This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
simonemantovani
Explorer
‎2025-04-07 06:09 AM
Jump to solution

Maestro - Dual Site - Security Group questions

Hello All

I'm writing to you to get an opinion, I'm preparing a Maestro installation for a customer; the scenario is dual site (site 1 and site 2) with dual orchestrator, and only 1 securty group (SG1) configured like the attached screenshot.

The customer wants that the traffic will be managed only by SGM in site 1; site 2 will be used only if site 1 is down; so my first question is: to achieve what the customer requests, do I need to work with weights for every SGM, and setup weight to 0 for the SGMs in site 2?

The second question is related to the model of appliance that can be used; if I understood correctly the Admin guide, in this scenario, I can use different model of appliance in the same Security Group, but appliances, in different site, with the same ID must be the same model.

So, in attached screenshot, SGM1_1 and SGM2_1 must be the same model, and event SGM1_2 and SGM2_2 must be the same model (and in case different from SGM1_1 and SGM2), am I right?

SGM1_3 and SGM1_4 can be different models, compared with the other SGM. Right?

Thanks for your opinion.

Preview file
52 KB
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2025-04-07 07:28 PM
Jump to solution

When you set up your security group, it will be Active/Standby across the two sites already, you don't have to adjust anything for that. SGMs in site 1 will process traffic, SGMs in site 2 will be in standby in case a failover event occurs. 

You can mix & match SGM appliances in a running security group, but we generally wouldn't recommended it for a first time out. It can get complicated and you lose some of the quality of life features (such as auto-cloning). Limitations apply as to which models you can run together. See here for details: https://support.checkpoint.com/results/sk/sk162373

If you are mixing appliances, it is recommended to have the same mix across sites, yes. Further to that though, we do recommend that you have the same SGM setup on both sites, so that you maintain full high availability. If you need 4 SGMs on site 1 to serve your network load, it stands to reason that you'll need the same capability on site 2 so that you have continuity if a failover should occur. Hence there should also be an SGM 3 and 4 on site 2 as well. 

View solution in original post

(1)
2 Replies
emmap
Employee
Employee
‎2025-04-07 07:28 PM
Jump to solution

When you set up your security group, it will be Active/Standby across the two sites already, you don't have to adjust anything for that. SGMs in site 1 will process traffic, SGMs in site 2 will be in standby in case a failover event occurs. 

You can mix & match SGM appliances in a running security group, but we generally wouldn't recommended it for a first time out. It can get complicated and you lose some of the quality of life features (such as auto-cloning). Limitations apply as to which models you can run together. See here for details: https://support.checkpoint.com/results/sk/sk162373

If you are mixing appliances, it is recommended to have the same mix across sites, yes. Further to that though, we do recommend that you have the same SGM setup on both sites, so that you maintain full high availability. If you need 4 SGMs on site 1 to serve your network load, it stands to reason that you'll need the same capability on site 2 so that you have continuity if a failover should occur. Hence there should also be an SGM 3 and 4 on site 2 as well. 

(1)
simonemantovani
Explorer
‎2025-04-08 12:06 AM
In response to emmap
Jump to solution

Hello Emmap

thanks for your reply.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    CheckMates Events