3 hours 53 minutes
So at this point, I have configured my orchestrator appliance by connecting to the
security gateway modules
two down link ports on the orchestrator. I also connected a serial console cable as well as an Ethernet consul. Cable
then used the serial consul to configure the Ethernet management consul.
A serial console, by the way, uses 9600 bod eight bits, no parity by default.
So here I have connected to the Web user interface of the orchestrator appliance and, ah, law again, default credentials are admin and admin.
The little wants you to change that the first time you log in. Note that the Web user interface for the orchestrator looks like pretty much any other guy, a Web user interface
except for the addition of this orchestrator menu entry. So when I click on that, you can see
that the orchestrator has connected to it.
Six security Gateway modules and
the Security Gateway modules
must be using a line card and Ethernet card that supports the Link layer. Discovery Protocol, L L. D P.
This link Layer Discovery Protocol is used to inform the orchestrator of what's plugged in to that down Lakeport,
and it includes as you can see information about the model of the
security gateway module Ah, and serial number
network card, as I said, must support Linklater. Discovery Protocol must also support double villain to be compatible with the orchestrator.
So I have six unassigned
security gateway modules,
and I have many, many
unassigned interfaces available.
I want to create a security group.
A secure security group is a logical group
computing, and that would be the
security gateway, module, appliances and network. That would be the interfaces
logical group of compute and networking Resource is.
as I briefly discussed, a security group is represented by a single management object
that presents the illusion that there's just one appliance.
And that illusion is presented by the
single management object host,
which by default is the first security gateway module added to the security group.
And the security group needs an I P address, which will be used to communicate with that single management object
for policy installs as well as Web user interface and secure shell command line interaction.
So I'm going to configure
I p address of this security group,
and I'm not going to configure default, Gateway because this will not be the external network.
I have the option of setting up the first time wizard on. It's convenient to do it here. When I'm creating the security group, though, I can come back in,
set the activation key and set the host name
at that time.
And here I can choose to create a V SX security group.
And when I go create the object in Smart
Consul to represent this security group in policy,
I need to know if it was created as a regular security group or as a V s ex security group, to know what kind of checkpoint object to select.
represent the security group.
So I've created the security group.
Note that, ah,
there are still no gateways or interfaces assigned to it. I have to assign them by dragging and dropping.
I would note that the Web user interface on the orchestrator is touchy about where you drag and drop, too.
dragon dropped there. It's not excepted. I have to drag and drop
to the correct gateways for
gateway objects and
interfaces for interfaces.
So at this point,
if I try to apply,
I'll be told you gotta have at least one management interface.
And again that management interface. It's It's distinct from the management interface for the orchestrator appliance itself,
that is, on the other end of the orchestrator appliance here. What we mean by management interface
is one of the ports
have been configured as management interfaces
instead of up link or down like in her face is,
ports are used for communicating with the single management object.
So I'm going to assign interfaces.
There's a management interface. I'm also going to assign
interfaces for the security group
so that we can have an internal network and an external network as well as the management network.
At this point, I should be able to apply because in the security group I've configured I p address information. I've added gateways to the security group, and I've added at least one. You generally only have one management port and also some some other ports for the site traffic,
and when I click, apply will take a look at that and decided five fulfilled all the requirements,
and if I have,
then it will
choose the first security gateway in the list of gateways
as the single management object,
and it will send the configuration of this security group to that
single management object. It will be received
ultimately by all of the security gateway modules in this security group.
These security gateway modules will then restart
because their configuration has changed.
They now know about different network interfaces and so on.
So there's a brief period of time that you have tow weight after applying changes to the security group
ah, the security group to be ready, at least when you initially configure the security group
while I'm waiting for Thesiger management object
to become responsive after having
created this security group, I just wanted to know
that the security gateway modules, the Checkpoint firewall appliances are running a special version of the guy operating system.
It's called the scalable platform version denoted by an SP, so
you'll note that these appliances are actually running.
Ah version are 80.20 s p. Now in a future release, perhaps the
scalable platform features which handled the synchronization of configuration changes and so on
will be just merged into the regular already dot What have you product?
at least as of our a d 0.30 There still
flavours versions of the operating system, and you need to make sure that you have scalable platform version,
uh, for use with the orchestrator.
So at this point, thes security group
has been created
and the single management object
is answering the security groups i p address,
which is in this demonstration. 1 72 25 1 61.1 55 And so I'm able to connect to the Web user interface
of the security group. I'm talking to the single management object.
Don't go ahead and sign in to the Web user interface.
one thing that I want to do while I'm in the Web user interface of the single management object
is configure. The network interfaces that way.
They're configuration can be imported into the smart consul security gateway object
when it fetches topology.
in this demonstration environment noted the link statuses, nobody will ignore that because
this is not, ah, production deployed
So I've created the security group. I logged into the Web user interface of the single management object
and configured the
interfaces that will be used to,
except traffic from the internal network
apply security policy and then for the traffic out to the external network off to the Internet.
At this point,
I'm going to change the ah password for the admin user.
currently the default of Ah,
admin and admin.
No. Said it to a different password.
So I I did that
so that later on in the command line interpreter, uh, I won't have to change it then.
Now that I have the single management object
configured with the interfaces assigned I P addresses
Next, I'm going to go to Smart Consul smart consul application and
create the object and established sick and use it in security policy.
I'm now ready to create a checkpoint object
to represent the security group that I created.
I'm using the Wizard. You don't have to. You can use the classical method.
So I'm going to name the Gateway
what I named the security group
Maestro SG and select that it's the maestro platform
and the I P address I signed with Security group. Now,
now those of you that have been paying attention the eagle eyed among you may notice that I p address and ports are a little bit different. It's because of this demonstration environment.
it was necessary for the demonstration.
But what we get is a checkpoint Gateway object that represents
the security group via that single management object, which answers at 1 70 to 31.1 in this environment.
the orchestrator is hiding the fact that there are multiple
security gateway modules
that are assigned to the security group will be handling traffic.
From the point of view of the management server and smart Dash or smart Consul,
it appears to be just one security gateway. And again, if I would have created the security group as a V s ex security group,
I would want to have created a V s ex gateway object instead of a checkpoint security get weight, object.
I'm just going to install a very simple policy for demonstration purposes. I just used the cleanup rule and set the action to accept.
I explained before that
after the security group was created and the single management object host came up and was responsive connected to that
via the Web user interface, and I
set up the
interfaces that I had assigned to the security Groopman. I did that so that
when I established sick with the new security gateway object and it pulls over the topology of that gateway,
it had the interfaces pre defined.
So policy installation is proceeding.
And once policy installation has successfully completed, then
this security group will be available for use.
in the security gateway object that I created for simplicity sake during this demonstration, I only had the firewall blade
And now that I have
installed my access control policy and if I want, I can go back in and
set up what other blades
that that I might want, including https inspection.
So next I'm gonna I'm gonna show you some command line commands that are useful in a maestro deployment both on the orchestrator and on the single management objects.