Video Transcription

00:01
I'd like to do something a little bit different now. I'd like to go through some questions and answers to help better improve our understanding of the Maestro solution.
00:14
So some basic questions. First, what is a security group? A security group is a logical collection, a group of compute. So in this case, it would be the security gateway modules, and in the network's case, it would be the uplink ports. So compute and network resources.
00:38
Next: what is the minimum requirement for a security group? Answer: you have to have at least one appliance and at least one management port. Now, it's not gonna be very useful if you don't have at least two uplink ports, unless you're using VLANs or something like that.
01:00
The next question: what is the orchestrator? The orchestrator manages the logical group of compute and network resources.
01:14
It is a load balancer. A new connection comes in; the orchestrator will determine which security gateway module, in association with this uplink port, should handle this connection, and actually calculates which downlink port should handle that connection. But there's only one security gateway module plugged in there, so that security gateway module will be active for that connection, and the next connection that comes in should be handled by a different security gateway module, thus spreading the load out and giving active/active.
01:56
And finally, it's a network switch. A packet arrives on one of the orchestrator's uplink ports. It determines which downlink port that packet should be handled by. It switches that packet to that downlink port at layer 2.
02:13
The next question: what licenses should be used or provided for the orchestrator? And the answer is no licenses; you don't need a license for the orchestrator. You do need the license for the security gateway modules.
02:30
Then, what is a downlink interface used for? Downlink interfaces connect security gateway modules to the orchestrator. Again, it uses this Link Layer Discovery Protocol, LLDP, to announce "I am plugged in to your port," so the orchestrator knows what's plugged in there, and that's how the gateways over here come to be populated.
03:02
Next question: what's the uplink interface used for? The uplink interface handles customer site traffic. So your internal networks, your DMZ networks, your wireless access network, data center network, external networks: all of those are connected to uplink ports.
03:25
So if you have a security gateway module, what's required? What do you have to have? First, it has to be a Check Point appliance, and that appliance must have an interface card that supports the LLDP protocol but also has to support double VLAN, a VLAN tag stacked on top of a VLAN.
03:53
What's the maximum number of appliances that you can have in a security group? In a single-site deployment, 31. You can have up to 31 appliances connected that are associated with a security group. In a dual-site deployment, it's 14 security gateways at each site in that security group.
04:20
So, what's the default range of physical ports for the downlinks on the orchestrator? Let me show you. I know the question was about specific ports, but I just wanted to go through the port assignment again.
04:42
So this is the model 140 of the orchestrator appliance, and it's the front, and the first 4 ports are by default management ports. And again, those are the ports that you use to manage the security groups through the single management object. In the back of the 140 there are ports that you use to manage the appliance, the orchestrator appliance itself.
05:06
Next, ports 5 to 26 are by default uplink ports, and that's what you would connect your site traffic to. So your internal networks, your external networks, etcetera. And ports 27 through 47 are downlink ports, and those are the ports that you would connect the security gateways to.
05:30
With the exception of port 48: port 48 on the 140 is used to synchronize the two orchestrator appliances, assuming you have two. It's normal to have two, so port 48 is sort of set aside for that. And then ports 49 through 56 are all the quad small form factor ports. Those are also by default uplink ports, and again, you can insert a four-way splitter into those quad ports, but you do it to the top port, and that disables the port below it. So you lose that port, but you get four new ports.
06:16
And you can change the purpose, the designation, of a port on the orchestrator with the command set maestro port, then the port number, then type, and then what kind of port you want it to be: downlink, uplink or management. So you can shift the purpose of a port, for instance, from an uplink port to a downlink port if you need more downlink ports.
06:46
So on the model 170 orchestrator appliance, over on the right, the ports to manage the orchestrator appliance are on the front, not the back. Again, these ports, there's a serial console and Ethernet, are what you would use to manage the orchestrator appliance itself. Now, to manage the security groups, the management ports for that are the first two ports, one and two, by default. Again, that manages the security groups through the single management object.
07:28
And then ports 3 through 16 are uplink ports, and ports 17 through 32 are downlink ports, except that 32 is actually reserved for synchronization between two orchestrators. And again, you can change this configuration using the set maestro command.
07:56
And again, if you insert a four-way splitter into one of the quad ports, you do so into the top row, and that disables the row below it, or sorry, the port below it. So in this configuration, we're inserting four-way splitters into all of these quad ports. Now we have four management ports, and then four per uplink port, four per downlink port, and note that you can't insert a four-way splitter into port 31, because doing so would disable port 32, thus disabling synchronization.
08:41
Port speed is 100 gigabits per second by default. You can change that using the set maestro port command.
08:50
So earlier I had talked about what the requirements are for a security gateway module to work in a Maestro deployment. You need a line card that has support for both LLDP and dual VLAN. Also, line cards that use copper are not supported. And if you have a security gateway module that has both 10 gigabits per second and 40 or 100 gigabits per second installed on the same appliance, that's not supported.
09:37
If you have two security gateway modules, one has one connection to an uplink port on the orchestrator, the other has two connections to two uplink ports on the orchestrator, the traffic, all things being equal, will still be distributed 50/50 to those two security gateway modules.
10:03
Here's another question: what kind of object should you create to represent the single management object of the security group? And the answer is you'd create a Check Point Gateway object, not a cluster object.
10:22
So I had another question. If you have an appliance that has an eight-port network interface card in slot three, what would be the name of port three of that network interface card? This is just the output of ifconfig on the single management object CLI, and you can see that there is indeed a network interface card in slot three, and port three of that network interface card would be eth, capital B, capital P, 3, just the slot number, dash 03, which is the port number. The port numbers start at one and in this case go up to eight.
11:16
Next question: if you have two orchestrators at a site, those orchestrators work in what mode? It's an open question, but what we're trying to say is the orchestrators would work active/active, so they're both doing work. Plus, they provide high availability if one fails.
11:43
Next: if you have a security group. So I have a security group defined here, and for this demonstration there are only two security gateway modules in this security group. But in the security group, if a connection comes in to the orchestrator on some uplink port, and it's an uplink port that is assigned to the security group, so eth2-05 or eth2-07, the orchestrator will determine which downlink port that packet should be sent to. And it does that by doing the distribution mode algorithm, which again looks at source IP or destination IP or both, and possibly, by default, will look at ports as well.
12:41
So, based on the output of this distribution mode algorithm, a downlink port will be selected which is connected to a security gateway module assigned in this security group.
13:00
And so the packet will be passed to that security gateway module. And if this is a new connection, that security gateway module will run your policy, and if policy says accept this connection, create state table entries such as in the connections table. And meanwhile, simultaneously, or during this process, the active security gateway module that was chosen by the distribution mode algorithm will itself designate or select another security gateway module in this same security group to be the backup for this connection, and it will synchronize the connections table and other state table entries to the backup security gateway module.
14:00
So at the individual connection level, there's at any point one active. However, looking at all of the connections that make up your traffic flow, each connection can be designated to a different downlink port in the security group, so a different security gateway module will handle each connection, as long as you chose the distribution mode algorithm wisely. But at the big picture, at the macro level, all of the security gateway modules should be handling at least some traffic. And so you get load sharing, active/active: this security gateway module is active for this connection, this other security gateway module is active for this connection.
14:56
When you have multiple security gateway modules that are talking to each other, for instance the state synchronization from the active to the backup, there is a performance overhead that is incurred, and it's been measured in current versions of Gaia to be roughly 1% per security gateway module in the security group.
15:28
So in this security group there are two security gateway modules; we would expect to get 198% of the throughput of an individual security gateway module, because with two of them we should expect to get 200%, but there's that 1% per security gateway module overhead. So 198% of the throughput of a single security gateway module here, 99% average for each security gateway in the security group.
16:10
Next. I've already demonstrated this in module two, but I just wanted to quickly go over the workflow for the deployment of a new Maestro configuration. So the first thing that I need to do is configure the appliance Ethernet management port. I do that by plugging into the appliance serial management port, and I have a serial terminal emulator. But while I'm here, I'm also going to attach an Ethernet cable to the appliance, the Ethernet management port. And again, this is a model 140 orchestrator.
16:56
So the orchestrator appliance management ports are on the back of the appliance. At this point, I have turned the orchestrator appliance around so the front is facing the camera, and now I'm connecting downlink ports. So I have two appliances, and in this case I'm only gonna connect one downlink port per appliance to the orchestrator. In a production environment, you would probably have multiple line cards; you would probably have redundant downlink ports. So I want to make sure that I get link, and you can see that both appliances have link lights, on both the appliances and on the orchestrator itself.
17:49
So at this point, I have serial connectivity to the orchestrator appliance. I want to set up the Ethernet connectivity to the orchestrator appliance management port. Again, on a model 140 those ports are in the back; on a model 170 they're in the front, all the way to the right. I want to set the IP address configuration of the management one port,
18:45
and the port is almost certainly already set to on, but why not be sure?
18:49
I want to set a default route. And by default, the orchestrator appliance expects to be deployed in pairs, with a synchronization cable between them. If I only have one orchestrator that I'm going to be using in this deployment, I need to tell it it's the only one, so it knows that there's not another appliance it needs to be synchronizing with.
20:03
And it's very concerned about this, so it wants me to provide justification. No video, just a brief blip of the orchestrator while the setting is made, and then it's ready to go.
20:29
So now I have the management Ethernet interface for managing the orchestrator appliance itself set up with network configuration, so that I can connect to the Web user interface, and that will be next.
20:48
So I started my deployment by using a serial console cable to configure the management network port, the Ethernet port on the back of the 140 appliance that manages the orchestrator appliance itself. On the 170s, again, that management Ethernet port and the serial port would be on the front, on the right. So using the serial connection, I configured IP address, netmask, default gateway for the management Ethernet port.
21:29
Also, in this example, I only have one orchestrator, and that's not the usual case. Typically, there are two. So since I only have one, I needed to change that orchestrator amount setting to reflect that; change it to one. If you have two orchestrators, they ship with the orchestrator amount setting at two; you don't need to do that.
21:53
So then I connected the appliances to downlink ports of the orchestrator. And then I browsed to the orchestrator's Web user interface at the IP address that I configured via the serial console, and at this point I would create security groups. The security groups I want are already there, so I'm not going to bother with that.
22:22
That's sort of the workflow. Use the serial console to configure the network settings for the Ethernet management port, then configure the orchestrator amount if needed. Connect your security gateway module appliances to the downlink ports. Then fire up your Web browser and go to the IP address of the orchestrator appliance that you configured, log into the Web user interface and set up the security groups that you need.
23:00
Another question: if you have two network interface cards, and each of those cards has dual 10 gigabit per second ports, how should you connect your security gateway module with these two dual-port 10 gig network interface cards to the orchestrator appliance? First of all, if you have two ports, the odd port is plugged in to the first orchestrator; the even port is plugged in to the second orchestrator.
23:44
So if you have, in this case, two two-port network interface cards, you would plug port one of the first card into orchestrator one, port one of the second card into orchestrator one. Then, if you have a dual orchestrator deployment, you would plug port two of the first card into orchestrator two, port two of the second card into orchestrator two.
24:14
Now, if you have a quad network interface card, such as in the second row, there's a limitation. In R80.20 scalable platform, you can only plug one port of that card into a given orchestrator. With Jumbo Hotfix 1 or newer, that limitation is lifted. So if you have R80.20 scalable platform with Jumbo Hotfix 1, or R80.30 scalable platform or newer, then it is supported to plug port one and port three of the quad network interface card into the same orchestrator appliance.
25:11
To reiterate what I said earlier: if you have a security gateway module appliance that has a 10 gigabit per second network interface card with however many ports and a 40 gigabit per second network interface card with however many ports, it is not supported for use with an orchestrator.
25:37
Another question: what setting would you need to make or change in order to connect an appliance with a 40 gig downlink interface to the orchestrator model 140? Recall that the orchestrator model 140 has eight 40 to 100 gig network interface ports on the right, and those ports are all uplink ports. If you want to connect a downlink port, a downlink connection that must go into one of those quad ports on the 140, you have to change the type of the port.
26:25
So, this should be uplink. It is. Now I can change that to a downlink port, and again, it wants me to verify that this is what I want to do.
27:03
I'm not gonna go ahead and finish the command; I just wanted to demonstrate what the command would look like. If you have a breakout cable that is used to convert one of the quad small form factor ports on the 170 or the 140 into four small form factor connections, you would plug the quad end into one of the quad ports, and it's one of the ones on top, the top row. The breakout cables go into a port on the top row, and plugging a breakout cable into a port on the top row disables the port below it on the second row.
27:51
With this breakout cable installed, on the other end you have four independent connections that you can plug into four different security gateway modules, for instance. They're all independent network ports, and they show up as logically distinct network ports in Gaia.
28:19
On the model 170 you only have the quad ports, and so if you connect a breakout cable to that: by default only ports one and two are designated management, for managing the single management object security group port, and you would plug the breakout cable into port one on top. That would disable port two on the bottom, and you get four different management ports. And the names of these ports are eth1-Mgmt1, 2, 3 and 4.
29:02
You can just see from the picture of a physical breakout cable: a breakout cable cannot be used to connect a single port on an appliance to multiple ports on the orchestrator; you can't go from 4 to 1. Instead, you get a breakout cable, quad, and plug it into a quad port, and you get four small form factor interfaces that you can plug into four different ports on, again, probably two or four different security gateway modules.
29:52
Another question is, how do you represent the orchestrator appliance itself in SmartConsole? The answer is you don't. SmartConsole doesn't see the orchestrator appliance, and neither does the Security Management Server. Those entities, SmartConsole and the Security Management Server, only see the security groups that the orchestrator appliance is providing a view of.
30:22
What's the maximum number of orchestrators that you can have deployed? Well, for one site, your options are to have one or two orchestrators for that site. You can also have two sites, and so the default is one, and you change the setting to two. If you have two sites, you need the same number of orchestrator appliances on each site, and so if you have two on site A, you'll have two on site B, for a total of four. So the answer to what's the maximum amount of orchestrators that you can have in your Maestro deployment: in a dual-site deployment it's four, and in a single-site deployment it's two.
31:33
I've mentioned
31:33
this
31:34
distribution mode a couple of times.
31:38
The distribution mode selects the algorithm
31:41
that determines for a given packet
31:47
which down Lakeport that package should be switched out on,
31:52
and thus which security Gateway module should process that packet.
31:59
So if you want to
32:01
see the distribution mode
32:05
on the security group single management object,
32:08
you can use the show distribution configuration command, and this will show you the system wide distribution mode.
32:19
And the default is manual. Gen. General. You can also
32:24
show the configuration of a specific
32:28
up link interface. Onley Uplink interfaces
32:31
is down leak interfaces. Well, they're determined by the distribution mode,
32:38
and you can ignore the fact that one of the members is down because it's rebooting.
32:44
In this example, the global mode is manual dash General and
32:52
this interface takes that
32:54
the fault setting
33:05
At a system level, the options for distribution modes are manual-general and auto-topology. At the interface level, you can set it to user, network or policy. The differences between these distribution modes: user uses the destination IP of the packet, and by default it looks at the layer 4 source port. So those two things; you can turn off layer 4 if you want. Network uses the source IP of the packet and the destination port. Policy uses the topology of that interface as defined in SmartConsole for the security gateway object. And then manual-general uses both packet source IP and destination IP, and source and destination layer 4 ports.
34:37
In R80.30 scalable platform, the default has been changed. It is now auto-topology, also using layer 4.
34:52
So I am going to demonstrate an expert mode command, dxl calc. This allows you to simulate what a selected distribution mode would do with the packet: dxl calc, and the usage is fairly simple. So we'll say a source port of 170, sorry, source IP of 172.31.1.1 and a destination IP of 192.168.1.1, and distribution mode of general. It would be sent out that downlink port.
35:58
So note that for user and network, you have to set a different global distribution mode; instead of manual-general, you have to set auto-topology. So this dxl calc command can be useful to do some what-if scenarios to try to find the distribution mode that best matches your traffic flow.
36:29
Next question. I have a dual orchestrator setup, though that's not significant to this question; it could be just one. And there are four security gateway modules that are connected to the two orchestrators. I also have uplink ports on one orchestrator: there's a network connection from the internal network plugged into the orchestrator on the top. On the second orchestrator, there's an uplink port with a network connection out to the Internet plugged in. And say a packet arrives from an internal desktop.
37:15
The orchestrator will populate a matrix table, 0 to 511, so 512 total slots, and populates it with port numbers, the downlink port numbers of the security gateway modules that are attached. In this case there are four security gateway modules. So we populate each cell with downlink port of one, downlink port of two, three, downlink port of four, downlink port of one, and so on and so on, until we fill up this matrix table.
37:58
Then, according to the distribution mode, we get an output of the distribution mode algorithm. This is essentially a hashing algorithm in its design, so it works in both directions: if the source and destination are reversed, it's return traffic, you get the same hash output as you would for the original direction traffic. So the distribution algorithm generates a number between zero and 511, and whatever downlink port that lands on; say it chose 266, that was the output. That means that we look in position 266 of this table, and there's downlink port 27. So downlink port 27 is designated the downlink port to send this traffic to, and say this is a new connection.
39:06
We switch the traffic in the packet to that down Lakeport. It is received
39:13
by the security Gateway module,
39:15
which runs its policy and policy, resulted in a decision to allow this connection.
39:22
So
39:23
state tables air populated with information about this connection.
39:29
The
39:30
security gateway module, which received the packet on its down Lakeport, is active for this connection.
39:37
It the security Gateway module designates another security gateway module
39:44
in the security group to be back up,
39:46
and it notifies that security gateway module that it's back up
39:51
be ah state synchronization, a specific
39:54
variant of state synchronization called hyper sink.
39:58
Since there's
40:00
Onley
40:00
two security Gateway modules involved,
40:05
so the backup security Gateway module receives synchronization updates from the active as the connection progresses.
40:14
Meanwhile, the active
40:16
has
40:17
routed the packet out. It is sent through its down leak port
40:22
to the other orchestrator, which switches that outgoing packet to an up link or where the Internet network is connected.
40:34
So for a given connection, there are going to be two security gateway modules that will be aware of that connection. One is active, the other is backup. Now, that's at the connection level. At the security group level, you've got a lot of different connections coming into the orchestrators, and the orchestrators are determining different downlink ports for those connections. And that spreads the work out amongst those downlink ports, and thus amongst those security gateway modules. So at the macro level, at a high level, this is active/active load sharing, because all of the security gateway modules are processing traffic, are all taking some of the load.
41:34
In current versions of the scalable platform version of Gaia, there's 1% of the performance of each security gateway module in the security group that is used for synchronization and other tasks, not for processing the site traffic. In this example with four security gateway modules in the security group, there would be four percent overhead, and if one security gateway module can maintain 10 gigabits per second of throughput, you would expect four to be able to maintain forty gigabits per second of throughput, but you would lose four percent of that to the overhead of doing the synchronization.
42:30
In your deployment, you may have NAT policy, and if that's the case, we have to account for the fact that while the original traffic may be distributed to one downlink port, NATed traffic may be distributed to a different downlink port. In this example, we have a packet that arrives on an uplink interface, and the distribution algorithm determines that the downlink interface to handle this packet is port 27. So whichever security gateway module is plugged into port 27, in this case security gateway module number one, is going to be the active security gateway for this connection.
43:16
If this is a new connection, security gateway module one will run its policy, and we have a policy decision of accept the traffic. We also have a NAT policy which matches, so we're going to rewrite source or destination. Well, even without the NAT, we would still need to determine a backup security gateway, and we determined that will be security gateway module number two. So we synchronize the connection details to security gateway module number two. We also calculate that security gateway module three is going to be active for the NATed traffic. So the original packet comes from 1.1.1.10; NATed traffic is going to be coming from 2.2.2.254. According to the distribution mode that's active, the NATed packets will be handled by security gateway module three.
44:20
So security gateway module one, which is active for the original connection, the original packets, must also synchronize connection details to security gateway module three, which will be active for the NATed traffic. So it does that; it updates security gateway module number three. And when security gateway module number three receives this update, it determines which security gateway module will be backup for the NATed traffic. So we determined that that's going to be, in this example, security gateway module number one. So security gateway module number one is active for the original packets; it's backup for the NATed packets. It could easily have been any other security gateway module in the security group, except for security gateway module number three, since it was active.
45:29
Then,
45:30
the packed it is
45:31
routed through layer three and sent on its way to the destination,
45:37
and
45:37
ultimately the destination sends a response packet. The response pack. It is then
45:45
checked by the distribution mode, which determines that
45:52
this packet should be handled by the security gateway module attached to downlink port 29.
46:00
And that is security Gateway module number three.
46:05
So the packet is sent to
46:08
the Security Gateway Module attached to 29, Security Gateway Module number three,
46:14
which itself determines that the backup for this connection should be Security Gateway Module one. Note that both one and three were able to arrive
46:24
at this answer. One was able to determine that three is going to be active for the NATed traffic.
46:34
The packet is then forwarded
46:37
to the active gateway for the original traffic through the correction layer.
46:45
Because we want all of the packets, NATed and not, to be processed by the same security gateway module.
46:53
Keep all the state table information in one place,
46:58
so the packet is forwarded over the correction layer to Security Gateway Module one
47:04
by Security Gateway Module number three. Note that the orchestrator doesn't know NAT,
47:09
so it did not know that the NATed packet should be sent
47:14
to Security Gateway Module one.
47:17
It determined security Gateway Module three. So it's up to the security gateway modules themselves to correct this
47:27
decision
47:28
and ensure that the NATed packets are sent to
47:32
the active security gateway
47:36
for the original connection
47:37
Security Gateway Module three does that; it forwards the packet to Security Gateway Module one,
47:44
and
47:45
that packet
47:46
is then processed by Security Gateway Module one.
47:52
Security Gateway Module one synchronizes the state of the connection with this new packet
48:00
to the backup of the original connection, Security Gateway Module two,
48:06
and then sends the packet off
48:07
to its next destination, which in this case is the internal desktop host.
48:15
It's a lot of moving parts.
48:16
There are a couple of commands to see the statistics of the corrections table.
48:25
cphaprob corr will show you how many corrections are currently
48:34
occurring,
48:35
and
48:37
also the connections table has an additional entry.
48:40
There's a note that says
48:43
the
48:44
original owner of this traffic is this security gateway module.
48:53
So if you need to calculate the minimum or maximum number of Security Gateway Modules that may have
49:02
synchronization
49:05
for a given connection,
49:07
the minimum would be two. There's going to be an active and a backup.
49:12
However, if NAT is involved,
49:15
then there could be three, and we have some overlap: one of the actives or backups is also an active or backup for the NATed traffic,
49:25
or four, if there's no overlap,
49:28
so one security gateway module is active for the original, another is backup for the original, ah, a third one is active for the NATed, ah, a fourth one is backup for the NATed.
49:38
So between two and four security gateway modules may know about
49:44
a connection, may be getting synchronized with details about the connection.
49:50
In a VSX deployment, you have, ah, a security group in this example with
49:54
three security gateway modules in the group,
49:58
and it's a VSX group.
50:01
You've created a VSX gateway object in SmartConsole,
50:07
and in that you've created
50:09
three virtual systems.
50:13
Note that the virtual systems are on all of the security gateway modules in the group.
50:21
If a packet arrives
50:22
on an up link port
50:24
attached to that security group,
50:28
then
50:28
the orchestrator will determine which downlink port should handle that traffic.
50:32
It sends the packet
50:35
to that downlink port, which is active for that connection.
50:38
that security gateway module will determine
50:43
which other security gateway module should be backup for the traffic, and synchronize that.
50:49
And then
50:51
the security gateway modules will determine which virtual system that packet belongs to,
50:58
and that virtual system will then process the packet.
51:01
One virtual system will be active, the one on Security Gateway Module one. The other will be backup
51:09
for this connection,
51:12
and as more connections arrive,
51:15
they will be distributed to
51:19
the other security gateway modules. Some will be active, some will be backup.
51:23
So overall there will be a mix of distribution of the traffic and again that provides
51:31
active, active load sharing
51:34
on the single management object of, ah, a security group.
51:37
In expert mode, there's a command g_all,
51:44
and
51:45
what this command does is you give it a command to run,
51:49
so I'll do something innocuous.
51:53
And this runs that command on all of the currently up
51:59
members of the security group
52:00
and displays their output back here.
52:05
And in this case right now, there's only one
52:07
member that's up in this demonstration,
52:10
and I get the output nicely collated by the
52:15
member which contributed that output.
52:20
So the g_all command is a general version of
52:25
the global commands that are available
52:30
on Gaia on a scalable platform.
52:34
Note that there's g_cpstop, g_cpstart, for example.
52:39
Uh
52:40
and there's actually, ah, g_uptime. So
52:51
using g_all was perhaps a bit of an overkill.
52:55
Anyway, a useful command for running the same command on all of the members of the security group.
53:04
There's also
53:06
specifically the g_tcpdump command,
53:09
and this does, as you would expect, run tcpdump with the arguments that you provide
53:16
on all of the members that are currently up in the security group.
53:28
Another useful command, asg perf,
53:31
performance.
53:34
And this shows you aggregated statistics of all the security gateway modules in the security group.
53:40
And this command
53:44
has some options
53:50
-v, -p,
53:52
give you more details.
53:53
This will show you a lot of information. Note, it doesn't show you information about the orchestrators.
54:01
It shows you, ah,
54:04
security gateway modules in the security group,
54:09
Another command,
54:14
asg diag,
54:16
will run various diagnostics for you
54:21
system diagnostics. So asg diag list
54:25
lists all of the possible diagnostics.
54:35
So this is, ah, a useful command to see
54:37
the results of
54:40
various, 28 in this list,
54:44
different diagnostics that are run
54:47
in your security group
54:51
on the single management object of a security group.
54:53
The command asg monitor
54:59
will show you real time status
55:01
of the security gateway modules in the security group.
55:07
And again, I have one security gateway module which is down right now,
55:13
and that's useful information to know.
55:16
Now I'm on a VSX security group because I wanted to show
55:21
this command, asg perf -vs all,
55:24
so display information about all virtual systems and be very verbose about it.
55:30
So this command will
55:34
look at all of the security gateway modules in the security group
55:37
and show you the virtual systems that are defined
55:40
and the throughput, the connection rate of those virtual systems.
55:46
Now I'm in the command line interface of the orchestrator itself,
55:52
and there are some commands here that are useful.
56:05
This command, for instance, will
56:07
show you the status of the ports of the orchestrator which ports are plugged in which ports are administratively down, etcetera.
56:17
So you would run this command on the orchestrator, not in the single management object of a security group.
56:30
Another command, lldpctl
56:32
(LLDP, Link Layer Discovery Protocol, ctl, one word),
56:37
allows you to see
56:39
the devices that have been discovered by the Link Layer Discovery Protocol.
56:45
One thing that it doesn't show you is the distribution mode of the system or of a specific interface.
56:52
You have to use show distribution for that.
56:57
orch_info
57:00
(orch underscore info)
57:01
will
57:04
show you diagnostic information about the orchestrator.
57:08
It
57:08
will take a while to run,
57:10
but
57:12
it will
57:14
collect a lot of information
57:15
and
57:16
put it in an archive file.
57:21
So pause while this runs
57:27
so this command has finished executing,
57:51
you can see the contents of the file. It pulled in a lot of log data
57:54
and outputs
57:57
from various diagnostic commands that were executed.
58:00
The
58:02
downlink connection between the orchestrator and, ah, a security gateway module
58:08
carries a lot of information. And this
58:13
information is isolated in VLANs, virtual LANs.
58:17
So, for instance, if you have traffic that arrived on an up link port
58:23
that is to be handled by the security gateway module, that traffic will be forwarded
58:30
to the security gateway module
58:31
in a VLAN that
58:35
will be 10 to 3, plus the port number
58:38
on the orchestrator,
58:43
then the synchronization VLAN,
58:45
which
58:46
the default IP address there is 192.0.2
58:52
dot
58:53
the last
58:55
octet. The last part of the IP address is determined by the security gateway module, or depends on the Security Gateway Module.
59:06
That synchronization network is used to synchronize configuration and also used for state synchronization.
59:13
And there's the chassis internal network,
59:15
which uses
59:17
VLAN of 3900 plus the number of the security gateway,
59:24
and the IP addresses are in the 198.51.100 range,
59:34
and then the correction layer uses a VLAN of 3700 plus the gateway number.
59:39
Well, that's enough questions and answers.
59:43
Thank you very much for attending this module.

Instructed By

CheckPoint
Instructor