Maestro Host Access - Best Practice - Check Point CheckMates

This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.

Reject

Preferences

ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ Sign In

Products
Learn
Local User Groups
Partners
- Welcome Partners!
More

Products
Learn
Local User Groups
- Upcoming Events
- Americas
- EMEA
  - Czech Republic and Slovakia
  - Denmark
  - Netherlands
  - Germany
  - Sweden
  - United Kingdom and Ireland
  - France
  - Spain
  - Norway
  - Ukraine
  - Baltics and Finland
  - Greece
  - Portugal
  - Austria
  - Kazakhstan and CIS
  - Switzerland
  - Romania
  - Turkey
  - Belarus
  - Belgium & Luxembourg
  - Russia
  - Poland
  - Georgia
  - DACH - Germany, Austria and Switzerland
  - Iberia
  - Africa
  - Adriatics Region
  - Eastern Africa
  - Israel
  - Nordics
  - Middle East and Africa
  - Balkans
  - Italy
  - Bulgaria
  - Cyprus
- APAC
  - Korea
  - Mongolia
  - Bangalore
  - Greater China
  - Australia/New Zealand
  - Philippines
  - Japan
  - Singapore
  - India
  - Thailand
  - Taiwan
  - Hong Kong
  - Indonesia
Partners
- Welcome Partners!
More
ABOUT CHECKMATES & FAQ
- About CheckMates & FAQ
- Community Guidelines
Sign In
Leaderboard
Events

Maestro Masters
Round Table session with Maestro experts

WATCH NOW

Create a Post

Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Search instead for

Did you mean:

CheckMates
:
Products
:
Network & SASE
:
Maestro Masters
:
Maestro Host Access - Best Practice

Options

Subscribe to RSS Feed
Mark Topic as New
Mark Topic as Read
Float this Topic for Current User
Bookmark
Subscribe
Mute
Printer Friendly Page

cancel

Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Search instead for

Did you mean:

Danny

MVP Platinum

‎2025-10-02 02:00 AM

Mark as New
Bookmark
Subscribe
Mute
Subscribe to RSS Feed
Permalink
Print
Report Inappropriate Content

Maestro Host Access - Best Practice

Maestro operates with predefined Internal IP Addresses.

In order to allow connections between SGMs and MHOs, like the member command, it's required to add these IPs to the Gaia Host Access list, in addition to monitoring probes and your Firewall Management DMZ that manages your Check Point security infrastructure.

A typical Gaia Host Access list on Maestro security groups would look like this:

Type	IP / Netmask	Description
Host	`127.0.0.1`	Localhost
Network	`192.0.2.0 /24`	Maestro Internal Sync Network
Network	`198.51.101.0 /24`	CIN (~~Chassis~~ Maestro Internal Network)
Network	`203.0.113.0 /24`	Maestro Inter-Site Sync Network

Depending on the number of security groups, there could also be additional Maestro CIN networks, such as:
198.51.102.0 / 24, 198.51.103.0 / 24 and so on, as described here.

Note: Check Point may hide some of these networks in Gaia WebUI, verify them in GClish via: show configuration allowed-client

Let's discuss how the Gaia Host Access list should be configured on Maestro HyperScale Orchestrators (MHO).

---
@Lari_Luoma @Anatoly @Tom_Kendrick @Laszlo_Csosza @Jochen_Hoechner