
[Classification: Protected]

24 April 2023

QUANTUM MAESTRO

Getting Started Guide

Summary of Contents for 1U

Page 1: ...Classification Protected 24 April 2023 QUANTUM MAESTRO Getting Started Guide...

Page 2: ...ty Gateway Object in SmartConsole 17 Part 4 Monitoring the Security Group Members 17 Hardware Components 18 MHO 140 Front Panel 23 MHO 140 Rear Panel 24 Ports 25 Mounting the Quantum Maestro Orchestra...

Page 3: ...Table of Contents Quantum Maestro Getting Started Guide 3 Connecting to the Downlink Ports with DAC or Fiber Cables 66 Quantum Maestro Orchestrator Ports and Gaia OS Interfaces 69...

Page 4: ...distributes traffic between the Security Appliances assigned to Security Groups n Ability to connect more Security Appliances and use their resources easily in the existing Security Groups Overview Q...

Page 5: ...head Phillips screws with a round patch 6 32x1 4 100 Deg Patch 360 Cables and Adapters n 2 power cables Type C13 C14 n 2 cable retainers n 1 DB9 to RJ45 serial console cable n 1 DAC cable 3m Document...

Page 6: ...76 Bpps l MHO 140 Throughput of up to 1280 Gbit sec and processing capacity up to 2 97 Bpps n Flat latency in the cut through mode l MHO 175 425 ns l MHO 170 300 ns l MHO 140 300 ns n Speeds of 1 10 4...

Page 7: ...FP28 use QSFP to SFP breakout cables 8 1 28 Tbit sec Quantum Maestro Orchestrator supports different interfaces and speed rates when you use QSFP to SFP adapters or hybrid cables For more information...

Page 8: ...k on page 29 2 Install the Security Appliances for your Security Groups Procedure a Install the applicable Expansion Line Cards if required in the appliances See Installing and Removing Line Cards Mae...

Page 9: ...you must use only the supported transceivers See sk92755 Compatibility of transceivers for Check Point appliances See n Port Mapping for the Quantum Maestro Orchestrator MHO 140 on page 20 n Connecti...

Page 10: ...chestrator and 1 out of 4 ports on the Quad Port Card on each Security Appliance Illustration Instructions On each Security Appliance C in the Security Group a Connect a cable from Port 1 on the Quad...

Page 11: ...on the Quad Port Card to a Downlink port on the first Orchestrator A b Connect a cable from Port 3 on the Quad Port Card to a Downlink port on the first Orchestrator A c Connect a cable from Port 2 on...

Page 12: ...age 63 Port Speed on a Switch Port Type on the Orchestrator Cable to Use 10 Gbps SFP SFP28 Ports 5 26 Fiber or DAC 40 Gbps QSFP QSFP28 Ports 49 55 Fiber DAC or Breakout 100 Gbps QSFP QSFP28 Ports 49 5...

Page 13: ...ith these default credentials n Username admin n Password admin Best Practice Change the default password If the SSH connection is interrupted after the password change log in again with the new passw...

Page 14: ...eway set static route default nexthop gateway address IPv4 Address on Example set static route default nexthop gateway address 192 168 10 1 on d Save the configuration save config 7 Connect the MGMT p...

Page 15: ...3 From the left navigation panel click Orchestrator More information The Topology section contains the table that shows these sections from left to right Pane Description Unassigned Gateways All dete...

Page 16: ...the assigned Management port eth X Mgmt Y on the Orchestrator front panel and your switch More information See n Port Mapping for the Quantum Maestro Orchestrator MHO 140 on page 20 n Connecting to t...

Page 17: ...uired settings 3 Configure the applicable rules in the Access Control Policy 4 Configure the applicable rules in the Threat Prevention Policy 5 Install the Access Control Policy on this Security Gatew...

Page 18: ...al and internal networks 8 RJ45 port for Console connection 3 Ports 17 30 are the Downlink ports lead to Security Appliances 9 Port 32 is the Synchronization port on the same Site leads to the peer Or...

Page 19: ...roups lead to the Check Point Management Server 6 System Health LEDs 2 Ports 3 16 are the Uplink ports 40 Gbps 100 Gbps lead to external and internal networks 7 Port 30 is the Synchronization port in...

Page 20: ...the Synchronization port in Dual Site leads to the peer Orchestrator on another Site 3 Ports 5 26 are the Uplink ports 1 Gbps 10 Gbps lead to external and internal networks 9 Management port Mgmt1 fo...

Page 21: ...ts with the Port Label from 1 to 48 1G or 10G l Ports with the Port Label from 49 51 53 and 55 4x10G 40G or 100G l Ports with the Port Label from 50 52 54 and 56 40G or 100G 4 Configure the port type...

Page 22: ...Hardware Components Quantum Maestro Getting Started Guide 22 6 Examine the port configuration show maestro port Port ID qsfp mode show maestro port Port ID type...

Page 23: ...5 to 26 colored blue To these ports you connect your external traffic and internal traffic networks You use DAC or Fiber cables with transceivers 4 Downlink ports 27 to 47 colored orange To these port...

Page 24: ...tor Gaia Portal and Gaia Clish 5 RJ45 port labeled 1 through which it is also possible to configure the Gaia Operating System on the Quantum Maestro Orchestrator Gaia Portal and Gaia Clish 6 Reset but...

Page 25: ...capabilities 100 MbE to 1 GbE Notes n For more information see the l Quantum Maestro Quick Start Guide for MHO 175 and MHO 140 l Quantum Maestro Quick Start Guide for MHO 170 and MHO 140 n In MHO 140...

Page 26: ...Ports Quantum Maestro Getting Started Guide 26 Orchestrator Model Location of the MGMT Port On the front panel On the rear panel MHO 175 N A MHO 170 N A MHO 140 N A...

Page 27: ...ossible to connect to this interface an external USB storage device for software upgrade or file management Do not use excessive force when inserting or removing the USB storage device to and from the...

Page 28: ...trator Model Location of the RS232 Console Port On the front panel On the rear panel MHO 175 N A MHO 170 N A MHO 140 N A You use this port for initial configuration and debugging Use a Terminal applic...

Page 29: ...e proper ventilation to maintain good airflow at ambient temperature n Unless otherwise specified Check Point products are designed to work in an environmentally controlled data center with low levels...

Page 30: ...fan units in the same rack need to have the same air flow direction A mismatch in the air flow affects the heat dissipation in the rack Static Rail Kit for MHO 170 and MHO 140 The Quantum Maestro Orc...

Page 31: ...l kit Item Description A 2 x Rack mount rails B 2 x Rack mount blades that slide into the rack mount rails A C 8 x M6 standard cage nuts and 8 x M6 standard Phillips pan head screws D 4 x Phillips fla...

Page 32: ...head screws D to secure the rack mount rails A to the Quantum Maestro Orchestrator You must use at least two of these screws on each side n You use the cage nuts and Phillips pan head screws C to secu...

Page 33: ...Maestro Orchestrator to which you choose to attach the rails determines the Quantum Maestro Orchestrator s adjustable side The Quantum Maestro Orchestrator s part to which the blades are attached sho...

Page 34: ...ht cage nuts C in the desired 1U slots of the rack Notes n The red frame on the image denotes the Quantum Maestro Orchestrator inside the rack n Install four cage nuts on each side of the Quantum Maes...

Page 35: ...eft and right rack mount rails A to the left and right sides of the Quantum Maestro Orchestrator 2 Use the Phillips flat head screws D to secure each rack mount rail A to each side of the Quantum Maes...

Page 36: ...s supporting the Quantum Maestro Orchestrator perform these steps Step Instructions 1 Mount the Quantum Maestro Orchestrator into the rack enclosure 2 Attach the mount rail ears E to the rack s posts...

Page 37: ...nt blade ears F face the rack s posts correctly 2 Slide the rack mount blades B inside the rack mount rails A to fit your rack s depth 3 Attach the mount blade ears F to the rack s posts 4 Use the fou...

Page 38: ...nnection is established When a logical connection is made the relevant port LED lights up To remove a cable disengage the locks and slowly pull the connector away from the port receptacle The LED indi...

Page 39: ...Mounting the Quantum Maestro Orchestrator MHO 140 and MHO 170 in a Rack Quantum Maestro Getting Started Guide 39 MHO 140 Cable Orientation...

Page 40: ...If after five minutes the System Status LED is lit in red color unplug the power cords and contact Check Point Support 4 Check the status of the Quantum Maestro Orchestrator LEDs see LED Notification...

Page 41: ...GbE port into four 10 GbE ports see Splitting the Ports with Breakout Cables below Splitting the Ports with Breakout Cables In This Section Breakout Cables 41 MHO 175 Splitting Options 43 MHO 170 Spl...

Page 42: ...Connecting Cables to Quantum Maestro Orchestrators Quantum Maestro Getting Started Guide 42...

Page 43: ...colored green into four SFP28 ports In MHO 175 all port LEDs are located on the right side There are 32 LEDs that correspond to the 32 physical ports You can connect 1 to 4 breakout cables to physical...

Page 44: ...assign these interfaces to Security Groups Example When you connect a breakout cable to the top port 8 interface eth1 29 you get Port Number on the Front Panel Interface Name in Gaia OS Port Name in G...

Page 45: ...able to port 8 interface eth1 29 then in this LED indication mode 1 the port LED 8 shows the state of the interface eth1 29 Port 1 8 1 2 Only the second LED from the left is lit 2 Port LEDs show the s...

Page 46: ...ports each When the top odd ports 1 to 29 colored green are in split mode the corresponding bottom QSFP28 even ports 2 to 30 are disabled colored red Important It is not supported to connect a breakou...

Page 47: ...d After you connect breakout cables to the supported top ports you get four additional interfaces starting from the original interface name You assign these interfaces to Security Groups Example When...

Page 48: ...same site Diagram Important It is possible to connect only two Quantum Maestro Orchestrators of the same model see MBS 5038 Best Practice Connect cables to the same Uplink and Downlink ports on the tw...

Page 49: ...n 1 Network 1 connected to ports on the Networking Device 3 2 Network 2 connected to ports on the Networking Device 3 3 Networking Device router or switch that connects your Network 1 and Network 2 to...

Page 50: ...terface ethX MgmtY on a Quantum Maestro Orchestrator to different Security Groups The assigned Management port has a different IP address and a different MAC address in each Security Group to which th...

Page 51: ...ro Orchestrator 16 to the Security Appliance 30 20 A DAC cable Fiber cable with transceivers or Breakout cable that connects a Downlink port on the first Quantum Maestro Orchestrator 15 to the Securit...

Page 52: ...curity Group 1 contains l Applicable Uplink ports to which the cables 10 and 11 are connected l Security Appliances 30 and 29 l Applicable management port or split interface to which the Management Se...

Page 53: ...e Dual Port Card to a Downlink port on the first Orchestrator A 2 Connect a cable from Port 2 on the Dual Port Card to a Downlink port on the second Orchestrator B Connecting cables between Downlink p...

Page 54: ...ard to a Downlink port on the first Orchestrator A 2 Connect a cable from Port 3 on the Quad Port Card to a Downlink port on the first Orchestrator A 3 Connect a cable from Port 2 on the Quad Port Car...

Page 55: ...s only on this Bond interface 2 Configure a second Bond interface 5 on two slave ports This Bond interface connects Network 2 to the Quantum Maestro Orchestrators Configure the applicable settings so...

Page 56: ...tum Maestro Orchestrator 16 Perform these steps 1 With cable 19 connect a Downlink port in our example Port 18 to the applicable port on the first Security Appliance 30 in the Security Group 1 31 2 Wi...

Page 57: ...ps For more information that applies to MHO 175 see n Connecting to the Management Port with DAC or Fiber Cables n Connecting to the Management Port with Breakout Cables For more information that appl...

Page 58: ...he Bond interfaces in the Security Group 1 a Connect to the Gaia Operating System on the Security Group 1 b Configure a Bond interface on the applicable two slave Uplink ports in our example Port 1 3...

Page 59: ...C cable Fiber cable with transceivers or Breakout cable n The sections below provide a high level description Connecting to the Management Ports with DAC or Fiber Cables Important When you connect two...

Page 60: ...o assign the same Management port interface ethX MgmtY on a Quantum Maestro Orchestrator to different Security Groups The assigned Management port has a different IP address and a different MAC addres...

Page 61: ...o MHO 140 Quantum Maestro Getting Started Guide 61 Connecting to the Uplink Ports with DAC or Fiber Cables Example of a connection to default Uplink ports 5 to 26 Example of a connection to default Up...

Page 62: ...network 2 that communicates with production network 1 1 through a Security Group configured on the Quantum Maestro Orchestrator 6 A DAC or Fiber cable with transceivers connected to an Uplink port in...

Page 63: ...rted Guide 63 Connecting to the Uplink Ports with Breakout Cables Important It is possible to connect breakout cables only to the top ports 49 51 53 and 55 When the specific top ports are in a split m...

Page 64: ...Security Group 30 6 A Breakout cable connected to an Uplink port in our example Port 49 on the first Quantum Maestro Orchestrator 8 See Breakout Cables on page 41 Notes n This cable splits the Uplink...

Page 65: ...colored blue dash lines show connections to the second Quantum Maestro Orchestrator 12 n It is possible to configure some of the Downlink ports as additional Uplink ports See the Maestro Administrati...

Page 66: ...Connecting Cables to MHO 140 Quantum Maestro Getting Started Guide 66 Connecting to the Downlink Ports with DAC or Fiber Cables Example of a connection to default Downlink ports 27 to 47...

Page 67: ...able with transceivers connected to a Downlink port in our example Port 34 on the second Quantum Maestro Orchestrator 2 and to the applicable port on the Expansion Line Card on the Security Appliance...

Page 68: ...orts as additional Downlink ports See the Maestro Administration Guide for your version Chapter Configuring Security Groups Section Configuration Procedure Section Configuring Security Groups in Gaia...

Page 69: ...s to the ports on the Quantum Maestro Orchestrator s front panel the default configuration Important The Gaia Operating System on the Quantum Maestro Orchestrator does not let you configure the networ...

Page 70: ...8 1 3 eth1 09 Port 1 3 1 19 dl73 Port 1 19 1 4 eth1 13 Port 1 4 1 20 dl77 Port 1 20 1 5 eth1 17 Port 1 5 1 21 dl81 Port 1 21 1 6 eth1 21 Port 1 6 1 22 dl85 Port 1 22 1 7 eth1 25 Port 1 7 1 23 dl89 Por...

Page 71: ...Port 2 19 1 4 eth2 13 Port 2 4 1 20 dl77 Port 2 20 1 5 eth2 17 Port 2 5 1 21 dl81 Port 2 21 1 6 eth2 21 Port 2 6 1 22 dl85 Port 2 22 1 7 eth2 25 Port 2 7 1 23 dl89 Port 2 23 1 8 eth2 29 Port 2 8 1 24...

Page 72: ...Port 1 X X for the first Quantum Maestro Orchestrator l eth2 XX and Port 2 X X for the second Quantum Maestro Orchestrator n The tables above show the default configuration before you connect breakout...

Page 73: ...t 1 18 1 3 eth1 05 Port 1 3 1 19 dl37 Port 1 19 1 4 eth1 07 Port 1 4 1 20 dl39 Port 1 20 1 5 eth1 09 Port 1 5 1 21 dl41 Port 1 21 1 6 eth1 11 Port 1 6 1 22 dl43 Port 1 22 1 7 eth1 13 Port 1 7 1 23 dl4...

Page 74: ...dl37 Port 2 19 1 4 eth2 07 Port 2 4 1 20 dl39 Port 2 20 1 5 eth2 09 Port 2 5 1 21 dl41 Port 2 21 1 6 eth2 11 Port 2 6 1 22 dl43 Port 2 22 1 7 eth2 13 Port 2 7 1 23 dl45 Port 2 23 1 8 eth2 15 Port 2 8...

Page 75: ...1 X X for the first Quantum Maestro Orchestrator l eth2 XX and Port 2 X X for the second Quantum Maestro Orchestrator n The tables above show the default configuration before you connect breakout cabl...

Page 76: ...1 6 eth1 06 Port 1 6 1 34 dl34 Port 1 34 1 7 eth1 07 Port 1 7 1 35 dl35 Port 1 35 1 8 eth1 08 Port 1 8 1 36 dl36 Port 1 36 1 9 eth1 09 Port 1 9 1 37 dl37 Port 1 37 1 10 eth1 10 Port 1 10 1 38 dl38 Po...

Page 77: ...on the Front Panel Interface Name in Gaia OS Port Name in Gaia OS 23 eth1 23 Port 1 23 1 51 eth1 53 Port 1 53 1 24 eth1 24 Port 1 24 1 52 eth1 55 Port 1 52 1 25 eth1 25 Port 1 25 1 53 eth1 57 Port 1...

Page 78: ...ort 2 34 1 7 eth2 07 Port 2 7 1 35 dl35 Port 2 35 1 8 eth2 08 Port 2 8 1 36 dl36 Port 2 36 1 9 eth2 09 Port 2 9 1 37 dl37 Port 2 37 1 10 eth2 10 Port 2 10 1 38 dl38 Port 2 38 1 11 eth2 11 Port 2 11 1...

Page 79: ...rt 2 27 1 55 eth2 61 Port 2 61 1 28 dl28 Port 2 28 1 56 eth2 63 Port 2 63 1 Table Second MHO 140 ports and interfaces continued Notes n When you connect two Quantum Maestro Orchestrators MHO 140 for r...
