1. Do you have 2 maestros? maestro is solution with orchestrator and security gateways, maybe you have 2 orchestrators and 4 Security Gateways on site one (no other side)?  ==> We have 2 maestro and four security gateways. In one room one maestro and 2 security gateways from two different security groups and in the other which is far from room 1 one maestro and 2 security gateway.
2. Device uplink for other vendor it does mean the SFP is other than Check Point or you mean the SFP is Check Point and connects to switch (other vendor)?  ==> Other vendor side it's vendor SFP and in checkpoint it will be checkpoint SFP
3. When you say single site dual deployment you mean 2 MHO per site? Yes. 1 MHO in each room.
4. 2 Security Groups one uplink connected? are you sharing the same interface on both Security group or is one per SG? No sharing uplink. MGMT(SMS) will be same. Please refer the diagram I attached for other reply.
5. 2 SG connected to 3party device connected to L3 as VSX? this is other check point gateway with maestro VSX Dual Site?One security group will connect to 3rd part device connected as VSX. My understanding its work well. Problem with the other security group which is currently planning to connect on L3 device which not configured as VSX between two different room. Need to know best practice from 3rd party vendor side.

High level Uplink topology

Attached high level uplink design

Ok I think I understand now. 

So, you have single site, with dual orchestrator all 4 gateways on 2 Security Group 2km? do you have the lattency less than 100ms? else should change to Multi-room 

the VSX is I think Aruba technology to segregate VLANs. 

I see the topology for MHO but what about Security Group?

The HLD is for current or proposal? 

I'm looking for a document related to third-party L3 third-party device configuration best practices while connecting maestro uplink. That's the reason not to include downlink and related security groups. HLD is the proposed one. Would like to know what is the drawback if L3 third-party vendor is not configured as VSX/LAG. Why its recommending to configure L3 switches as one virtual switch (VSX/LAG) even its away for couple of kilometers.

On Maestro, the uplink bonds are configured and managed at the security group level, not the MHOs. This means that when you create a bond using interfaces over both MHOs (which is recommended so that you have high availability on this bond interface in the event of an MHO going down) it has to be configured as a single bond on the neighbouring devices.

If you create two separate bonds to your neighbour devices, they are just two separate interfaces onto the security group. They would need to be in separate IP address spaces and you'll need some sort of dynamic routing running to achieve proper HA. 

If your uplink neighbour devices cannot act as one virtual switch, you can use Active/Standby bonds at the security group. In that case you only need to have regular interfaces configured on the neighbour devices in the same VLANs. The security group will use the primary interface when it's up (make sure you configure this) by default. 

Thanks emmap. Will you able to share the URL where the checkpoint recommendation is to configure L3 switches as one virtual switch?

It's not that there's an explicit recommendation to do that, it's just understanding that if you're creating a load sharing bond with interfaces on two MHOs, it's a single bond. If those two MHOs are connected to two different switches, those switches logically have to be acting as a single switch to present back to the MHOs a single load sharing bond. It's an architectural understanding more than it is a Check Point recommendation.

UPLINK design network diagram already shared earlier.