PhoneBoy
Admin

Maestro Masters 2025: Maestro Migration and Upgrade Best Practices

 

6 Replies
the_rock
Legend

Excellent, as always.

Arthur_DENIS1
Advisor

Thanks for sharing!

One question regarding migrating to new appliances.

In my scenario, I have a single site running dual orchestrators.
As I understand, I can add a new appliance inside my security group even if it's not supported for production, based on sk162373.

Let's say I have 2 SGM 15600 on my single site, and I want to migrate to the 9000 series.
If I put 1x 9000 inside my SG, production traffic is supposed to be handled by this 9000 without impact? Correct?

But at the end of the migration, I still need to reboot all at the same time to be able to allocate the correct SND core number, still correct?


If yes, smooth indeed, but not totally transparent, and it still needs a maintenance window as we have a real cut at some point.

Thanks 

CKing
Participant

I've recently tested a similar scenario: dual site, each with dual orchestrators, but the same 15600 to 9000 series appliances.

Once all SGMs were swapped to the 9000 series, "asg diag verify" fails the Core Distribution tests with "Ppak cores inconsistency" and "CoresXL + ppak exceed physical".

Had to reboot all SGMs after reconfiguring the CoreXL instance counts with cpconfig. I did find the new 9000 series appliances rebooted much faster than the 15600s; it was approx. 6 min in my lab.

Also interested to know if there is a smoother way, for migration purposes, to sort out the CoreXL config, or if we just have to take the full outage.
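
The two Core Distribution failures named in the post above ("Ppak cores inconsistency" and "CoresXL + ppak exceed physical") reduce to two arithmetic conditions across the members of a security group: every SGM must run the same number of SND (ppak) cores, and on each SGM the SND cores plus CoreXL FW instances must fit within its physical cores. The shell script below is an added example, not Check Point's own tooling and not a parser for the real "asg diag verify" output; it runs those two checks over a hand-built inventory whose column layout, SGM IDs and core counts are all constructed for illustration, so a planned CoreXL/SND split can be sanity-checked on paper before the group-wide reboot.

```shell
#!/bin/sh
# Added example (not Check Point tooling): pre-reboot sanity check for the CoreXL/SND
# split of a Maestro security group. It does NOT parse real `asg diag verify` output.
# Assumed inventory layout, one SGM per line:
#   <SGM id>  <physical cores>  <SND/ppak cores>  <CoreXL FW instances>

# Constructed inventory: two original members plus one newly added member with more
# cores whose CoreXL split was chosen independently. All core counts are hypothetical.
MIXED_INVENTORY='
1_01 16 4 12
1_02 16 4 12
1_03 32 8 26
'

# Constructed inventory after the whole group has been reconfigured to one common split.
UNIFORM_INVENTORY='
1_01 32 8 24
1_02 32 8 24
1_03 32 8 24
'

# Prints one finding per line. Exit status: 0 = consistent, 1 = at least one check failed.
# Check A: every SGM must report the same SND (ppak) core count.
# Check B: on every SGM, SND cores + CoreXL FW instances must not exceed physical cores.
check_core_distribution() {
    printf '%s\n' "$1" | awk '
        BEGIN { fail = 0; n = 0 }
        NF == 0 { next }                      # skip blank lines
        $1 ~ /^#/ { next }                    # skip comment lines
        NF != 4 { printf "MALFORMED_LINE %s\n", $0; fail = 1; next }
        {
            sgm = $1; phys = $2 + 0; snd = $3 + 0; fw = $4 + 0
            n++
            snd_seen[snd] = 1
            if (snd + fw > phys) {
                printf "EXCEEDS_PHYSICAL %s snd=%d fw=%d phys=%d\n", sgm, snd, fw, phys
                fail = 1
            }
        }
        END {
            k = 0
            for (v in snd_seen) k++
            if (k > 1) {
                printf "SND_INCONSISTENT %d distinct SND counts across %d SGMs\n", k, n
                fail = 1
            }
            exit fail
        }'
}

# Count findings of one type (EXCEEDS_PHYSICAL, SND_INCONSISTENT, MALFORMED_LINE)
# so a caller can tell which condition the inventory tripped.
count_findings() {
    # $1 = inventory, $2 = finding keyword
    check_core_distribution "$1" | grep -c "^$2 " || true
}

# Stand-alone demonstration: the mixed group fails both checks, the uniform one passes.
echo "== mixed group =="
check_core_distribution "$MIXED_INVENTORY" \
    || echo "FAIL: align the CoreXL/SND split on every SGM before the group-wide reboot"
echo "== uniform group =="
check_core_distribution "$UNIFORM_INVENTORY" \
    && echo "OK: every SGM has the same SND count and fits its physical cores"
```

For the mixed inventory the script reports EXCEEDS_PHYSICAL for 1_03 (8 + 26 > 32) and SND_INCONSISTENT (4 vs 8 across the three members), which is the same pair of conditions the post reports from "asg diag verify"; the uniform inventory passes cleanly. The check is deliberately read-only so it can be run against a planned layout before anything is changed on the SGMs.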

RPawar
Contributor

Hello PhoneBoy,

I really appreciate the PDF and the video that you have shared; it's very insightful in regard to upgrading and migrating to Maestro devices.

However, I have a few questions, or rather doubts, that I would like to share with the experts here.

1) In the document, under migration troubleshooting, it is mentioned that LACP should be configured and there should be no VPC between the connected switches. Question: we have a migration going on, and we have 3 switches in uplink (WAN, Core, DMZ); all the switches have VPC on them. Although we tested the LACP functionality by enabling the interfaces and it was working as expected, I just wanted to clarify: can the VPC part on the switch cause any future hurdle during cutover?

2) We have 95 IPsec communities along with their respective VPNT routes (route-based IPsec tunnels) in our live setup, which has a standard HA cluster of two 5600 gateways. We will be performing a direct migration and full cutover in one go to Maestro. Question: I wanted to know if there are any hidden settings or configuration specific to the Maestro environment which we need to follow before the direct cutover for IPsec?

Note: we will be using the same IP schema as the live setup, and all the configurations and the policy package will be replicated and pushed to the Maestro.

 

It would be a great help if anyone could assist with these queries.

_Val_
Admin

@Lari_Luoma can you answer, please?

Lari_Luoma
Ambassador

Hi!

1. vPC is needed if you want to connect LACP members to different switches.

2. Seems like you would need to migrate to SASE. 😉 Typically, when VPNs are migrated there are no special settings and they come up fine. Make sure the new GW object is in every community as expected and that the other settings are cloned correctly from the old setup. For this kind of complex migration, I would recommend hiring Check Point PS.
