topic Backing up Maestro SMO/SGMs in Hyperscale Firewall (Maestro)

Backing up Maestro SMO/SGMs

danmn — Fri, 10 Feb 2023 11:56:39 GMT

I need some help with the backup procedure/what should be backed up on SGMs in a Maestro deployment. The documentation isn't particularly helpful when it comes to backing up SGMs and just links to the Gaia backup documentation. I understand the backup procedure for an Orchestrator, but;

Is switching to the SMO in each group, and then doing the 3 standard Gaia backups (OS, System, Snapshot) from clish (not gclish?) and then scping them up to the Orchestrator in Expert mode enough to consider that Security Group backed up? Or should the same 3 backups be captured from every gateway in the group?
Is it even possible to scp 'up'? using the account that was used to login to the Orchestrator to then copy off device? I found an sk that mentions creating an scpuser on the SMO/SGM and 'pulling' the file using the Orchestrator, but I've rather avoid having to create another account if I can.

Thanks.

Re: Backing up Maestro SMO/SGMs

Dario_Perez — Fri, 10 Feb 2023 13:03:19 GMT

since all SGM have the same config, is not necessary create a backup for each SGM. the best is snapshot from local clish from SMO

to export the snapshot you can use the webui for SMO to download it or use scp but that user needs expert user /bin/bash to be able to open with winscp or transfer to other device outside the SGM

Re: Backing up Maestro SMO/SGMs

Chris_Atkinson — Fri, 10 Feb 2023 13:33:08 GMT

Some SK referenced in the following thread might also be useful for you:

https://community.checkpoint.com/t5/Maestro/Maestro-Backup-Recommendations/td-p/154332

Re: Backing up Maestro SMO/SGMs

danmn — Fri, 10 Feb 2023 13:47:46 GMT

Thank you.

I'm working on automating the process of creating, pulling, and cleaning up the backups so I won't be able to use the Web UI unfortunately.

The documentation is lacking some of the command outputs and I don't actually have access to a Maestro deployment to test outputs, and I won't know how many Security Groups/SMOs there are ahead of time... is there a useful command that lists all the Security Groups, ideally with the internal management IPs, from the Orchestrator? the lldp command doesn't contain groups, but does contain IPs. I believe the 'show maestro security-group' command requires a group ID (which I won't know) so it can't list them all. The only way I've found so far is by pulling the info from the sgdb.json, but that doesn't have IP addresses unfortunately.

Also, is there any difference between members in the same group on different chassis? The sgdb.json file has members under a group like 1_1, 1_2, then, 2_1, 2_2.... do I need the backup from 1_1 and 2_1? or will 1_1 suffice?

Thanks for your help.

Re: Backing up Maestro SMO/SGMs

Catalin_Ciubot2 — Mon, 22 Sep 2025 18:58:19 GMT

Hello,

I'm wondering what you did because I have the same intention, automation.

Not only the doc is lacking but is contradictory. Some official sources states that the snapshot is recommended but the cli is giving the impression that is a restoring point.

I'm wondering if the old fashion way is still usable. Meaning if "add backup scp ip..." is solving a problem in case of a crash.

Thanks for the feedback.