Check Point Maestro Hyperscale Network Security - New Scalable Security Platform
Check Point has started 2019 quickly, making several announcements at once. It is impossible to cover everything in one article, so let's start with the most important one: Check Point Maestro Hyperscale Network Security. Maestro is a new scalable platform that lets you increase the "power" of a security gateway to enormous figures, and almost linearly. This is achieved by load balancing between individual gateways that work in a cluster as a single entity. Someone may say: "We already had that! There are the 44000/64000 blade platforms." However, Maestro is a different matter. In this article I will briefly try to explain what it is, how it works and how this technology can save money on network perimeter protection.
Before and after
The easiest way to understand how the new scalable platform differs from the good old 44000/64000 is to look at the picture below:
The difference is obvious.
Old Check Point Platform 44000/64000
As can be seen from the picture above, the first option is a fixed platform (chassis) into which a limited number of special "blade modules" (Check Point SGM, Security Gateway Module) can be inserted. All of them connect to the Security Switch Module (SSM), which balances traffic between the gateways. The picture below shows the components of this platform in more detail:
This is a great platform if you know exactly what performance you need now and how far it may grow. However, because of the fixed form factor (12 or 6 blades) you are limited in further scaling. In addition, you are forced to use only SGM blades, with no possibility of connecting conventional gateway appliances, which have a much wider model range. With the advent of Maestro Hyperscale Network Security, the situation changes dramatically.
New Check Point Maestro Hyperscale Network Security Platform
Check Point Maestro was first introduced on January 22 at the CPX conference in Bangkok. The main characteristics can be seen in the picture below:
As you can see, the main advantage of Check Point Maestro is the ability to use conventional gateways (appliances) for balancing. That is, we are no longer limited to SGM blades. The load can be distributed between any devices starting from the 5600 model (SMB models and the 44000/64000 chassis are not supported). The picture above shows the main figures that can be achieved with the new platform. We can combine up to 31 gateways into one computing resource! Now your firewall might look like this:
Maestro Hyperscale Orchestrator
I'm sure many already have a question: "What is this Orchestrator?" Well, meet it. The Maestro Hyperscale Orchestrator is the device responsible for load balancing. It runs the Gaia R80.20 SP operating system. Currently there are two Orchestrator models: MHO-140 and MHO-170. Their characteristics are in the picture below:
At first glance it may seem to be a regular switch. In fact, it is a "switch + balancer + resource management system", all in one box.
Gateways are connected to these Orchestrators. If the balancers are to be fault-tolerant, each gateway connects to each orchestrator. Optics (SFP+ / QSFP+ / QSFP28) or DAC (Direct Attach Copper) cables can be used for the connection. In this case there must naturally also be a synchronization link between the orchestrators:
In the picture below you can see how the ports of these orchestrators are distributed:
For the load to be distributed between gateways, those gateways must be in the same Security Group. A Security Group is a logical group of devices that functions as an active/active cluster. Each group functions independently of other Security Groups. From the point of view of the management server, a Security Group looks like one device with one IP address.
If necessary, we can move one or several gateways into a separate Security Group and use that group for other purposes, as a separate firewall from the management point of view. An example is shown in the picture below:
An important limitation: only identical gateways (the same model) can be used within one Security Group. That is, if you want to grow the capacity of your security gateway (which is a cluster of several devices) linearly, you must add exactly the same gateway model. In upcoming software releases this restriction should disappear.
In the video below you can see the process of creating the Security Group. The procedure is intuitive.
Again, if you compare the components of Maestro with the chassis platform, you get something like the following "before and after":
What is the benefit of a new platform?
There are actually many advantages, both technical and economic. I will briefly outline the most important ones:
- We are practically unlimited in scaling: up to 31 gateways within one Security Group.
- We can add gateways as needed. The minimum purchase is one orchestrator plus two gateways. There is no need to buy a model with headroom "for growth".
- Another plus follows from the previous point. We no longer need to replace gateways that can no longer cope with the load. Previously this problem was solved with a trade-in procedure: you handed over the old hardware and got a new one at a discount. With such a scheme, financial "losses" are inevitable. The new scaling procedure eliminates this factor. You do not need to hand anything over; you simply keep increasing capacity with additional hardware.
- The ability to combine existing resources for load sharing. For example, you can “drag” all your clusters onto the Maestro platform and assemble several Security Groups, depending on the load.
Maestro Hyperscale Network Security Bundles
Currently there are several options for acquiring so-called bundles with the Maestro platform. These are solutions based on the 23800, 6800 and 6500 gateways:
In this case, you can choose from two standard types of configuration:
- One orchestrator and two gateways;
- One orchestrator and three gateways.
Here you can see the approximate prices. Naturally, you can add another orchestrator and as many gateways as you like. Further information on specifications can be requested here .
The 6500 and 6800 are the newest models, also introduced earlier this year. We will talk about them in more detail in the next article.
When can I buy?
There is no definite answer yet. At the moment there is no information on when these solutions will be imported into our country. As soon as information on timing appears, we will immediately make an announcement in our communities ( vk , telegram , facebook ). In addition, a webinar dedicated to the Check Point Maestro solution is planned for the near future, where all the technical features will be covered. And of course, you will be able to ask questions. Stay tuned!
Of course, the new Maestro Hyperscale Network Security platform is an excellent addition to Check Point's hardware solutions. In fact, this product opens a new segment, in which not every information security vendor has a comparable solution. Moreover, to date Check Point Maestro has virtually no alternatives when it comes to providing such unprecedented "security power". However, Maestro Hyperscale Network Security will be interesting not only to data center owners but also to ordinary companies. Maestro can already be considered by anyone who owns or intends to purchase devices starting from the 5600 model. In some cases, using Maestro Hyperscale Network Security can be a very profitable solution from both an economic and a technical point of view.
P.S. The article was prepared with the participation of Anatoly Masover, Scalable Platform Expert, Check Point Software Technologies.