Hello All
I'm writing to you to get an opinion. I'm preparing a Maestro installation for a customer; the scenario is dual site (site 1 and site 2) with dual orchestrator, and only 1 security group (SG1), configured as in the attached screenshot.
The customer wants the traffic to be managed only by the SGMs in site 1; site 2 will be used only if site 1 is down. So my first question is: to achieve what the customer requests, do I need to work with weights for every SGM, and set the weight to 0 for the SGMs in site 2?
The second question is related to the model of appliance that can be used. If I understood the Admin guide correctly, in this scenario I can use different models of appliance in the same Security Group, but appliances in different sites with the same ID must be the same model.
So, in the attached screenshot, SGM1_1 and SGM2_1 must be the same model, and even SGM1_2 and SGM2_2 must be the same model (and in case different from SGM1_1 and SGM2), am I right?
SGM1_3 and SGM1_4 can be different models, compared with the other SGM. Right?
Thanks for your opinion.
When you set up your security group, it will be Active/Standby across the two sites already, you don't have to adjust anything for that. SGMs in site 1 will process traffic, SGMs in site 2 will be in standby in case a failover event occurs.
You can mix & match SGM appliances in a running security group, but we generally wouldn't recommend it for a first time out. It can get complicated and you lose some of the quality of life features (such as auto-cloning). Limitations apply as to which models you can run together. See here for details: https://support.checkpoint.com/results/sk/sk162373
If you are mixing appliances, it is recommended to have the same mix across sites, yes. Further to that though, we do recommend that you have the same SGM setup on both sites, so that you maintain full high availability. If you need 4 SGMs on site 1 to serve your network load, it stands to reason that you'll need the same capability on site 2 so that you have continuity if a failover should occur. Hence there should also be an SGM 3 and 4 on site 2 as well.
Hello Emmap
thanks for your reply.