do something a little bit different now. I'd like to go through some questions and answers
to better improve our understanding of the Maestro solution.
So some basic questions. First, what is a security group?
collection, a group of compute.
So in this case, it would be the security gateway modules,
and network. In this case, it would be the uplink ports,
so compute and network resources.
Next. What is the minimum requirement for a security group?
answers. You have to have at least one appliance
and at least one management port. Now, it's not gonna be very useful if you don't have at least two uplink ports
unless you're using VLANs or something like that.
The next question. What is the orchestrator? The orchestrator manages
a group of compute and network resources.
It is a load balancer.
A new connection comes in. The orchestrator will determine
which security gateway module
associated with this uplink port should handle this connection, and actually
should handle that connection. But there's only one security gateway module plugged in there,
so that security gateway module will be active for that connection, and
the next connection that comes in
should be handled by a different security gateway module, thus spreading the load out and giving active,
And finally, it's a network switch.
on one of the orchestrator's uplink ports.
It determines which downlink port that
packet should be handled by. It switches that packet to that downlink port at Layer 2.
The next question. What licenses should be used or provided for the orchestrator?
No license. You don't need a license for the orchestrator.
You do need a license for the security gateway modules.
is a downlink interface used for?
Downlink interfaces connect
security gateway modules to the orchestrator.
Link Layer Discovery Protocol, LLDP, to, ah,
that I am plugged in to your port, so the orchestrator knows what's plugged in there,
and that's how the gateways over here come to be populated.
Next question. What's the uplink interface used for? The uplink interface
customer site traffic. So your internal networks, your DMZ networks, your wireless access network,
data center network, external networks. All of those are connected to uplink ports.
So if you have a security gateway module,
what's required? What do you have to have? First, it has to be a Check Point appliance,
and that appliance must have
that supports the LLDP protocol but also has to support double VLAN,
a VLAN tag stacked on top of a VLAN.
What's the maximum number of appliances that you can have in a security group?
In a single site deployment, 31.
gonna have up to 31 appliances connected
that are associated with a security group.
In a dual site deployment,
it's 14 security gateways
at each site in that security group.
default range of physical ports for the downlinks
on the orchestrator?
I know the question was about
downlink ports, but I just wanted to go through the port assignment again.
So this is the model 140 of the orchestrator appliance, and it's the front,
and the first 4 ports are by default management ports. And again, those are the ports that you use to manage
the security groups through the single management object.
In the back of the 140 there are ports that you use to manage the appliance, the orchestrator appliance itself.
are by default uplink ports, and that's what you would connect your site traffic to.
So your internal networks, your external networks, etcetera,
and ports 27 through 47,
and those are the ports that you would connect
security gateways to,
with the exception of port 48. Port 48 on the 140 is used to synchronize
the two orchestrator appliances, assuming you have two. It's normal to have two.
Port 48 is sort of set aside for that.
Ports 49 through 56 are all the quad
small form factor ports.
Those are also by default uplink ports,
and again, you can insert a four-way splitter
into those quad ports, but you do it to the top port, and in the top port that disables the port below it.
So you lose that port, but you get
purpose. The designation of, ah, a port on the orchestrator with the command set maestro port, then the port, then type,
and then what kind of port you want it to be, downlink or uplink,
so that you can shift the purpose of a port, for instance, from an uplink port to a downlink port if you need more downlink ports.
So on the model 170 orchestrator appliance,
the ports to manage the orchestrator appliance are on the front;
there's, ah, a serial console and Ethernet.
That's what you would use to manage the orchestrator appliance itself. Now
the management ports for that are the first two ports,
one and two, by default.
Again, that manages the security groups through the single management object.
Ports three through 16 are uplink ports,
and ports 17 through 32 are downlink ports,
except that 32 is actually reserved for synchronization between two orchestrators.
And again, you can change this configuration
using the set maestro command.
And again, if you insert a four-way splitter into one of the quad ports, you do so into the top row,
and that disables the row below it.
Ah, sorry, the port below it.
In this configuration, we're inserting four-way splitters into all of these quad ports.
Now we have four management ports,
uplink ports, downlink ports, and note that you can't insert a four-way splitter into port 31, because doing so would disable port 32, thus disabling synchronization.
Port speed is 100 gigabits
per second by default. You can change that using the set maestro port command.
So earlier I had talked about what are the requirements for a security gateway module to work in a Maestro deployment.
You need a line card
that has support for both the LLDP
Line cards that use copper are not supported.
a security gateway module has both 10 gigabits per second and 40 or 100 gigabits per second
installed on the same appliance, that's not supported.
If you have two security gateway modules, one has one connection to an uplink port
on the orchestrator, the other has two connections
to two uplink ports on the orchestrator,
the traffic, all things being equal, will still be distributed
to those two security gateway modules.
It's another question. What kind of object should you create
the single management object
of the security group? And the answer is you'd create a Check Point gateway object,
not a cluster object.
So I had another question. If you have an appliance that has an
eight-port network interface card in slot three,
what would be the name of port three
of that network interface card?
This is just the output of
single management object.
There is indeed a network interface card in slot three,
and port three of that network interface card
would be eth3-03: just the slot number, dash,
03, which is the port number.
The port numbers start at one
and in this case go up to eight.
Next question. If you have two orchestrators at a site,
those orchestrators work in
The open question. But
what we're trying to say is the orchestrators would work active/active,
so they're both doing work. Plus, they provide
high availability if one fails.
Next. If you have a security group. So I have a security group defined here, and
for this demonstration there's only
security gateway modules in this security group.
In the security group, if, ah, a connection comes in
on some uplink port,
it's an uplink port
that is assigned to the security group, so eth2-05 or eth2-07.
The orchestrator will determine
that packet should be sent to,
using the distribution mode algorithm, which again looks at source IP or destination IP or both, and possibly by default
output of this distribution mode algorithm, a downlink port will be selected,
connected to a security gateway module
assigned in this security group.
The packet will be passed to that security gateway module.
And if this is a new connection, that security gateway module will
run your policy. And if policy says accept this connection,
create state table entries such as in the connections table.
Meanwhile, simultaneously, or during this process, the
active security gateway module that was chosen by the distribution mode algorithm
will itself, the security gateway module, will designate or select
another security gateway module in this same security group,
and it will synchronize
the connections table and other state
table entries to the backup security gateway module.
At the individual connection level,
there's at any point one active,
looking at all of the connections that make up your traffic flow.
Each connection can be designated to a different downlink port in the security group, so a different security gateway
each connection, as long as you chose the distribution mode algorithm
But at the big picture, at the macro level,
all of the security gateway modules should be handling at least some traffic,
and so you get load sharing,
active/active. This security gateway module is active for this connection. This other security gateway module is active for this connection.
multiple security gateway modules
that are talking to each other. For instance, the state synchronization from the active to the backup,
there is a performance
overhead that is incurred, and it's been measured in current versions of Gaia
per security gateway module in the security group.
In this security group there are two security gateway modules;
we would expect to get, ah, 198% of the throughput
of an individual security gateway module, because with two of them
we should expect to get 200%.
per security gateway module
198% of the throughput of a single security gateway module
average for each security gateway
in the security group.
I've already demonstrated this in module two, but I just wanted to quickly go over the workflow for
the point of a new Maestro,
um, configuration. So
the first thing that I need to do is configure the
Ethernet management port.
I do that by plugging into the appliance's serial management port.
I have, ah, a serial terminal emulator. But
I'm also going to attach an Ethernet cable to the appliance,
the Ethernet management port. And again, this is a model 140 orchestrator.
orchestrator appliance management ports are on the back of the appliance.
At this point, I have turned the orchestrator appliance around,
so the front is facing the camera,
and now I'm connecting downlink ports.
In this case I'm only gonna connect one downlink port
our appliance to the orchestrator.
In a production environment, you would probably have multiple line cards. You would probably
I want to make sure that I get link,
and you can see that both appliances have link lights, on both the appliances
and on the orchestrator itself.
So at this point, I have serial connectivity
to the orchestrator appliance.
I want to set up the Ethernet connectivity
to the orchestrator appliance management port. Again, on a model 140
these ports are in the back;
in a model 170 they're in the front, all the way to the right.
the IP address configuration
of the management one port,
and the port is almost certainly already set to on, but why not be sure?
I want to set a default route.
By default, the orchestrator appliance expects to be deployed in pairs,
the synchronization cable between them. If I only have one orchestrator
that I'm going to be using in this deployment,
I need to tell it it's the only one, so it
knows that there's not another appliance it needs to be synchronizing with.
It's very concerned about this, so it wants me to
No video, just a brief blip of the orchestrator while the setting is made.
management Ethernet interface
for managing the orchestrator appliance itself,
set up with network configuration
so that I can connect to the web user interface, and that will be next.
So I started my deployment by
using a serial console cable
management network port, the Ethernet port on the back of the 140 appliance that manages the orchestrator appliance itself.
On the 170s, again, that
management Ethernet port and the serial port would be on the front, on the right.
So using the serial connection, I configured IP address, netmask,
management Ethernet port.
I also, in this example,
I only have one orchestrator, and that's not
the usual case. Typically, there's two.
So since I only have one, I needed to change that orchestrator amount setting
to reflect that. Change it to one.
You have two orchestrators
ship with the orchestrator amount setting at two. You don't need to do that.
connected the appliances to downlink ports of the orchestrator.
Then I browse to the orchestrator's web user interface at the IP address that I configured via the serial console,
and at this point I would create security groups. The security groups I want are already there, so I'm not going to bother with that.
That's sort of the workflow.
Use the serial console to configure the network settings for the Ethernet management port,
configure the orchestrator amount if needed,
connect your security gateway module appliances to the downlink ports,
then fire up your web browser and go to the IP address of the orchestrator appliance that you configured,
log into the web user interface,
and set up the security groups that you need.
Another question. If you have
network interface cards
and each of those cards
has dual 10 gigabit per second ports,
how should you connect your
security gateway module
dual-port 10 gig network interface cards
to the orchestrator appliance?
First of all, if you have
the odd port is plugged in to the first orchestrator.
The even port is plugged in to the second orchestrator.
two-port network interface cards,
you would plug port one of the first card into orchestrator one,
port one of the second card into orchestrator one. And if you have a dual orchestrator deployment,
you would plug port two of the first card into orchestrator two,
port two of the second card into orchestrator two.
network interface card,
such as in the second row,
there's a limitation. In the R80.20 scalable platform, you can only plug
of that card into a given orchestrator.
With Jumbo Hotfix 1 or newer, that limitation is
scalable platform with Jumbo Hotfix 1
or R80.30 scalable platform or newer,
to plug port one and port three of the quad network interface card into the same orchestrator appliance.
To reiterate what I said earlier, if you have
security gateway module appliance
10 gigabit per second network interface card with however many ports
and a 40 gigabit per second network interface card with however many ports,
Another question. What setting
would you need to make or change
in order to connect an appliance with a 40 gig downlink interface
to the orchestrator model 140?
Recall that the orchestrator model 140 has eight
network interface ports,
and those ports are all uplink ports.
If you want to connect a downlink
port, that must be a downlink connection, that must go into one of those
quad ports on the 140, you have to change
the type of the port.
This should be uplink.
It is. Now I can change that to a downlink port.
wants me to verify that this is what I want to do.
I'm not gonna go ahead and finish the command. I just wanted to demonstrate what the command looks like. If you have a breakout cable that is used to convert one of the quad
small form factor ports on the 170 or the 140 into four small form factor connections,
quad end into one of the quad
and it's one of the ones on top, the top row.
The breakout cables go into a port on the top row, and inserting, plugging in a breakout cable into a port on the top row disables
port below it on the second row.
With this breakout cable,
on the other end, you have
connections that you can plug into
four different security gateway modules, for instance. They're all independent network ports, and they show up
network ports in Gaia.
you only have the quad ports,
and so if you connect, ah, a breakout cable to that,
by default only ports one and two are designated
management, for managing the single management object's security group.
You would plug the breakout cable into port one on top. That would disable port two on the bottom,
and you get four different
names of these ports are eth1-Mgmt1,
see from the picture of a physical breakout cable.
cannot be used to connect a single port on an appliance
multiple ports on the orchestrator,
and plugged into a quad port, and you get four
interfaces that you can plug into four different
ports on, again, probably
two or four different
security gateway modules.
Another question is, how do you represent the orchestrator appliance itself?
SmartConsole doesn't see the orchestrator appliance, and neither does the security management server.
entities SmartConsole and the Security Management Server only see
the orchestrator appliance is
providing a view of
number of orchestrators that you can have deployed:
your options are to have
and so the default is one
and change the setting to two.
If you have two sites, you need the same number of orchestrator appliances on each site;
if you have two on site A, you'll have two on site B, for a total of four.
So the answer to what's the maximum amount of orchestrators that you can have in your Maestro deployment in a dual site deployment is four; in a single site deployment, it's two.
distribution mode a couple of times.
The distribution mode selects the algorithm
that determines, for a given packet,
which downlink port that packet should be switched out on,
and thus which security gateway module should process that packet.
see the distribution mode
on the security group single management object,
you can use the show distribution configuration command, and this will show you the system-wide distribution mode,
and the default is manual-general. You can also
show the configuration of a specific
uplink interface. Only uplink interfaces
downlink interfaces, well, they're determined by the distribution mode,
and you can ignore the fact that one of the members is down because it's rebooting.
In this example, the global mode is manual-general, and
this interface takes that
the options for distribution modes are manual-general and auto-topology.
the differences between these
distribution modes: user uses the destination IP of
and by default it looks at the Layer 4 source port.
So those two things you can turn off,
Layer 4, if you want.
the source IP of the packet and the destination port.
Policy uses the topology of that interface as defined in SmartConsole for the
security gateway object,
and then manual-general uses both packet source IP and destination IP
and source and destination Layer 4 ports.
In the R80.30 scalable platform, that default
has been changed. It is now
also using Layer 4.
So I am going to demonstrate
an expert mode command.
This allows you to simulate
a selected distribution mode would do with the packet,
and the usage is fairly simple.
So we'll say a source port of 170. Sorry, source IP of 172.
and a destination IP of 192.168.1.1
and distribution mode of general.
It would be sent out that
So note that, um, user and network,
a different global distribution mode instead of manual-general,
you have to set auto-topology,
so the dxl calc command can be useful to do some what-if scenarios to try to find the distribution mode that
best matches your traffic flow.
dual orchestrator setup, though that's not significant to this question. Could be just one.
And there are four security gateway modules that are connected
to the two orchestrators.
uplink ports on one orchestrator. There's a network connection from the internal network
plugged into the orchestrator on the top. On the second orchestrator, there's an uplink port with a network connection out to the Internet,
and say a packet arrives from an internal desktop.
The orchestrator will populate a matrix table, of size 512, indexed 0 to 511, with
port numbers, the downlink port numbers of the security gateway modules.
In this case there are four security gateway modules, so we
populate each cell with
downlink port of one, downlink port of 2, 3, downlink port of 4, downlink port of 1,
and so on and so on, until we fill up this matrix table.
Then, according to the distribution mode,
as an output of the distribution mode algorithm, and this is essentially a hashing algorithm,
so it works in both directions. If the source and destination
are reversed, it's return traffic.
You get the same hash output
as you would for the original direction traffic.
generates a number between zero and 511.
whatever downlink port
that lands on, whatever downlink. Say it chose
266. That was the output.
That means that we look in
position 266 of this table, and
downlink port 27. So downlink port 27
downlink port to send this traffic to. And say this is a new connection.
We switch the traffic, the packet, to that downlink port. It is received
by the security gateway module,
which runs its policy, and policy resulted in a decision to allow this connection.
state tables are populated with information about this connection.
security gateway module which received the packet on its downlink port is active for this connection.
It, the security gateway module, designates another security gateway module
in the security group to be backup,
and it notifies that security gateway module that it's backup
via, ah, state synchronization, a specific
variant of state synchronization called HyperSync.
two security gateway modules involved,
so the backup security gateway module receives synchronization updates from the active as the connection progresses.
Meanwhile, the active
routed the packet out. It is sent through its downlink port
to the other orchestrator, which switches that outgoing packet to an uplink port where the Internet network is connected.
So for a given connection, there's going to be
security gateway modules
that will be aware of that connection.
the other is backup.
Now that's at the connection level. At the security group level,
you've got a lot of different connections coming into the orchestrators,
and the orchestrators are determining
different downlink ports
for those connections. And that spreads the work out amongst those downlink ports and thus amongst those security gateway modules.
the macro level, at a high level, this is
active/active load sharing, because all of the security gateway modules
are all taking some load.
In current versions of the scalable platform version of Gaia,
there's 1% of the performance of each security gateway module in the security group
used for synchronization and other tasks.
In this example, with four security gateway modules in the security group, there would be
the, ah, if one security gateway module can maintain
10 gigabits per second of throughput,
you would expect four
to be able to maintain 40 gigabits per second of throughput,
four percent of that due to
doing the synchronization.
In your deployment, you may have NAT policy,
and if that's the case, we have to account for the fact that
while the original traffic may be distributed to one downlink port,
NATed traffic may be distributed to a different downlink port.
In this example, we have a packet that arrives on an uplink interface, and the distribution algorithm determines that
the downlink interface to handle this packet is
So whichever security gateway module is
plugged into port 27, in this case security gateway module number one,
it's going to be the active security gateway
for this connection.
If this is a new connection, security gateway module one will run its policy, and
we have, ah, a policy decision of accept the traffic.
that policy which matches, so we're going to rewrite
source or destination.
Even without the NAT, we would still need to determine
a backup security gateway,
and we determined that will be security gateway module number two. So we synchronize the connection details to security gateway module number two.
We also calculate that security gateway module
three is going to be active for the NATed traffic.
So the original packet comes from 1.1.1.10. NATed traffic is going to be coming from 2.2.2.254. According to the distribution mode that's active,
the packets will be handled, the NATed packets will be handled, by security gateway module three.
Security gateway module one, which is active for the original
connection, the original packets,
must also synchronise connection details
to security gateway module three, which will be active for the NATed traffic.
So it does that. It updates security gateway module number three. And when security gateway module number three receives this update,
which security gateway module will be backup
for the NATed traffic.
determined that that's going to be, in this example, security gateway module number one.
Security gateway module number one is active for the original packets. It's backup for the NATed packets. It could easily have been any other security gateway module in the security group, except for security gateway module number three, since it was active.
routed through Layer 3 and sent on its way to the destination.
Ultimately the destination sends a response packet. The response packet is then
checked by the distribution mode, which determines that
this packet should be handled by the security gateway module attached to downlink port 29,
and that is security gateway module number three.
So the packet is sent to
the security gateway module attached to 29, security gateway module number three,
which itself determines that the backup for this connection should be security gateway module one. Note that both one and three were able to arrive
at this answer. One was able to determine that three is going to be active for the NATed traffic.
The packet is then forwarded
to the active gateway for the original traffic through the correction layer,
because we want all of the packets, NATed and not, to be processed by the same security gateway module,
keep all the state table information in one place.
So the packet is forwarded over the correction layer to security gateway module one
by security gateway module number three. Note that the orchestrator doesn't know NAT,
so it did not know that the NATed packets should be sent
to security gateway module one.
It determined security gateway module three. So it's up to the security gateway modules themselves to correct this
and ensure that the NATed packets are sent to
the active security gateway
for the original connection.
Security gateway module three does that, forwards the packet to security gateway module one.
is then processed by security gateway module one.
Security gateway module one synchronizes the state of the connection with this new packet
to the backup of the original connection, security gateway module two,
and then sends the packet off
to its next destination, which in this case is the internal desktop host.
It's a lot of moving parts.
There are a couple of commands to see the statistics of the corrections table.
cphaprob corr will show you how many corrections are currently
Also, the connections table has an additional entry.
There's a note that says
original owner of this traffic is this security gateway module.
So if you need to calculate the minimum or maximum number of security gateway modules that may have
for a given connection,
the minimum would be two. There's going to be an active and a backup.
However, if NAT is involved,
then there could be three, and we have some overlap: one of the actives or backups is also an active or backup for the NATed traffic,
or four, if there's no overlap,
so one security gateway module is active for the original, another is backup for the original, ah, a third one is active for the NATed, ah, a fourth one is active, active for the backup.
So between two and four security gateway modules may know about
a connection, may be getting synchronized with details about the connection.
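To make the distribution matrix, the direction-independent hash and the correction-layer hop for NATed traffic concrete, here is an added Python model written for this page; it is not Check Point's code or the orchestrator's real algorithm. It assumes four security gateway modules on constructed downlink ports 27 to 30, a commutative sum as a stand-in for the undocumented hash, and a next-in-ring backup rule, all of which are assumptions.

```python
# Added example, not Check Point code: a toy model of the 512-slot matrix,
# the direction-independent hash, the per-connection active/backup roles
# and the correction-layer hop for NATed traffic described in the lecture.
# Assumptions (constructed): four security gateway modules on downlink
# ports 27-30, a commutative sum as a stand-in for the real hash, and
# "next module in the ring" as the backup selection rule.
from ipaddress import IPv4Address

MATRIX_SIZE = 512                            # slots 0..511, as in the lecture
DOWNLINK_PORTS = [27, 28, 29, 30]            # constructed: SGM1..SGM4
SGM_BY_PORT = {27: 1, 28: 2, 29: 3, 30: 4}   # constructed downlink -> SGM


def build_matrix(ports):
    """Fill the table round-robin: port 1, port 2, ..., port n, port 1, ..."""
    return [ports[i % len(ports)] for i in range(MATRIX_SIZE)]


def distribution_index(src, dst, sport, dport, mode="manual-general"):
    """Toy stand-in for the distribution hash. Addition is commutative, so a
    packet with source and destination swapped (the reply) lands on the same
    slot. manual-general covers both IPs and both Layer 4 ports; ip-only
    models the address-only modes."""
    total = int(IPv4Address(src)) + int(IPv4Address(dst))
    if mode == "manual-general":
        total += sport + dport
    return total % MATRIX_SIZE


def select_downlink(matrix, src, dst, sport, dport, mode="manual-general"):
    """Downlink port the orchestrator switches this packet to at Layer 2."""
    return matrix[distribution_index(src, dst, sport, dport, mode)]


def backup_for(active_sgm, n_modules):
    """Constructed rule: the active module picks the next one in the ring."""
    return active_sgm % n_modules + 1


def connection_roles(matrix, orig, nat_src=None):
    """orig = (src, dst, sport, dport) of the first packet; nat_src is the
    translated source if a NAT rule matched. Returns the roles and the set
    of modules that hold state for the connection (between 2 and 4)."""
    n = len(SGM_BY_PORT)
    active = SGM_BY_PORT[select_downlink(matrix, *orig)]
    roles = {"active": active, "backup": backup_for(active, n)}
    if nat_src is not None:
        _, dst, sport, dport = orig
        nat_active = SGM_BY_PORT[select_downlink(matrix, nat_src, dst, sport, dport)]
        roles["nat_active"] = nat_active
        roles["nat_backup"] = backup_for(nat_active, n)
    roles["holders"] = set(roles.values())
    return roles


def reply_path(matrix, roles, reply):
    """reply = (src, dst, sport, dport) of the return packet as it arrives on
    the uplink (NATed addresses). The orchestrator knows nothing about NAT,
    so it switches by hash alone; the module that receives the packet then
    forwards it over the correction layer to the original owner if that is
    a different module, so all state stays in one place."""
    landed = SGM_BY_PORT[select_downlink(matrix, *reply)]
    hops = [("downlink", landed)]
    if landed != roles["active"]:
        hops.append(("correction-layer", roles["active"]))
    return hops


if __name__ == "__main__":
    matrix = build_matrix(DOWNLINK_PORTS)
    # Constructed packet: internal desktop to a web server, source NATed.
    orig = ("1.1.1.10", "192.168.1.1", 40001, 80)
    roles = connection_roles(matrix, orig, nat_src="2.2.2.252")
    print("roles:", roles)
    print("reply:", reply_path(matrix, roles, ("192.168.1.1", "2.2.2.252", 80, 40001)))
```

Varying the constructed NAT address (2.2.2.251 or 2.2.2.254 in place of 2.2.2.252) lands the NATed flow on a module that already holds state, which reproduces the three- and two-module overlap cases.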
In a VSX deployment, you have, ah, a security group, in this example with
three security gateway modules in the group,
and it's a VSX group.
You've created a VSX gateway object in SmartConsole,
and in that you've created
three virtual systems.
Note that the virtual systems are on all of the security gateway modules in the group.
attached to that security group,
orchestrator will determine which downlink port should handle that traffic,
to that downlink port, which is active for that connection.
That security gateway module will determine
which other security gateway module should be backup for the traffic and synchronize that.
The security gateway modules will determine which virtual system that packet belongs to,
and that virtual system will then process the packet.
One virtual system will be active, the one on security gateway module one. The other will be backup
for this connection,
and as more connections arrive,
they will be distributed to
the other security gateway modules. Some will be active, some will be backup.
So overall there will be a mix of distribution of the traffic, and again that provides
active/active load sharing.
On the single management object of, ah, a security group,
in expert mode, there's a command g_all.
What this command does is you give it a command to run,
so I'll do something innocuous,
and this runs that command on all of the currently up
members of the security group
and displays their output back here.
And in this case right now, there's only one
member that's up in this demonstration,
and I get the output nicely collated by the
member which contributed that output.
So the g_all command is a general version of
the global commands that are available
on Gaia under scalable platform.
Note that there's g_cpstop, g_cpstart, for example,
and there's actually, ah, g_uptime. So
using g_all was perhaps a bit of an overkill.
Anyway, a useful command for running the same command on all of the members of the security group,
specifically the g_tcpdump command,
and this does, as you would expect, run tcpdump with the arguments that you provide
on all of the members that are currently up in the security group.
Another useful command, asg perf,
and this shows you aggregated statistics of all the security gateway modules in the security group.
Give you more details.
This will show you a lot of information. Note it doesn't show you information about the orchestrators,
security gateway modules in the security group.
will run various diagnostics for you,
system diagnostics. So asg diag list
list all of the possible diagnostics.
So this is, ah, a useful command to see
various, 28 in this list,
different diagnostics that are run
in your security group
on the single management object of a security group.
will show you real time status
of the security gateway modules in the security group.
And again, I have one security gateway module which is down right now,
and that's useful information to know.
Now I'm on a VSX security group because I wanted to show
this command, asg perf -vs all,
so display information about all virtual systems and be very verbose about it.
So this command will
look at all of the security gateway modules in the security group
and show you the virtual systems that are defined
and the throughput, the connection rate of those virtual systems.
Now I'm in the command line interface of the orchestrator itself,
and there are some commands here that are useful.
This command, for instance, will
show you the status of the ports of the orchestrator: which ports are plugged in, which ports are administratively down, etcetera.
So you would run this command on the orchestrator, not in the single management object of a security group.
lldpctl, Link Layer Discovery Protocol ctl, one word,
the devices that have been discovered by the Link Layer Discovery Protocol.
One thing that it doesn't show you is the distribution mode of the system or of a specific interface.
You have to use show distribution for that.
show you diagnostic information about the orchestrator.
take a while to run,
collect a lot of information,
put it in an archive file.
So pause while this runs.
So this command has finished executing;
you can see the contents of the file. It pulled in a lot of log data
from various diagnostic commands that were executed.
downlink connection between the orchestrator and, ah, a security gateway module
carries a lot of information, and these,
this information is isolated in VLANs, virtual LANs.
So, for instance, if you have traffic that arrived on an uplink port
that is to be handled by the security gateway module, that traffic will be forwarded
to the security gateway module
will be 10 to 3 plus the port number
on the orchestrator.
Then the synchronization VLAN:
the default IP address there is 192.0.2.
The last octet, the last part of the IP address, is determined by the security gateway module, or depends on the security gateway module.
That synchronization network is used to synchronize configuration and also used for state synchronization.
And there's the chassis internal network,
VLAN of 3900 plus the number of the security gateway,
and the IP addresses are in the 198.51.100 range,
and then the correction layer, the correction layer uses a VLAN of 3700 plus the gateway number.
Well, that's enough questions and answers.
Thank you very much for attending this module.