web user interface or secure shell. That IP address virtualizes the fact that there are actually multiple security gateways assigned to that security group. One security gateway, notice, the single management object, will answer at that address. So when you push policy, it goes to that one appliance, the single management object; it will receive the policy and then transparently propagate the policy update to the other security gateway modules in the security group. Likewise, if you make configuration changes via the web user interface, you're making those changes to the single management object security gateway module, and the other security gateway modules will be transparently given your configuration changes. So again, security groups provide a virtualization of the fact that there are actually multiple security gateways in the group.
Now for a given connection, it's active/backup: one security gateway module in the group is processing the traffic, the other is being kept up to date. Looking at the overall mix of traffic, there are many connections, and so different security gateway modules will be active for different connections, and that provides active/active load balancing. As I said, when you use a security group, you're using the IP address that you assigned to the security group in the SmartConsole security gateway object, as well as when you're using the web user interface. So any changes that you make are propagated from the single management object to the other gateways in the group, including hotfixes and jumbo hotfixes, if you enable that.
A security group can also be designated a VSX security group. If you do that, then in SmartConsole you'll create a VSX gateway object instead of a regular security gateway object. Then, when you deploy virtual systems to that VSX gateway object, those virtual systems will be replicated among all of the security gateway modules in the security group. Now there are some limits on the security group: there can be up to eight security groups defined total, with 31 security gateway modules per group and a total of 52 security gateway modules connected to the orchestrator.
The orchestrator also provides a dual-site option, where you have a physically distant site with synchronization between the two sites, and there are limits on tolerable latency and packet loss. You can have up to two orchestrators at each site, so a total of up to four orchestrators. The limitation is that there can be up to 14 security gateway modules assigned to a security group. It is a per-security-group setting whether or not to participate in dual site. If you don't enable that for a security group, then at Site A, perhaps, there will be an active security gateway module and a backup. If the security group has been configured to use dual site, then, say, at Site A there's an active security gateway module and there's a backup, and at Site B there's also a backup security gateway module for this connection, and state synchronization is keeping it updated. So if we lose Site A, we can continue to process traffic at Site B: that security gateway module will go active, and another security gateway module at Site B will be designated backup to provide the high availability.
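The active/backup assignment per connection, the active/active spread across many connections, and the dual-site failover described in the last few minutes can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not Check Point code and not the orchestrator's real distribution algorithm. Everything beyond the limits quoted in the training (8 groups, 31 SGMs per group, 52 per orchestrator, 14 per dual-site group) is an assumption: the SHA-256 hash used to choose an active SGM, the choice of backup at the same site, the extra backup at the remote site, the class and method names, and the constructed connection key.

```python
"""Toy model of connection distribution in a Maestro-style security group.

Added illustration, not Check Point's code and not the orchestrator's real
algorithm.  Assumed (not from the training): a connection key is hashed to
choose its active SGM, a state-synced backup lives at the same site, and a
dual-site group keeps one more backup at the other site.
"""
import hashlib
from dataclasses import dataclass

MAX_SECURITY_GROUPS = 8            # limits quoted in the training
MAX_SGMS_PER_GROUP = 31
MAX_SGMS_PER_ORCHESTRATOR = 52
MAX_SGMS_PER_DUAL_SITE_GROUP = 14


@dataclass(eq=False)               # identity semantics: one object = one appliance
class Sgm:
    name: str
    site: str
    up: bool = True


def _hash_index(key: str, n: int) -> int:
    """Deterministic slot for a connection key (assumed hashing scheme)."""
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n


class SecurityGroup:
    def __init__(self, name: str, dual_site: bool = False):
        self.name, self.dual_site, self.sgms = name, dual_site, []
        self.table = {}            # connection key -> {"active", "backup", "remote"}

    def add_sgm(self, sgm: Sgm) -> None:
        limit = MAX_SGMS_PER_DUAL_SITE_GROUP if self.dual_site else MAX_SGMS_PER_GROUP
        if len(self.sgms) >= limit:
            raise ValueError(f"{self.name}: limit of {limit} SGMs reached")
        self.sgms.append(sgm)

    def _pick(self, key, site, exclude=(), other_site=False):
        """Choose an up SGM at `site` (or, with other_site, at any other site)."""
        pool = [s for s in self.sgms if s.up and s not in exclude
                and (s.site != site if other_site else s.site == site)]
        return pool[_hash_index(key, len(pool))] if pool else None

    def assign(self, key: str, ingress_site: str = "A") -> dict:
        """First packet of a connection: designate active, backup and remote roles."""
        if key not in self.table:
            active = self._pick(key, ingress_site)
            if active is None:
                raise RuntimeError(f"no SGM up at site {ingress_site}")
            self.table[key] = {"active": active, "backup": None, "remote": None}
            self._repair(key)
        return self.table[key]

    def sgm_down(self, name: str) -> None:
        """An appliance fails (call once per SGM to lose a whole site)."""
        for s in self.sgms:
            if s.name == name:
                s.up = False
        for key in list(self.table):
            self._repair(key)

    def _repair(self, key: str) -> None:
        """Promote a state-synced backup if the active is gone, then refill roles."""
        e = self.table[key]
        if not e["active"].up:
            for role in ("backup", "remote"):
                if e[role] is not None and e[role].up:
                    e["active"] = e[role]
                    break
            else:
                del self.table[key]                 # no synced copy left
                return
        site = e["active"].site
        b = e["backup"]
        if b is None or not b.up or b is e["active"] or b.site != site:
            e["backup"] = self._pick(key, site, exclude=(e["active"],))
        r = e["remote"]
        if self.dual_site and (r is None or not r.up or r.site == site):
            e["remote"] = self._pick(key, site, other_site=True)
        elif not self.dual_site:
            e["remote"] = None


def attach_groups(groups) -> int:
    """Apply the per-orchestrator limits; returns the total SGM count."""
    if len(groups) > MAX_SECURITY_GROUPS:
        raise ValueError("more than 8 security groups on one orchestrator")
    total = sum(len(g.sgms) for g in groups)
    if total > MAX_SGMS_PER_ORCHESTRATOR:
        raise ValueError("more than 52 SGMs connected to the orchestrator")
    return total


def demo():
    """Constructed scenario: dual-site group, active SGM fails, then Site A is lost."""
    sg = SecurityGroup("sg1", dual_site=True)
    for n in ("A1", "A2", "A3"):
        sg.add_sgm(Sgm(n, "A"))
    for n in ("B1", "B2"):
        sg.add_sgm(Sgm(n, "B"))
    key = "10.1.1.5:40001->198.51.100.10:443/tcp"   # constructed connection key
    first = dict(sg.assign(key))
    sg.sgm_down(first["active"].name)               # the active SGM fails
    after_one = dict(sg.table[key])
    for s in sg.sgms:
        if s.site == "A":
            sg.sgm_down(s.name)                     # all of Site A lost
    return first, after_one, dict(sg.table[key])


if __name__ == "__main__":
    for stage in demo():
        print({k: (v.name if v else None) for k, v in stage.items()})
```

Running `demo()` shows the three states the training walks through: a connection owned by an active SGM at Site A with a synced backup beside it and a further backup at Site B; after the active fails, the Site A backup goes active and a new backup is designated; after Site A is lost, the Site B backup goes active and another Site B module becomes its backup.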
There is an accreditation exam that goes along with this Jump Start training. It's available at pearsonvue.com/checkpoint. You don't have to go to a testing center; you can do it from your office or your home. It's proctored via a webcam. The exam number is 156-412. When you successfully pass the exam, then you earn the
So now we're going to go into the demonstration of the Maestro product. We're going to look at how to initially configure and then set up your Maestro deployment and use the security groups in policy. We'll also look at how you monitor these security groups, and we'll also discuss troubleshooting. So thank you for attending this Jump Start training.