MHO140 Quick Start

24 April 2023
QUANTUM MAESTRO
Getting Started Guide

[Classification: Protected]
Table of Contents
Table of Contents
Introduction 4
Overview 4
Shipping Carton Contents 5
Features 6
Speed and Throughput 7
Ports, Power Supply Units, and Fan Units 7
Getting Started with MHO-140 - Single Site with Two Orchestrators 8
Part 1 - Installing the Hardware and Connecting Cables 8
Part 2 - Initial Configuration on each Orchestrator 12
Part 3 - Configuration of Security Groups 15
Part 1 - Creating a New Security Group 15
Part 2 - Configuring Gaia Settings on the New Security Group 16
Part 3 - Configuring a Security Gateway Object in SmartConsole 17
Part 4 - Monitoring the Security Group Members 17
Hardware Components 18
MHO-140 Front Panel 23
MHO-140 Rear Panel 24
Ports 25
Mounting the Quantum Maestro Orchestrator MHO-140 and MHO-170 in a Rack 29
Connecting Cables to Quantum Maestro Orchestrators 41
Splitting the Ports with Breakout Cables 41
Breakout Cables 41
MHO-175 Splitting Options 43
Single Site 48
Connecting Two Quantum Maestro Orchestrators for Redundancy 48
Diagram 48
Workflow 55
Connecting Cables to MHO-140 59
Connecting to the Management Ports with DAC or Fiber Cables 59
Connecting to the Uplink Ports with DAC or Fiber Cables 61
Connecting to the Uplink Ports with Breakout Cables 63
Quantum Maestro Getting Started Guide | 2

Table of Contents
Connecting to the Downlink Ports with DAC or Fiber Cables 66

Quantum Maestro Orchestrator Ports and Gaia OS Interfaces 69

Introduction
Introduction
In This Section:
Overview 4
Shipping Carton Contents 5
Features 6
Speed and Throughput 7
Ports, Power Supply Units, and Fan Units 7
Quantum Maestro Orchestrator is a scalable Network Security System built to secure the largest networks in
the world by orchestrating multiple Check Point Security Appliances into a unified system.
The Quantum Maestro Orchestrator provides:
n Security of infinite scale
n Redundancy - Quantum Maestro Orchestrator automatically distributes traffic between the Security
Appliances assigned to Security Groups
n Ability to connect more Security Appliances and use their resources easily in the existing Security
Groups
Overview
Quantum Maestro Orchestrator 1U systems are ideal for leaf and spine data center network solutions that
provide maximum flexibility, with port speeds from 1 Gbit/sec to 100 Gbit/sec per port, and port density that
enables full rack connectivity to any server at any speed. The ports allow a variety of blocking ratios that suit
all application requirements.
Quantum Maestro Orchestrator 1U systems enable the use of 1, 10, 40 and 100 GbE port speeds in a large
scale without the need to change power infrastructure facilities.

Introduction
Shipping Carton Contents

This section describes the contents of the shipping carton.
Table: Shipping Carton Contents
Item Description
Appliance Quantum Maestro Orchestrator
Rack Mounting Accessories n 2 static (fixed) rack mount rails

n 2 rack mount blades
n 2 rack mount ears
n 8 M6 standard cage nuts
n 8 M6 standard pan-head Phillips screws
n 4 flat head Phillips screws with a round patch
(6-32x1/4", 100-Deg, Patch 360)
Cables and Adapters n 2 power cables (Type C13-C14)

n 2 cable retainers
n 1 DB9 to RJ45 serial console cable
n 1 DAC cable, 3m
Documentation n Quick Start Guide

n Port Mapping
n User license agreement
Notes:
n DB9 connectors are also known as DE9 connectors.
n Before installing your new Quantum Maestro Orchestrator, unpack it and check the parts list to make
sure that all the parts are in the package.
Check the parts for visible damage that may have occurred during shipping.

Introduction
Features
n Throughput and processing capacity:
l MHO-175 - Throughput of up to 3200 Gbit/sec and processing capacity up to 4.76 Bpps
n Flat latency in the cut-through mode:
l MHO-175 - 425 ns
l MHO-170 - 300 ns
l MHO-140 - 300 ns
n Speeds of 1, 10, 40, and 100 GbE
n Dynamically-shared, flexible packet buffering:
l MHO-175 - 42 MB
l MHO-170 - 16 MB
l MHO-140 - 16 MB
n Lowest power, under 5 W per 100 GbE port
n Enhanced scalability
n 1+1 hot-swappable power supplies
n 4 N+1 hot-swap fans
n Color coded PSUs and fans

Introduction
Speed and Throughput

The table below lists maximum throughput and interface speed for each Quantum Maestro Orchestrator
model:
Orchestrator 10 GbE 40 / 100 GbE Maximal

Model SFP28 Interfaces QSFP28 Interfaces Throughput
MHO-175 128 32 3.2 Tbit/sec

(use QSFP to SFP
breakout cables)
MHO-170 64 32 3.2 Tbit/sec

(use QSFP to SFP
breakout cables)
MHO-140 Total 64 8 1.28 Tbit/sec

48 SFP+ 8 QSFP28
(use QSFP to SFP
breakout cables)
Quantum Maestro Orchestrator supports different interfaces and speed rates when you use QSFP to SFP
adapters, or hybrid cables. For more information, see "Splitting the Ports with Breakout Cables" on page 41.
Ports, Power Supply Units, and Fan Units

Orchestrator
MGMT Ports USB Ports Console Ports PSUs Fans
Model
MHO-175 1 on the front 1 on the front 1 on the front 2 units 4 units

panel panel panel
MHO-170 1 on the front 1 on the front 1 on the front 2 units 4 units

panel panel panel
MHO-140 2 on the rear 1 on the rear 1 on the rear 2 units 4 units

panel panel panel

Getting Started with MHO-140 - Single Site with Two Orchestrators
Getting Started with MHO-140 -

Single Site with Two Orchestrators
Part 1 - Installing the Hardware and Connecting
Cables
1. Mount the two Quantum Maestro Orchestrators MHO-140 in the racks on the site.
See "Mounting the Quantum Maestro Orchestrator MHO-140 and MHO-170 in a Rack" on page 29.
2. Install the Security Appliances for your Security Groups.
Procedure
a. Install the applicable Expansion Line Cards (if required) in the appliances.
See Installing and Removing Line Cards.
Maestro configuration supports only ports 10 Gbps or faster.
b. Mount appliances in their racks.
See the Getting Started Guide for your appliances in sk96246.
c. Power on the Security Appliances.
3. Connect a DAC cable between the dedicated Synchronization ports 48 on the two Orchestrators.
For more information, see "Port Mapping for the Quantum Maestro Orchestrator MHO-140" on
page 20.

4. Connect the required cables between the Security Appliances and the applicable 10 Gbps Downlink
ports 27 - 47 on each Orchestrator.
More information
Important:
n Maestro configuration supports only ports 10 Gbps or faster on Security
Appliances.
n To connect Security Appliances to these 10 Gbps Downlink ports, use a
Fiber cable or a DAC cable.
n To connect Fiber cables, you must use only the supported transceivers.
See sk92755 - Compatibility of transceivers for Check Point appliances.
See:
n "Port Mapping for the Quantum Maestro Orchestrator MHO-140" on page 20.
n "Connecting Two Quantum Maestro Orchestrators for Redundancy" on page 48.
Diagrams:
Connecting cables between Downlink ports on each Orchestrator and 2 ports on the
Dual Port Card on each Security Appliance
Illustration Instructions
On each Security Appliance (C) in

the Security Group:
a. Connect a cable from Port 1
on the Dual Port Card to a
Downlink port on the first
Orchestrator (A).
b. Connect a cable from Port 2
on the Dual Port Card to a
Downlink port on the second
Orchestrator (B).

Connecting cables between Downlink ports on each Orchestrator and 1 out of 4 ports on
the Quad Port Card on each Security Appliance

the Security Group:
on the Quad Port Card to a
Orchestrator (A).
Orchestrator (B).

Connecting cables between Downlink ports on each Orchestrator and 2 out of 4 ports on
the Quad Port Card on each Security Appliance
Important - In
R80.20SP, this
connection method is
supported only with the
R80.20SP Jumbo Hotfix
Accumulator (Take 105
and above) installed on
Orchestrators and
Security Groups.
the Security Group:
Orchestrator (A).
Orchestrator (A).
c. Connect a cable from Port 2
Orchestrator (B).
d. Connect a cable from Port 4
Orchestrator (B).
Legend
Item Description
A First Orchestrator.
B Second Orchestrator.
C Security Appliances in Security Groups.
A DAC cable connected to the dedicated Synchronization ports on the

Orchestrators.
Cables that connect odd ports on the Quad Port Card to the first Orchestrator.
Cables that connect even ports on the Quad Port Card to the second
Orchestrator.

5. Connect the required cables between the applicable Uplink ports 5 - 26, 49 - 55 on each Orchestrator
and your switches.
More information
Important - To connect Fiber cables, you must use only the supported
transceivers. See sk92755 - Compatibility of transceivers for Check Point
appliances.
See:
n "Port Mapping for the Quantum Maestro Orchestrator MHO-140" on page 20
n "Connecting to the Uplink Ports with DAC or Fiber Cables" on page 61
n "Connecting to the Uplink Ports with Breakout Cables" on page 63
Port Speed Port Type on the

Cable to Use
on a Switch Orchestrator
10 Gbps SFP+ / SFP28 Fiber or DAC

Ports 5 - 26
40 Gbps QSFP / QSFP28 Fiber, DAC, or Breakout

Ports 49 - 55
100 Gbps QSFP / QSFP28 Fiber, DAC, or Breakout

Ports 49 - 55
6. Power on each Orchestrator.

See "Step 7: Initial Power On" on page 40.
Part 2 - Initial Configuration on each

Orchestrator
Note - It is important in which order you configure the Orchestrators.
The first Orchestrator you configure becomes the "first" Orchestrator on this Site.
It synchronizes the configuration to the "second" Orchestrator on this Site.
Procedure
1. Connect the included Ethernet cable from your computer to the MGMT port labeled 0 on the rear
panel of the Orchestrator #1.
See "MHO-140 Rear Panel" on page 24.
You use this MGMT port only to manage the Orchestrator.

2. On your computer, configure a static IP address (see the documentation for your operating
system):
a. IP address - between 192.168.1.2 and 192.168.1.254
b. Subnet mask - 255.255.255.0
c. Default Gateway - empty
d. DNS Servers - empty
3. Open an SSH client and connect to this IP address - 192.168.1.1
4. Log in to Gaia Clish on the Orchestrator #1 with these default credentials:
n Username - admin
n Password - admin
Best Practice - Change the default password.
If the SSH connection is interrupted after the password change, log in again
with the new password.
More information
See the Gaia Administration Guide for your Orchestrator version:
n R81.20 Gaia Administration Guide
n R80.20SP Quantum Maestro Gaia Administration Guide
5. Activate the Orchestrator #1 - enter "y" when it asks you.

More information
This Orchestrator activation enables the Downlink ports and the Uplink ports.
For more information, see sk171784 - Activation of a Quantum Maestro Orchestrator.

6. Configure the IPv4 settings on the MGMT port on the Orchestrator #1 as required in your network.
Procedure
a. Configure the required IPv4 address and Mask Length:
set interface Mgmt1 ipv4-address <IPv4 Address> mask-length

<Length>
Example:
set interface Mgmt1 ipv4-address 192.168.10.22 mask-length 24
b. Change the state of the MGMT port to "on":
set interface Mgmt1 state on
c. Configure the required Default Gateway:
set static-route default nexthop gateway address <IPv4

Address> on
Example:
set static-route default nexthop gateway address 192.168.10.1

on
d. Save the configuration:
save config
7. Connect the MGMT port of the Orchestrator #1 to your network.

8. Make sure the connection from a computer on your network to Orchestrator #1 works.
More information
With a web browser, connect to this URL:
https://<IPv4 Address you configured on the MGMT port>
Example:
https://192.168.10.22
Notes:
n There is no Gaia First Time Configuration Wizard on
Orchestrators.
n You do not need to install a license on Orchestrators.
9. Repeat Steps 1 - 8 for the Orchestrator #2.

You must configure a different IPv4 address than that of the Orchestrator #1.

Part 3 - Configuration of Security Groups

Follow the Getting Started Guide section in the Maestro Administration Guide for your version:
n R81.20 Quantum Maestro Administration Guide
n R81.10 Quantum Maestro Administration Guide
n R81 Quantum Maestro Administration Guide
n R80.30SP Quantum Maestro Administration Guide
n R80.20SP Quantum Maestro Administration Guide
THIS INFORMATION WILL BE ADDED TO THE MAESTRO ADMIN GUIDE FOR EACH VERSION
Part 1 - Creating a New Security Group

1. Connect with a web browser to Gaia Portal on the "first" Orchestrator.
https://<IPv4 Address you configured on the Orchestrator MGMT port>
Example:
https://192.168.10.22
2. Log in.
3. From the left navigation panel, click Orchestrator.
More information
The Topology section contains the table that shows these sections (from left to right):
Pane Description
Unassigned All detected Security Appliances that are not part of configured Security
Gateways Groups.
Topology Configured Security Groups with their assigned Security Appliances

and ports.
Unassigned All interfaces on Orchestrators that are not part of configured Security
Interfaces Groups.
4. In the middle pane Topology, at the top, right-click Security Groups and click New Security Group.
5. In the Security Group <X> configuration window, enter the required information, including the First
Time Wizard, and click OK.
6. From the left pane Unassigned Gateways, drag and drop at least one Security Appliance to the
Security Group’s Gateways section.
7. From the right pane Unassigned Interfaces, drag and drop at least one Management port (eth<X>-
Mgmt<Y>) to the Security Group’s Interfaces section.

More information
See:
n "MHO-140 ports on the front panel and their default names in Gaia" on page 76
8. From the right pane Unassigned Interfaces, drag and drop the required Uplink ports to the Security
Group’s Interfaces section.
9. At the bottom of this page, click Apply.
10. Wait for the Orchestrator to create the new Security Group.
This process takes approximately 10 minutes, and it automatically reboots the assigned Security
Appliances.
11. Connect a cable between the assigned Management port (eth<X>-Mgmt<Y>) on the Orchestrator
front panel and your switch.
More information
See:
n "Connecting to the Management Ports with DAC or Fiber Cables" on page 59
Part 2 - Configuring Gaia Settings on the New Security Group

1. Connect with a web browser to Gaia Portal on the Security Group (through the assigned Management
port eth<X>-Mgmt<Y>).
https://<IPv4 Address of Security Group>
Example:
https://192.168.10.66
2. Log in.
3. Configure the applicable interfaces and other settings.
More information
See the Gaia Administration Guide for your version:

n R81 Gaia Administration Guide

Part 3 - Configuring a Security Gateway Object in SmartConsole

1. Connect with SmartConsole to the applicable Security Management Server / Domain Management
Server that must manage this Security Group.
2. Create a new Security Gateway and configure the required settings.
3. Configure the applicable rules in the Access Control Policy.
4. Configure the applicable rules in the Threat Prevention Policy.
5. Install the Access Control Policy on this Security Gateway object.
6. Install the Threat Prevention Policy on this Security Gateway object.
Part 4 - Monitoring the Security Group Members

1. Connect to the command line on the Security Group with an SSH client to:
<IPv4 Address of Security Group>
2. Run this command:
asg monitor
3. Wait for each Security Group Members to show its state as "ACTIVE".
This can take 6-7 minutes.

Hardware Components
Hardware Components
This section provides a description of hardware components of Quantum Maestro Orchestrators.
Port Mapping for the Quantum Maestro Orchestrator MHO-175
Legend
Item Description Item Description
1 Port 1 is the Management port for 7 Management port (Mgmt1) for the
Security Groups Gaia OS on the Orchestrator
(leads to the Check Point
Management Server)
2 Ports 2 – 16 are the Uplink ports 40 8 RJ45 port for Console connection
Gbps / 100 Gbps
(lead to external and internal
networks)
3 Ports 17 – 30 are the Downlink ports 9 Port 32 is the Synchronization

(lead to Security Appliances) port on the same Site
(leads to the peer Orchestrator on
the same Site
4 Port 31 is the Synchronization port in 10 Button to select indication states

Dual Site for the splitting control LEDs
another Site)
In the Split mode, the 4th split is Sync
and other splits are Downlinks
5 Micro USB 2.0 port 11 Splitting control LEDs that show

the indication state for Port LEDs:
n State of which port to show
(without a split cable).
n State of which split port to
show (in 1-to-2 split, or 1-
to-4 split).

Hardware Components
Legend (continued)
6 System Health LEDs 12 Port LEDs that show the status of

all ports (including the split ports)
Legend
1 Ports 1 - 2 are the Management port for 6 System Health LEDs

Security Groups
(lead to the Check Point Management
Server)
2 Ports 3 – 16 are the Uplink ports 40 7 Port 30 is the Synchronization

Gbps / 100 Gbps port in Dual Site
(lead to external and internal networks) (leads to the peer Orchestrator
on another Site)
3 Ports 17 – 29, and 31 are the Downlink 8 Port 32 is the Synchronization

ports port on the same Site
(lead to Security Appliances) (leads to the peer Orchestrator
on the same Site)
4 Management port (Mgmt1) for the Gaia 9 RJ45 port for Console
OS on the Orchestrator connection
5 USB 2.0 port

Hardware Components
Legend
1 Ports 1 - 4 are the Management 7 Port 48 is the Synchronization port

port for Security Groups on the same Site
(lead to the Check Point (leads to the peer Orchestrator on
Management Server) the same Site)
2 System Health LEDs 8 Port 56 is the Synchronization port in

Dual Site
another Site)
3 Ports 5 – 26 are the Uplink ports 1 9 Management port (Mgmt1) for the
Gbps / 10 Gbps Gaia OS on the Orchestrator
networks)
4 Ports 27 – 47 are the Downlink 10 Management port (Mgmt2) for the

ports Gaia OS on the Orchestrator
(lead to Security Appliances)
5 Ports 49 – 55 are the Uplink ports 11 USB 2.0 port

40 Gbps / 100 Gbps
networks)
6 LEDs that show the state of the 12 RJ45 port for Console connection
split ports
when connecting Breakout cables

Hardware Components
Changing the default type of an Orchestrator port
1. Connect to the command line on the first Orchestrator in your environment.

2. Log in to Gaia Clish.
3. If you connected a breakout cable to a port, then configure the applicable QSFP mode:
set maestro port <Port ID> qsfp-mode {1G | 10G | 4x10G | 40G | 100G}
Important:
n "<Port ID>" specifies the port to configure.
The format is three numbers separated with a slash:

<Orchestrator ID>/<Port Label on Front Panel>/<Port
Split ID>
n On MHO-175 ports, you can configure only these modes:
l 4x10G, 40G, or 100G
n On MHO-170 ports, you can configure only these modes:

l Ports with odd <Port Label> numbers (1, 3, 5, and so on) - 4x10G,
40G, or 100G
l Ports with even <Port Label> numbers (2, 4, 6, and so on) - 40G or
100G
n On MHO-140 ports, you can configure only these port modes:
l Ports with the <Port Label> from 1 to 48 - 1G or 10G
l Ports with the <Port Label> from 49, 51, 53, and 55 - 4x10G, 40G, or
100G
l Ports with the <Port Label> from 50, 52, 54, and 56 - 40G or 100G
4. Configure the port type:
set maestro port <Port ID> type {downlink | uplink | management |

site_sync}
Important:
n On MHO-175, you can configure only these port types:
l Port 1 only as management or as downlink
l Ports 2 and higher only as uplink, downlink, site_sync, or
ssm_sync (for intra-site sync redundancy)

l Port 1 and Port 2 only as management or as downlink

l Ports 1 - 4 only as management or as downlink

n You cannot change the type of the dedicated Internal Synchronization
port:
l MHO-175 - Port 32
l MHO-170 - Port 32
l MHO-140 - Port 48
5. Save the configuration:
save config

Hardware Components
6. Examine the port configuration:
show maestro port <Port ID> qsfp-mode
show maestro port <Port ID> type

MHO-140 Front Panel
MHO-140 Front Panel
Important - This section describes the default configuration. It is possible to change the
port type (Management, Uplink, and Downlink) in the Gaia Operating System on the
Quantum Maestro Orchestrator. See the Maestro Administration Guide for your
version > Chapter Configuring Security Groups > Section Configuration Procedure >
Section Configuring Security Groups in Gaia Clish > Section Configuring the Port
Settings.
Item Description
1 LEDs. See LEDs.
2 Ports from 1 to 4 (colored green), through which you manage the Security Groups.
To these ports you connect:
n Check Point Management Servers.
n Clients, from which you connect to the Gaia Operating System (Gaia Portal and Gaia
Clish) on the Security Appliances connected to the Downlink ports (4).
3 1 Gbps / 10 Gbps Uplink ports 5 to 26 (colored blue).

To these ports you connect your external traffic and internal traffic networks.
You use DAC or Fiber cables (with transceivers).
4 Downlink ports 27 to 47 (colored orange).

To these ports you connect your Check Point Security Appliances.
5 40 Gbps / 100 Gbps Uplink ports 49 to 56 (colored yellow).

To these ports you connect your external traffic and internal traffic networks.
6 LEDs that show the state of the split interfaces when you connect with Breakout cables to the
40 / 100 GbE Uplink ports (5).
7 Synchronization port 48 (colored purple).

You connect a DAC cable between ports 48 on two Quantum Maestro Orchestrators MHO-140
for redundancy on the same site.
Notes:
n It is possible to connect DAC or Fiber cable (with transceivers) to each port (from 1
to 56).
n It is possible to connect Breakout cables only to the top ports 49, 51, 53, and 55.
In this case, the bottom ports 50, 52, 54, and 56 are disabled.
See "MHO-140 Splitting Options" on page 47.

MHO-140 Rear Panel
MHO-140 Rear Panel
Item Description
1 First Power Supply Unit. See Replacing Power Supply Units.
2 Fan Units 1, 2, 3 and 4 (from left to right). See Replacing Fan Units.
3 Second Power Supply Unit. See Replacing Power Supply Units.
4 RJ45 port labeled 0, through which you configure the Gaia Operating System on the Quantum
Maestro Orchestrator (Gaia Portal and Gaia Clish).
5 RJ45 port labeled 1, through which it is also possible to configure the Gaia Operating System
on the Quantum Maestro Orchestrator (Gaia Portal and Gaia Clish).
6 Reset button labeled R. See Reset Button.
7 RJ45 port with the label CONSOLE. See "Console Port" on page 28.
To this port you connect a client, from which you connect to the Gaia Operating System on the
Quantum Maestro Orchestrator (in Gaia Clish).
8 System Status LED.
9 Fan Status LED.
10 USB 2.0 port. See "USB Port" on page 27.
For more information about the RJ45 ports labeled 0 and 1, see "MGMT Ports" on page 25.

Ports
Ports
This section described different hardware ports.
MGMT Ports
The RJ45 Ethernet ports with the label MGMT or provide access to the Gaia OS on the Quantum
Maestro Orchestrator.
By default, this port is configured with these settings:
n IP address 192.168.1.1 and Net Mask 255.255.255.0
n Auto-negotiation capabilities (100 MbE to 1 GbE)
Notes:
n For more information, see the:
l Quantum Maestro Quick Start Guide for MHO-175 and MHO-140.
l Quantum Maestro Quick Start Guide for MHO-170 and MHO-140.
n In MHO-140, the second MGMT port is not configured with an IP address.
n To change the default IP address:
1. Connect to the Quantum Maestro Orchestrator over the RJ45 console port.
2. Log in to Gaia Clish.
3. Configure the applicable IPv4 settings on the interface Mgmt1.
In MHO-140, the interface Mgmt2 is optional.
n Make sure to use only FCC-compliant Ethernet cables.

Ports
Location of the MGMT Port

Orchestrator
Model
On the front panel On the rear panel
MHO-175 N/A
MHO-170 N/A
MHO-140 N/A

Ports
USB Port
The USB interface is USB 2.0 compliant (USB 1.0 is not supported).
It is possible to connect to this interface an external USB storage device for software upgrade or file
management.
Do not use excessive force, when inserting or removing the USB storage device to and from the
connector.
Location of the USB Port

Orchestrator
Model
MHO-175 N/A
MHO-170 N/A
MHO-140 N/A

Ports
Console Port
The port with the label or CONSOLE is an RJ45 console port that provides access to the Gaia
OS on the Quantum Maestro Orchestrator.
Location of the RS232 (Console) Port

Orchestrator
Model
MHO-175 N/A
MHO-170 N/A
MHO-140 N/A
You use this port for initial configuration and debugging.

Use a Terminal application, such as PuTTY, SecureCRT, MobaXterm, and so on.
Use these settings to connect a PC to the RJ45 console port:
Parameter Setting
Baud Rate 9600
Data bits 8
Stop bits 1
Parity None
Flow Control None

Mounting the Quantum Maestro Orchestrator MHO-140 and MHO-170 in a Rack
Mounting the Quantum Maestro

Orchestrator MHO-140 and MHO-
170 in a Rack
This section provides the information necessary to mount the Quantum Maestro Orchestrator MHO-140 or
MHO-170 in a rack.
Installation and Initialization
Installation and initialization of the Quantum Maestro Orchestrator requires attention to the normal
mechanical, power, and thermal precautions for rack-mounted equipment.
Important:
n The rack mounting holes conform to the EIA-310 standard for racks with
length 50-60 cm (19.7-23.6 inches).
Take precautions to guarantee proper ventilation to maintain good airflow at
ambient temperature.
n Unless otherwise specified, Check Point products are designed to work in an
environmentally controlled data center with low levels of gaseous and dust
(particulate) contamination.
The installation procedure for the Quantum Maestro Orchestrator involves these phases:
Phase Instructions
1 Make sure that none of the shipping carton contents is missing or damaged.
See "Shipping Carton Contents" on page 5.
2 Follow the Safety Warnings.
3 Pay attention to the airflow consideration within the Quantum Maestro Orchestrator and
rack.
See "Airflow in MHO-170 and MHO-140" on the next page.
4 Mount the Quantum Maestro Orchestrator into a rack enclosure.

See "Static Rail Kit for MHO-170 and MHO-140" on the next page.
5 Power on the Quantum Maestro Orchestrator.

See "Step 7: Initial Power On" on page 40.

Airflow in MHO-170 and MHO-140
The fan units in the Quantum Maestro Orchestrator generate the airflow from the front panel (intake) to
the rear panel:
Important:
n All systems in the same rack should be planned with the same airflow
direction.
n All fan units in the same rack need to have the same air flow direction.
A mismatch in the air flow affects the heat dissipation in the rack.
Static Rail Kit for MHO-170 and MHO-140
The Quantum Maestro Orchestrators are sold with the static rail kit.
Important - At least two people are required to mount the Quantum Maestro
Orchestrator safely in the rack.
Installation Rail Kit:
Rack Size and Rack Depth Range Comments
60 to 80 cm (23.6 - 31.5 inches) When installed in the rack before shipping
61 to 86.3 cm (24 - 34 inches) When installed in the rack at the customer site

Parts in the static rail kit:
Legend
Item Description
A 2 x Rack mount rails
B 2 x Rack mount blades that slide into the rack mount rails (A)
C 8 x M6 standard cage nuts, and 8 x M6 standard Phillips pan-head screws
D 4 x Phillips flat-head screws with a round patch, Head 100 Degree, Type I, Size 6-32,
Length 1/4 inch
E Rack mount rail ears
F Rack mount blade ears

Notes:
n You use the Phillips flat head screws (D) to secure the rack mount rails (A) to the Quantum
You must use at least two of these screws on each side.
n You use the cage nuts and Phillips pan-head screws (C) to secure the rack mount rail ears (E) to
the rack.
n You use the cage nuts and Phillips pan-head screws (C) to secure the rack mount blade ears (F)
to the rack.

Before you mount the Quantum Maestro Orchestrator to the rack, plan the way you wish to place it:
Pay attention to the airflow within the rack cooling, connector, and cabling options.
While you plan how to place the Quantum Maestro Orchestrator, review these points:
n Make sure the Quantum Maestro Orchestrator air flow is compatible with your installation
selection.
It is important to keep the airflow within the rack in the same direction.
n Note that the part of the Quantum Maestro Orchestrator, to which you choose to attach the rails,
determines the Quantum Maestro Orchestrator's adjustable side.
The Quantum Maestro Orchestrator's part, to which the blades are attached, should be adjacent to
the cabinet.
Installation Option 1 - Attaching the mount rail ears (E) near the rear panel
Installation Option 2 - Attaching the mount rail ears (E) near the front panel
n In case there are cables that cannot bend within the rack, or in case more space is needed for
cable bending radius, it is possible to recess the connector side or the rear panel side by 8.9 cm
(3.5 inches), by optional placement of the Quantum Maestro Orchestrator's rails.
n If you mount the rack blades as depicted in Installation Option 2 above, it lets you slide the PSUs
and Fan Units in and out easier.

Step 1: Installing the Cage Nuts
Install eight cage nuts (C) in the desired 1U slots of the rack.
Notes:
n The red frame on the image denotes the Quantum Maestro Orchestrator inside the rack.
n Install four cage nuts on each side of the Quantum Maestro Orchestrator.
n Each rack 1U (unit) consists of three holes.
Install the cage nuts vertically, so that its ears engage the top and bottom holes only.
Example:

Step 2: Attaching the Rack Mount Rails
Step Instructions
1 Attach the left and right rack mount rails (A) to the left and right sides of the Quantum
2 Use the Phillips flat-head screws (D) to secure each rack mount rail (A) to each side of the
Quantum Maestro Orchestrator.
Important - You must use at least two of these screws on each side.
3 Tighten the screws with a torque of 1.5±0.2 Nm.
Example (the mount rail ears are near the front panel):

Step 3: Attaching the Rack Mount Rails to the Rack
While your installation partner is supporting the Quantum Maestro Orchestrator, perform these steps:
Step Instructions
1 Mount the Quantum Maestro Orchestrator into the rack enclosure.
2 Attach the mount rail ears (E) to the rack's posts at the level of the designated cage nuts.
3 Secure the mount rail ears (E) to the rack's posts with four Phillips pan-head screws (C) in
the designated cage nuts.
4 Do not tighten the screws yet.
Example:

Step 4: Sliding the Blades in the Rails
While your installation partner is supporting the Quantum Maestro Orchestrator, perform these steps:
Step Instructions
1 Slide each rack mount blade (B) into the corresponding rack mount rail (A).
Note - Make sure the mount blade ears (F) face the rack's posts correctly.
2 Slide the rack mount blades (B) inside the rack mount rails (A) to fit your rack's depth.
3 Attach the mount blade ears (F) to the rack's posts.
4 Use the four Phillips pan head screws (C) to secure each mount blade ear (F) to each side
of the rack.
5 Do not tighten the screws yet.
Example:
Step 5: Tightening the Screws
While your installation partner is supporting the Quantum Maestro Orchestrator, tighten the eight Phillips
pan-head screws (C) you inserted in the previous steps.
To tighten the screws, use a torque of 4.5±0.5 Nm.

Step 6: Cable Installation
It is possible to insert or remove all network cables while the Quantum Maestro Orchestrator is powered
on.
To insert a cable, press the connector into the port receptacle until the connector is firmly seated. The
LED indicator, corresponding to each data port, light up when the physical connection is established.
When a logical connection is made, the relevant port LED lights up.
To remove a cable, disengage the locks and slowly pull the connector away from the port receptacle. The
LED indicator for that port turns off, when the cable is unplugged.
Note - For more information about Port LEDs, see Port LEDs.
Do not force the cable into the cage with more than 40 Newtons (4 kilogram-force / 9.0 pound-force).
Greater insertion force may damage the cable, or the cage.
The MHO-170 and MHO-140 include ports of different types. The two images below for cable orientation
do not apply to the SFP28 ports.
MHO-170 Cable Orientation

MHO-140 Cable Orientation

Step 7: Initial Power On
The power cords should be standard 3-wire AC power cords including a safety ground and rated for 15A
or higher.
Check all boards, power supplies, and fan tray modules for proper insertion before plugging in a power
cable.
The Quantum Maestro Orchestrator powers on automatically, when an AC power is applied.
Step Instructions
1 Plug in the first power cable to the first PSU.
2 Plug in the second power cable to the second PSU.
3 Wait for the System Status LED to turn green (see System Status LED).
It can take up to five minutes to power on the Quantum Maestro Orchestrator.
If after five minutes the System Status LED is lit in red color, unplug the power cords and
contact Check Point Support.
4 Check the status of the Quantum Maestro Orchestrator LEDs (see LED Notifications).
All of the LEDs must show status lights that are consistent with normal operation (initially
flashes, and then lights in a steady color).
Orchestrator Expected State of System LEDs
Model Five Minutes After Power On
MHO-170
MHO-140
Important:
n After you insert a power cable and confirm the System Status LED is lit in
steady green color, make sure that the Fan Status LED is also lit in steady
green color.
n If the Fan Status LED is not green (see Fan Status LED):
1. Unplug the power cable.
2. Make sure that the mating connector of the fan unit is free of any dirt
and obstacles.
3. Make sure that the fan unit is inserted properly.
If no obstacles were found, and the problem persists, contact Check
Point Support.

Connecting Cables to Quantum Maestro Orchestrators
Connecting Cables to Quantum

Maestro Orchestrators
This section describes how to connect cables to Quantum Maestro Orchestrators.
It is possible to deploy Quantum Maestro Orchestrators in these ways:
n On a single site (see "Single Site" on page 48).
n On two different sites (see Dual Site).
It possible to use breakout cables to split the supported 100 / 40 GbE port into four 10 GbE ports (see
"Splitting the Ports with Breakout Cables" below).
Splitting the Ports with Breakout Cables

In This Section:
Breakout Cables 41
Breakout Cables
Quantum Maestro Orchestrators have 100 / 40 GbE ports.
With a breakout cable, it is possible to split the supported 100 / 40 GbE port into four 10 GbE ports.
Insert the splitter cables to convert each applicable QSFP28 100 GbE port into four SFP28 10 GbE ports.
Important - The breakout cable that splits 100 GbE port into four 25 GbE ports is not supported.
Example of a breakout cable:


MHO-175 Splitting Options

Explanations
It is possible to split each of the QSFP28 ports 1 to 32 (colored green) into four SFP28 ports.
In MHO-175, all port LEDs are located on the right side.

There are 32 LEDs that correspond to the 32 physical ports.
You can connect 1-to-4 breakout cables to physical ports and get a maximum of 128 logical ports.
Item Description
1 Button to
select the LED
indication
mode.
2 LEDs that
show the
selected LED
indication
mode.
3 LEDs that
show the port
states.

After you connect a breakout cable to a physical port, you get four additional interfaces starting from the
original interface name. You assign these interfaces to Security Groups.
Example - When you connect a breakout cable to the top port 8 (interface "eth1-29"), you get:
Port
Number Interface Port
on the Name Name
Front in Gaia OS in Gaia OS
Panel
8 eth1-29 Port 1/8/1
eth1-30 Port 1/8/2
eth1-31 Port 1/8/3
eth1-32 Port 1/8/4
Note - For more information about the ports and interface names in Gaia, see
"Quantum Maestro Orchestrator Ports and Gaia OS Interfaces" on page 69.

To see the state of split ports, it is necessary to use the control button to select the LED indication mode.
The control button (item 1) selects one of the five available LED indication modes in a cycle.
The four LEDs in the section SPLIT /1 /2 /3 /4 (item 2) show the current LED indication mode.
The port LEDs (item 3) show the port state - link (up or down) and traffic (flowing or not).
Indication LEDs in the section

Description
Mode "SPLIT"
0 All LEDs are off Port LEDs show the state of physical ports.
Use this indication mode when no breakout cables are
connected.
/1 Only the first LED from Port LEDs show the state of the first split port of the
the left is lit (/1) physical port.
Example:
If you connect a breakout cable to port 8 (interface eth1-
29), then in this LED indication mode /1,
the port LED 8 shows the state of the interface eth1-29
(Port 1/8/1).
/2 Only the second LED Port LEDs show the state of the second split port of the
from the left is lit (/2) physical port.
Example:
(Port 1/8/2).
/3 Only the third LED from Port LEDs show the state of the third split port of the
the left is lit (/3) physical port.
Example:
(Port 1/8/3).
/4 Only the fourth LED Port LEDs show the state of the fourth split port of the
from the left is lit (/4) physical port.
Example:
(Port 1/8/4).

Important:
n After you connect a breakout cable to port 31, the Dual Site External
Synchronization works on the 4th split of this port:
l On the first Orchestrator - Port 1/31/4
l On the second Orchestrator - Port 2/31/4
n After you connect a breakout cable to port 32, the Single Site Internal
Synchronization works on the 4th split of this port:
l On the first Orchestrator - Port 1/32/4
l On the second Orchestrator - Port 2/32/4

Explanations
It is possible to split only the top QSFP28 odd ports 1 to 29 (colored green) into four SFP28 ports, each.
When the top odd ports 1 to 29 (colored green) are in split mode, the corresponding bottom QSFP28
even ports 2 to 30 are disabled (colored red).
Important - It is not supported to connect a breakout cable to Port 31 because it

disables the dedicated synchronization Port 32.
After you connect breakout cables to the top ports, you get four additional interfaces starting from the
original interface name. You assign these interfaces to Security Groups.
Example - When you connect a breakout cable to the top port 15 (interface "eth1-29"), you get:
Port
on the Name Name
Panel
15 eth1-29 Port 1/15/1
eth1-30 Port 1/15/2
eth1-31 Port 1/15/3
eth1-32 Port 1/15/4


Explanations
It is possible to split only the top QSFP28 ports 49, 51, 53, and 55 (colored green) into four SFP28 ports,
each.
When the top ports (colored green) are in a split mode, the corresponding bottom QSFP28 ports 50, 52,
54, and 56 are disabled (colored red).
After you connect breakout cables to the supported top ports, you get four additional interfaces starting
from the original interface name. You assign these interfaces to Security Groups.
Example - When you connect a breakout cable to the top port 49 (eth1-49), you get:
Port
on the Name Name
Panel
49 eth1-49 Port 1/49/1
eth1-50 Port 1/49/2
eth1-51 Port 1/49/3
eth1-52 Port 1/49/4

Single Site
Single Site
This section describes how to connect cables to Quantum Maestro Orchestrators on the same site.
Connecting Two Quantum Maestro Orchestrators for

Redundancy
In This Section:
This section describes the connection of two Quantum Maestro Orchestrators for Redundancy on the same
site.
Best Practice - For redundancy, install and connect two Quantum Maestro
Orchestrators on the same site.
Diagram
Important - It is possible to connect only two Quantum Maestro Orchestrators of the

same model (see MBS-5038).
Best Practice - Connect cables to the same Uplink and Downlink ports on the two
Quantum Maestro Orchestrators (for example, if you connected to an Uplink port 4 on
one Quantum Maestro Orchestrator, then you must connect to an Uplink port 4 on the
other Quantum Maestro Orchestrator).
Notes:
n This logical diagram is based on MHO-170, but applies equally to all Quantum Maestro Orchestrator
models.
n This logical diagram shows two example Security Groups that contain two Security Appliances and
two Uplink ports each.

Single Site
Example for MHO-170:
Explanations
Table: Explanations
Item Description
1 Network 1 connected to ports on the Networking Device (3).
3 Networking Device (router or switch) that connects your Network 1 and Network 2 to the
Quantum Maestro Orchestrators (15 and 16) with Bond interfaces (Link Aggregation).

Single Site
Table: Explanations (continued)

Item Description
4 Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (15 and
16).
This Bond interface provides a redundant Uplink connection for the traffic inspected by the
Security Appliances (29 and 30) in the applicable Security Group (31).
5 Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (15 and
16).
Security Appliances (26 and 27) in the applicable Security Group (28).
6 SmartConsole Client that connects to the Management Server (7).
7 Management Server that manages Security Groups configured on the Quantum Maestro
Orchestrators (15 and 16).
8 Layer 2 switch.
9 A Breakout cable connected to the Management port 1. See "Splitting the Ports with
Breakout Cables" on page 41.
Note - You assign this Management port (or these split interfaces) to the
applicable Security Groups. Shared Management feature allows to assign the
same Management port (interface ethX-MgmtY) on a Quantum Maestro
Orchestrator to different Security Groups. The assigned Management port has a
different IP address and a different MAC address in each Security Group, to
which this port is assigned.
10 A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a first slave
of the first Bond (4) on the Networking Device (3) to the first Quantum Maestro Orchestrator
(15).
11 A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second
slave of the first Bond (4) on the Networking Device (3) to the second Quantum Maestro
Orchestrator (16).
12 A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a first slave
of the second Bond (5) on the Networking Device (3) to the first Quantum Maestro
Orchestrator (15).
13 A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second
slave of the second Bond (5) on the Networking Device (3) to the second Quantum Maestro
Orchestrator (16).
14 Client you can use to configure the Gaia Operating System on the Security Appliances in
Security Groups.
You connect:
n Over SSH to the command line (Gaia Clish) of Security Groups.
n With a web browser to the Gaia Portal of Security Groups.

Single Site

Item Description
15 First Quantum Maestro Orchestrator:

n Connects Network 1 and Network 2 to the Security Appliances (26, 27, 29, and 30).
n Distributes the traffic between the Security Appliances in the Security Groups.
16 Second Quantum Maestro Orchestrator:

n Connects Network 1 and Network 2 to the Security Appliances (26, 27, 29, and 30).
n Distributes the traffic between the Security Appliances in the Security Groups.
17 A DAC that connects the dedicated Synchronization ports on the Quantum Maestro
Orchestrators (15 and 16).
Important:
n This connection is only used to synchronize the configuration of Security
Groups between the Quantum Maestro Orchestrators.
n MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
n MHO-140 requires a 10 GbE DAC cable.
18 A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink
port on the first Quantum Maestro Orchestrator (15) to the Security Appliance (30).
port on the second Quantum Maestro Orchestrator (16) to the Security Appliance (30).
26 Security Appliance 2 in the Security Group 2 (28).
28 All Security Appliances assigned to the Security Group 2.

Single Site

Item Description
Notes:
n Both Quantum Maestro Orchestrators work together (Active / Active).
n Cables colored red show management traffic flow.
n Cables colored green (solid lines) show connections to the first Quantum
Maestro Orchestrator (15).
n Cables colored blue (dash lines) show connections to the second Quantum
n When you assign a Security Appliance to a Security Group, the Quantum
Maestro Orchestrators determine the applicable Downlink ports automatically.
n The Quantum Maestro Orchestrators create Link Aggregation for the
applicable Downlink ports automatically.
n Security Group 1 contains:
l Applicable Uplink ports, to which the cables 10 and 11 are connected.
l Security Appliances 30 and 29.
l Applicable management port (or split interface), to which the
Management Server 7 is connected.

n Security Group 2 contains:
l Applicable Uplink ports, to which the cables 12 and 13 are connected.
l Security Appliances 27 and 26.
l Applicable management port (or split interface), to which the
Management Server 7 is connected.
Important:
n See the Release Notes for your version for the list of the required Check
Point cards on the Security Appliances.
n You must connect the same number of cables from each Quantum Maestro
Orchestrator to all Security Appliances in the same Security Group.
Otherwise, the Quantum Maestro Orchestrators are not able to distribute the
traffic equally between the Security Appliances in the same Security Group.
n It is possible to connect a maximum of two Downlink ports from each Quantum
Maestro Orchestrator to each Security Appliance.

Single Site
Connecting cables between the Quantum Maestro Orchestrators and Security Appliances
Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 2 ports on
the Dual Port Card on each Security Appliance
On each Security Appliance (C) in the

Security Group:
1. Connect a cable from Port 1 on the
Dual Port Card to a Downlink port on
the first Orchestrator (A).
Dual Port Card to a Downlink port on
the second Orchestrator (B).
Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 1 out of 4
ports on the Quad Port Card on each Security Appliance

Security Group:
Quad Port Card to a Downlink port on

Single Site
Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 2 out of 4
ports on the Quad Port Card on each Security Appliance
Important - In R80.20SP, this

connection method is supported
only with the R80.20SP Jumbo
Hotfix Accumulator (Take 105 and
above) installed on Orchestrators
and Security Groups.
Security Group:
Legend
Item Description
A First Orchestrator.
B Second Orchestrator.
C Security Appliances in Security Groups.
A DAC cable connected to the dedicated Synchronization ports on the Orchestrators.
Cables that connect odd ports on the Quad Port Card to the first Orchestrator.
Cables that connect even ports on the Quad Port Card to the second Orchestrator.

Single Site
Best Practice for Security Appliances 23000 series:

Install the expansion cards in this order:
1. Expansion Slot 3
2. Expansion Slot 4
3. Expansion Slot 5
4. Expansion Slot 1
5. Expansion Slot 2
Use Slots 1 and 2 only after all other slots are populated.
Overview of the expansion slots on the front panel:
LCD Slot 4 Slot 5 Storage
Devices
Slot 1 Slot 2 Slot 3 Appliance

Ports
Workflow
Table: Workflow
Step Device Instructions
1 On the Perform these steps (refer to the device vendor documentation):

Networking
Device (3) 1. Configure a first Bond interface (4) on two slave ports.
This Bond interface connects Network 1 to the Quantum Maestro
Orchestrators.
Configure the applicable settings, so that the traffic from and to
Network 1 passes only on this Bond interface.
2. Configure a second Bond interface (5) on two slave ports.
This Bond interface connects Network 2 to the Quantum Maestro
Orchestrators.
Configure the applicable settings, so that the traffic from and to
Network 2 passes only on this Bond interface.
3. With a cable (10), connect the first slave interface of the first Bond
(4) interface to an Uplink port (in our example, Port 3) on the first
Quantum Maestro Orchestrator (15).
4. With a cable (11), connect the second slave interface of the first
Bond (4) interface to an Uplink port (in our example, Port 3) on the
second Quantum Maestro Orchestrator (16).
5. With cable (12), connect the first slave interface of the second Bond
interface (5) to an Uplink port (in our example, Port 9) on the first
6. With cable (13), connect the second slave interface of the second
Bond interface (5) to an Uplink port (in our example, Port 9) on the
second Quantum Maestro Orchestrator (16).

Single Site
Table: Workflow (continued)

2 On the first Perform these steps:

Quantum
Maestro 1. With cable (18), connect a Downlink port (in our example, Port 18)
Orchestrator to the applicable port on the first Security Appliance (30) in the
(15) Security Group 1 (31).
2. With cable (20), connect a Downlink port (in our example, Port 22)
to the applicable port on the second Security Appliance (29) in the
Security Group 1 (31).
to the applicable port on the first Security Appliance (27) in the
See these sections:
n "Connecting cables between Downlink ports on each Quantum
Maestro Orchestrator and 2 ports on the Dual Port Card on each
Security Appliance" on page 53
Maestro Orchestrator and 1 out of 4 ports on the Quad Port Card on
each Security Appliance" on page 53
3 On the second Perform these steps:

Quantum
Maestro 1. With cable (19), connect a Downlink port (in our example, Port 18)
Orchestrator to the applicable port on the first Security Appliance (30) in the
(16) Security Group 1 (31).
to the applicable port on the first Security Appliance (27) in the
See these sections:
Maestro Orchestrator and 2 ports on the Dual Port Card on each
Maestro Orchestrator and 1 out of 4 ports on the Quad Port Card on
each Security Appliance" on page 53
4 On both Connect a DAC cable (17) between the dedicated synchronization port (in
Quantum our example, Port 32) on the first Quantum Maestro Orchestrator (15) and
Maestro the dedicated synchronization port (in our example, Port 32) on the
Orchestrators second Quantum Maestro Orchestrator (16).
(15 and 16)

Single Site

5 On the first With cable (9), connect the Management Server to the Management port
Quantum (in our example, Port 1).
Maestro In our example, we used a Breakout cable because we have two Security
Orchestrator Groups.
(15) For more information that applies to MHO-175, see:
n Connecting to the Management Port with DAC or Fiber Cables
n Connecting to the Management Port with Breakout Cables
For more information that applies to MHO-170, see:
n Connecting to the Management Ports with DAC or Fiber Cables
n Connecting to the Management Ports with Breakout Cables
For more information that applies to MHO-140, see:
n "Connecting to the Management Ports with DAC or Fiber Cables"
on page 59

Single Site

6 One of the two Perform these steps:

Quantum
Maestro 1. Connect to the Gaia Operating System on the Quantum Maestro
Orchestrators Orchestrator.
(15 or 16) You connect through a dedicated port:
n In MHO-175 and MHO-170 - the MGMT port on the front
panel (top right corner).
n
In MHO-140 - one of the ports on the rear panel.
2. Create the Security Group 1.
Assign these:
n The two Security Appliances 30 and 29
n The two applicable Uplink ports (in our example, Port 1/3/1
and Port 2/3/1)
n The applicable management port (or split interface) on the
Quantum Maestro Orchestrator (in our example, the split
Port 1/1/1)
See the Maestro Administration Guide for your version > Chapter
Configuring Security Groups.
3. Configure the Bond interfaces in the Security Group 1:
a. Connect to the Gaia Operating System on the Security
Group 1.
b. Configure a Bond interface on the applicable two slave
Uplink ports (in our example, Port 1/3/1 and Port 2/3/1).
This Bond interface provides a redundant Uplink connection
for the traffic inspected by the Security Appliances (30 and
29).
Configuring Security Groups > Chapter Configuring Security
Groups > Section Configuring Gaia Settings of a Security Group.
For information about the configuration of Bond interfaces, see the
Gaia Administration Guide for your version.
4. Repeat Steps 2 and 3 to create and configure the Security Group 2:
Assign these:
n The two Security Appliances 27 and 26
n The two applicable Uplink ports (in our example, Port 1/9/1
and Port 2/9/1)
n The applicable management port (or split interface) on the
Quantum Maestro Orchestrator (in our example, the split
Port 1/1/2)

Connecting Cables to MHO-140

In This Section:
Notes:
n The different diagrams below show connections to different ports on the Quantum
Maestro Orchestrators.
n It is possible to connect to the Quantum Maestro Orchestrator ports with a DAC
cable, Fiber cable (with transceivers), or Breakout cable.
n The sections below provide a high-level description.
Connecting to the Management Ports with DAC or Fiber Cables
Important - When you connect two Quantum Maestro Orchestrators for redundancy, the
Check Point Management Server connects only to one of the Quantum Maestro
Orchestrators.
Example:
Note - The default Management ports are Ports 1-4. This diagram shows the connection to the Management
port 1. The same applies to the Management ports 2, 3 and 4.

Explanations
Item Description
1 SmartConsole Client for the Check PointManagement Server (2).
2 Check Point Management Server.
3 Layer 2 switch.
4 A DAC cable or Fiber cable (with transceivers) connected to the Management port 1.
Note - You assign this Management port to the applicable Security Groups.
Shared Management feature allows to assign the same Management port
(interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different
Security Groups. The assigned Management port has a different IP address and
a different MAC address in each Security Group, to which this port is assigned.
5 Client you can use to configure the Gaia Operating System on the Security Appliances in
Security Groups, which you manage through Port 1 with the Management Server (2).
You connect:
n Over SSH to the command line (Gaia Clish) of a Security Group.
n With a web browser to the Gaia Portal of a Security Group.
6 The first Quantum Maestro Orchestrator.

Connecting to the Uplink Ports with DAC or Fiber Cables

Example of a connection to default Uplink ports 5 to 26:
Example of a connection to default Uplink ports 49 to 56:

Explanations
Item Description
1 Production network 1 that communicates with production network 2 (5) through a Security
Group configured on the Quantum Maestro Orchestrator.
2 Layer 2 switch.
3 A DAC or Fiber cable (with transceivers) connected to an Uplink port (in our example, Ports
7 and 49).
4 One of Quantum Maestro Orchestrators.
5 Production network 2 that communicates with production network 1 (1) through a Security
Group configured on the Quantum Maestro Orchestrator.
6 A DAC or Fiber cable (with transceivers) connected to an Uplink port (in our example, Ports
16 and 56).
7 Layer 2 switch.
Notes:
n You assign the Uplink ports to the applicable Security Group.
n It is possible to configure some of the Downlink ports as additional Uplink
ports.
Configuring Security Groups > Section Configuration Procedure > Section
Configuring Security Groups in Gaia Clish > Section Configuring the Port
Settings.

Connecting to the Uplink Ports with Breakout Cables
Important - It is possible to connect breakout cables only to the top ports 49, 51, 53, and
55. When the specific top ports are in a split mode, the corresponding bottom ports are
disabled.
Example:

Explanations
Item Description
3 Networking Device (router or switch) that connects your Network 1 and Network 2 to the
Quantum Maestro Orchestrators (6 and 8) with Bond interfaces (Link Aggregation).
4 Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (8 and 10).
Security Appliances in the applicable Security Group (31).
5 Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (8 and 10).
Security Appliances in the applicable Security Group (30).
6 A Breakout cable connected to an Uplink port (in our example, Port 49) on the first
See "Breakout Cables" on page 41.
Notes:
n This cable splits the Uplink port into four interfaces.
You assign the new interfaces to the applicable Security Groups.
n This connection disables the bottom Uplink port (in our example, Port 50).
7 A Breakout cable connected to an Uplink port (in our example, Port 55) on the second
See "Breakout Cables" on page 41.
Notes:
n This cable splits the Uplink port into four interfaces.
You assign the new interfaces to the applicable Security Groups.
n This connection disables the bottom Uplink port (in our example, Port 56).
8 First Quantum Maestro Orchestrator.
9 A 10 GbE DAC cable connected to the dedicated Synchronization ports 48 on the Quantum
Important - This connection is only used to synchronize the configuration of

Security Groups between the Quantum Maestro Orchestrators.
10 Second Quantum Maestro Orchestrator.

Notes:
n Cables colored green (solid lines) show connections to the first Quantum
n Cables colored blue (dash lines) show connections to the second Quantum
n It is possible to configure some of the Downlink ports as additional Uplink
ports.
Settings.

Connecting to the Downlink Ports with DAC or Fiber Cables

Example of a connection to default Downlink ports 27 to 47:

Explanations
Table: Explanations
Item Description
1 The first Quantum Maestro Orchestrator.
2 The second Quantum Maestro Orchestrator.
3 A 10 GbE DAC cable connected to the dedicated Synchronization ports on the Quantum
Important - This connection is only used to synchronize the configuration of

Security Groups between the Quantum Maestro Orchestrators.
4 A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our
example, Port 30) on the first Quantum Maestro Orchestrator (1) and to the applicable port
on the Expansion Line Card on the Security Appliance 16.
example, Port 30) on the second Quantum Maestro Orchestrator (2) and to the applicable
port on the Expansion Line Card on the Security Appliance 16.
12 A Security Appliance that is assigned to the Security Group 2 (14).


Item Description
Notes:
n Port 48 (colored purple) is the dedicated synchronization port to connect two
MHO-140 for redundancy on the same site.
n It is possible to configure some of the Uplink ports as additional Downlink
ports.
Settings.
n The Quantum Maestro Orchestrators create Link Aggregation for the
applicable Downlink ports automatically.
n See these sections:
l "Connecting cables between Downlink ports on each Quantum Maestro
Orchestrator and 2 ports on the Dual Port Card on each Security

Appliance" on page 53
l "Connecting cables between Downlink ports on each Quantum Maestro
Orchestrator and 1 out of 4 ports on the Quad Port Card on each


Quantum Maestro Orchestrator Ports and Gaia OS Interfaces
Quantum Maestro Orchestrator

Ports and Gaia OS Interfaces
The tables below show how the Gaia Operating System on the Quantum Maestro Orchestrator assigns the
interface names to the ports on the Quantum Maestro Orchestrator's front panel (the default configuration).
Important - The Gaia Operating System on the Quantum Maestro Orchestrator does not
let you configure the network settings for the Uplink or Downlink ports. You configure all
the applicable network settings for the Uplink ports in the Gaia Operating System of the
applicable Security Group (for example, IP addresses, Bond interfaces). There are no
network settings for the Downlink ports.

MHO-175 ports on the front panel and their default names in Gaia
First MHO-175 Quantum Maestro Orchestrator

Table: First MHO-175 ports and interfaces
Port Port
Number Interface Port Number Interface Port
on the Name Name on the Name Name
Front in Gaia OS in Gaia OS Front in Gaia OS in Gaia OS
Panel Panel
1 eth1-Mgmt1 Port 1/1/1 17 dl65 Port 1/17/1
2 eth1-05 Port 1/2/1 18 dl69 Port 1/18/1
3 eth1-09 Port 1/3/1 19 dl73 Port 1/19/1
4 eth1-13 Port 1/4/1 20 dl77 Port 1/20/1
5 eth1-17 Port 1/5/1 21 dl81 Port 1/21/1
6 eth1-21 Port 1/6/1 22 dl85 Port 1/22/1
7 eth1-25 Port 1/7/1 23 dl89 Port 1/23/1
8 eth1-29 Port 1/8/1 24 dl93 Port 1/24/1
9 eth1-33 Port 1/9/1 25 dl97 Port 1/25/1
10 eth1-37 Port 1/10/1 26 dl101 Port 1/26/1
11 eth1-41 Port 1/11/1 27 dl105 Port 1/27/1
12 eth1-45 Port 1/12/1 28 dl109 Port 1/28/1
13 eth1-49 Port 1/13/1 29 dl113 Port 1/29/1
14 eth1-53 Port 1/14/1 30 dl117 Port 1/30/1
15 eth1-57 Port 1/15/1 31 dl121 Port 1/31/1
16 eth1-61 Port 1/16/1 32 eth1-Sync Port 1/32/1

Second MHO-175 Quantum Maestro Orchestrator

Table: Second MHO-175 ports and interfaces
Port Port
Panel Panel
2 eth2-05 Port 2/2/1 18 dl69 Port 2/18/1
3 eth2-09 Port 2/3/1 19 dl73 Port 2/19/1
4 eth2-13 Port 2/4/1 20 dl77 Port 2/20/1
5 eth2-17 Port 2/5/1 21 dl81 Port 2/21/1
6 eth2-21 Port 2/6/1 22 dl85 Port 2/22/1
7 eth2-25 Port 2/7/1 23 dl89 Port 2/23/1
8 eth2-29 Port 2/8/1 24 dl93 Port 2/24/1
9 eth2-33 Port 2/9/1 25 dl97 Port 2/25/1
10 eth2-37 Port 2/10/1 26 dl101 Port 2/26/1
11 eth2-41 Port 2/11/1 27 dl105 Port 2/27/1
12 eth2-45 Port 2/12/1 28 dl109 Port 2/28/1
13 eth2-49 Port 2/13/1 29 dl113 Port 2/29/1
14 eth2-53 Port 2/14/1 30 dl117 Port 2/30/1
15 eth2-57 Port 2/15/1 31 dl121 Port 2/31/1

Notes
n When you connect two Quantum Maestro Orchestrators MHO-175 for redundancy, Gaia OS
shows:
l eth1-XX and Port 1/X/X for the first Quantum Maestro Orchestrator.
l eth2-XX and Port 2/X/X for the second Quantum Maestro Orchestrator.
n The tables above show the default configuration before you connect breakout cables.
After you connect breakout cables to the upper ports, you get four additional interfaces starting
from the original interface name.
n It is possible to configure Port 1 only as management or as downlink.


Port Port
Panel Panel
3 eth1-05 Port 1/3/1 19 dl37 Port 1/19/1
4 eth1-07 Port 1/4/1 20 dl39 Port 1/20/1
5 eth1-09 Port 1/5/1 21 dl41 Port 1/21/1
6 eth1-11 Port 1/6/1 22 dl43 Port 1/22/1
7 eth1-13 Port 1/7/1 23 dl45 Port 1/23/1
8 eth1-15 Port 1/8/1 24 dl47 Port 1/24/1
9 eth1-17 Port 1/9/1 25 dl49 Port 1/25/1
10 eth1-19 Port 1/10/1 26 dl51 Port 1/26/1
11 eth1-21 Port 1/11/1 27 dl53 Port 1/27/1
12 eth1-23 Port 1/12/1 28 dl55 Port 1/28/1
13 eth1-25 Port 1/13/1 29 dl57 Port 1/29/1
14 eth1-27 Port 1/14/1 30 dl59 Port 1/30/1
15 eth1-29 Port 1/15/1 31 dl61 Port 1/31/1


Port Port
Panel Panel
3 eth2-05 Port 2/3/1 19 dl37 Port 2/19/1
4 eth2-07 Port 2/4/1 20 dl39 Port 2/20/1
5 eth2-09 Port 2/5/1 21 dl41 Port 2/21/1
6 eth2-11 Port 2/6/1 22 dl43 Port 2/22/1
7 eth2-13 Port 2/7/1 23 dl45 Port 2/23/1
8 eth2-15 Port 2/8/1 24 dl47 Port 2/24/1
9 eth2-17 Port 2/9/1 25 dl49 Port 2/25/1
10 eth2-19 Port 2/10/1 26 dl51 Port 2/26/1
11 eth2-21 Port 2/11/1 27 dl53 Port 2/27/1
12 eth2-23 Port 2/12/1 28 dl55 Port 2/28/1
13 eth2-25 Port 2/13/1 29 dl57 Port 2/29/1
14 eth2-27 Port 2/14/1 30 dl59 Port 2/30/1
15 eth2-29 Port 2/15/1 31 dl61 Port 2/31/1

Notes
shows:
n It is possible to configure Port 1 and Port 2 only as management or as downlink.


Port Port
Panel Panel
5 eth1-05 Port 1/5/1 33 dl33 Port 1/33/1
6 eth1-06 Port 1/6/1 34 dl34 Port 1/34/1
7 eth1-07 Port 1/7/1 35 dl35 Port 1/35/1
8 eth1-08 Port 1/8/1 36 dl36 Port 1/36/1
9 eth1-09 Port 1/9/1 37 dl37 Port 1/37/1
10 eth1-10 Port 1/10/1 38 dl38 Port 1/38/1
11 eth1-11 Port 1/11/1 39 dl39 Port 1/39/1
12 eth1-12 Port 1/12/1 40 dl40 Port 1/40/1
13 eth1-13 Port 1/13/1 41 dl41 Port 1/41/1
14 eth1-14 Port 1/14/1 42 dl42 Port 1/42/1
15 eth1-15 Port 1/15/1 43 dl43 Port 1/43/1
16 eth1-16 Port 1/16/1 44 dl44 Port 1/44/1
17 eth1-17 Port 1/17/1 45 dl45 Port 1/45/1
18 eth1-18 Port 1/18/1 46 dl46 Port 1/46/1
19 eth1-19 Port 1/19/1 47 dl47 Port 1/47/1
21 eth1-21 Port 1/21/1 49 eth1-49 Port 1/49/1
22 eth1-22 Port 1/22/1 50 eth1-51 Port 1/50/1

Table: First MHO-140 ports and interfaces (continued)

Port Port
Panel Panel
23 eth1-23 Port 1/23/1 51 eth1-53 Port 1/53/1
24 eth1-24 Port 1/24/1 52 eth1-55 Port 1/52/1
25 eth1-25 Port 1/25/1 53 eth1-57 Port 1/57/1
26 eth1-26 Port 1/26/1 54 eth1-59 Port 1/54/1
27 dl27 Port 1/27/1 55 eth1-61 Port 1/61/1
28 dl28 Port 1/28/1 56 eth1-63 Port 1/63/1


Port Port
Panel Panel
5 eth2-05 Port 2/5/1 33 dl33 Port 2/33/1
6 eth2-06 Port 2/6/1 34 dl34 Port 2/34/1
7 eth2-07 Port 2/7/1 35 dl35 Port 2/35/1
8 eth2-08 Port 2/8/1 36 dl36 Port 2/36/1
9 eth2-09 Port 2/9/1 37 dl37 Port 2/37/1
10 eth2-10 Port 2/10/1 38 dl38 Port 2/38/1
11 eth2-11 Port 2/11/1 39 dl39 Port 2/39/1
12 eth2-12 Port 2/12/1 40 dl40 Port 2/40/1
13 eth2-13 Port 2/13/1 41 dl41 Port 2/41/1
14 eth2-14 Port 2/14/1 42 dl42 Port 2/42/1
15 eth2-15 Port 2/15/1 43 dl43 Port 2/43/1
16 eth2-16 Port 2/16/1 44 dl44 Port 2/44/1
17 eth2-17 Port 2/17/1 45 dl45 Port 2/45/1
18 eth2-18 Port 2/18/1 46 dl46 Port 2/46/1
19 eth2-19 Port 2/19/1 47 dl47 Port 2/47/1
21 eth2-21 Port 2/21/1 49 eth2-49 Port 2/49/1
22 eth2-22 Port 2/22/1 50 eth2-51 Port 2/50/1

Table: Second MHO-140 ports and interfaces (continued)

Port Port
Panel Panel
23 eth2-23 Port 2/23/1 51 eth2-53 Port 2/53/1
24 eth2-24 Port 2/24/1 52 eth2-55 Port 2/52/1
25 eth2-25 Port 2/25/1 53 eth2-57 Port 2/57/1
26 eth2-26 Port 2/26/1 54 eth2-59 Port 2/54/1
27 dl27 Port 2/27/1 55 eth2-61 Port 2/61/1
28 dl28 Port 2/28/1 56 eth2-63 Port 2/63/1
Notes
shows:
n It is possible to configure Ports 1 - 4 only as management or as downlink.

MHO140 Quick Start

Uploaded by

Copyright:

Available Formats

MHO140 Quick Start

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MHO140 Quick Start

Uploaded by

Copyright:

Available Formats

24 April 2023

Getting Started Guide

Quantum Maestro Getting Started Guide | 2

Connecting to the Downlink Ports with DAC or Fiber Cables 66

Quantum Maestro Getting Started Guide | 3

Quantum Maestro Getting Started Guide | 4

Shipping Carton Contents

Appliance Quantum Maestro Orchestrator

Rack Mounting Accessories n 2 static (fixed) rack mount rails

Cables and Adapters n 2 power cables (Type C13-C14)

Documentation n Quick Start Guide

Quantum Maestro Getting Started Guide | 5

Quantum Maestro Getting Started Guide | 6

Speed and Throughput

Orchestrator 10 GbE 40 / 100 GbE Maximal

MHO-175 128 32 3.2 Tbit/sec

MHO-170 64 32 3.2 Tbit/sec

MHO-140 Total 64 8 1.28 Tbit/sec

Ports, Power Supply Units, and Fan Units

MHO-175 1 on the front 1 on the front 1 on the front 2 units 4 units

MHO-170 1 on the front 1 on the front 1 on the front 2 units 4 units

MHO-140 2 on the rear 1 on the rear 1 on the rear 2 units 4 units

Quantum Maestro Getting Started Guide | 7

Getting Started with MHO-140 -

Quantum Maestro Getting Started Guide | 8

On each Security Appliance (C) in

Quantum Maestro Getting Started Guide | 9

On each Security Appliance (C) in

Quantum Maestro Getting Started Guide | 10

C Security Appliances in Security Groups.

A DAC cable connected to the dedicated Synchronization ports on the

Quantum Maestro Getting Started Guide | 11

Port Speed Port Type on the

10 Gbps SFP+ / SFP28 Fiber or DAC

40 Gbps QSFP / QSFP28 Fiber, DAC, or Breakout

100 Gbps QSFP / QSFP28 Fiber, DAC, or Breakout

6. Power on each Orchestrator.

Part 2 - Initial Configuration on each

Quantum Maestro Getting Started Guide | 12

5. Activate the Orchestrator #1 - enter "y" when it asks you.

Quantum Maestro Getting Started Guide | 13

a. Configure the required IPv4 address and Mask Length:

set interface Mgmt1 ipv4-address <IPv4 Address> mask-length

set interface Mgmt1 ipv4-address 192.168.10.22 mask-length 24

b. Change the state of the MGMT port to "on":

set interface Mgmt1 state on

c. Configure the required Default Gateway:

set static-route default nexthop gateway address <IPv4

set static-route default nexthop gateway address 192.168.10.1

d. Save the configuration:

7. Connect the MGMT port of the Orchestrator #1 to your network.

With a web browser, connect to this URL:

https://<IPv4 Address you configured on the MGMT port>

9. Repeat Steps 1 - 8 for the Orchestrator #2.

Quantum Maestro Getting Started Guide | 14

Part 3 - Configuration of Security Groups

Part 1 - Creating a New Security Group

https://<IPv4 Address you configured on the Orchestrator MGMT port>