topic Re: Maestro Best Practices in Hyperscale Firewall (Maestro)

Maestro Best Practices

Lari_Luoma — Wed, 03 Sep 2025 18:03:07 GMT

Hi Everyone!

I’m excited to share that my colleague John White and I have co-authored a new Maestro Best Practices Guide. This document brings together lessons learnt from real-world projects and field experience, and we hope it will serve as a practical resource for anyone working with Maestro.

Please feel free to save it for your own use — and more importantly, let us know your feedback. If you have additional best practices or tips from the field, share them here. I’ll be happy to incorporate them into future updates so this guide continues to grow with community input.

Looking forward to your thoughts and contributions!

Re: Maestro Best Practices

Danny — Wed, 03 Sep 2025 19:05:41 GMT

Thanks for putting this together!

I recommend running the document through a grammar checker like LanguageTool to improve clarity and correctness.

Re: Maestro Best Practices

Dario_Perez — Wed, 03 Sep 2025 16:06:06 GMT

Great work!

Re: Maestro Best Practices

Lari_Luoma — Wed, 03 Sep 2025 18:04:57 GMT

Thanks for the feedback Danny. I replaced the file in my original post with a fixed version now. Some of them I already had fixed in the Word-version, but for some reason the version I posted had still those errors.

Re: Maestro Best Practices

the_rock — Wed, 03 Sep 2025 18:36:10 GMT

Amazing job...super helpful!

Re: Maestro Best Practices

John_White — Thu, 04 Sep 2025 01:23:23 GMT

Looks good Lari, thanks again for your support on this.

Re: Maestro Best Practices

PhoneBoy — Fri, 05 Sep 2025 20:42:25 GMT

Great stuff, I'll make sure to call it out in the next CheckMates Go episode 🙂

Re: Maestro Best Practices

the_rock — Fri, 05 Sep 2025 21:13:14 GMT

Jonny White...man, cant believe I see you on here...its been FOREVER lol

Hows life? : - )

Andy

Re: Maestro Best Practices

Timothy_Hall — Fri, 05 Sep 2025 23:06:58 GMT

Incredible, thanks @Lari_Luoma! I always appreciate seeing battle-hardened best practice recommendations like this, formed by dozens (if not hundreds) of complex Maestro deployments in the real world.

Re: Maestro Best Practices

the_rock — Sat, 06 Sep 2025 02:09:30 GMT

I saw all @Lari_Luoma did for one of our clients for maestro deployment and they were so impressed, to say the least. Personally, I had never seen that level of knowledge and expertise from someone, its hard to even describe with right words.

Andy

Re: Maestro Best Practices

_Val_ — Mon, 08 Sep 2025 06:31:13 GMT

Thanks, @Lari_Luoma , great work!

Re: Maestro Best Practices

Lari_Luoma — Mon, 08 Sep 2025 18:03:16 GMT

Thank you so much, Andy — I’m truly humbled by your kind words.

It’s always a privilege to support our customers, wherever they are, and I’m glad I could contribute to a successful Maestro deployment. Seeing the impact of our work firsthand and knowing it made a difference for the client is incredibly rewarding.

I’m grateful to be part of a team that values excellence and collaboration. Always happy to help!

Re: Maestro Best Practices

the_rock — Mon, 08 Sep 2025 18:07:00 GMT

100%...maybe if I say RC in Ottawa, you may remember who it was : - )

Andy

Re: Maestro Best Practices

adelguia — Mon, 08 Sep 2025 19:03:07 GMT

I would add this Key reason in point 6:

If shared uplink is used then each SG should have unique VLAN IDs. It's no posible to have the same VLAN ID in multiple SGs with shared UPLINKs.

That's an important point that everyone should have in mind while designing. We are in the middle of a migration and had to change the design from 2 SG to 1 SG because of this.

Re: Maestro Best Practices

Lari_Luoma — Mon, 08 Sep 2025 22:07:10 GMT

Good point, and thanks for bringing it up.

Just to highlight: different VLAN IDs between Security Groups on shared uplinks are not only best practice, but a mandatory requirement. The system won’t allow the same VLAN ID across multiple SGs on a shared uplink, so this needs to be accounted for during design.

That said, the stronger recommendation is to use dedicated interfaces per Security Group whenever possible. Shared uplinks can create dependencies where external issues affect every SG tied to that interface, reducing isolation and resiliency.

Your example is a good reminder that planning these details upfront helps avoid costly redesigns mid-migration.

Re: Maestro Best Practices

Daniel_Kuhl1 — Fri, 12 Sep 2025 07:24:50 GMT

Great work @Lari_Luoma and all contributors! 👍 Thank you for putting the things together and describing the key reasons behind each topic which is even more important. The key reasons behind a specific design or configuration are not obvious for everyone in first place and sometimes not part of Admin Guides.

Re: Maestro Best Practices

Alex- — Thu, 25 Sep 2025 11:48:17 GMT

In Maestro deployment for DC traffic without any NAT, I remember from other webinars that it is recommended to use general mode.

In the relevant guide, it is mentioned not to change the distribution mode of a VS for performance reasons, without further explanations.

What does this mean?

- Should we change the distribution mode to general on VS0 only?

- Not change it at all if we use VSX?

Re: Maestro Best Practices

Dario_Perez — Thu, 25 Sep 2025 13:47:35 GMT

for VSX you can work on different scenarios and by default is auto-topology per-port

read https://support.checkpoint.com/results/sk/sk108842 for further information