In recent years, I have read and heard many questions about licensing in Maestro environments.
Therefore, here is a brief summary of the licensing model.

Important:
In R81.20 and higher versions, you can use the Security Group Management IP as the IP for the license string.
Here you can find the SK for the R81.20+ model: License for Maestro setup - R81.20 new features 

Here is an example with two MHOs, two security groups, and eight physical security gateways:



Therefore, here is a brief summary of the licensing model.

Maestro Orchestrators (e.g., MHO-140, MHO-170, MHO-175) do not require any license.

Each Security Group counts as one “gateway object” on the Management Server.
So, even if a Security Group has 2, 4, or 8 appliances, it is still managed as a single gateway from a licensing perspective. Therefore, you need a Security Management license (NGSM) that supports the number of Security Groups you plan to manage.

Example:
                  1 Security Group   → need 1 NGSM gateway license on the management.
                  5 Security Groups → need a license like CPSM-NGSM5 (5 gateways).

Each physical security appliance (member) in the Security Group requires its own standard Security Gateway license. 

Licensing is per gateway appliance, not per Security Group or Orchestrator. In R81.20 and higher versions, you can use the Security Group Management IP as the IP for the license string. Here you can find the SK for the R81.20+ model:
License for Maestro setup - R81.20 new features (sk180461)

These are the same licenses used for standalone gateways — typically:
   - NGFW
   - NGTP
   - NGTX bundles, depending on the feature set (Firewall, IPS, Application Control, Threat Prevention, etc.).'

All SG members should have identical licenses and enabled blades to ensure consistent behavior across the group.

Therefore, there are two ways to license the security gateways within a security group. The traditional method using the internal IP addresses of the gateways, or, starting with R81.20, the new method using the management IP address of the security group.

The licenses within the Security Group are bound to the internal IP address of each gateway. The internal IPs within a Security Group are always the same and are automatically assigned by the Maestro environment.

Here is an example of an traditional way NGTP license assignment within a Security Group:

Important:
In the case of dual-site licenses, there is an additional jump in the sequence of internal IP addresses.

Starting with version R81.20, Maestro Autoscaling was introduced. As a result, the licensing model had to be changed, since appliances can now be automatically added to a security group. Because of this, static assignment is no longer possible. Therefore, a new licensing model was introduced.

 - Each SGM must have a different license. To create a license, enter the IPv4 and the appliance's Certificate Key (CK).
 - For the license IP, use the Security Group's management IP. It is the same for all SGMs in the group.
 - For the appliance's CK, use the MAC address of the management interface.

Here is an example of an NGTP license assignment within a Security Group:

Each VSX/VSNext Security Group requires its own license. Each VSX Cluster license covers a predefined number of Virtual Systems (3, 10, 25, and 50), and these licenses are cumulative. The VSX licenses are applied in addition to the Security Gateway license (container and Software Blades).

Please note that VSLS (for example CPSB-VS-10-VSLS) or HA licensing is not supported on Maestro deployments.