topic Re: Migrate Maestro from dual site to single site in Hyperscale Firewall (Maestro)

Migrate Maestro from dual site to single site

RS_Daniel — Wed, 14 May 2025 15:45:05 GMT

Hello Community,

I am facing a customer requirement and wanted to ask for some help here.

We need to migrate a Maestro deploymento from Dual Site / Single Orchestrator, to two independent deployments configured as Single Site / Single Orchestrator. No change on cabling or appliances, only MHO configuration. We have 4 SG's, two are only on site 1, and two are only on site 2, so we are not using dual site at all. I clearly understand we should engage PS for this, but unfortunately this is not an option this time. I have been working on a MOP, i leave the steps below, in case someone could recommend changes to improve/correct the procedure would be great.

On site 2 (standby):

Take backups, snapshots, save configuration, and export these files from both MHOs: /etc/sgdb.json, /etc/rsrcdb.json, /etc/smodb.json, /etc/maestro.json, /etc/maestro_full.jso
Unplug inter-site interface cable.
Run these commands:
> set maestro configuration orchestrator-site-amount 1

> set maestro configuration orchestrator-site-id 1

> set maestro port 1/47/1 type downlink

> save config

> expert

# orchd restart
Go to webui, click Apply
Go to SGs Gclish and run these commands:
> set smo security-group site-amount 1

> asg_reboot –b all
Run all checks on MHO and SGs.

And repeat the same for site 1. I would like to know what happens after orchd restart, how the webui configuration should see, SGs from the other site should just dissapear or i should delete them manually? Also not sure if step 5 is mandatory. Any help is welcome.

Regards

Re: Migrate Maestro from dual site to single site

Lari_Luoma — Wed, 14 May 2025 23:20:02 GMT

Your plan looks pretty good to me. I don't think you'll have to do anything in the WebUI. As soon as you change the site amount to 1 and run orchd restart, the secondary site doesn't exist (hint: if you run "service orchd restart" it won't ask for a confirmation).

Value of security-group site amount in the SG is 2 by default (even in single site setup) and you don't necessarily have to change it. Considering that your setup isn't really a dual site right now, this value might already be 1. Check it out. You will have to reboot the gateways anyway I think.

I'm pasting here my notes about my lab (it has two MHOs) for you reference for dual site to single site change.

Change lab to single site

MHO-1

touch /etc/.asg_auto_confirm

clish

set maestro configuration orchestrator-site-amount 1

set maestro configuration orchestrator-site-id 1

set maestro configuration orchestrator-amount 2

set maestro port 1/47/1 type downlink

save config

service orchd restart

set maestro port 1/47/1 admin-state down

save config

MHO-2

touch /etc/.asg_auto_confirm

clish

set maestro configuration orchestrator-site-amount 1

set maestro configuration orchestrator-site-id 1

set maestro configuration orchestrator-amount 2

set maestro port 2/47/1 type downlink

save config

service orchd restart

set maestro port 2/47/1 admin-state down

save config

Re: Migrate Maestro from dual site to single site

RS_Daniel — Thu, 22 May 2025 13:11:14 GMT

Hello @Lari_Luoma,

Thanks for your update. I am still tunning the procedure and had one doubt maybe you can help me with.

Let me give you an example. I have 4 SG's.

SG-1 and SG-2 are present only on site 1.
SG-3 and SG-4 are present only on site 2.

I will start the changes on site 2 (standby). So, on site 2 i will configure site amount to 1 and set the site ID to 1. I imagine that after orchd restart, MHO should keep the configuration for SG's that were configured in site 1, in this case SG-1 and SG-2, and configuration for SG's in site 2 will be lost (SG-3 and SG-4)? Does it make sense? If this is true, do you know any way to recover configuration for SG-3 and SG-4, maybe editing the /etc/sgdb.json file? Thanks in advance.

Regards

Re: Migrate Maestro from dual site to single site

Lari_Luoma — Fri, 23 May 2025 02:54:14 GMT

Thanks for the detailed explanation.

You're on the right track with the overall approach. When transitioning from dual-site to single-site Maestro, the correct steps are:

Change the site amount to 1 and site ID to 1 on each MHO.
Disable the site sync interface (inter-site sync).
Be prepared for a brief service interruption due to service orchd restart.

Since your SGs are already site-local (SG-1 and SG-2 only on Site 1, SG-3 and SG-4 only on Site 2), you don’t need to make any changes to the SG definitions themselves. They will remain intact after the site configuration is adjusted—no need to recreate them.

Regarding your concern: SG-3 and SG-4 were created and are active on Site 2, which will now become an independent Maestro cluster. You will not lose them—their configuration is local to the MHOs at Site 2 and will remain after the change, as long as you're not wiping or rebuilding the setup.

That said, it’s always a good idea to:

Take a backup of /etc/sgdb.json before making changes.
Document current SG mappings in case any recovery is needed.

And if you want peace of mind that the transition goes smoothly—especially in a production environment—you might consider engaging Check Point Professional Services to assist with or validate the change plan.

Let me know how it goes or if you have any other questions.