VSX Cluster deployment & configuration - DemoPoint Academy

Captions
[Music]

Good morning everyone, and thank you for joining DemoPoint Academy sessions. My name is Yael Hacker, and together with me is Shai Levine. We are both from the Check Point Solution Center and we're responsible for the DemoPoint platform. Just in the session today we have partners and Check Point SEs from the US, Canada and Latin America, and I'm guessing that most of you are familiar with DemoPoint already, that you're using it already. What we thought was a good idea with DemoPoint Academy sessions is to increase your knowledge and confidence with Check Point technologies, and specifically with different blueprints that we have to offer as part of DemoPoint. Today we are going to present to you one of the blueprints, called VSX workshop, which will mainly focus on VSX cluster deployment and troubleshooting. It's already recorded, so you can also hear it later on.

Before we start, I wanted just a quick reminder for those of you who are less familiar with DemoPoint, just to show you where everything is placed. So let me connect to PartnerMAP User Center. Once I'm connected to User Center I have this option, DemoPoint environment. For partners it is not automatically enabled by default, so if you have new partners that would like to join this program, feel free to send us their User Center email and we will enable this role for them as part of their User Center account. Once you are logged in, you can see here all the different sessions that you already ran with your customers or for yourself. You go to Create Environment to start a demo. You have two options. The first option is running a demo, and here you have three different options: you can use DemoPoint as part of an event, do a customer demo, or a partner demo. Another option that you have is training, where you can speak in a class in front of a few students, or prepare yourself for a customer meeting, or just learn and practice to feel much more confident with the program, with the platform. I wanted to emphasize
it here in this session that it is very important that you keep your tracking correctly, that you keep the usage tracked correctly. This is very important for us. We monitor that, and we want to be able to show the correct value and usage from the field. So just for the testing, I'll show you where our demo is located. Just for the exercise, I chose the cloud region to be Europe, and here in the list of different blueprints that I have, you have cloud, mobile, advanced threat prevention; under Other you will have the VSX workshop that we're about to show you right now. I will let Shai from my team continue and do the demonstration. Important: if you have questions all along, please write them in the Q&A, and at the end Daphne, who is also in this session, from R&D, responsible for the product, will be able to answer all your questions live. So enjoy, and Shai, I'm doing stop share for you to take control.

Yeah, so hi everyone. Do you hear me and do you see me?

Yes, very well.

OK, good. So what I'm going to do now is to show you the, OK, basic steps for deploying the VSX cluster, and to deploy the virtual router and VSs in an MDS environment. I'm not going to cover all the steps in the cookbook, and after me, me roughly, who is the owner of the product from R&D, is going to answer questions and show you some tips and tricks on this VSX environment and talk about the use cases. And of course you can ask any question, and we will answer your questions while I deliver this webinar. So in this environment, basically, with three gateways: they're not configured, they are just after the first time wizard. We have an MDS with three CMAs, three virtual servers that are used as web servers, and let's see from cloud shell how it looks. This is the environment that you are going to get from DemoPoint. Once you click on the tabs you get connected to the machines. It's a VPN HTML5. Most of the work
is done from the client machine, so I prefer to connect to it via regular RDP, not via the browser. In order to access it, go to the machine list, click on the management and show more difference. You have here the username and the password. By the way, the password in this environment is always vpn123. In order to connect to the client machine, click on this button and you can download the RDP file. I'm already connected to the machine, so I do not need to take this step again.

So in this environment, again, with three gateways: they are all configured the same, and we are going to deploy these gateways inside a VSX cluster. In order to connect to the machine, just click on it and click inside the black screen. The user is admin, vpn123, and if I switch to clish you will see the interfaces. We have six interfaces in each machine. eth1 is the management interface, eth0 so is the management interface, and it's the same setup on each one of the gateways.

So I will connect to the management client, which is this one, and the first thing I'm going to do is open SmartConsole, and I'm going to connect to the MDS itself. I'm not going to connect individually to each one of the CMAs. I'm going to connect to the MDS because I want to show you the whole environment. I'm connected to the MDS, and inside the MDS you see the three CMAs. They are already configured, but there are no objects inside of them. We have the Japan CMA, the main VSX and the USA. I'm going to deploy the VSX cluster inside the main VSX, so I'm going to connect from here. I will right-click on the main VSX and connect to the main VSX, and I'm going to create the VSX cluster. So remember, I'm not creating a regular cluster, I'm creating a VSX cluster. So from this menu I choose VSX cluster. We'll call it the VSX cluster. IP 10.1.1.104, and this is going to be, for now, ClusterXL. I will choose the custom configuration. I will add the two nodes: node 1 with IP
10.1.1.101, vpn123, vpn123. Let's hope that we will have SIC. Yes, we have SIC. Now we'll add the second node, 10.1.1, by the way, I am running, it's all explained in the cookbook, OK? By the way, you have all the material here in the resource tab. You have the cookbook, which is a step-by-step guide to follow all the steps that I'm doing right now. We have everything in the cookbook, and if you want to get even more details and you want to see all the presentations we're delivering during the training class, you can download the materials in this zip file, with all the PDFs and the presentations we deliver during the training class.

So, like, to deploy the cluster: vpn123, vpn123. OK, we have SIC. I will click Next, and we are not going to use the trunk interface. We are going to use a dedicated interface for each area, so we are not using the trunk here, and we are going to use eth1 as a sync interface and it really matter which is which IP we choose. I will take 6.6.6.101, and for the other node 6.6.6.102, in class C, and I will choose all the default policy. I will enable all of those rules. This is access to the VSX cluster, and it's going to take something like five minutes to deploy. I already deployed it in here, so you can see this is the VSX cluster and I have two nodes.

Just remember that after you deploy it you need to open the manage licenses and packages, and you're going to receive here a red time because it doesn't pay he doesn't go into a very license. So open packages and licenses, and from here, from the license and contract, add license, and you have two license files. It's 10.1.1.5. You have two central licenses that you need to put on the CMA. OK, this is a central license that was generated for the CMA IP. Then just click on each one of the nodes and click attach a license. OK, very easy. It's also explained in the cookbook. So I deployed the VSX cluster, and I remind you again that I deployed it inside the main VSX, OK. What I'm going to do now: I reveal the
topology that I want to build. So I have the VSX cluster, all the square here is the VSX cluster, and I have nothing inside of it. What I'm going to show you now is how to deploy the virtual router inside the VSX cluster, and to deploy also a VS inside the Japan CMA and another VS inside USA. Since both VSs are going to use the virtual router, I'm going to deploy this virtual external router inside the main VSX, OK. So this is the first thing we are going to do: deploy the main virtual router inside the main VSX CMA. It is going to have one IP address, one interface that is connected to the router Internet, OK, with this IP, remember this IP, and we are also going to set a default route on this router that is going to be the extent of the router Internet.

So let's do it. I will connect to the main VSX, and from here I'm going to create a VSX virtual router. I will call it external virtual router, and I'm going to deploy it on top of the VSX cluster that we have just created, and I'm going to add an interface. So I'm going to deploy this interface on eth number two, and the IP address is going to be 172.16.1.1, netmask class C, in the cookbook 310 class B, but it doesn't really matter. So this is the IP, and we are going to add also a default route. The default route is to this IP; this is the IP of the router Internet, so it's 172.16.1.2. Click Next and Finish, and once it is ready I want to check the connectivity between the two routers. I already know that typically in this environment, in a cloud environment, we are going to have a problem with the connectivity. So I'm going to connect to the router Internet and I will try to ping the virtual router. I already know that the initial policy, the default policy of the virtual external router, is not going to allow ping, but at least I'm going to see in ARP, in layer 2, the MAC. So let's see if it's there, already installed. It's going to take another 10 seconds.
Let's wait.

Wait, Shai, in the meantime there is a question asked about RDP for other environments.

Yeah, it's not always available on other environments because it depends on the topology. Sometimes I need from this machine access to the Internet to go through the gateway, so I cannot also set the... so it depends on the default route, which is the default. But in every environment, basically, you can access RDP. If it's not available you can change the default route. So, OK, not change the default route, because the demo will not work, but you can add a static route: check what is your IP and then add a static route. We can take it offline. If you want to understand how to do it, just open an email and I will explain to you how to do it.

So we can see that the virtual router was deployed, and I'm going to check again. I want to check, to ping, from the router Internet to the virtual router. So again, the user is admin, vpn123. Ping 172.16.1.1. And ping I'm not going to get, because I know that the initial policy does not allow ping, but I'm going to check ARP, and as you can see I don't have connectivity on layer 2, because I don't see the MAC address here. So what I'm going to do, this is a workaround, OK? The workaround is to change the interface. This is only happening in this environment; on other environments you're not going to see it. So I'm going to change to eat eternity safe configure and replace it back, change it back to a timeout to say. I don't know how, but it's all the environment. This is because it's running on a nested environment. Let's wait for it. OK, so we finished, and now I'm going to change it back. It's not happening all the time, but from time to time it happens, and it's good it happened to me here, so I can show you how to fix it. OK, and we're good to go. So let's run ping again. I ping again and I will run arp again, and now I see the MAC address of the virtual router. OK, so we are ready to go to
the next step. So in the next step, what we are going to do: we just deployed the virtual router and we checked that we have connectivity between the external router and the virtual router, and now we are going to deploy the virtual system, the VS, USA VS, on top of the VSX cluster. But we are going to do it now not on the main VSX, not on the main CMA, but on the USA CMA. So I already opened the USA CMA, and just to remind you, if I'm going to the MDS I can click on it and connect to the domain, this CMA.

So now I'm going to create from this CMA a VSX virtual system. I will call it USA VS, and I'm going to deploy it on top of the VSX cluster. I click Next, and I need to create two interfaces: one leads to the internal network, to the web server, and one leads to the virtual router, OK. So the regular is the internal network. I will use eth3; it's 10.2.1.104, class C, and I will click here "propagate route to the adjacent", so the virtual router... so I won't need to create a static route on the virtual router; it is going to distribute the route to this internal network to the virtual router. Click OK, and now I'm going to create the interface that leads to the external router. So it leads to the external router, OK. Again, this interface leads to the external virtual router that was here, and the IP is going to be 172.17.107, and the last thing I'm going to do is to create a static route, the default route, to the virtual router. This is the default route. Click here Next and Finish.

While it's deploying this one, I will go to the Japan CMA. I am going to deploy the Japan VS, OK. So let's jump to Japan, and I will create a VSX virtual system. Let's call it Japan VS. We deploy it again on the VSX cluster; remember, the VSX cluster is on the main VSX. Click Next, and I will create again the regular. I will use eth4; it's 10 3 1 1 o 104 104. Just check what is the topology. I can check it here and log in to Japan and see
what is the default route. Route print: it's 104. OK, so 3.104 and class C, and I'm going also to distribute the route, and another interface that leads to the virtual router, and its IP is going to be 172.18.108.1, and a default route that goes to the virtual router, OK.

While it's deploying there, we switch to the USA, and I will allow all traffic or text in schools, and I will select accept, and I will install the policy here. Let's wait for install policy, and I will switch to Japan. It's still deploying the VS. After deployment of the VS I'm going also to allow any any accept in the policy. Accept, and publish, and install, and if everything goes well I will have a ping from the USA web server to the Japan web server. So let's wait for the policy to install and check the connectivity.

By the way, you remember that I told you that we don't have ping, right? So in order to enable ping (I don't know if you know it or not, some of you know it), you can go to the main CMA, where the virtual router is installed, and if you open the policy, let's say the VSX cluster policy, you can see here the default policy allows ping, OK? You can see echo request. If you install the policy and you choose the targets, the policy target, you choose also to add the virtual router, OK, so you will have ping. OK, this is the default policy that it's creating when the VSX cluster is deployed. The same also today I to a do not walk. Let's have it, that's the virtual router also here, right? Again, software installation of this policy should evolve into the virtual router, OK? You say no way thinks. This is how you do, OK.

So after we install the policy both in USA and Japan (we install the policy in USA, now from Japan), you can log in to the US
A web server, and we will ping to Japan. It's 10.3.1.201. OK, now we have ping. By the way, for me it's also, even in a very loaded environment, that once you deploy the VS and install the policy, the policy does not load, so you won't see a ping here. So to check this issue you can install a second time; it always solves the problem. So the second time, the push always solves the problem.

But you have also another option to troubleshoot and to see if this is the issue. I will show you in a sec. We will open SSH to VSX gateway number two; I think this is the active member. OK, so admin, vpn123, and just check if this is the active member: cphaprob stat. cphaprob stat will show you the active member, and now I'm the local, this is the... oh, I need to switch to member number one. So I will open an SSH connection to VSX gateway one, which is the active member, and there is a very useful command, vsx stat -v. It will show you all the virtual components that are running, so you can see the external virtual router, USA VS, Japan VS, and you also see the ID of the system. So, for example, if you want to log in to USA VS, we would switch to, vsenv number 2; this is the environment of USA, and you see that I switched to USA VS, and I can run ifconfig. You see that here's the IP that I gave. Sometimes, if you don't have ping, you will see the default IP. OK, so push policy again and it is going to fix it. And also see here in vsx stat -v, we can see that it got the policy, got a Standard policy.

The last thing that I want to show: what do you say, if I ping from the USA web server to the Australia web server, do you think I will have connectivity? I'm telling you that you are not going to have connectivity, because the router, the Internet router, does not know the internal IP of USA. I will just show it to you. We connect to the router Internet and I will
see what are the routes. As you can see, it doesn't see the internal IP; it just sees the interfaces that are connected to the router, to the virtual router. OK, so one option is to add the static routes on the external virtual router, and another option is to just create source NAT, hide NAT, whatever you want, on each one of the VSs.

So if I go to USA web and try to ping to Japan, so, to Australia web server, I'll show you it again. OK, trying to ping from USA to Australia, so we need to go to this part, OK, and this router does not know this network. OK, so I'm going to create static NAT, so once this server is going to Australia web, the source IP will be changed to the IP of the firewall. OK, so just let me make sure that I'm not speaking nonsense and that we don't have traffic. So we'll ping the Australia web server. So, USA web server: I will ping to 172.31.1.201. OK, and I don't have connectivity.

So what I'm going to do now is create a NAT. So go to USA, and I will create the network, USA LAN, and that is 10.2.1.0, class C, OK. And I will create... I will show you a more complicated NAT rule, and create another, OK, Japan, OK, because I want to create just a hide NAT once the packet destination is Japan. You don't want to create a NAT rule for all packets, so, packets that are going to Australia. I don't want to create a NAT rule for packets that are going to Japan, OK? So I want to create NAT only for traffic that is going to Australia. Let's say I don't want to create a NAT rule that translates the packet once it's going to Japan web, OK? So just this direction NAT is not good, not good here. I don't need NAT because there is routing between the two sides. As you remember, once I created the VSs I published the networks from here and also the network from here, when I connected the VS to the virtual router, OK. So now I'm going to create Japan... sorry, Australia. Australia LAN, and the IP in Australia is 172
31 1 2, class C. And the last thing I'm going to create: I'm going to create this network, this host, because I want to hide this network behind this IP, and the firewall was created with the internal, so I cannot use this object with a LAN IP. So let's call it firewall external, and that is going to be 172.17.107.1. And I'm going to create the NAT rule: from USA LAN to Australia, I'm going to use the external object, the firewall external, OK. But I'm not going to use static; I cannot hide the LAN with static. I must change it to hide; if not, the policy will fail to install, OK. And I'm going to install the policy. After I install the policy I will have a ping from USA to Australia. OK, so now I ping to the Australia server and it's doing a translation.

I think we covered the main three steps in the cookbook. To complete the other steps is going to take another two hours or so, so I think that I gave you the basic confidence to deal with this lab. If you can send me feedback, I can also prepare a lab with all the VSs and the cluster already prepared, so we will have two labs: this one, for training, where you are building everything from scratch, and I create another one, more for demos. So let's say that the cluster will be already deployed, and maybe also the external virtual router, and in the demo you just need to deploy the VS, or if you want another configuration. And if you can think about another relevant scenario, just send me an email, and if I see a lot of demand I will do the requested changes. So I think that I finished with the demo. Let's say that you can take it from here, and if you want to do more drill down and show some tips and tricks and answer questions, now it's all yours. So thank you very much, and Nev.

Thank you, Shai, and you... I'm trying to unmute him. Nice. Yeah, yeah, yeah. We really nice top shelf so you can show you screen up. Speak a
bit louder, names. Yeah. Can you hear me now? Yeah. OK.

So hi everyone. As I said, I'm Nev. I'm the team leader from R&D... (a bit louder, a bit louder) yes, yes, from R&D, and I have actually been using this setup and the cookbook in general for our VSX trainings. I see from the participants here some of you have actually been in the sessions I've done, so those of you who have been know the... and worked with the lab to begin with. And so far it's been very productive, both in training... you know, you guys didn't know better. And the good thing about the culture in general is that you have availability to access it whatever, so you can always train yourself.

So I'll start with a quick run of the cookbook, of the labs we have. Currently we have the creation of the VSX cluster, as Shai did, and adding the two VSs and routers with propagated routes. Also we have a lab to create manual and automatic NAT behind the VS connectivity using static and hide NAT. Later on we are converting clusters to VSLS, adding a new cluster member, so you can have three members running in VSLS with remembers buying with distribution, and failing over individual VSs and monitoring them. We also have a reconfigure of members with a predefined error that we placed, OK? So basically we set up two duplicated default routes on the gateway, and when we try to reconfigure, the configuration fails, and then you can troubleshoot it and find out the error and see how you can handle the problematic issues and how you can use the troubleshooting to locate the problem. And in the end we have a bit of basic troubleshooting for clusters, so you can see what's going on in your cluster monitoring setups.

Now I'll show you, just so you can get a quick understanding of how the cookbook looks. In each lab we have a good indication of what to do. We also give you a few guidelines on what to look for. For example, you can open GuiDBedit and see the configuration, OK? You can see the VS repository
and see the files of the VS, or conversely we ask you to look for specific stuff. This is very good, so you can understand not just how to operate the machines and flows, but also to look and understand how the VS is happening under the hood, OK.

Now, I'm saying this referring to the cookbook, but it's not just about the cookbook itself, OK, because you can also use it for every POC you want to do. So first of all, Shai showed you how to use the MDS, right, and how to connect between different CMAs. But VSX doesn't have to work on an MDS environment. You can do all the things he just did but keep it all on a single domain. If you aren't familiar with MDS and you want to start working on VSX on our secure but if you're smart console, you can do it just on the MDS environment we have: just log in to a single domain, create all the VSX and VSs and virtual router and switch and everything on a single domain, OK.

Another important note you should notice: as Shai told you, some policy installations might fail, OK, and in the cookbook we provide you some workarounds, how to just reinstall it, or, in the virtual router, just change the interface from one to another, just to make sure it happens. It's something that can happen on an extremely loaded environment, and since it's a current environment it can be overloaded, especially if there's a training going on at the same time, OK. And for that reason also make sure you don't overstress your machines. This setup is not designed for a large environment, OK. I would not do a demo over 20 VSs or 50 VSs or, you know, 100 rules on a single policy installation, OK. This is something for basics: see how the VSs work, turn on blades and configure them, OK. And as I said, if you have additional configuration you want, or if you have additional trainings you think that you should add, for example maybe we'll add upgrade procedures, OK, or changing the private notes and so on, if you have any additional information you feel like, not just having the deployment there,
just also adding more to the cookbook itself, OK, let us know and we can work it out.

Now, in addition to the cookbook itself, in the training, which is basically do your own training and get to know the product, you can also do your own training if you're an expert in VSX and you want to share your information with the customers or with your team members or with whoever. You can use these to train additional people, OK. You can talk to Yael and see if it's available to create, for example, as I do when I do SE training in the United States: we go and we create a cell lab for fifteen people, and everyone just joins with their laptops, everyone can connect to the workshop and have their own different setup and go train together. Well, in addition, we have a presentation, we have a lab ready to go. We don't have to go over the trouble of setting up VMwares and installing hardware and everything. It's all in the cloud and very easy to port from place to place, OK.

Another very, very good way of using this setup and workshop, and I hope you do that, is to set up your own demos, OK. You can use it not just for the VSX clusters and VSs and so on that we do in the cookbook. You can set up two VSs and add blades, OK, and set up a specific topology that your customer is interested in and show it. You don't have to set up a VMware and then go to the customer site and log in to your setup or anything like that. It's all portable and available in the cloud. You can do whatever demo you want on this lab. It's very flexible, OK. If you want I can show you, you can add it in the Q&A, I can show you some basic configurations that we can use. You already have a client in the house, you can pass traffic through there. Very convenient to handle.

Another very good way you can use the product is just to check the VSX, where I can find some limitations or available features. And some of you may know VSX supports most of the Check Point features, but some
of the features with Blackie certain blades are not available in bridge mode, we don't have QoS, and some small limitations, right, and some features we have some small functionalities that are not yet supported, and so on. So you can always just use this setup to verify: do we support anything, do we not. Most of it is documented, but sometimes it's much easier to just verify the product before you start to drill down to the permutations, OK. So mostly this is what I have as a guide, I think, and my recommendations to you on how to use this VSX water and environment. If you have any more specific questions regarding it, you can add them in the Q&A and I can set it up.

Nev, I wanted to take control and show one thing here as well. You're done?

Yes.

OK. Can you see my screen?

Not yet. [Music] Yeah, now we could.

OK, so until we have questions, if we have questions, I wanted to have the two mailing lists in front of you. The first one is for Check Point, the second one is for partners, and the SK that we keep updating. The recorded session will be updated on the SK, and also I will send you an email through the mailing list with all the information. Again, to remind you, if you have additional partners that are interested in DemoPoint, send it to me directly, to Shai, or to the mailing list, and we will make sure they get the relevant role.

I see David is asking if SEs are no longer using VMware internal labs. So I guess they're using both, depending on what they feel more confident with, but we do see an increase in the usage of DemoPoint. We're getting great feedback from the field, from partners, that it is very helpful. The fact that they don't need to build their own setup and waste time and hours building their own configuration, and just click play and use an existing environment, saves them lots of time. It's very helpful, and we do see a major increase in the usage every month. So continue using DemoPoint. We believe it is very helpful for you, and also share any feedback that you
have. The next sessions that we're planning to do for the Academy are based on your feedback, on what you feel less confident with in the product. We want to give you the training and we want to increase your confidence. It's based on your feedback, so continue sharing your feedback with us, and we're trying to really have a good platform that will serve you and be helpful for your day to day.

OK, so if we don't have additional questions, I think we're good. Shai, Nev, anything that you want to add?

No.

OK, so thank you everyone, and have a great day. Thank you, bye bye.

[Music]
Info
Channel: Check Point Software Technologies, Ltd.
Views: 14,376
Keywords: vsx cluster, VSX Cluster deployment & configuration, vsx configuration, virtual systems, virtual router, switches, routing, deployment, cyber, cyber security, cyber attacks, cyber security deployment, malware, ransomware, databreach, vsx, troubleshoot vsx, deploy vsx
Id: huyC1iXv9D4
Length: 51min 54sec (3114 seconds)
Published: Mon Jul 23 2018