3 hours 53 minutes
Now I want to just demonstrate some more practical steps that you might go through in the Maestro environment.

So first I'm going to log in to my orchestrator. It's already been cabled, and I used the serial interface to set the management interface's IP address. You'll note that this looks very much like any other Gaia web user interface, except it has this entry over here: clicking on Orchestrator. If I get a pop-up error message about communicating with the orchestrator, the most probable cause, the most common reason you see that, is that you are in a one-orchestrator deployment. The orchestrator appliances ship expecting to be in a dual deployment, so you have to go into the CLI of the orchestrator and adjust the orchestrator count. And then you should not see that error message here. Excuse me.
So next I'm going to create a security group, fill in the information, and I will go ahead and set up the First Time Wizard as well. And I'm not going to create this as a VSX gateway security group.

So the security group has been created, but it requires that at least one security gateway module be assigned and at least one management interface be assigned. And I have to be very careful where I drag and drop the gateway objects from the unassigned gateways. If I try to drag it somewhere else, it doesn't accept it. Sometimes that's a cause of confusion.

So I've populated it with four security gateway modules. I'm also going to add a management interface and some additional traffic interfaces.

Next, I'm going to create VLANs on the traffic interfaces, repeating for all of these interfaces, creating VLAN interfaces. So the first pair of VLANs are ultimately going to be internal networks, and the 201 and 202 VLANs are ultimately going to be

This sort of thing might actually go faster via the command line interface. So I've created two VLANs each on the four uplink interfaces that I've assigned to this security group. Now I'm going to apply the security group settings. This will do many things. It will send the security group configuration out to those appliances; those appliances will receive the security group information, configure themselves, and then restart themselves to reflect the fact that they're now in a security group with these interfaces in this configuration. So those security gateways are going to be restarting themselves, and I'll pause and then continue when the security gateways are back up.

So at this point, the security gateways are back up, and the Single Management Object is answering at the security group's IP address, so I can connect to it with the web user interface. I used the default password admin/admin. Go ahead and make some setting changes. Perhaps in a production environment you wouldn't have the timeouts be like this; in this environment, that's what I'm doing.
So now I want to set up the network interfaces a little bit more. I have the four network interfaces that were assigned to the security group in the orchestrator web UI. I'm going to create a bond, then create another bond with the other pair of interfaces, and I want to create VLANs on each of those bonds. It will be a total of four VLANs. So next, for each of those VLANs, I'm going to set up my IP addresses, working through them all.

So now all of the bonded interfaces are participating in VLANs, and I've assigned each VLAN its own IP address. I did that in the security group's web user interface before I opened SmartConsole and started creating the object that will represent the security group. Now in SmartConsole I will create a security group, and it's going to be a gateway object to represent the security group in policy. Now once SIC is established, the topology of the security gateway will be automatically fetched and populate this object's Network Management screen. And I'm going to install a simple policy. It's a modified cleanup rule that always matches, accepts, and logs the traffic.

So some things to note: even though there are four security gateway modules assigned to the security group, it's represented by that single management object at the IP address that I assigned to the security group, and so there is no need to create a cluster object or create multiple gateway objects.
In the previous demonstration, I created one security group using uplink interfaces from one orchestrator. Here, I'm in a dual-orchestrator deployment, and I'm going to set up two security groups with uplink interfaces from both orchestrators, so if an orchestrator has an issue, we have

First I'll create the security groups and populate the single management object, set up the First Time Wizard, not installed as VSX. Go ahead and create the second security group, and the First Time Wizard for the second security group, and not as VSX.

Now I will allocate half of my security gateway modules to one security group and the other half to the other security group, and I will start adding management interfaces. Note that I can reuse the management interface. I probably should have management interfaces from both orchestrators, but I'm not going to do that right now. And the same for the second security group.

And now I'm going to set up the VLANs. So I have two pairs of uplink ports assigned to security group one; each pair has a pair of VLANs. Later on, I will bond the pairs together. And I do the same thing in the second group, and one last set of VLANs to create.

I have, on uplink ports from those two orchestrators, both security groups, and by bonding them later in the security group's web user interface I have high availability between the two orchestrators. If one fails, connectivity is still possible.

So I will apply the changes that I've made. It will take a little bit to think about, and once it's done validating and applying the new topology, I'll get a report. Until that report is ready, the summary of the report is available, and it looks very nice. Now the security groups have their configuration. The security gateway modules are applying the configuration and restarting. And when that process is done, the single management object for each security group will be responsive to web user interface connections. I'll pause until that's ready.

At this point, the security groups have been created, the security gateway modules have restarted, and the single management object is available.
So I log in to the web UI of the first security group and do just a little bit of setup. Now I want to configure the interfaces here in the single management object. What I will be doing is first creating bond interfaces, and then I'll create VLANs on top of those bond interfaces. That's the first bond interface. So I've configured the bond interfaces. Next, I'm going to give them IP addresses, verifying that they are indeed enabled. So I've created two VLANs per bond and configured an IP address on each of those VLANs. Next, I'm going to do the same on security group two.

So you may have seen that there was an error copying that config, propagating that config to the other members of the security group. So I paused, and it turns out that of the six security gateway modules, the first four are up and running. One is unresponsive, and I don't know if it has power or not; the other is not in a healthy state. So rather than deal with all that drama, I redistributed the security gateway modules in the orchestrator web user interface. And now each security group has two security gateway modules. And that's the beauty of Maestro: the fact that I reallocated resources doesn't show up in the single management object, and it won't show up in policy or SmartConsole. That adds a lot of flexibility.

So again, here I want to start creating bond interfaces, and then VLANs on those bond interfaces, and then add IP addresses, going through all eight iterations of this. At this point it's four iterations. So I have two VLANs on each bond interface. Now I want to set IP addresses, continuing setting up the VLAN interfaces. Turns out computers are very specific. Finally, I have two bonds created, with two physical interfaces per bond, and then on top of the bonds I've created two VLANs per bond.

Next, I'm going to bring up the SmartConsole application and represent both security groups, and typing is obviously very difficult. So now I have created this security gateway object that's using the single management object of security group one. When I established SIC, it was able to pull over the topology, reflecting what I had just configured in the web user interface. Do the same thing for the second security group. Once again, the topology will be fetched.
I also wanted to point out the platform hardware was updated to Maestro; the version is R80.20 Scalable Platform.

Next, I'll install a very simple policy. It's still the modified cleanup rule that allows everything, and policy installation is under way. I'll pause until the policy is installed. At this point, policy has been successfully installed to both security groups, both single management objects.

And again, I can access the orchestrator command line or web user interface and shuffle around the assignments of the individual security gateway modules. Perhaps some of them are faster appliances, more powerful appliances than others, and I can shift them around in response to load. Of course, when I do that, there will be a brief time when they're not managing any connections.

It is possible that in a future release of the environment, scalable platforms, you will be able to designate some of the security gateway modules to be floaters. I don't know exactly what the terminology will end up being, but unassigned security gateways could be automatically, dynamically added to security groups that you define: if the load is above this point for this long, then add a security gateway; if it falls below this point for this long, take the security gateway out. Dynamic shifting, dynamic balancing of resources. It's not available, but it's sort of on the roadmap, and we'll see which version it shows up in, if any.

I've demonstrated using both orchestrators for failover, for high availability, by creating security groups that consist of uplink ports from both orchestrators. And, of course, the security gateway modules must have downlink connectivity to both orchestrators to actually be highly available.

Next, I'm going to demonstrate security groups using VSX, Virtual System Extension.
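The high-availability rules the walkthrough relies on (every security group needs at least one security gateway module and one management interface, its uplink bonds should span both orchestrators, every module in it must have a downlink to each orchestrator the group uses, and a module belongs to exactly one group) are easy to get wrong while dragging modules and ports around in the web UI. The script below is an added example written for this page, not Check Point code or tooling: it models a planned layout as plain data and reports which of those rules a group breaks before anything is applied. The orchestrator names, port names, module ids and the bond/downlink data model are constructed assumptions.

```python
"""Pre-flight check for a dual-orchestrator Maestro-style layout.

Added example (not Check Point code). The data model is an assumption:
each security group lists its modules, management interfaces and bonds,
where a bond is a list of (orchestrator, uplink port) members.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    name: str
    sgms: list                                  # security gateway module ids
    mgmt_ifaces: list                           # management interface names
    bonds: dict = field(default_factory=dict)   # bond -> [(orchestrator, port), ...]


def orchestrators_used(sg):
    """Orchestrators whose uplink ports this group relies on."""
    return {orch for members in sg.bonds.values() for orch, _ in members}


def validate_group(sg, sgm_downlinks):
    """Return a list of findings for one group (empty list means it passes).

    sgm_downlinks maps a module id to the set of orchestrators it is cabled to.
    """
    findings = []
    if not sg.sgms:
        findings.append(f"{sg.name}: needs at least one security gateway module")
    if not sg.mgmt_ifaces:
        findings.append(f"{sg.name}: needs at least one management interface")
    used = orchestrators_used(sg)
    if len(used) < 2:
        findings.append(f"{sg.name}: uplinks come from a single orchestrator, "
                        "so losing it takes the group offline")
    for bond, members in sg.bonds.items():
        if len({orch for orch, _ in members}) < 2:
            findings.append(f"{sg.name}: bond {bond} does not span both orchestrators")
    for sgm in sg.sgms:
        missing = used - sgm_downlinks.get(sgm, set())
        if missing:
            findings.append(f"{sg.name}: {sgm} has no downlink to "
                            f"{', '.join(sorted(missing))}")
    return findings


def validate_deployment(groups, sgm_downlinks):
    """Check every group plus the cross-group rule that a module sits in one group."""
    findings = []
    for sgm, n in Counter(s for g in groups for s in g.sgms).items():
        if n > 1:
            findings.append(f"{sgm} is assigned to {n} security groups; "
                            "a module belongs to exactly one")
    for g in groups:
        findings.extend(validate_group(g, sgm_downlinks))
    return findings


# Constructed sample data (assumed names, not from a real deployment).
SGM_DOWNLINKS = {
    "sgm-1": {"mho-1", "mho-2"},
    "sgm-2": {"mho-1", "mho-2"},
    "sgm-3": {"mho-1", "mho-2"},
    "sgm-4": {"mho-1"},            # only cabled to the first orchestrator
}

# Each bond pairs the same port position on both orchestrators, as in the walkthrough.
GROUP_1 = SecurityGroup("SG1", ["sgm-1", "sgm-2"], ["Mgmt1"], {
    "bond1": [("mho-1", "eth1-05"), ("mho-2", "eth1-05")],
    "bond2": [("mho-1", "eth1-06"), ("mho-2", "eth1-06")],
})

# Both ports of the only bond sit on one orchestrator: no HA if mho-1 fails.
GROUP_2 = SecurityGroup("SG2", ["sgm-3", "sgm-4"], ["Mgmt1"], {
    "bond1": [("mho-1", "eth1-07"), ("mho-1", "eth1-08")],
})

# Same HA bonds as SG1, but its only module is cabled to one orchestrator.
GROUP_3 = SecurityGroup("SG3", ["sgm-4"], ["Mgmt1"], GROUP_1.bonds)

if __name__ == "__main__":
    for line in validate_deployment([GROUP_1, GROUP_2, GROUP_3], SGM_DOWNLINKS):
        print(line)
```

Running it prints one line per broken rule: sgm-4 appears in two groups, SG2 has no second orchestrator behind its bond, and SG3's module has no downlink to mho-2; SG1 produces nothing. Feeding it the layout you intend to apply is cheaper than discovering after the modules reboot that the "HA" bond lives on a single orchestrator.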
Check Point Jump Start
In this course brought to you by industry leader Check Point, they will cover cybersecurity ...
4 CEU/CPE Hours Available
Certificate of Completion Offered