Video Transcription

00:00
So at this point, I have configured my orchestrator appliance by connecting to the
00:07
security gateway modules
00:10
two downlink ports on the orchestrator. I also connected a serial console cable as well as an Ethernet console cable,
00:20
then used the serial console to configure the Ethernet management console.
00:27
A serial console, by the way, uses 9600 baud, eight bits, no parity by default.
00:34
So here I have connected to the Web user interface of the orchestrator appliance and, again, default credentials are admin and admin.
00:47
It will want you to change that the first time you log in. Note that the Web user interface for the orchestrator looks like pretty much any other Gaia Web user interface
00:59
except for the addition of this orchestrator menu entry. So when I click on that, you can see
01:06
that the orchestrator has connected to it
01:08
six security gateway modules, and
01:12
the security gateway modules
01:15
must be using a line card and Ethernet card that supports the Link Layer Discovery Protocol, LLDP.
01:25
This Link Layer Discovery Protocol is used to inform the orchestrator of what's plugged in to that downlink port,
01:34
and it includes, as you can see, information about the model of the
01:40
security gateway module and serial number.
01:45
That
01:46
network card, as I said, must support Link Layer Discovery Protocol, and must also support double VLAN to be compatible with the orchestrator.
01:55
So I have six unassigned
01:57
security gateway modules,
02:00
and I have many, many
02:01
unassigned interfaces available.
02:05
I want to create a security group.
02:07
A security group is a logical group
02:13
of
02:14
compute, and that would be the
02:16
security gateway module appliances, and network, that would be the interfaces:
02:22
a logical group of compute and networking resources.
02:29
And,
02:30
as I briefly discussed, a security group is represented by a single management object
02:38
that presents the illusion that there's just one appliance.
02:44
And that illusion is presented by the
02:49
single management object host,
02:51
which by default is the first security gateway module added to the security group.
02:58
And the security group needs an IP address, which will be used to communicate with that single management object
03:06
for policy installs as well as Web user interface and secure shell command line interaction.
03:14
So I'm going to configure
03:17
the IP address of this security group,
03:28
and I'm not going to configure a default gateway because this will not be the external network.
03:34
I have the option of setting up the first-time wizard on it. It's convenient to do it here when I'm creating the security group, though I can come back in,
03:43
set the activation key and set the host name
03:46
at that time.
03:58
And here I can choose to create a VSX security group.
04:02
And when I go create the object in SmartConsole
04:08
to represent this security group in policy,
04:12
I need to know if it was created as a regular security group or as a VSX security group, to know what kind of Check Point object to select
04:20
to
04:21
represent the security group.
04:26
So I've created the security group.
04:29
Note that
04:30
there are still no gateways or interfaces assigned to it. I have to assign them by dragging and dropping.
04:39
So
04:41
I would note that the Web user interface on the orchestrator is touchy about where you drag and drop, too.
04:48
I can't
04:49
drag and drop there. It's not accepted. I have to drag and drop
04:56
to the correct gateways for
05:00
gateway objects and
05:01
interfaces for interfaces.
05:11
So at this point,
05:13
if I try to apply,
05:17
I'll be told you've got to have at least one management interface.
05:21
And again, that management interface is distinct from the management interface for the orchestrator appliance itself,
05:30
that is on the other end of the orchestrator appliance here. What we mean by management interface
05:38
is one of the ports
05:41
that
05:42
have been configured as management interfaces
05:46
instead of uplink or downlink interfaces,
05:49
and these
05:50
ports are used for communicating with the single management object.
05:58
So I'm going to assign interfaces.
06:01
There's a management interface. I'm also going to assign
06:05
some
06:08
interfaces for the security group
06:11
so that we can have an internal network and an external network as well as the management network.
06:17
At this point, I should be able to apply, because in the security group I've configured IP address information, I've added gateways to the security group, and I've added at least one management port. You generally only have one management port, and also some other ports for the site traffic,
06:38
and when I click Apply, it will take a look at that and decide if I've fulfilled all the requirements,
06:45
and if I have,
06:46
then it will
06:48
choose the first security gateway in the list of gateways
06:55
as the single management object,
06:58
and it will send the configuration of this security group to that
07:03
single management object. It will be received
07:06
ultimately by all of the security gateway modules in this security group.
07:14
These security gateway modules will then restart
07:16
because their configuration has changed.
07:19
They now know about different network interfaces and so on.
07:25
So there's a brief period of time that you have to wait after applying changes to the security group
07:31
for
07:32
the security group to be ready, at least when you initially configure the security group.
07:39
While I'm waiting for the single management object
07:43
to become responsive after having
07:46
created this security group, I just wanted to note
07:48
that the security gateway modules, the Check Point firewall appliances, are running a special version of the Gaia operating system.
08:00
It's called the scalable platform version, denoted by an SP, so
08:05
you'll note that these appliances are actually running
08:09
version R80.20SP. Now, in a future release, perhaps the
08:16
scalable platform features, which handle the synchronization of configuration changes and so on,
08:22
will be just merged into the regular R80-dot-what-have-you product.
08:30
But
08:31
at least as of R80.30 there are still
08:33
two distinct
08:35
flavors, versions, of the operating system, and you need to make sure that you have the scalable platform version
08:43
for use with the orchestrator.
08:48
So at this point, the security group
08:50
has been created
08:52
and the single management object
08:56
is answering at the security group's IP address,
09:01
which in this demonstration is 172.25.161.155. And so I'm able to connect to the Web user interface
09:11
of the security group. I'm talking to the single management object.
09:18
I'll go ahead and sign in to the Web user interface.
09:33
And
09:33
one thing that I want to do while I'm in the Web user interface of the single management object
09:41
is configure the network interfaces. That way
09:45
their configuration can be imported into the SmartConsole security gateway object
09:52
when it fetches topology.
10:43
So
10:45
in this demonstration environment, note the link statuses. We'll ignore that because
10:50
this is not a production-deployed
10:54
Maestro environment.
10:58
So I've created the security group. I logged into the Web user interface of the single management object
11:07
and configured the
11:09
interfaces that will be used to
11:13
accept traffic from the internal network,
11:18
apply security policy, and then for the traffic out to the external network, off to the Internet.
11:24
At this point,
11:26
I'm going to change the password for the admin user.
11:31
It's
11:33
currently the default of
11:35
admin and admin.
11:52
Now I've set it to a different password.
12:01
So I did that
12:03
so that later on in the command line interpreter, I won't have to change it then.
12:11
Now that I have the single management object
12:13
configured with the interfaces assigned IP addresses,
12:20
next, I'm going to go to the SmartConsole application and
12:26
create the object, establish SIC, and use it in security policy.
12:33
I'm now ready to create a Check Point object
12:39
to represent the security group that I created.
12:43
And
12:45
I'm using the wizard. You don't have to. You can use the classic method.
12:54
So I'm going to name the gateway
12:56
what I named the security group,
12:58
Maestro SG, and select that it's the Maestro platform,
13:18
and the IP address I assigned to the security group. Now,
13:43
now, those of you that have been paying attention, the eagle-eyed among you, may notice that the IP address and ports are a little bit different. It's because of this demonstration environment.
13:54
It was necessary for the demonstration.
13:58
But what we get is a Check Point gateway object that represents
14:03
the security group via that single management object, which answers at 172.31.1 in this environment.
14:13
And
14:13
the orchestrator is hiding the fact that there are multiple
14:18
security gateway modules
14:22
that are assigned to the security group and will be handling traffic.
14:26
From the point of view of the management server and SmartDashboard or SmartConsole,
14:30
it appears to be just one security gateway. And again, if I had created the security group as a VSX security group,
14:37
I would want to have created a VSX gateway object instead of a Check Point security gateway object.
14:50
And now
14:50
I'm just going to install a very simple policy for demonstration purposes. I just used the cleanup rule and set the action to Accept.
15:09
So
15:09
I explained before that
15:13
after the security group was created and the single management object host came up and was responsive, I connected to that
15:20
via the Web user interface, and I
15:24
set up the
15:26
interfaces that I had assigned to the security group, and I did that so that
15:31
when I established SIC with the new security gateway object and it pulled over the topology of that gateway,
15:39
it had the interfaces predefined.
15:46
So policy installation is proceeding.
15:54
And once policy installation has successfully completed, then
15:58
this security group will be available for use.
16:03
And
16:06
in the security gateway object that I created, for simplicity's sake during this demonstration, I only had the firewall blade
16:14
enabled.
16:15
And now that I have
16:18
installed my access control policy, if I want, I can go back in and
16:22
set up whatever other blades
16:26
I might want, including HTTPS inspection.
16:32
So next I'm going to show you some command line commands that are useful in a Maestro deployment, both on the orchestrator and on the single management objects.

Check Point Jump Start: Maestro Hyperscale Network Security

In this course, brought to you by industry leader Check Point, they will cover the Maestro Orchestrator initial installation, and the creation and configuration of a security group via the web user interface and SmartConsole features. This course provides a demonstration of the Maestro product. The course will prepare you for their exam, #156-412, at Pearson VUE.

Instructed By

CheckPoint
Instructor