Hello, and welcome to Check Point Jump Start training on the Maestro Hyperscale Network Security Solution. There is an accreditation exam available after you complete this training. To take the exam, go to home.pearsonvue.com/checkpoint. The exam number is 156-412. There's a $49 fee to take the exam, but the exam is not proctored, so you can take it anytime, anywhere; you really just need a web browser.

Again, this training will be on the Maestro Hyperscale Network Security Solution. We're going to talk about security groups. We will also briefly discuss the option to have a dual-site setup. And most of this training will be demonstrations on how to initially configure and then set up, manage, monitor, and troubleshoot your Maestro deployment.

Maestro has two major types of components. The orchestrator is an appliance that acts as a traffic and CPU resource allocator, a traffic cop. It sends packets to specific security gateway modules and overall spreads out your traffic load amongst all of the security gateway modules assigned to handle that traffic. So it acts as a load balancer. It is also a network switch: packets that arrive on one port of the orchestrator are switched at layer 2 to an output port, with no routing.

The other major component is the security gateway modules. And these are just Check Point firewall appliances. They have to be compatible with the Maestro product; they have to meet certain hardware requirements. Most or all current Check Point appliances are compatible. If you have an older appliance, you need to check that. The beauty of Maestro is that you can start with your existing appliances, cable them into the orchestrator, and set up your security groups. And that's handling your current load. However, over time, load increases, traffic increases, and you may need to enable more CPU-intensive security blades.
So you can buy additional security gateway modules, additional firewall appliances, plug them into the orchestrator, and assign them to the existing security groups. And when that assignment is completed, the new security gateway modules will start handling their share of the traffic assigned to that security group.

There are currently two models of the orchestrator appliance. The MHO-140 has 48 small form-factor pluggable ports, each of which can do about 10 gigabits per second, and eight quad small form-factor pluggable ports, each of which can do about 100 gigabits per second. And in the quad ports, you can insert a four-way splitter, which gives you four small form-factor ports, so you can increase the number of ports. The model 170 has 32 quad small form-factor pluggable ports, and again, you can insert a four-way splitter and get four ports. That gives you roughly the same number of ports as the 140 if you use splitters in the 170. Now, this is a 140 illustrated here; the 170 is similar.

The orchestrator appliance comes shipped to you with the ports allocated for different purposes by default. And you can change the purpose of a port. By default, on the 140, the first four ports are designated for management traffic, which is your security management server sending policy updates to security groups, or you using the web user interface or CLI to change Gaia configuration for the security group. Then there are uplink traffic ports, and these accept traffic from your various networks. So you have internal networks, you have DMZ, wireless, data center, and external networks, and those networks are routing traffic. And it gets routed through the orchestrator, which switches the incoming packet from the uplink port to the appropriate downlink port that your security gateway modules are plugged into. So for a given connection, the orchestrator will designate a specific downlink port that it will switch that traffic out to.
And so the security gateway module plugged into that downlink port is responsible for processing the traffic of that connection. And a second security gateway module is designated to be a backup. So if the active security gateway module for this connection fails, the backup will go active. And state synchronization has been done between the active and the backup to ensure that the state tables, the connection table, are up to date. You can have two orchestrators in your deployment. And if you do so, you need to plug a synchronization cable between them.

So the Maestro solution uses the notion of a security group. A security group is a collection of assigned security gateway modules and interfaces. When traffic arrives on an uplink port that has been assigned to the security group, the security group will receive this traffic. The security group, when you create it, you give it a name, which you're going to use in the security gateway object in SmartConsole. You also provide an IP address and network configuration. And that's the IP address that you're going to use in SmartConsole for the security gateway object. And you would also use that IP address for the web user interface or Secure Shell. And that IP address virtualizes the fact that there are actually multiple security gateways assigned to that security group. One security gateway, known as the single management object, will answer on that group's IP address. And so when you push policy, it goes to that one appliance, the single management object appliance. That will receive the policy and then transparently propagate the policy update to the other security gateway modules in the security group. Likewise, if you make configuration changes via the web user interface, you're making those changes to that security gateway module. The other security gateway modules will be transparently given your configuration changes.
So again, security groups provide a virtualization of the fact that there are actually multiple security gateways in the group. Now, for a given connection, it's active/backup: one security gateway module in the group is processing the traffic, and the other is being kept up to date. However, looking at the overall mix of traffic, there are many connections. And so different security gateway modules will be active for different connections, and that provides active/active load balancing.

As I said, when you use a security group, you're using the IP address that you've assigned to the security group in the SmartConsole security gateway object, as well as when you're using the web user interface. So any changes that you make are propagated from the single management object to the other gateways in the group, including hotfixes and jumbo hotfixes, if you enable that. A security group can also be designated a VSX security group. And if you do that, then in SmartConsole, you'll create a VSX gateway object instead of a regular security gateway object. Then when you deploy virtual systems to that VSX gateway object, those virtual systems will be replicated among all of the security gateway modules in the security group.

Now, there are some limits on the security group. There can be up to eight security groups defined in total, with 31 security gateway modules per group and a total of 52 security gateway modules connected to the orchestrator. Your orchestrator also provides a dual-site option, where you have two physically distant sites with synchronization between the two sites, and there are limits on tolerable latency and packet loss. You can have up to two orchestrators at each site, so a total of up to four orchestrators. And the limitation is that there can be up to 14 security gateway modules assigned to a security group per site. And it is a per-security-group setting whether or not to participate in dual-site.
If you don't enable that for a security group, then at site A perhaps there will be an active security gateway module and a backup. If the security group has been configured to use dual-site, then, say, at site A there's an active security gateway module and there's a backup. And at site B, there's also a backup security gateway module for this connection, and state synchronization is keeping it updated. So if we lose site A, we can continue to process traffic at site B. That security gateway module will go active, and another security gateway module at site B will be designated backup to provide the high availability.

There is an accreditation exam that goes along with this Jump Start training; it's available at pearsonvue.com/checkpoint. You don't have to go to a testing center, you can do it from your office or your home; it's proctored via a webcam. The exam number is 156-412. When you successfully pass the exam, then you earn the Maestro accreditation.

So now we're going to go into the demonstration of the Maestro product. We're going to look at how to initially configure and then set up your Maestro deployment, and use the security groups and policy. We'll also look at how you monitor the security groups, and we'll also discuss troubleshooting. So thank you for attending this Jump Start training.