This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
MVP Gold
MVP Gold
Tuesday

ElasticXL vs. Maestro

Over the past few months, I’ve received many questions about MaestroElasticXL and VSNext, so I’ve put together the following overview to briefly highlight the differences.

This should help you decide which of the two solutions best fits your needs.

The following table provides a few ideas on when each solution might be the better fit.


Criterion

 Maestro
Working with Quantum Maestro 
 ElasticXL
Working with ElasticXL Cluster 
Architecture / Purpose Hyperscale security orchestration using Security Groups managed by dedicated Maestro Orchestrators (MHO). Designed for large-scale horizontal scalability New clustering technology (introduced in R82) with a Single Management Object (SMO); simplified configuration, no orchestrator hardware required.
Maximum Gateways in one Security Group Single-Site: up to 14 appliances per Security Group.
Dual-Site: up to 28 (14 per site).		 Single-Site: up to 3 cluster members.
Dual-Site: up to (3 per site).
Management Model Security Group appears as one Security Gateway object (SMO) in SmartConsole. The entire ElasticXL cluster is represented as one Security Gateway object (SMO) in management.
Scalability / Expansion Scale-out by adding more Security Gateway Modules (SGMs) to the Security Group; requires the MHO fabric. Cluster members can be added or removed on the fly; configuration and software are automatically cloned.
Site Topologies Supports Single-Site and Dual-Site deployments. Supports Single-Site and Dual-Site deployments.
Operation / Administration Requires dedicated Maestro Orchestrator hardware; centralized management IP per Security Group (SMO). Managed directly through Gaia Portal/CLI as one unit; automatic synchronization and setup.
Typical Use Cases Large data centers, service providers, or hyperscale environments requiring high throughput and multi-gateway redundancy. Simplified clustering and load sharing for small to mid-sized environments.
MHO You need two MHOs (140 or 175, old 170) for a single-site deployment and four MHOs for a dual-site setup. No MHO required.
Security Groups Maestro supports more than one SG per site. Maestro can have up to 8 Security Groups off one set of MHOs. EXL doesn't yet
"will be added in JHF very soon"
Appliance mix and match mode Maestro supports mix and match
sk162373 - Maestro Mix and Match		 EXL doesn't yet
Virtual System

sk79700 - VSNext / VSX supported features		 Maestro supports legacy VSX and VSNext EXL only VSNext

 

Maybe you can also share your own experiences and insights here.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
8 Replies
PhoneBoy
Admin
Admin
Tuesday

Single site topologies are supported with ElasticXL as well.
Unless you create a second site, you're in Load Sharing by default. 🙂

0 Kudos
HeikoAnkenbrand
MVP Gold
MVP Gold
Wednesday
In response to PhoneBoy

Oh, I must have been daydreaming while writing.
Of course, EXL also allows single-site setups. I’ll update that in the article above.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Tuesday

The scalability statement for EXL applies to Maestro SGs as well. 

Worth stating under scalability for Maestro that we can have up to 8 security groups off one set of MHOs.

For MHO, you can have one MHO per site if you want to (but obviously dual MHO per site recommended for HA).

Maestro supports mix and match, EXL doesn't (yet).

Maestro supports more than one SGM per site for VSNext, EXL doesn't (yet, will be added in JHF very soon).

Maestro supports legacy VSX and VSNext, EXL only VSNext.

HeikoAnkenbrand
MVP Gold
MVP Gold
Wednesday
In response to emmap


@emmap I’ve added your information to the original article.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Wednesday
In response to HeikoAnkenbrand

EXL will never support multiple security groups. 

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Thursday
In response to emmap

To expand on this, when I said more than one SGM per site, I mean within the Security Group. At the moment there's a limitation with VSNext over EXL that means it's not supported to have it running on a cluster with more than one SGM defined per site. It will let you do it, but it's listed on the limitations pages as not supported. It'll be fixed soon. 

More than one security group is a concept that doesn't apply to EXL at all, as each EXL cluster is effectively the same as a security group as defined on a Maestro setup. As there are no MHOs involved, only the SGMs, the whole 'multiple security group' concept is irrelevant. 

0 Kudos
PhoneBoy
Admin
Admin
Thursday

Adding @ShaiF to review 

0 Kudos
HeikoAnkenbrand
MVP Gold
MVP Gold
Friday
In response to PhoneBoy

Hi @emmap@PhoneBoy,

Just like with Maestro R80.20 SP in the initial phase, there are now many small limitations in ElasticXL that aren’t immediately obvious in the readme or admin guide. My request would be to create an SK that provides a detailed comparison between Maestro and ElasticXL, covering all features and differences. This would help us as SEs to plan and advise customers more effectively.

So far, I’ve only seen the following documentation for ElasticXL:
sk173183 - Scalable Platforms (Maestro and Chassis) comparison between versions 
R82 Scalable Platforms Administration Guide- Working with ElasticXL Cluster
sk79700 - VSNext / VSX supported features
What's New in R82 - Quantum Maestro, Scalable Chassis, and ElasticXL 
R82 Release Notes - Quantum Maestro, Scalable Chassis, and ElasticXL 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events