Video Transcription

00:01
Welcome back.
00:02
Now I wanna
00:04
just demonstrate some
00:06
more practical steps
00:09
that you might go through
00:10
to
00:11
deploy
00:13
the Maestro environment.
00:15
So first I'm going to log in to my orchestrator. It's already been cabled.
00:20
I have
00:21
used the serial interface to set the management
00:26
interface's IP address.
00:34
And again
00:36
you'll note that this looks very much like any other Gaia web user interface, except it has this
00:42
extra orchestrator
00:44
menu
00:45
entry over here
00:49
and
00:50
clicking on Orchestrator, if I get a pop-up error message about communicating with the orchestrator,
00:58
the most probable cause, or the most common reason you see that, is that
01:03
you are in a one-orchestrator deployment.
01:07
The orchestrator appliances ship expecting to be in a dual deployment. So you have to go into the CLI
01:15
of the orchestrator and
01:18
change the
01:19
orchestrator number count
01:23
to 1.
01:26
And then you should not see that error message here. Excuse me.
01:32
So next I'm gonna create a security group
01:40
in the information
01:55
and I will go ahead and set up the first time wizard as well.
02:06
And I'm not going to create this as a VSX gateway security group.
02:15
So the security group has been created, but it requires at least
02:20
one
02:21
security gateway module be assigned and at least
02:24
one management interface be assigned
02:30
big. And I have to be very careful where I drag and drop the gateway objects
02:37
from the unassigned gateways
02:38
because
02:40
I tried to drag it somewhere else.
02:45
It doesn't accept it
02:46
Sometimes a cause of confusion.
02:53
So I've populated it with four security gateway modules,
02:58
also going to add
03:02
management interface and some additional traffic interfaces.
03:14
Next, I'm going to
03:16
create
03:19
VLANs on the traffic interfaces.
03:53
It's repeating for all of these interfaces,
03:58
creating VLAN interfaces.
04:16
So the 101 and 102 VLANs
04:19
are ultimately going to be internal networks,
04:23
and the 201 and
04:27
202 VLANs
04:29
are ultimately going to be
04:31
external networks.
04:39
This sort of thing might actually go faster via the command line interface,
04:50
so I've created
04:53
two VLANs each on the four
04:57
uplink interfaces that I've assigned to this security group.
05:01
Now going to apply
05:03
security group settings.
05:05
This will do
05:08
many things. It will send the security group configuration out to those appliances
05:14
those appliances will
05:15
receive the security group information,
05:18
configure themselves and then restart themselves
05:21
to reflect the fact that they're now in a security group with these interfaces in this configuration.
05:29
So those security gateways are going to be restarting themselves, and I'll pause
05:35
and then continue when the security gateways are back up.
05:40
So at this point, the security gateways are back up,
05:44
and Security Management Object is answering
05:46
the security group's IP address, so I can connect to it with the
05:51
Web user interface
06:01
and
06:03
used the default password admin, admin
06:06
full again.
06:11
Go ahead and make some setting changes.
06:15
Perhaps in a production environment, you wouldn't have the timeouts be
06:18
this high
06:19
in this environment.
06:23
That's what I'm doing.
06:40
So now I want to set up the network interfaces
06:44
a little bit more.
06:46
I have the four network interfaces that were assigned to the security group
06:54
in the orchestrator web UI.
06:57
I want to bond
07:00
interfaces together,
07:30
create another bond
07:32
for the other pair of interfaces,
07:57
and I want to create VLANs on each of those bonds.
08:37
It will be a total of four VLANs.
09:01
So next, for each of those VLANs, I'm going to set up my IP addresses.
09:41
It's working through them all
10:09
last one.
10:24
So now all of the bonded interfaces
10:28
are participating in VLANs,
10:30
and I've assigned each
10:33
VLAN its own IP address.
10:35
I did that now in the security group's web user interface
10:41
before I open SmartConsole
10:46
and start creating the object that will represent the security group.
10:56
Now in SmartConsole,
10:58
SmartConsole, yes,
11:01
I will create
11:03
a security group
11:05
object
11:05
represent
11:07
this
11:09
security group, and it's going to be a
11:41
so creating a gateway object
11:43
to represent the security group in policy
12:01
establish SIC.
12:13
Now that SIC is established,
12:16
the topology of the security gateway will be automatically fetched and populate this object's network management screen.
12:39
And I'm going to install a simple policy.
12:50
This policy
12:52
is a modified cleanup rule: always matches, accepts, and logs the traffic.
13:03
So some things to note, even though that there are four security gateway modules assigned to the security group.
13:09
It's represented by that single management object at the IP address that I assigned to the security group,
13:16
and so there is
13:18
no need to create a cluster object
13:22
or create multiple gateway objects.
13:30
In the previous demonstration, I created one security group using uplink interfaces
13:35
from one orchestrator.
13:39
Here I'm in a dual orchestrator deployment, and I'm going to set up
13:43
two security groups
13:46
and use
13:46
uplink interfaces from both
13:50
orchestrators. So if an orchestrator has an issue, we have
13:54
high availability.
13:56
First I'll create the security groups
14:00
and populate the single management object
14:03
information,
14:16
set up the first time wizard,
14:24
not installed as VSX.
14:26
Go ahead and create the second security group.
14:30
Well, im
14:45
and the first time wizard,
14:46
second security group,
14:54
and not as VSX.
14:56
Now I will allocate half of my security gateway modules
15:01
to
15:03
one security group and the other half to the other security group,
15:15
and I will start adding management interfaces.
15:20
Note that I can reuse the management interface
15:22
now.
15:24
I probably should
15:26
have management interfaces from both orchestrators, but
15:31
I'm not going to do that right now
16:02
and for the second security group,
16:18
and now I'm going to set up
16:19
VLANs
16:56
and continuing.
17:34
So I have
17:37
two pairs of uplink ports
17:41
assigned to security group one,
17:44
and
17:45
each pair has a pair of VLANs.
17:48
Later on, I will bond the pairs together
17:51
and I do the same thing
17:53
in the second group
17:56
security group
18:41
and one last set of VLANs to create
18:48
on
18:51
0 to 9.
19:00
So
19:02
I have on
19:03
both orchestrators
19:06
used
19:07
uplink ports, from those
19:10
two orchestrators in both security groups,
19:15
and by bonding them later in the security group's web user interface, I have high availability between
19:22
the two orchestrators. If one fails,
19:26
connectivity is still possible,
19:29
so I will apply the changes that I've made. It will take a little bit to think about,
19:36
and once it's done
19:38
validating and applying the new topology, I'll get a report.
19:42
I'll pause
19:45
Until that report is ready
19:49
of the report,
19:51
the summary is available, and it looks very nice.
19:56
Now. The security
19:59
The security groups
20:02
have their configuration.
20:03
The security gateway modules are
20:08
applying the configuration and restarting.
20:11
And when that process is done, then the single management object for each security group will be responsive to web user interface connections.
20:21
I'll pause until that's ready.
20:26
At this point, the security groups have been created,
20:32
security gateway modules have restarted and the single management object is available.
20:40
So log in
20:41
to the web UI of the first security group,
20:51
and do just a little bit of
20:52
configuration.
21:15
Now I want to configure
21:17
the interfaces
21:18
here in the single management object.
21:25
What I will be doing is first creating bond interfaces.
22:03
And then I'll create VLANs on top of those bond interfaces.
22:37
That's the first bond interface,
23:04
so I've configured the bond interfaces.
23:10
Next, I'm going to give them IP addresses,
24:06
verifying that they are indeed enabled.
24:52
So I have created
24:56
two bonds.
24:57
I've created two VLANs per bond. I've
25:00
configured the IP address of each of those VLANs.
25:06
Next I'm going to
25:08
do the same on security group two.
25:52
So you may have seen that there was an error.
25:56
copying that config, propagating that config to the other
25:59
members of the security group.
26:00
Uh, so I paused. And
26:03
it turns out that of the six
26:06
security Gateway modules,
26:07
uh,
26:08
the first four are up and running.
26:11
One is unresponsive, and I don't know if it has power or not. The other
26:18
is
26:18
not in a healthy state. So
26:22
rather than deal with all that drama,
26:23
I redistributed the security gateway modules
26:26
the ah, the orchestrator Web user interface.
26:30
And now each security group has two security gateway modules.
26:34
And that's the beauty of Maestro.
26:37
The fact that I reallocated resources
26:41
doesn't show up in the single management object, and it won't show up in policy or SmartConsole.
26:49
That adds a lot of flexibility.
26:55
So again, here I want to start creating bond interfaces and then VLANs on those bond interfaces and then
27:03
38
27:06
add IP addresses,
27:51
going through all eight iterations of this.
28:08
At this point, it's four iterations.
28:29
So I have
28:30
two VLANs on each bond interface.
28:33
Now I want to set IP addresses,
29:17
or drama.
29:18
Yeah,
29:19
continuing setting up the
29:22
VLAN interfaces.
30:15
bill.
30:18
Turns out computers are very specific.
30:26
So
30:26
finally I have
30:30
two bonds created
30:32
with two physical interfaces per bond, and then on top of the bonds, I've created
30:37
two VLANs per bond.
30:41
Next, I'm going to bring up
30:44
the SmartConsole application
30:47
and
30:48
create
30:51
objects
30:55
represent both security groups,
31:15
and typing is
31:17
obviously very difficult.
31:42
So now I have
31:45
created this security gateway object
31:48
that's using the single management object of security group one,
31:53
and
31:55
when I established SIC, it was able to pull over the topology,
31:59
reflecting what I had just configured in the Web user interface.
32:04
Do the same thing
32:05
for the second security group
32:32
establish SIC.
32:45
Once again, topology will be fetched.
32:49
I also wanted to point out the
32:51
platform hardware was updated to Maestro,
32:53
and
32:54
the version is R80.20 scalable platform.
33:05
Next, I'll install a very simple policy. It's still the modified cleanup rule
33:10
that allows everything,
33:35
and policy installation is under way.
33:49
I'll pause until policy is
33:52
installed.
33:53
At this point,
33:54
policy has been successfully installed to both
33:58
security groups, both single management objects.
34:01
And again, I can
34:04
access the orchestrator command line or Web user interface
34:08
and shuffle around the
34:12
assignments of the individual security gateway modules. Perhaps
34:15
some of them are faster appliances, more powerful appliances than others, and I can shift them around in response to load.
34:22
Of course, when I do that, there will be a brief time when they're not
34:28
managing any connections.
34:31
It is possible that in a future release of
34:36
the Maestro
34:37
environment scalable platforms that
34:40
you will be able to
34:43
designate some of the security gateway modules to be,
34:49
um, to be floaters. I don't know exactly what the terminology will end up be, but
34:54
unassigned security gateways can be automatically, dynamically added to security groups
35:04
based on
35:05
rules
35:06
that you define. If the load is above this point for this long,
35:13
then add a security gateway.
35:15
If it falls below this point for this long, take the security gateway out.
35:21
Dynamic shifting, dynamic
35:22
balancing of resources.
35:25
um, it's not
35:27
currently yet
35:29
available, but it's
35:31
sort of on the road map, and we'll see which version
35:36
that feature
35:37
shows up in if if any,
35:40
so
35:43
I've demonstrated using both orchestrators
35:47
for
35:49
failover, for high availability,
35:51
by creating security groups that
35:54
consist of uplink ports from both orchestrators.
36:00
And, of course,
36:00
the security gateway modules must have downlink connectivity to both orchestrators
36:07
for this
36:09
to actually be high availability.
36:13
Next, I'm going to demonstrate security groups using
36:16
VSX, Virtual System Extension.

Check Point Jump Start: Maestro Hyperscale Network Security

In this course brought to you by industry leader Check Point, they will cover the Maestro Orchestrator initial installation, creation and configuration of security group via the web user interface and SmartConsole features. This course provides a demonstration of the Maestro product. Course will prepare you for their exam, #156-412, at Pearson VUE.

Instructed By

CheckPoint
Instructor