This is a collection of frequently asked questions gathered during recent CheckMates Maestro presentations. It covers key features, limitations, and best practices—especially related to R82. We will continue to update this post based on insights from the two remaining presentations in this series.
UPDATE 5/14/2025: Integrated more questions and answers from recent sessions. I have removed duplicates, left out non-Maestro-related questions and edited questions for clarity.
Hardware & Compatibility
Q: Does MHO-175 support 1G interfaces?
A: Yes, 1G interfaces are supported in R82.
Q: Can Maestro orchestrators or SGMs be virtualized in R82?
A: No, only physical orchestrators and SGMs are supported.
Q: Can I reimage a Mellanox SN2410 (MSN2410-CB2RC) with Gaia and use it as an MHO-140 for lab purposes?
A: No, Maestro is only supported on orchestrators officially sold and provided by Check Point.
Q: Can different appliance models be mixed in the same Security Group?
A: Yes, provided they are listed as compatible in sk162373.
Functional Capabilities
Q: What does the SMO represent in SmartConsole?
A: The SMO (Single Management Object) represents the Security Group. Orchestrators themselves do not appear in SmartConsole.
Q: Is WebUI-based cluster member management exclusive to R82?
A: Yes, this is only available starting from R82.
Q: Does Maestro support dual-site active/active?
A: This feature is not yet generally available in R82. However, early access may be available—please contact your Check Point account team for more information.
Q: Does Maestro support WebUI?
A: Yes. Both orchestrators and security groups support WebUI. R82 enhances WebUI with features like virtual gateway creation.
Q: Is the "Insights" monitoring tool specific to R82?
A: Yes, Insights is introduced in R82 for advanced visibility and analytics.
Q: Can I share the same IP across multiple management interfaces?
A: Use a bonded management interface (MAGG) and assign the IP to the bond. This ensures resilience and proper traffic handling.
Q: Can the same physical uplink be shared between multiple Security Groups?
A: Yes, but it must be explicitly enabled in the orchestrator. Management interfaces can be shared by default if they’re on the same subnet.
Q: Does Maestro support VRRP?
A: No, VRRP is not supported. Maestro operates as a single logical entity, eliminating the need for VRRP.
Q: Is ISP redundancy supported in Maestro?
A: Yes, but SD-WAN is the recommended approach for handling it.
Q: What is the best distribution mode for a perimeter gateway?
A: Auto-topology.
Q: Can you set distribution mode per VS in VSX?
A: No, distribution mode is global for all VSs.
Q: Is there a reason not to use a data interface for management?
A: Yes, using data interfaces for management is not recommended. It typically reflects poor network design due to the lack of a separate management network.
Q: If correction traffic was 100%, is that good or bad?
A: If all traffic is corrected, it can lead to performance issues. Correction should be minimized through proper tuning of the distribution mode.
Q: How do I know if distribution mode is causing performance issues?
A: Performance problems may appear when some SGMs receive significantly more traffic than others, often seen in high connection rate environments.
Q: What are the implications of changing the distribution mode? Is downtime required?
A: Switching from auto-topology to general mode clears the NAT table, though NAT is not typically used in general mode. Changing distribution at the port level (e.g., from internal to external) changes distribution decisions but does not require stopping the environment.
Q: Is there a command to see corrected traffic as a percentage of total traffic?
A: No, such a command is not available.
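As an added illustration of the two preceding answers (uneven per-SGM load and a high correction share as symptoms of a poorly tuned distribution mode), here is a small Python script that is not part of the original post and not Check Point's code. It takes per-SGM packet counters that you have gathered yourself and reports the correction share and any member whose load deviates sharply from an even split. The member names, counter values and thresholds are constructed for the example; the script does not parse the output of any asg command.

```python
# Added example (not from the original post, not Check Point's code).
# Flags the two symptoms described in the FAQ: a high share of corrected
# traffic, and SGMs that carry much more or much less load than their peers.

# Constructed sample: per-SGM packet counters for one measurement interval.
# "forwarded" = packets the SGM processed itself,
# "corrected" = packets it had to hand to the owning SGM over the correction VLAN.
SAMPLE_COUNTERS = {
    "1_01": {"forwarded": 480_000, "corrected": 20_000},
    "1_02": {"forwarded": 470_000, "corrected": 30_000},
    "1_03": {"forwarded": 910_000, "corrected": 90_000},
    "1_04": {"forwarded": 140_000, "corrected": 60_000},
}


def _received(c):
    """Total packets that reached this SGM, corrected or not."""
    return c["forwarded"] + c["corrected"]


def correction_ratio(counters):
    """Fraction of all received packets that were corrected (0.0 .. 1.0)."""
    total = sum(_received(c) for c in counters.values())
    if total == 0:
        return 0.0
    return sum(c["corrected"] for c in counters.values()) / total


def load_shares(counters):
    """Each SGM's share of the total received packets."""
    total = sum(_received(c) for c in counters.values())
    if total == 0:
        return {sgm: 0.0 for sgm in counters}
    return {sgm: _received(c) / total for sgm, c in counters.items()}


def skewed_members(counters, tolerance=0.5):
    """SGMs whose share deviates from the even share (1/N) by more than
    `tolerance` (0.5 = 50 % above or below). Returns sorted (sgm, share) pairs."""
    shares = load_shares(counters)
    even = 1.0 / len(shares)
    return sorted(
        (sgm, share)
        for sgm, share in shares.items()
        if abs(share - even) / even > tolerance
    )


def report(counters, max_correction=0.10, tolerance=0.5):
    """Summarise findings as a dict so callers (or a test) can act on them."""
    ratio = correction_ratio(counters)
    skewed = skewed_members(counters, tolerance)
    return {
        "correction_ratio": ratio,
        "correction_too_high": ratio > max_correction,
        "skewed_members": [sgm for sgm, _ in skewed],
    }


if __name__ == "__main__":
    result = report(SAMPLE_COUNTERS)
    print(f"corrected traffic: {result['correction_ratio']:.1%}")
    if result["correction_too_high"]:
        print("  -> correction share above threshold; revisit distribution mode")
    for sgm, share in sorted(load_shares(SAMPLE_COUNTERS).items()):
        flag = "  <-- skewed" if sgm in result["skewed_members"] else ""
        print(f"SGM {sgm}: {share:.1%} of received packets{flag}")
```

The thresholds (10 % corrected traffic, 50 % deviation from an even share) are illustrative starting points; what counts as acceptable depends on the connection rate and on whether the traffic mix is expected to be asymmetric.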
Q: What is the command to check Maestro status in the CLI?
A: Use asg monitor.
Q: Do downlinks have VLAN tags?
A: Yes. MHOs tag each port with a VLAN that the SGM strips. Additional VLANs exist for correction, CIN, sync, and uplink networks.
Q: If an SGM fails, how does distribution work?
A: One SGM handles traffic and syncs to a backup. If the active SGM fails, the backup takes over, and a new backup is assigned. This transition is seamless.
Upgrades & Configuration
Q: How are orchestrators upgraded?
A: Ensure HA is working. You can shift traffic from MHO1 to MHO2 and upgrade one orchestrator at a time. Most upgrades are non-disruptive.
Q: Can I rename a Security Group without impacting traffic?
A: Yes, this operation is supported and non-disruptive.
Q: How is failover handled between MHOs?
A: MHOs do not form an HA pair but synchronize configurations. If uplinks are bonded across MHOs, failover is seamless during maintenance or reboot.
Q: Can I upgrade from VSX to VSNext automatically when moving to R82?
A: No. A conversion tool is planned but not yet available.
Q: In the SG configuration window, when should “Install as VSX/VSNext” be enabled?
A: Enable this option only if you want to use VSNext. For legacy VSX, create the SG and then run set vsx on via CLI.
Q: Why is active/backup recommended over LACP for MAGG interfaces?
A: LACP-based MAGG cannot be shared across Security Groups. Active/backup is simpler and sufficient for most management traffic needs.
Q: Are CoreXL settings set manually for Maestro VSX in SmartConsole?
A: CoreXL configuration is the same as with other VSX platforms. You can configure up to 32 instances per VS, which are automatically distributed across CoreXL cores.
Q: How do I monitor each SGM with SNMP?
A: Refer to the R82 Scalable Platforms Administration Guide. For R81.10 and R81.20, see sk181373.
Network & Connectivity
Q: Where are production devices and switches connected in a Maestro setup?
A: All production traffic interfaces connect to orchestrator uplink ports.
Q: Can I connect MHO synchronization links through a switch?
A: No, direct connection between MHOs is required for synchronization.
Q: Can I use mixed-speed uplinks in Maestro?
A: Yes. Uplink ports support multiple speeds (1G, 10G, 25G, 40G, 100G) depending on transceiver, orchestrator model, and software version.
Q: What are the distance limitations for fiber uplinks?
A: This depends on the fiber and transceiver type. Refer to sk92755 for details.
Training, Labs & Roadmap
Q: Is there a plan to add a visual topology map for Maestro in R81.20?
A: No, this feature is only available starting in R82.
Q: Is there a Maestro lab environment available in TechPoint?
A: It is currently on the roadmap.
Q: Can Maestro be tested in a virtual environment?
A: Orchestrators cannot be virtualized. Gateways can be used for limited testing, but this setup is not officially supported.
Q: Are you planning a webinar on dual-site active/active?
A: Yes, a webinar is planned but will likely take place once the feature becomes generally available in a recommended version. In the meantime, reach out to your account team if you're interested in early access.
Migration & Best Practices
Q: What’s the difference between ElasticXL and Maestro?
A: ElasticXL uses pivot mode, has no hardware orchestrators, and supports one Security Group with up to three members per site. Maestro supports up to eight Security Groups and up to 14 members per site, and uses orchestrators to distribute traffic to the gateways.
Q: Are there best practices for migrating new appliances to Maestro?
A: Yes. Refer to sk182838 and consider involving Check Point Professional Services for complex migrations.
Q: Where are VLANs assigned—at the orchestrator or the Security Group level?
A: VLANs are configured at the Security Group level.