Northy
Contributor

Maestro SG inter-communications and management interfaces

Hi all, 

 

I have a couple of questions about Maestro that I'm curious about; I feel like I know the answers, I just can't find confirmation.

 

Q1 - Currently we have a traffic flow as described below:

 

Inside --> Firewall1 --> switch1 --> inline transparent IPS --> switch1 --> Firewall2 

 

From the above flow, traffic passes through our first Check Point firewall (Firewall1) and is then routed to our second Check Point firewall (Firewall2). Between these two firewalls is a transparent IPS sensor that inspects traffic.

When we move Firewall1 and Firewall2 into a Maestro context, will traffic for these firewalls still route out of the MHO to the local switch network through the IPS sensor as it does now? Or does the MHO switch these internally, as it knows they are in the same VLAN?

I feel like they wouldn't be switched in the MHO, as the way I imagine it the interfaces are containerised and so have no way to route between each other without first going down to the switch and back up to the MHO.

Please do not hesitate to correct any misunderstandings I have.

 

Q2 - Management interfaces for MHO

We are going to be running a dual MHO, dual site configuration with this. Will each MHO have its own management address, or will they logically be one? So should I connect all 4 MGMT interfaces (the ones on the back of the MHO), and if I lose one appliance will I still be able to reach the MHO "cluster"?

 

 

Q3 - Management interfaces (ports 1 - 4)

My understanding is that these ports are used to connect the security groups to allow them to be managed by the management server. If I use a single interface, how can I make it so that all security groups can use this same interface? Is it just the case that I select the interface and assign it to each security group?

 

 

I'm aware that some of these questions might be relatively basic; I must admit the documentation tends to leave me asking more questions than it answers.

I'm happy to be directed to concise answers and read up myself if people have references/links.

Accepted Solution
Anatoly
Employee

Hi,

 

Q1 - As security groups are segregated clusters, traffic will go out to the external switch. If you don't want to use an external switch, you can implement VSX with a virtual switch. In any case, the MHO doesn't pass traffic between security groups, even on the same VLAN.

Q2 - In dual site, each MHO has its own management IP. However, if you lose one of the MHOs, you should be able to access any appliance via the other MHO that is still alive.

Q3 - We do support managing multiple security groups using the same management interface, as long as they are in the same broadcast domain.

Thank you,

 

Anatoly
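Anatoly's Q2 and Q3 answers translate into two checks worth running on a management addressing plan before a Maestro deployment: every MHO gets its own management IP (so the two site MHOs must not share one), and any security groups that are to share a single management interface must sit in the same broadcast domain. The script below is an added example, not code from this thread or from Check Point; the management subnet, the MHO addresses and the security-group addresses are constructed values, and the function name `check_management_plan` is my own.

```python
from ipaddress import ip_interface, ip_network

# Constructed planning data (not from the thread). One management network is
# carried on the shared MHO management interface; each security group and each
# site MHO gets an address that should live in that network.
MGMT_DOMAIN = "10.20.30.0/24"

MHO_MGMT = {
    "MHO-SiteA": "10.20.30.2/24",
    "MHO-SiteB": "10.20.30.3/24",   # dual site: each MHO has its own management IP
}

SG_MGMT = {
    "SG1-Firewall1": "10.20.30.11/24",
    "SG2-Firewall2": "10.20.30.12/24",
    "SG3-DMZ":       "10.20.40.13/24",   # different subnet: cannot share the interface
    "SG4-Lab":       "10.20.30.12/24",   # clashes with SG2
}


def check_management_plan(mgmt_net, mho_addrs, sg_addrs):
    """Return {name: [problem, ...]} for every MHO and security group.

    An empty list means the entry can use the shared management interface:
    it is inside the management broadcast domain (same IP subnet) and its
    address is not already claimed by another MHO or security group.
    """
    net = ip_network(mgmt_net)
    owner = {}      # address -> first entry that claimed it
    problems = {}
    for name, cidr in list(mho_addrs.items()) + list(sg_addrs.items()):
        iface = ip_interface(cidr)
        issues = []
        if iface.network != net:
            issues.append(
                f"{iface.with_prefixlen} is outside the shared management domain {net}"
            )
        if iface.ip in owner:
            issues.append(f"{iface.ip} is already assigned to {owner[iface.ip]}")
        else:
            owner[iface.ip] = name
        problems[name] = issues
    return problems


def shareable_groups(mgmt_net, mho_addrs, sg_addrs):
    """Names of the security groups that pass every check, in plan order."""
    report = check_management_plan(mgmt_net, mho_addrs, sg_addrs)
    return [name for name in sg_addrs if not report[name]]


if __name__ == "__main__":
    for name, issues in check_management_plan(MGMT_DOMAIN, MHO_MGMT, SG_MGMT).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{name:14s} {status}")
    print("can share the management interface:",
          shareable_groups(MGMT_DOMAIN, MHO_MGMT, SG_MGMT))
```

With the constructed data, SG1 and SG2 pass, SG3 is flagged as being in a different subnet (it would need its own management interface or a move into the shared subnet), and SG4 is flagged for reusing SG2's address. The check deliberately treats "same broadcast domain" as "same IP subnet", which is the usual case for a routed management VLAN; if the management network is bridged differently, adjust the `MGMT_DOMAIN` value accordingly.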

Northy
Contributor
Thanks Anatoly, much appreciated.