Showing results for 
Search instead for 
Did you mean: 
Create a Post

Maestro TechTalk

On 17th July 2019, we did a TechTalk with @Anatoly@Maor_Elharar, and Matan Tenenboim on Maestro, doing a deep dive on the technology and answering many of your burning questions. 

Materials below are available to CheckMates members who are signed in.

Q&A answered during the session will be posted as comments shortly.

(view in My Videos)

0 Kudos
2 Replies

Re: Maestro TechTalk

Here are the questions asked during the Q&A:

Is Maestro compatible with CloudGuard for ACI/NSX?

Not currently compatible with ACI, but it is in the plans.

When creating VLANs on the Orchestrator, only tagged VLANs can be used. How about VLAN 1?

Once you setup a VLAN on the Orchestrator, only that specific VLAN will be used. Trunk interfaces that allow more than a single VLAN will be supported in the future.

What gateways does Maestro work with?


  • 5900
  • 6500
  • 6800
  • 23800 (requires R80.20SP JHF1)
  • 23900

We plan to support other gateways in the future. Please contact your local office if such support is required.

Is a dedicated management port for each security group needed?

No, you can share a management interface between security groups.

What is the transmit hash policy on the portchannel between the orchestrator and appliances?

It's a Check Point algorithm based on L3/L4 information.

What cables are needed for downlinks between Orchestrator and appliances?

DAC cables are recommended.

What is the minimum version of Check Point required with Maestro?

R80.20 and above for management. The gateways will run R80.20SP. R80.30SP is planned, as is integration into maintrain.

Can different appliance types be used in the same security group?

Not currently, but it is planned.

Distance limitations for dual site?

No, but latency should be kept below 100ms and have no more than 5% packet loss over a Layer 2 link between the sites. This is similar to ClusterXL.

What happens (other than mass chaos) when the Orchestrator sync cable is broken?

Configuration synchronization will not be possible except via manual means.

When will dual-site support be available?

Expected end of July for Security gateway. For VSX, expected end of August.

Can you run a single Orchestrator at two sites and run this as a dual-site configuration?

Yes, but we definitely recommend running two orchestrators at each site for redundancy.

How long can the DAC cables be?

3 meters currently. We plan to support longer cables and fiber in the future.

Is it possible to use VSX with Maestro?

Yes, but VSLS is currently not supported. We plan to support it when dual-site support is released.

Will the dual-site Security Group failover be for all gateways in the site or for the affected security group only?

The affected security group only.

I have four appliances, two in site A and two in site B in the same security group. One appliance in this group goes down. Can I configure it so if one appliance in the security group is down at site A, it will switch to site B?

Each component in the system (like interface or appliance) is assigned a weight. If the remote site total weight is higher, a site failover is performed. You can change the default weight of the components to suit your requirements.

What transceivers are supported? The slides mentioned 25G transceivers but sk92755 doesn't list it.

Any Check Point transceivers should work. Check Point currently does not offer 25G transceivers, but Maestro is ready to support them.

Are all appliances seeing every packet, or is it the job of the Orchestrator to distribute packets?

The Orchestrator distributes the traffic. The appliances only sees traffic that is relevant for that appliance.

Does the Orchestrator handle routing for the various members as wel?

No, the Orchestrator only forwards and balances traffic to the appliances in the security group. It is not involved in Layer 3 routing decisions.

Does Maestro support ICAP?

We plan to support it in the future, but plans have not been finalized. If you have this requirement, please contact your local Check Point office.

How do you troubleshoot a traffic flow with Maestro?

We have global versions of various troubleshooting commands that gather the relevant data from the relevant appliance.

What happens if you're running with a single Orchestrator and that fails?

No traffic will be passed. This is why we recommend running with a second Orchestrator for redundancy.

Are dual Orchestrator uplinks capable of LACP/Multi-Chassis Link Aggregation?

Yes, we support LACP on two Orchestrators. The Orchestrator is not aware of the bond, however.

Is it necessary to perform configuration backups from the SMO or will everything be restored/redeployed from the Orchestrator?

You still need to backup the SMO. We do plan to offload deployment/maintenance tasks to the Orchestrator in the future.

Will all the data between appliances and orchestrators pass on the dedicated link? Meaning, no specific interface modules are required on the appliance?

Maestro uses standard Check Point interfaces. Each appliance requires a 10G/40G expansion card. 

Regarding management: which IP is the manager talking to? Do we need a management network large enough for the maximum number of appliances?

Only one IP is required per security group, regardless of the number of appliances.

Can you create virtual switches to represent network connectivity to the Orchestrator the same as VSX?

Virtual switches are not supported currently with Maestro, but it is in the plans.

What is the interface naming convention for the Orchestrator?


Re: Maestro TechTalk


Why I am getting the message "You do not have permission to view this asset." when I try to watch the Maestro TechTalk video?


Marcos Reis

Marcos Ferreira dos Reis
0 Kudos