Check Mates Maestro under the hood 2022

Slide 1: Hyperscale Security
©2022 Check Point Software Technologies Ltd.
Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist
September 29, 2022
Slide 2: Agenda
• Maestro Traffic Handling
• Maestro Internal Networking
• Maestro Backplane Architecture
• Maestro Configuration Database
• Further Reading
Slide 3: TRAFFIC HANDLING
• DISTRIBUTION
• CORRECTION LAYER
• HYPER-SYNC
Slide 4: Scalability of Quantum Maestro
• Maestro is an active/active cluster where all cluster members process traffic
• Orchestrators facilitate scalability by evenly distributing the traffic load across the cluster members
• An optimal distribution configuration is key to the performance and scalability of a Maestro solution.
[Figure: the load of Connection A, Connection B and Connection C spread across the cluster members]
Slide 5: Traffic Distribution
• Traffic load-balancing mechanism across Security Group members
• The distribution decision is based on IP-addresses and ports (if L4 mode is enabled)
• Each packet is distributed at the interface level where it is first seen
  - i.e. outgoing and incoming traffic hit different interfaces and can be distributed to different SGMs (asymmetric distribution)
• A traffic flow is always handled by the same SGM. In case of asymmetric distribution, the correction layer forwards packets to the owner of the flow.
Slide 6: Distribution Modes
User Mode:
• Packets are assigned to an SGM based on the destination IP-address and source port*. Per interface.
Network Mode:
• Packets are assigned to an SGM based on the source IP-address and destination port*. Per interface.
General Mode:
• Packets are assigned to an SGM based on source and destination IP-address and ports*. Global per Security Group.
* = ports are only relevant if L4 distribution is enabled.
Slide 7
[Figure: Client to Server flow 1.1.1.10:2345 -> 2.2.2.10:80 through SGM #1 to SGM #4, one member Active and one Backup, with Sync between them]
1. Convert the source or destination IP (depending on the distribution mode) to a hash value in the range 0 to 511. For example, source IP 1.1.1.10 gives hash 266; this is the bucket number.
2. Look up the port number in the matrix according to the hash value.
3. Send the traffic to the selected port, i.e. to the SGM connected to this port.
[Matrix: buckets 0 … 511 mapped to downlink port numbers (27, 28, 29, 30); the exact bucket-to-port columns were lost in extraction]
Slide 8: Out of the Box Distribution
• The default distribution setting is called auto-topology*
• Each port is either in user mode or network mode depending on the topology of the port defined in the gateway object
• Topology must be correctly defined for auto-topology distribution to work correctly!
[Figure: internal interfaces in User Mode; external interfaces in Network Mode; no distribution on the management interface]
* L4-mode is enabled by default. Disable it unless recommended otherwise by Check Point.
Slide 9: Distribution Scenarios
• Use auto-topology in perimeter gateways with hide NAT
  - Internal interfaces in user mode, i.e. outgoing traffic (destination IP)
  - External interface in network mode, i.e. incoming/return traffic (source IP)
  - Each SGM has the full range of hide NAT ports available
  - In summary, in auto-topology mode the distribution is always based on the IP-address in the Internet, which does not change
• Use general mode in data center gateways that do not perform NAT
  - Uses source and destination IP for distribution
  - Each SGM has only a portion of the hide NAT ports available
• Use manual user/network mode per port in complex scenarios
Slide 10: Distribution with NAT
[Figure: client 1.1.1.10/24, gateway internal interface 1.1.1.254/24, gateway external interface 2.2.2.254/24, server 2.2.2.10/24; request and response paths]
Request before hide NAT: 1.1.1.10:2345 -> 2.2.2.10:80; after hide NAT: 2.2.2.254:2345 -> 2.2.2.10:80
Auto-topology mode: make the distribution decision based on the IP-address that does not change (typically a server's IP-address in the Internet). Internal interface in user mode, external interface in network mode.
Slide 11
Distribution Mode Configuration
Current distribution mode: show distribution configuration
Change distribution mode: set distribution configuration
Set distribution per interface: set distribution interface
Distribution simulation: dxl calc
Distribution service utility: distutil
Slide 12: What is the Correction Layer?
The Cluster Correction Layer (CCL) is a mechanism that handles asymmetric connections in systems with several cluster members.
Goal: allow a traffic flow to be handled by a single cluster member, even if the flow is asymmetric (see sk169154 for details).
Note: for Maestro in bridge mode see sk172164 for details.
Slide 13: How the Correction Layer works
• The SGM where the initial Client to Server (C2S) packets are distributed becomes the owner of the connection in the connections table.
• The owner calculates which SGM will receive the return packets of the connection. This SGM is called the target.
• If the target is different from the owner, the connection is determined to be asymmetric and the owner synchronizes the connection to the target.
• The target SGM won't process the packets it receives, but sends them to the owner for processing.
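The distribution modes of slides 6 to 10 and the owner/target rule above can be checked in a small simulation. The following is an added example, not Check Point code: the real distribution hash and the orchestrator's bucket matrix are not shown on the slides, so a CRC32 of the hashed fields modulo 512 and a round-robin bucket-to-SGM matrix stand in for them, and the SGM names, the hide-NAT address 2.2.2.254 (taken from slide 10) and the flows are constructed. It shows why auto-topology with hide NAT produces no asymmetric flows while general mode behind hide NAT does, and reports the share of flows the correction layer would have to handle.

```python
"""Toy model of Maestro distribution modes and correction-layer asymmetry.

Added example, not Check Point's code. Assumptions: the real distribution
hash and bucket matrix are not given on the slides, so a CRC32 of the
selected header fields modulo 512 stands in for the hash and the 512
buckets are dealt round-robin across the SGMs; SGM names, the hide-NAT
address 2.2.2.254 (slide 10) and the sample flows are constructed.
"""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

BUCKETS = 512  # hash values 0..511, as on the distribution slide
NO_PORT = 0    # stands in for "port not hashed" when L4 mode is off


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """Server-to-client packet of the same flow (addresses swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def bucket(fields: Tuple) -> int:
    """Stand-in hash: fold the selected fields into a bucket 0..511."""
    key = "|".join(map(str, fields)).encode()
    return zlib.crc32(key) % BUCKETS


def build_matrix(sgms: List[str]) -> Dict[int, str]:
    """Bucket -> SGM matrix with buckets dealt round-robin (assumption)."""
    return {b: sgms[b % len(sgms)] for b in range(BUCKETS)}


def hash_fields(pkt: Packet, mode: str, l4: bool) -> Tuple:
    """Header fields each distribution mode hashes (slide 6). User and
    network mode both yield an (ip, port) pair, so a request seen in user
    mode on the internal interface and its reply seen in network mode on
    the external interface hash to the same bucket."""
    if mode == "user":      # destination IP + source port (with L4)
        return (pkt.dst_ip, pkt.src_port if l4 else NO_PORT)
    if mode == "network":   # source IP + destination port (with L4)
        return (pkt.src_ip, pkt.dst_port if l4 else NO_PORT)
    if mode == "general":   # both endpoints, direction-independent
        a = (pkt.src_ip, pkt.src_port if l4 else NO_PORT)
        b = (pkt.dst_ip, pkt.dst_port if l4 else NO_PORT)
        return tuple(sorted([a, b]))
    raise ValueError(f"unknown distribution mode {mode!r}")


def select_sgm(pkt: Packet, mode: str, matrix: Dict[int, str], l4: bool = True) -> str:
    """The SGM a packet is distributed to on an interface in the given mode."""
    return matrix[bucket(hash_fields(pkt, mode, l4))]


def hide_nat(pkt: Packet, external_ip: str) -> Packet:
    """Hide NAT as drawn on slide 10: source IP rewritten, source port kept."""
    return Packet(external_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def classify_flow(c2s, internal_mode, external_mode, matrix, nat_ip=None, l4=True):
    """Owner = SGM receiving the first C2S packet on the internal interface.
    Target = SGM the reply lands on at the external interface. The flow is
    asymmetric, and needs the correction layer, when they differ (slide 13)."""
    owner = select_sgm(c2s, internal_mode, matrix, l4)
    outbound = hide_nat(c2s, nat_ip) if nat_ip else c2s
    target = select_sgm(outbound.reply(), external_mode, matrix, l4)
    return owner, target, owner != target


def corrected_ratio(flows, internal_mode, external_mode, matrix, nat_ip=None, l4=True) -> float:
    """Share of flows the correction layer would have to forward."""
    hits = sum(classify_flow(f, internal_mode, external_mode, matrix, nat_ip, l4)[2]
               for f in flows)
    return hits / len(flows)


def sample_flows(n: int = 200) -> List[Packet]:
    """Constructed client flows from 1.1.1.0/24 to web servers in 2.2.2.0/24."""
    return [Packet(f"1.1.1.{10 + i % 200}", 20000 + i, f"2.2.2.{10 + i % 5}",
                   80 if i % 2 else 443) for i in range(n)]


if __name__ == "__main__":
    matrix = build_matrix(["SGM1", "SGM2", "SGM3", "SGM4"])
    flows = sample_flows()
    scenarios = {
        "auto-topology + hide NAT": ("user", "network", "2.2.2.254"),
        "general mode, no NAT": ("general", "general", None),
        "general mode + hide NAT": ("general", "general", "2.2.2.254"),
    }
    for label, (imode, emode, nat) in scenarios.items():
        ratio = corrected_ratio(flows, imode, emode, matrix, nat)
        print(f"{label:28s} corrected {ratio:6.1%}")
```

Run as a script it prints the corrected-traffic share for the three scenarios: the two pairings the talk recommends stay at 0 %, while general mode behind hide NAT lands well above the 10 % threshold given on the next slide, because the NATed reply no longer carries the client endpoint that the owner's hash was computed from.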
Slide 14: Correction Layer and Performance
• With correction, traffic will work regardless of the asymmetric distribution
• A traffic flow is always handled end to end by the same SGM.
• A lot of corrected traffic will cause performance issues (10% is a good threshold)
• If you have a lot of corrected traffic, tune the distribution mode (if using auto-topology mode, make sure your topology is defined correctly)
• Verify with:
  - cphaprob corr
  - asg_perf_hogs
Slide 15: Hyper Sync
• Each connection is synchronized to two Security Group members (Active and Backup). In case of Dual Site there is a second Backup on the Standby site
• Provides guaranteed redundancy
• Provides scalability for large scale deployments by reducing Sync traffic overhead
[Table: connection tables of SGM1, SGM2 and SGM3; each of the connections 1.1.1.1:1234 -> 2.2.2.1:80, 1.1.1.10:2211 -> 2.2.2.20:22, 3.5.6.3:4578 -> 2.2.2.1:80 and 3.5.6.33:4578 -> 2.2.2.10:8081 appears on exactly two of the three SGMs]
Slide 16
[Figure: the Client to Server flow of slide 7 across SGM #1 to SGM #4 with Active and Backup members and Sync between them; after a FAILURE of one member, Active and Backup roles with Sync are shown re-established on the remaining members]
Slide 17: Monitoring Distribution – asg perf -v
Performance numbers are equal across all blades if distribution is well tuned.
Callouts on the output: SecureXL statistics per SGM; CoreXL statistics per SGM (medium and firewall path).
+------------------------------------------------------------------------------------------------------------------------------+
|Per SGM Distribution Summary |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
|SGM ID |Throughput |Packet rate |Conn. rate |Concurrent Conn. |Accel. Cores usage |Instances Cores usage |Mem. usage |
| | | | | |(avg/min/max %) |(avg/min/max %) | |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
|1_01 |871.6 M |228.8 |27.9 |1.4 |75/60/100 |51/49/55 |75% |
|1_02 |883.5 M |230.3 |27.9 |1.4 |70/53/100 |33/31/36 |75% |
|1_03 |893.8 M |231.3 |27.9 |1.4 |70/52/100 |41/39/44 |75% |
|1_04 |887.0 M |230.2 |27.8 |1.4 |66/46/100 |46/44/49 |75% |
|1_05 |874.7 M |228.8 |27.7 |1.4 |68/50/100 |49/46/51 |75% |
|1_06 |883.2 M |229.9 |27.9 |1.4 |69/52/100 |36/34/39 |75% |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
|Total |5.3 G |399 |334.0 |292 |69/46/100 |43/31/55 |75% |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
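As an added example (not Check Point code and not a real tool), here is a parser for the Per SGM Distribution Summary table above, together with the imbalance check a monitoring job would run on it. SAMPLE is the table from this slide copied verbatim; SKEWED is a constructed table with one overloaded member. The 10 % threshold reuses the talk's rule of thumb for corrected traffic and is an assumption, as is the choice of the median as baseline.

```python
"""Parse the 'Per SGM Distribution Summary' of `asg perf -v` and flag SGMs
whose load is out of line with the rest of the Security Group.

Added example, not Check Point's code. SAMPLE is the table from the slide,
copied as-is; SKEWED is a constructed table with one overloaded member. The
10 % threshold mirrors the talk's rule of thumb for corrected traffic and is
an assumption; the baseline is the median, not the mean, so one hot member
does not drag the baseline toward itself.
"""
import re
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

SAMPLE = """\
+------------------------------------------------------------------------------------------------------------------------------+
|Per SGM Distribution Summary |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
|SGM ID |Throughput |Packet rate |Conn. rate |Concurrent Conn. |Accel. Cores usage |Instances Cores usage |Mem. usage |
| | | | | |(avg/min/max %) |(avg/min/max %) | |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
|1_01 |871.6 M |228.8 |27.9 |1.4 |75/60/100 |51/49/55 |75% |
|1_02 |883.5 M |230.3 |27.9 |1.4 |70/53/100 |33/31/36 |75% |
|1_03 |893.8 M |231.3 |27.9 |1.4 |70/52/100 |41/39/44 |75% |
|1_04 |887.0 M |230.2 |27.8 |1.4 |66/46/100 |46/44/49 |75% |
|1_05 |874.7 M |228.8 |27.7 |1.4 |68/50/100 |49/46/51 |75% |
|1_06 |883.2 M |229.9 |27.9 |1.4 |69/52/100 |36/34/39 |75% |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
|Total |5.3 G |399 |334.0 |292 |69/46/100 |43/31/55 |75% |
+------------+------------+------------+------------+------------------+--------------------+----------------------+-----------+
"""

# Constructed: member 1_03 carries roughly twice the load of the others.
SKEWED = """\
|1_01 |880.0 M |230.0 |27.9 |1.4 |70/50/100 |40/38/42 |75% |
|1_02 |885.0 M |231.0 |27.9 |1.4 |71/52/100 |41/39/43 |75% |
|1_03 |1.9 G |470.0 |55.0 |2.8 |98/90/100 |80/78/85 |80% |
"""

UNITS = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}
SGM_ID = re.compile(r"^\d+_\d+$")  # data rows carry IDs such as 1_01


@dataclass(frozen=True)
class SgmStats:
    sgm_id: str
    throughput_bps: float
    packet_rate: float
    conn_rate: float
    concurrent_conn: float
    accel_cores: Tuple[int, int, int]     # avg/min/max %
    instance_cores: Tuple[int, int, int]  # avg/min/max %
    mem_pct: int


def parse_scaled(text: str) -> float:
    """'871.6 M' -> 871.6e6, '27.9' -> 27.9."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?)", text.strip())
    if not m:
        raise ValueError(f"unparseable number {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_triplet(text: str) -> Tuple[int, int, int]:
    """'75/60/100' -> (75, 60, 100)."""
    avg, lo, hi = (int(x) for x in text.strip().split("/"))
    return (avg, lo, hi)


def parse_summary(text: str) -> Dict[str, SgmStats]:
    """One record per SGM row; header, separator and Total rows are skipped."""
    rows: Dict[str, SgmStats] = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not SGM_ID.match(cells[0]):
            continue
        rows[cells[0]] = SgmStats(
            sgm_id=cells[0],
            throughput_bps=parse_scaled(cells[1]),
            packet_rate=parse_scaled(cells[2]),
            conn_rate=parse_scaled(cells[3]),
            concurrent_conn=parse_scaled(cells[4]),
            accel_cores=parse_triplet(cells[5]),
            instance_cores=parse_triplet(cells[6]),
            mem_pct=int(cells[7].rstrip("%")),
        )
    return rows


def imbalance(rows: Dict[str, SgmStats], metric: str = "throughput_bps") -> float:
    """Largest relative deviation of any SGM from the group median for `metric`."""
    vals = [getattr(r, metric) for r in rows.values()]
    base = median(vals)
    return max(abs(v - base) / base for v in vals) if base else 0.0


def hot_members(rows: Dict[str, SgmStats], metric: str = "throughput_bps",
                threshold: float = 0.10) -> List[str]:
    """SGMs whose `metric` sits more than `threshold` away from the median,
    a sign that distribution is not well tuned (slide 17)."""
    base = median(getattr(r, metric) for r in rows.values())
    if not base:
        return []
    return [sid for sid, r in rows.items()
            if abs(getattr(r, metric) - base) / base > threshold]


if __name__ == "__main__":
    for name, table in (("slide sample", SAMPLE), ("constructed skew", SKEWED)):
        stats = parse_summary(table)
        print(f"{name}: {len(stats)} SGMs, throughput imbalance "
              f"{imbalance(stats):.1%}, hot members: {hot_members(stats) or 'none'}")
```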
Slide 18: MAESTRO ARCHITECTURE
• INTERNAL NETWORKING
• MAESTRO DOWNLINK ARCHITECTURE
• ORCHESTRATOR CONFIGURATION DATABASE
Slide 19: Uplinks And Downlinks
UPLINKS: the actual interfaces used by the Security Gateway; they are visible in SmartConsole on the gateway object.
DOWNLINKS: the abstraction layer of Maestro, forming the system backplane, i.e. data plane, sync and management.
[Figure: uplinks (Up) toward the INTERNAL and EXTERNAL networks, downlinks (Down) toward the appliances]
Slide 20: Backplane
2 x or 4 x 10G/40G/100G Direct Attach Cable (DAC) connected between each appliance and the Orchestrator (Downlinks).
What about SFPs? (answered in the speaker notes at the end)
[Figure: Orchestrator between the INTERNAL and EXTERNAL networks with DAC downlinks to the appliances]
Slide 21: Maestro Traffic and Connectivity Explained
1. Packets arrive at the MHO uplink ports.
2. Packets are matched against the distribution algorithm and sent via the downlinks to the correct SGM.
3. The SGM processes the traffic, syncs it with a backup SGM and sends it back to the MHO for outbound delivery.
[Figure legend: Blue = Downlink to Orchestrator 1; Green = Downlink to Orchestrator 2; Blue + Green = Redundancy; Orange = Sync; Pink = Uplinks; Red = Security Group Management; INTERNAL and EXTERNAL networks on the uplink side]
Slide 22: Maestro Internal Network (CIN)
• CIN (chassis internal network) is the internal network used for monitoring and communication of the Maestro system.
• CIN is relevant per site
• Internal range is 198.51.100+SG.m (third octet 100 + Security Group number, last octet the member number)
• Allows SGMs to communicate with the orchestrators
• VLAN 3900 + SG
Slide 23: Maestro Sync Networks
• 192.0.2.0 is the network for internal synchronization between SGMs and for configuration sync between the MHOs on the same site (203.0.113 is used for inter-site sync)
• SGMs on site 1: 192.0.2.1 – 192.0.2.14
• SGMs on site 2: 192.0.2.15 – 192.0.2.28
• The IP address of an SGM depends on the order in which it was added to the security group
Slide 24: Virtual Interfaces
• In Maestro the network interfaces are NOT physically installed on the cluster members (except the downlinks)
• Each physical front panel port of the MHO is represented as a network interface on an SGM by virtualizing it on the downlinks.
• Each MHO interface has its own VLAN-ID that the MHO tags and the SGM strips out.
• Internal networks and corrected traffic have their own VLAN-IDs as well.
• The tagging process is handled by the Backplane Fabric Module (BFM)
Slide 25: Security Groups
Logical group of appliances providing active/active cluster functionality, segregated from other security groups.
[Figure: appliances labelled SECURITY GROUP 1 between the INTERNAL and EXTERNAL networks]
Slide 26: Downlink architecture
[Figure: Orchestrator front panel (ports 1 to 56) connected by downlinks to Check Point appliances, each with LOM, CONSOLE, SYNC, MGMT and 10G ports 1 to 8]
VLAN plan on the downlinks:
• Traffic ports' VLANs: 1023 + port number
• Correction Layer VLAN: 3700 + SG
• CIN VLAN: 3900 + SG – addresses 198.51.100+SG.m
• SYNC VLAN: 3800 + SG – addresses 192.0.2.m
The Orchestrator tags traffic with a VLAN-ID based on the port the traffic is received on. The SGM strips the VLAN-ID.
Slide 27: Downlink Architecture
Example: Security Group 1
[Figure: Orchestrator front panel (ports 1 to 56) with downlinks to two appliances, SGM1 and SGM2]
SGM1 sees on its downlink: VLAN 1024 (eth1-Mgmt1); VLAN 1028 (eth1-05); VLAN 1029 (eth1-06); VLAN 3701 (Correction Layer); VLAN 3901 (CIN) – 198.51.101.1; VLAN 3801 (SYNC) – 192.0.2.1
SGM2 sees on its downlink: VLAN 1024 (eth1-Mgmt1); VLAN 1028 (eth1-05); VLAN 1029 (eth1-06); VLAN 3701 (Correction Layer); VLAN 3901 (CIN) – 198.51.101.2; VLAN 3801 (SYNC) – 192.0.2.2
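The VLAN and address formulas on the last two slides can be written down as a small address-plan helper. The following is an added example, not Check Point code: it applies exactly the formulas printed above (traffic VLAN 1023 + port, correction layer 3700 + SG, CIN 3900 + SG with 198.51.(100+SG).m, SYNC 3800 + SG with 192.0.2.m); the 56-port front panel, the SG range 1 to 99 (so that the 37xx, 38xx and 39xx blocks stay disjoint) and the placement of site-2 members at 192.0.2.(14+m) are assumptions made here. classify_vlan is the reverse direction, what an SGM can read from the tag the orchestrator applied, which is also what a monitoring check needs in order to notice a frame tagged for a different Security Group arriving on a downlink.

```python
"""Maestro downlink VLAN and internal-address plan for a Security Group.

Added example, not Check Point's code. Formulas are the ones printed on the
downlink-architecture slides: traffic VLAN = 1023 + orchestrator port,
correction-layer VLAN = 3700 + SG, CIN VLAN = 3900 + SG with address
198.51.(100+SG).m, SYNC VLAN = 3800 + SG with address 192.0.2.m.
Assumptions: orchestrator ports run 1..56 as drawn, SG numbers run 1..99 so
the three VLAN blocks do not overlap, and site-2 members take 192.0.2.(14+m)
to match the 192.0.2.15-28 range on the sync-network slide.
"""
from typing import Dict, List, Tuple

MAX_PORT = 56          # front-panel ports drawn on the orchestrator (assumption)
MAX_SG = 99            # keeps the 3700+SG, 3800+SG, 3900+SG blocks disjoint (assumption)
MEMBERS_PER_SITE = 14  # 192.0.2.1-14 on site 1, 192.0.2.15-28 on site 2 (slide 23)


def _check(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)


def traffic_vlan(port: int) -> int:
    """Uplink port N reaches the SGMs as VLAN 1023 + N (port 5 -> 1028, eth1-05)."""
    _check(1 <= port <= MAX_PORT, f"port {port} outside 1..{MAX_PORT}")
    return 1023 + port


def correction_vlan(sg: int) -> int:
    _check(1 <= sg <= MAX_SG, f"SG {sg} outside 1..{MAX_SG}")
    return 3700 + sg


def sync_vlan(sg: int) -> int:
    _check(1 <= sg <= MAX_SG, f"SG {sg} outside 1..{MAX_SG}")
    return 3800 + sg


def cin_vlan(sg: int) -> int:
    _check(1 <= sg <= MAX_SG, f"SG {sg} outside 1..{MAX_SG}")
    return 3900 + sg


def cin_address(sg: int, member: int) -> str:
    """CIN address 198.51.(100+SG).m, e.g. SG 1 member 2 -> 198.51.101.2."""
    _check(1 <= sg <= MAX_SG, f"SG {sg} outside 1..{MAX_SG}")
    _check(1 <= member <= 254, f"member {member} outside 1..254")
    return f"198.51.{100 + sg}.{member}"


def sync_address(member: int, site: int = 1) -> str:
    """Sync address 192.0.2.m on site 1; site 2 continues at .15 (assumption: .14 + m)."""
    _check(site in (1, 2), f"site {site} must be 1 or 2")
    _check(1 <= member <= MEMBERS_PER_SITE, f"member {member} outside 1..{MEMBERS_PER_SITE}")
    return f"192.0.2.{(site - 1) * MEMBERS_PER_SITE + member}"


def classify_vlan(vlan_id: int) -> Tuple[str, int]:
    """Plane a tagged frame belongs to and the port or SG number its VLAN-ID
    encodes: what an SGM knows once it reads the orchestrator's tag."""
    if 1024 <= vlan_id <= 1023 + MAX_PORT:
        return ("traffic", vlan_id - 1023)
    for kind, base in (("correction", 3700), ("sync", 3800), ("cin", 3900)):
        if base + 1 <= vlan_id <= base + MAX_SG:
            return (kind, vlan_id - base)
    raise ValueError(f"VLAN {vlan_id} is not part of the Maestro plan")


def member_plan(sg: int, member: int, ports: List[int], site: int = 1) -> Dict[str, object]:
    """Per-member downlink view as on slide 27: the front-panel ports the
    SGM sees, plus its correction, CIN and SYNC VLANs with both addresses."""
    return {
        "traffic": {traffic_vlan(p): p for p in ports},
        "correction": correction_vlan(sg),
        "cin": (cin_vlan(sg), cin_address(sg, member)),
        "sync": (sync_vlan(sg), sync_address(member, site)),
    }


if __name__ == "__main__":
    # Reproduces the Security Group 1 example: ports 1 (Mgmt1), 5 and 6.
    for m in (1, 2):
        print(f"SGM{m}:", member_plan(1, m, [1, 5, 6]))
    print("VLAN 3702 on an SG 1 downlink would be:", classify_vlan(3702))
```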
Slide 28: Backplane Configurations
• Backplane interfaces are aggregated as BPEth0 and BPEth1. Slave interfaces are ethsBPx-01-04.
• Max. of two slaves supported in current SW versions.
Slide 29: Backplane Configurations
[Figure: three backplane layouts, 2x10Gbps, 4x10Gbps, and 2x40Gbps or 2x100Gbps, each with BPEth0 and BPEth1 bond interfaces]
Slide 30: Security Groups Database - /etc/sgdb.json
The file contains:
• List of SGMs including serial numbers
• Management interface settings
• Traffic (uplink) interfaces
/etc/sgdb.json is located on all Orchestrators and Appliances. On Orchestrators it includes information about all Security Groups; on Appliances only about the Security Group relevant for that Appliance.
Slide 31: SMO Database
• The Orchestrator defines the internal networking parameters (CIN and SYNC networks and VLANs) in Maestro
• This information is stored in the SMO database, located in the /etc/smodb.json file on Orchestrators and Appliances
[Screenshots: /etc/smodb.json on an Orchestrator and on an Appliance]
Slide 32: Further Reading
• Secure Hybrid Data Center Solution Brief – Maestro sk168814
• Scalable Platforms – How to Configure Distribution Mode sk108842
• Configuration of Downlinks for Maestro appliances – sk158652
Speaker notes
• The correction layer requires cluster sync to be enabled on the service object in the policy.
• SFP support: SR transceivers up to 200m cable length. If the customer goes for 300m cable length we can support it.
• A direct connection must exist between orchestrators and appliances (direct means: no patch panel, no L2 devices).