Video Transcription

00:00
Hello and welcome to Check Point Jump Start training on the Maestro Hyperscale Network Security solution.
00:09
There is an accreditation exam available after you complete this training.
00:15
To take the exam, go to home.pearsonvue.com/checkpoint. The exam number is 156-412.
00:25
There is a $49 fee to take the exam,
00:29
but the exam is not proctored.
00:32
So you can take it anytime, anywhere. You really just need a web browser.
00:39
Again, this training will be on the Maestro Hyperscale Network Security solution.
00:46
We're going to talk about security groups.
00:49
We will also briefly discuss the option to have a dual-site setup.
00:55
And most of this training will be demonstrations on how to initially configure and then set up,
01:03
manage,
01:03
monitor and troubleshoot your Maestro deployment.
01:08
Maestro has two major types of components. The orchestrator is an appliance
01:17
that acts as a traffic and CPU
01:22
resource allocator, a traffic cop.
01:26
It
01:26
sends packets to specific security gateway modules
01:33
and overall spreads out your traffic load amongst all of the security gateway modules assigned to handle that traffic,
01:42
so it acts as a load balancer and
01:46
also a network switch. Packets that arrive on one port of the orchestrator are switched at Layer 2 to an output port
01:55
with no routing.
01:57
The other major component is
01:59
security gateway modules, and these are just Check Point firewall appliances.
02:04
They have to be compatible with the Maestro product.
02:10
They have to meet certain hardware requirements. Most or all current Check Point appliances are compatible. If you have an older appliance,
02:20
you need to check that.
02:22
The beauty of Maestro is that you can start with your existing appliances,
02:28
cable them into the orchestrator and set up your security group,
02:32
and that's handling your current load. However, over time
02:37
load increases, traffic increases, and you may need to
02:40
enable more CPU-intensive security blades,
02:46
so you can buy additional
02:49
security gateway modules, additional firewall appliances,
02:52
link them into the orchestrator, and assign them to the existing security groups.
02:57
And when that assignment is completed,
03:00
the new security gateway modules will start handling
03:07
their share of the traffic assigned to that security group.
03:13
There are two models of the orchestrator appliance currently: the MHO-140, which has 48
03:21
small form-factor pluggable ports, which
03:25
each can do about 10 gigabits per second, and then eight quad small form-factor pluggable ports, which each can do about 100 gigabits per second. And in the quad ports, you can insert
03:37
a four-way splitter, which gives you four
03:40
small form factor ports so you can increase the number of ports.
03:46
The model 170 has 32
03:49
quad small form-factor pluggable ports, and again
03:53
you can insert a four-way splitter and get four ports.
03:59
That gives you roughly the same number of ports as the 140 if you use splitters in the 170.
04:08
Now, this is a 140 illustrated here; the 170 is similar. The orchestrator appliance
04:15
comes shipped to you with
04:17
the ports allocated for different purposes by default. You can change the purpose of a port.
04:26
By default on the 140, the first four ports are
04:30
designated for management traffic,
04:32
which is your security management server, sending policy updates to security groups or
04:40
you using the web user interface or CLI to change Gaia configuration
04:45
for the security group.
04:46
Then there are uplink traffic ports, and these accept traffic from your various networks, so you have internal networks. You have DMZ, wireless, data center and external networks.
05:00
Those networks are routing traffic, and they get routed
05:04
through the orchestrator,
05:08
which
05:09
switches the incoming packet from the uplink port to the appropriate downlink port
05:15
that your security gateway modules are
05:17
plugged into.
05:19
So for a given connection, the orchestrator will designate a specific downlink port
05:26
that it will switch that traffic out to. And so the security gateway module plugged into that downlink port is responsible for processing the traffic of that connection,
05:36
and
05:38
a second security gateway module is designated to be a backup. So if the active security gateway module for this connection fails,
05:49
the backup will go active. And state synchronization has been done
05:56
between the active and the backup
05:58
to ensure that the state tables connection table
06:01
are up to date.
06:03
You can have two orchestrators in your deployment, and if you do so, you need to plug a synchronization cable between them.
06:14
So the Maestro solution uses the notion of a security group. A security group is a collection of assigned security gateway modules and interfaces.
06:27
When traffic arrives on an uplink
06:30
port that has been assigned to the security group.
06:34
The
06:35
security group will
06:39
receive this traffic. The security group, when you create it, you give it a name, which you're going to use in the security gateway object
06:46
in SmartConsole. You will also provide an IP address and network configuration.
06:53
And that's the IP address that you're going to use in SmartConsole for the
07:00
security gateway object. And you would also use that IP address for the web user interface or secure shell.
07:09
And that IP address virtualizes the fact that there are actually multiple security gateways assigned to that security group.
07:16
One security gateway, known as the single management object, will answer at that
07:23
group's IP address.
07:25
And so you push policy. It goes to that one appliance, the single management object appliance,
07:31
that will receive the policy and then transparently propagate the policy update to the other
07:39
security gateway modules in the security group. Likewise, if you make configuration changes via the web user interface,
07:46
you're making those changes to the security gateway module.
07:49
The other security gateway modules will be transparently given your configuration changes,
07:58
So again, security groups provide a virtualization of the fact that there are actually multiple security gateways in the group.
08:05
Now, for a given connection, it's active/backup: one security gateway module in the group is processing the traffic, the other is being kept up to date.
08:16
However,
08:18
looking at the overall mix of traffic, there are many connections, and so different security gateway modules will be active for different connections,
08:28
and that provides active/active load balancing.
08:31
As I said, when you use a security group, you're using the IP address that you assigned to the security group
08:39
in the SmartConsole security gateway object
08:43
as well as when you're using the web user interface.
08:48
So any changes that you make are propagated from the single management object to the other gateways in the group,
08:56
including hotfixes and Jumbo Hotfixes, if you enable that.
09:01
A security group can also be designated a VSX security group,
09:05
and
09:07
if you do that, then in SmartConsole you'll create a VSX gateway object instead of a regular security gateway object.
09:16
Then, when you deploy virtual systems to that VSX gateway object, those virtual systems will be replicated
09:24
among all of the security gateway modules in the security group.
09:30
Now there are some limits on the security group. There can be up to eight security groups defined total,
09:37
with 31 security gateway modules per group and a total of 52 security gateway modules connected to the orchestrator.
09:45
The orchestrator also provides a dual-site option where you have
09:50
two physically distant sites
09:52
with synchronization between the two sites, and there are limits on tolerable latency and packet loss.
10:00
You can have up to two orchestrators at each site, so a total of up to four orchestrators.
10:07
And the limitation is that there could be up to 14 security gateway modules assigned to a security group
10:16
per site.
10:18
And it is a per-security-group setting whether or not to participate in dual site.
10:24
If you don't enable that for a security group, then at Site A, perhaps, there will be an active security gateway module and a backup.
10:35
If the security group has been configured to use dual site, then, say, at Site A there's an active security gateway module, there's a backup,
10:43
and at Site B there's also a backup security gateway module for this connection, and state synchronization is keeping it updated. So if we lose Site A,
10:54
we can continue to process traffic at Site B.
10:58
That security gateway module will go active, and
11:01
another security gateway module at Site B will be designated backup
11:05
to provide the high availability.
11:09
There is an accreditation exam that goes along with
11:13
this jump start training.
11:16
It's available at pearsonvue.com/checkpoint. You don't have to go to a testing center. You can do it
11:22
from your office or your home. It's proctored via a webcam. The exam number is 156-412. When you successfully pass the exam, then you earn the
11:33
maestro
11:35
accreditation.
11:37
So now we're going to go into the demonstration of the Maestro product.
11:41
We're going to look at how to
11:45
initially configure and then set up your maestro deployment.
11:50
use the security groups in policy. We will also look at how you
11:56
monitor these security groups, and will also discuss troubleshooting.
12:01
So thank you for attending this Jump Start training.

Check Point Jump Start: Maestro Hyperscale Network Security

In this course brought to you by industry leader Check Point, they will cover the Maestro Orchestrator initial installation, and the creation and configuration of a security group via the web user interface and SmartConsole features. This course provides a demonstration of the Maestro product. The course will prepare you for their exam, #156-412, at Pearson VUE.

Instructed By

CheckPoint
Instructor