Lari_Luoma
MVP Gold CHKP

Maestro Best Practices

Hi Everyone!

I’m excited to share that my colleague John White and I have co-authored a new Maestro Best Practices Guide. This document brings together lessons learnt from real-world projects and field experience, and we hope it will serve as a practical resource for anyone working with Maestro.

Please feel free to save it for your own use — and more importantly, let us know your feedback. If you have additional best practices or tips from the field, share them here. I’ll be happy to incorporate them into future updates so this guide continues to grow with community input.

Looking forward to your thoughts and contributions!

17 Replies
Danny
MVP Gold

Thanks for putting this together!

I recommend running the document through a grammar checker like LanguageTool to improve clarity and correctness.

Lari_Luoma
MVP Gold CHKP

Thanks for the feedback, Danny. I replaced the file in my original post with a fixed version now. Some of them I had already fixed in the Word version, but for some reason the version I posted still had those errors.

Dario_Perez
Employee

Great work!

the_rock
MVP Gold

Amazing job...super helpful! 

Best,
Andy
John_White
Employee

Looks good Lari, thanks again for your support on this. 

the_rock
MVP Gold

Jonny White...man, can't believe I see you on here...it's been FOREVER lol

How's life? :-)

Best,
Andy
PhoneBoy
Admin

Great stuff, I'll make sure to call it out in the next CheckMates Go episode 🙂 

Timothy_Hall
MVP Gold

Incredible, thanks @Lari_Luoma!  I always appreciate seeing battle-hardened best practice recommendations like this, formed by dozens (if not hundreds) of complex Maestro deployments in the real world.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Gold

I saw all @Lari_Luoma did for one of our clients for a Maestro deployment and they were so impressed, to say the least. Personally, I had never seen that level of knowledge and expertise from someone; it's hard to even describe with the right words.

Best,
Andy
Lari_Luoma
MVP Gold CHKP

Thank you so much, Andy — I’m truly humbled by your kind words.

It’s always a privilege to support our customers, wherever they are, and I’m glad I could contribute to a successful Maestro deployment. Seeing the impact of our work firsthand and knowing it made a difference for the client is incredibly rewarding.

I’m grateful to be part of a team that values excellence and collaboration. Always happy to help!

the_rock
MVP Gold

100%...maybe if I say RC in Ottawa, you may remember who it was :-)

Best,
Andy
_Val_
Admin

Thanks, @Lari_Luoma , great work!

adelguia
Explorer

I would add this key reason in point 6:

  • If a shared uplink is used, then each SG should have unique VLAN IDs. It's not possible to have the same VLAN ID in multiple SGs with shared uplinks.

That's an important point that everyone should have in mind while designing. We are in the middle of a migration and had to change the design from 2 SG to 1 SG because of this.

Lari_Luoma
MVP Gold CHKP

Good point, and thanks for bringing it up.

Just to highlight: different VLAN IDs between Security Groups on shared uplinks are not only best practice, but a mandatory requirement. The system won’t allow the same VLAN ID across multiple SGs on a shared uplink, so this needs to be accounted for during design.

That said, the stronger recommendation is to use dedicated interfaces per Security Group whenever possible. Shared uplinks can create dependencies where external issues affect every SG tied to that interface, reducing isolation and resiliency.

Your example is a good reminder that planning these details upfront helps avoid costly redesigns mid-migration.
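
The two points above (a VLAN ID may belong to only one Security Group on a shared uplink, and shared uplinks widen the fault domain) are easy to check before anything is configured. The following is an added design-time validator, not a Check Point tool and not part of the guide; the Security Group names, uplink names and VLAN IDs in it are constructed sample data. It treats a VLAN ID reused by two SGs on the same uplink as a hard error and an uplink used by more than one SG as a warning, and also rejects VLAN IDs outside the 802.1Q range 1-4094.

```python
"""Design-time check of a planned Maestro Security Group / uplink VLAN layout.

Hypothetical planning aid written for this thread, not Check Point code.
Rules encoded:
  - error:   the same VLAN ID claimed by more than one SG on one uplink
             (Maestro does not allow this on a shared uplink)
  - error:   VLAN ID outside 1-4094
  - warning: an uplink shared by several SGs (shared fault domain; the
             recommendation is a dedicated uplink per SG where possible)
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Security Group -> {uplink port -> VLAN IDs the SG wants on that uplink}
Plan = Dict[str, Dict[str, List[int]]]

# Constructed sample plan (hypothetical names, not a real deployment)
SAMPLE_PLAN: Plan = {
    "SG-1": {"uplink-A": [10, 20], "uplink-B": [30]},
    "SG-2": {"uplink-A": [20, 40], "uplink-C": [50]},
    "SG-3": {"uplink-C": [50, 60]},
}


def vlan_conflicts(plan: Plan) -> List[Tuple[str, int, List[str]]]:
    """(uplink, vlan, [sgs]) for each VLAN ID claimed by >1 SG on one uplink."""
    owners = defaultdict(set)  # (uplink, vlan) -> set of SG names
    for sg, uplinks in plan.items():
        for uplink, vlans in uplinks.items():
            for vlan in vlans:
                owners[(uplink, vlan)].add(sg)
    return sorted(
        (uplink, vlan, sorted(sgs))
        for (uplink, vlan), sgs in owners.items()
        if len(sgs) > 1
    )


def shared_uplinks(plan: Plan) -> Dict[str, List[str]]:
    """uplink -> sorted SG names, for every uplink used by more than one SG."""
    users = defaultdict(set)
    for sg, uplinks in plan.items():
        for uplink in uplinks:
            users[uplink].add(sg)
    return {u: sorted(s) for u, s in sorted(users.items()) if len(s) > 1}


def invalid_vlan_ids(plan: Plan) -> List[Tuple[str, str, int]]:
    """(sg, uplink, vlan) for every VLAN ID outside the 802.1Q range 1-4094."""
    return sorted(
        (sg, uplink, vlan)
        for sg, uplinks in plan.items()
        for uplink, vlans in uplinks.items()
        for vlan in vlans
        if not 1 <= vlan <= 4094
    )


def validate(plan: Plan) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors block deployment, warnings mean
    the design works but with weaker isolation between SGs."""
    errors = [
        f"uplink {u}: VLAN {v} is claimed by {', '.join(sgs)}; "
        f"a VLAN ID may belong to only one SG on a shared uplink"
        for u, v, sgs in vlan_conflicts(plan)
    ]
    errors += [
        f"{sg}/{u}: VLAN ID {v} is outside 1-4094"
        for sg, u, v in invalid_vlan_ids(plan)
    ]
    warnings = [
        f"uplink {u} is shared by {', '.join(sgs)}; a fault on it affects all "
        f"of them, prefer a dedicated uplink per SG"
        for u, sgs in shared_uplinks(plan).items()
    ]
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate(SAMPLE_PLAN)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against the sample plan it reports two errors (VLAN 20 on uplink-A is claimed by SG-1 and SG-2, VLAN 50 on uplink-C by SG-2 and SG-3) and two warnings (uplink-A and uplink-C are shared). The same VLAN ID on different uplinks, for example VLAN 10 on uplink-A for one SG and on uplink-B for another, is not flagged, which matches the rule as stated: the restriction applies per shared uplink.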

Daniel_Kuhl1
Employee

Great work @Lari_Luoma and all contributors! 👍 Thank you for putting these things together and describing the key reasons behind each topic, which is even more important. The key reasons behind a specific design or configuration are not obvious to everyone in the first place and are sometimes not part of the Admin Guides.

Alex-
MVP Silver

In a Maestro deployment for DC traffic without any NAT, I remember from other webinars that it is recommended to use general mode.

In the relevant guide, it is mentioned not to change the distribution mode of a VS for performance reasons, without further explanations.

What does this mean?

- Should we change the distribution mode to general on VS0 only?

- Not change it at all if we use VSX?

Dario_Perez
Employee

For VSX you can work with different scenarios, and by default it is auto-topology per port.

Read https://support.checkpoint.com/results/sk/sk108842 for further information.