Security Groups on Dual MHO


Time
3 hours 53 minutes
Difficulty
Beginner
Video Transcription
00:01
Welcome back. Now I want to just demonstrate some more practical steps that you might go through to deploy the Maestro environment.
00:15
So first I'm going to log in to my orchestrator. It's already been cabled. I have used the serial interface to set the management interface's IP address.
00:34
And again, you'll note that this looks very much like any other Gaia web user interface, except it has this extra Orchestrator menu entry over here.
00:49
And clicking on Orchestrator: if I get a pop-up error message about communicating with the orchestrator, the most probable cause, the most common reason you see that, is that you are in a one-orchestrator deployment. The orchestrator appliances ship expecting to be in a dual deployment, so you have to go into the CLI of the orchestrator and change the orchestrator count to 1. And then you should not see that error message here. Excuse me.
01:32
So next I'm going to create a security group, fill in the information, and I will go ahead and set up the first time wizard as well. And I'm not going to create this as a VSX gateway security group.
02:15
So the security group has been created, but it requires that at least one security gateway module be assigned and at least one management interface be assigned. And I have to be very careful where I drag and drop the gateway objects from the unassigned gateways, because if I try to drag it somewhere else, it doesn't accept it. Sometimes that's a cause of confusion.
02:53
So I've populated it with four security gateway modules. I'm also going to add a management interface and some additional traffic interfaces.
03:14
Next, I'm going to create VLANs on the traffic interfaces, repeating for all of these interfaces, creating VLAN interfaces.
04:16
So the 101 and 102 VLANs are ultimately going to be internal networks, and the 201 and 202 VLANs are ultimately going to be external networks.
04:39
This sort of thing might actually go faster via the command line interface. So I've created two VLANs each on the four uplink interfaces that I've assigned to this security group. Now I'm going to apply the security group settings.
05:05
This will do many things. It will send the security group configuration out to those appliances. Those appliances will receive the security group information, configure themselves, and then restart themselves to reflect the fact that they're now in a security group with these interfaces in this configuration. So those security gateways are going to be restarting themselves, and I'll pause and then continue when the security gateways are back up.
05:40
So at this point, the security gateways are back up, and the Single Management Object is answering at the security group's IP address, so I can connect to it with the web user interface and use the default password, admin/admin, to log in again.
06:11
Go ahead and make some setting changes. Perhaps in a production environment you wouldn't have the timeouts be this high; in this environment, that's what I'm doing.
06:40
So now I want to set up the network interfaces a little bit more. I have the four network interfaces that were assigned to the security group in the orchestrator web UI. I want to bond interfaces together, create another bond with the other pair of interfaces, and I want to create VLANs on each of those bonds. It will be a total of four VLANs.
09:01
So next, for each of those VLANs, I'm going to set up my IP addresses, working through them all. Last one.
10:24
So now all of the bonded interfaces are participating in VLANs, and I've assigned each VLAN its own IP address. I did that in the security group's web user interface before I opened SmartConsole and started creating the object that will represent the security group.
10:56
Now in SmartConsole, I will create a security group object to represent this security group, and it's going to be a gateway object. So I'm creating a gateway object to represent the security group in policy, and establishing SIC.
12:13
Now that SIC is established, the topology of the security gateway will be automatically fetched and will populate this object's network management screen.
12:39
And I'm going to install a simple policy. This policy is a modified cleanup rule: it always matches, accepts, and logs the traffic.
13:03
So some things to note: even though there are four security gateway modules assigned to the security group, it's represented by that single management object at the IP address that I assigned to the security group, and so there is no need to create a cluster object or create multiple gateway objects.
13:30
In the previous demonstration, I created one security group using uplink interfaces from one orchestrator. Here, I'm in a dual-orchestrator deployment, and I'm going to set up two security groups and use uplink interfaces from both orchestrators, so if an orchestrator has an issue, we have high availability.
13:56
First I'll create the security groups and populate the single management object information, set up the first time wizard, not installed as VSX. Go ahead and create the second security group, and the first time wizard for the second security group, and not as VSX.
14:56
Now I will allocate half of my security gateway modules to one security group and the other half to the other security group, and I will start adding management interfaces. Note that I can reuse the management interface now. I probably should have management interfaces from both orchestrators, but I'm not going to do that right now.
16:02
And for the second security group, now I'm going to set up the VLANs, and continuing.
17:34
So I have two pairs of uplink ports assigned to security group one, and each pair has a pair of VLANs. Later on, I will bond the pairs together, and I do the same thing in the second security group, and one last set of VLANs to create on 0 to 9.
19:00
So I have on both orchestrators used uplink ports from those two orchestrators in both security groups, and by bonding them later in the security group's web user interface, I have high availability between the two orchestrators. If one fails, connectivity is still possible.
19:29
So I will apply the changes that I've made. It will take a little bit to think about, and once it's done validating and applying the new topology, I'll get a report. I'll pause until that report is ready. The summary of the report is available, and it looks very nice.
19:56
Now the security groups have their configuration. The security gateway modules are applying the configuration and restarting. And when that process is done, then the single management object for each security group will be responsive to web user interface connections. I'll pause until that's ready.
20:26
At this point, the security groups have been created, the security gateway modules have restarted, and the single management object is available. So I'll log in to the web UI of the first security group and do just a little bit of configuration.
21:15
Now I want to configure the interfaces here in the single management object. What I will be doing is first creating bond interfaces, and then I'll create VLANs on top of those bond interfaces.
22:37
That's the first bond interface. So I've configured the bond interfaces. Next, I'm going to give them IP addresses, verifying that they are indeed enabled.
24:52
So I have created two bonds. I've created two VLANs per bond. I've configured an IP address on each of those VLANs. Next I'm going to do the same on security group two.
25:52
So you may have seen that there was an error copying that config, propagating that config to the other members of the security group. So I paused, and it turns out that of the six security gateway modules, the first four are up and running, one is unresponsive, and I don't know if it has power or not, and the other is not in a healthy state. So rather than deal with all that drama, I redistributed the security gateway modules in the orchestrator web user interface, and now each security group has two security gateway modules. And that's the beauty of Maestro. The fact that I reallocated resources doesn't show up in the single management object, and it won't show up in policy or SmartConsole. That adds a lot of flexibility.
26:55
So again, here I want to start creating bond interfaces, and then VLANs on those bond interfaces, and then add IP addresses. I'm going through all eight iterations of this. Actually, at this point it's four iterations.
28:29
So I have two VLANs on each bond interface. Now I want to set IP addresses. More drama. Yeah, continuing setting up the VLAN interfaces. Turns out computers are very specific.
30:26
So finally I have two bonds created with two physical interfaces per bond, and then on top of the bonds I've created two VLANs per bond.
30:41
Next, I'm going to bring up a SmartConsole application and create objects to represent both security groups. And typing is obviously very difficult.
31:42
So now I have created this security gateway object that's using the single management object of security group one, and when I established SIC, it was able to pull over the topology, reflecting what I had just configured in the web user interface. Do the same thing for the second security group, establish SIC. Once again, the topology will be fetched.
32:49
I also wanted to point out the platform hardware was updated to Maestro, and the version is R80.20 Scalable Platform.
33:05
Next, I'll install a very simple policy. It's still the modified cleanup rule that allows everything, and policy installation is under way. I'll pause until policy is installed. At this point, policy has been successfully installed to both security groups, both single management objects.
34:01
And again, I can access the orchestrator command line or web user interface and shuffle around the assignments of the individual security gateway modules. Perhaps some of them are faster appliances, more powerful appliances than others, and I can shift them around in response to load. Of course, when I do that, there will be a brief time when they're not managing any connections.
34:31
It is possible that in a future release of the Maestro environment, scalable platforms, you will be able to designate some of the security gateway modules to be floaters. I don't know exactly what the terminology will end up being, but unassigned security gateways can be automatically, dynamically added to security groups based on rules that you define: if the load is above this point for this long, then add a security gateway; if it falls below this point for this long, take the security gateway out. Dynamic shifting, dynamic balancing of resources is not currently available yet, but it's sort of on the roadmap, and we'll see which version that feature shows up in, if any.
35:40
So I've demonstrated using both orchestrators for failover, for high availability, by creating security groups that consist of uplink ports from both orchestrators. And, of course, the security gateway modules must have downlink connectivity to both orchestrators for this to actually be high availability. Next, I'm going to demonstrate security groups using VSX, virtual system extension.