Maestro for Beginners: Core Concepts Explained

Today, we will discuss Maestro for beginners, explaining in a clear and simple way the fundamental concepts of this advanced and complex Check Point firewall architecture.

What Is Maestro?

Maestro is an orchestration platform designed to deliver hyperscale network security. It is the device responsible for coordinating firewall, the MHO distributes and forwards traffic to the Security Gateway Modules, which perform inspection and enforcement.

Source: Quantum Maestro 2026 datasheet

Maestro is also known as MHO, which stands for:

Maestro Hyperscale Orchestrator

What Is Hyperscale?

Hyperscale is a technology that provides organizations with the ability to scale their network architecture dynamically as system demand increases.

In simple terms, hyperscale means achieving massive scalability, allowing infrastructure growth without architectural redesign.

What Is the Other Function of the Maestro (MHO)?

MHO logically groups multiple Security Gateway Modules into a single Security Group that operates as one unified firewall. It creates a logical firewall cluster called a Security Group (SG).

What Is a Security Group?

A Security Group (SG) in a Maestro environment is a logical group of security appliances that provides Active/Active cluster functionality.

Security Groups operate separately and independently from each other within the same Maestro environment

The Security Group is created within the Gaia operating system of the MHO.

How Many Security Groups Can Be Created?

A maximum of 8 Security Groups can be created in a Maestro deployment.

How Are Firewalls Identified in a Maestro Environment?

In a Maestro environment, the individual firewall appliances are called:

SGM – Security Gateway Module

How Many SGMs Can Be Added to a Security Group?

The number of SGMs depends on:

• The MHO model being used
• The number of ports allocated for downlink connectivity

This allocation is adjustable based on design requirements.

Single Site Deployment

• Maximum of 31 SGMs in one Security Group.

Dual Site Deployment

• Maximum of 14 SGMs per Security Group per site.

What Is a Site?

In a Maestro deployment, a Site represents a physical location containing a complete Maestro infrastructure, including its own Orchestrators (MHOs) and Security Gateway Modules (SGMs).

A Single Site deployment operates entirely within one physical location.

What Is a Dual Site?

A Dual Site deployment consists of two geographically separated Maestro Sites.

Each Site contains its own pair of Orchestrators and SGMs, operating together to form a distributed Security Group across locations.

This architecture provides geographic redundancy and enhanced high availability.

Source: Quantum Maestro 2026 datasheet

What MHO Models Are Currently in Production?

• MHO-140
• MHO-175

Note: The MHO-170 model was previously available but has been replaced by the MHO-175.

What Is the Difference Between the MHO-140 and MHO-175?

MHO-140

• 48 × 10/25GbE ports
• 8 × 40/100GbE ports

Source: Quantum Maestro 2026 datasheet

MHO-175

• 32 × 40/100GbE ports

Source: Quantum Maestro 2026 datasheet

Does the Maestro (MHO) Perform Routing?

No.

The Orchestrator primarily operates at Layer 2, forwarding traffic to the Security Gateway Modules (SGMs).

Does the Maestro (MHO) Perform Security Inspection?

No.

The SGMs are responsible for processing and inspecting traffic. All security inspection is handled by the Security Gateway Modules.

Understanding Maestro (MHO) Ports

Uplink Ports

• Connect the MHO to the customer’s switches.
• Provide connectivity to the customer network.
• Function as the external interfaces of the Maestro Security Gateway.

Downlink Ports

• Connect the MHO to the SGMs.

Used for internal communication between the orchestrator and the firewall modules.

The image below shows the downlink connection between the Maestro and the SGM and the sync port connection between the MHO-140 appliances

Management Ports

• Used for connectivity between the Security Group and the Security Management Server (SMS) or other management systems.
  
  
• This port inside the Gaia Orchestrator config shows as eth1-Mgmt1 ...
• Firewall management traffic
• SIC (Secure Internal Communication)
• Policy installation
• Logs
  
  

The image below shows Management SG port, located on the front Panel of the MHO-140

The image below shows Management SG port, located on the front Panel of the MHO-175

Orchestrator Sync Ports

• Used for synchronization between two MHOs in a cluster.
• Both MHOs must be the same model.

Site Sync Ports

• Used for synchronization between Maestro systems located in geographically separated sites (Dual Site).

Mgmt Orchestrator Port

• Used for managing the Gaia operating system of the Maestro (MHO).

The image below shows the management ports located on the rear panel of the MHO-140. 

• Used for managing the Gaia operating system of the Maestro (MHO).

  

  
  Port 0 (red): Mgmt1 – default management port for the Gaia operating system.

  Port 1 (green): Mgmt2 – secondary management port, optional.

   

  The image below shows the management ports located on the front panel of the MHO-175.

  • Used for managing the Gaia operating system of the Maestro (MHO).
• 

   

   

   

What Is the Operating Mode of the MHO and SGMs?

The Maestro architecture operates in Active/Active mode, enabling load distribution across all SGMs within a Security Group.

How Is Maestro Represented in SmartConsole?

Within Maestro, we create a Security Group (SG).

In SmartConsole, we create a Gateway object (Single Gateway) to represent the Maestro firewall.

This object is known in the Maestro environment as:

SMO – Single Management Object

The SMO allows administrators to manage the entire Active/Active Maestro cluster as if it were a single Security Gateway, even though it is composed of multiple SGMs operating together.