In the previous two articles (first, second) we examined how Check Point Maestro works, together with the technical and economic advantages of the solution. Now I would like to move on to a specific example and describe a possible implementation scenario for Check Point Maestro. I will show a typical specification as well as the network topology using Maestro (L1, L2 and L3 diagrams). In effect, you will see a ready-made standard design.
Suppose we have decided to use the scalable Check Point Maestro platform. For that we take a bundle of three 6500 gateways and two orchestrators (for full fault tolerance): CPAP-MHS-6503-TURBO + CPAP-MHO-140. The physical connection diagram (L1) looks like this:
Note that the Management ports of the orchestrators, located on the rear panel, must be connected.
I suspect that much of this picture is not self-explanatory, so here is a typical L2 (OSI layer 2) diagram straight away:
A few key points of the scheme:
- The two orchestrators are normally installed between the core switches and the external switches, i.e. the Internet segment is physically isolated from the core.
- The "core" is assumed to be a stack (or VSS) of two switches, on which a four-port port-channel is configured. For Full HA, each orchestrator connects to each switch; you can also get by with a single link per orchestrator, as is done for VLAN 5, the management network (red links).
- The links that carry production traffic (yellow) go to 10 Gigabit ports, using CPAC-TR-10SR-B SFP+ transceivers.
- The orchestrators are connected to the external switches in the same (Full HA) way (blue links), but via Gigabit ports with the corresponding SFP modules, CPAC-TR-1T-B.
The gateways themselves are connected to each of the orchestrators using the DAC cables included in the bundle (Direct Attach Cable (DAC), 1 m, CPAC-DAC-10G-1M):
As the diagram shows, there must also be a synchronization link (pink) between the two orchestrators; the required cable is also included. The final specification is as follows:
Unfortunately, I cannot publish prices publicly, but you can always request them for your project.
The L3 diagram is a lot simpler:
As you can see, at layer 3 all the gateways appear as a single device. The orchestrators themselves are not addressable on the data path: they are reachable only via the management network (VLAN 5 in the L2 scheme).
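To make the "Full HA" wiring above concrete, here is an added example (my own illustration, not code from the article or from Check Point). It models the L2 scheme as a graph and checks which single device or link failures, and which pairs of device failures, would cut every path from the core side to the external switches through a gateway. The device names (core-sw1, mho-1, gw-1 and so on), the assumption that the sync and management links carry no production traffic, and the assumption that the management links terminate on the core stack are mine, not the article's.

```python
"""Failure analysis of the Maestro L2 wiring described above.

Added illustration, not code from the article or from Check Point:
the topology is modelled as an undirected graph and we ask which
single device/link failures (and which pairs of device failures)
leave no path core switch -> orchestrator -> gateway -> orchestrator
-> external switch. Device names are illustrative assumptions.
"""
from collections import deque
from itertools import combinations

# Constructed link list following the article's L2 scheme. Link roles
# follow the colours used in the text; the management links are assumed
# (my assumption) to terminate on the core stack.
LINKS = [
    ("core-sw1", "mho-1", "10G uplink"),   # yellow: both orchestrators to
    ("core-sw2", "mho-1", "10G uplink"),   # both core switches (Full HA)
    ("core-sw1", "mho-2", "10G uplink"),
    ("core-sw2", "mho-2", "10G uplink"),
    ("ext-sw1", "mho-1", "1G uplink"),     # blue: same pattern towards the
    ("ext-sw2", "mho-1", "1G uplink"),     # external switches
    ("ext-sw1", "mho-2", "1G uplink"),
    ("ext-sw2", "mho-2", "1G uplink"),
    ("gw-1", "mho-1", "DAC"), ("gw-1", "mho-2", "DAC"),   # each gateway is
    ("gw-2", "mho-1", "DAC"), ("gw-2", "mho-2", "DAC"),   # cabled to both
    ("gw-3", "mho-1", "DAC"), ("gw-3", "mho-2", "DAC"),   # orchestrators
    ("mho-1", "mho-2", "sync"),            # pink: orchestrator sync only
    ("core-sw1", "mho-1", "mgmt"),         # red: VLAN 5 management, one
    ("core-sw2", "mho-2", "mgmt"),         # link per orchestrator
]

DATA_ROLES = {"10G uplink", "1G uplink", "DAC"}   # sync/mgmt carry no user traffic
CORE = {"core-sw1", "core-sw2"}
EXTERNAL = {"ext-sw1", "ext-sw2"}
GATEWAYS = {"gw-1", "gw-2", "gw-3"}


def data_links(links):
    """Keep only the links that carry production traffic."""
    return [(a, b) for a, b, role in links if role in DATA_ROLES]


def reachable(start, links, removed_nodes=(), removed_links=()):
    """Breadth-first search from `start` over the surviving links."""
    adj = {}
    for a, b in links:
        if a in removed_nodes or b in removed_nodes:
            continue
        if (a, b) in removed_links or (b, a) in removed_links:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = {s for s in start if s not in removed_nodes}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def has_inspected_path(links, removed_nodes=(), removed_links=()):
    """True if some core switch still reaches some external switch via a gateway.

    In an undirected graph that is exactly the case when one gateway lies
    in the same connected component as a surviving core switch and a
    surviving external switch.
    """
    from_core = reachable(CORE, links, removed_nodes, removed_links)
    from_ext = reachable(EXTERNAL, links, removed_nodes, removed_links)
    return any(gw in from_core and gw in from_ext for gw in GATEWAYS)


def single_points_of_failure(links):
    """Devices and links whose single failure breaks the inspected path."""
    dl = data_links(links)
    nodes = sorted({n for link in dl for n in link})
    bad_nodes = [n for n in nodes if not has_inspected_path(dl, removed_nodes={n})]
    bad_links = [l for l in dl if not has_inspected_path(dl, removed_links={l})]
    return bad_nodes, bad_links


def fatal_pairs(links):
    """Device pairs whose simultaneous failure isolates the segment."""
    dl = data_links(links)
    nodes = sorted({n for link in dl for n in link})
    return [pair for pair in combinations(nodes, 2)
            if not has_inspected_path(dl, removed_nodes=set(pair))]


def single_core_uplinks(links):
    """Variant the article allows: one 10G uplink per orchestrator."""
    dropped = {("core-sw2", "mho-1"), ("core-sw1", "mho-2")}
    return [(a, b, r) for a, b, r in links
            if not (r == "10G uplink" and (a, b) in dropped)]


if __name__ == "__main__":
    for name, topo in (("Full HA", LINKS),
                       ("single core uplink", single_core_uplinks(LINKS))):
        nodes, links = single_points_of_failure(topo)
        print(f"{name}: SPOF devices={nodes} SPOF links={links}")
        print(f"{name}: fatal device pairs={fatal_pairs(topo)}")
```

On the Full HA wiring the check reports no single point of failure and three fatal pairs: both core switches, both external switches, or both orchestrators. With only one core uplink per orchestrator there is still no single point of failure, but two more pairs become fatal: one core switch together with the orchestrator that is uplinked to the other one. That is the concrete trade-off behind the Full HA recommendation.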
That concludes this short article. If you have questions about the diagrams or need the source files, leave a comment or write to us by e-mail.
In the next article we will try to show how Check Point Maestro handles load balancing and run a load test. So stay tuned (Telegram, Facebook, VK, TS Solution Blog)!
P.S. My thanks to Anatoly Masover and Ilya Anokhin (Check Point) for their help in preparing these diagrams!