Re: Maestro VSX – Backup created on one SGM is aut...

OriN · ‎2025-12-18

Hello,

We are running a Check Point Maestro + VSX environment with the following topology:

4 SGMs (2 per site)
4 Orchestrators (2 per site)

When creating a backup on a single SGM (local backup, not via GCLISH), we observed that once the backup process completes, the backup file is automatically copied to all other SGMs in the Maestro fabric.

Relevant log message:

Dec 18 13:08:03 2025 SG1-VSX-ch02-02 confd: Copy file backup_--_SG1-VSX-ch02-02_18_Dec_2025_13_06_55.tgz to all SGMs - OK

What is the underlying mechanism or feature that causes this behavior?
Is this expected behavior in Maestro / VSX environments?
Is there a supported way to prevent backups created on one SGM from being propagated to the other SGMs?

Any clarification or official documentation references would be appreciated.

Thank you.

Lesley · ‎2025-12-18

From r81.10 the smo runs the scheduled backups

https://support.checkpoint.com/results/sk/sk183672

They all have to be the same appliance otherwise it does not work

Maestro Security Groups that contain different Security Appliance models do not support Gaia Backup operations (in the Global Gaia Portal or Global Gaia Clish

To collect or import a Gaia Backup in such a Security Group, connect directly to Gaia Portal or Gaia Clish on each Security Appliance in the Security Group.

-------
Please press "Accept as Solution" if my post solved it 🙂

OriN · ‎2025-12-18

Hey Lesley,
Thanks for the reference, but this does not address the behavior I described.

To clarify:

The backup is manually initiated on a single SGM
Not scheduled
Not SMO-initiated
Not via GCLISH
All SGMs are identical models

Despite this, after the backup completes, the file is automatically copied to all other SGMs, as shown in the log.

This points to an internal Maestro / confd Security Group file-replication mechanism, not scheduled backups or SMO behavior.

If there is an SK that specifically explains SGM-level backup file synchronization, I’d appreciate the reference.

Thanks.

emmap · ‎2025-12-18

I don't know what the expectation is for the backup script, but also I don't know that backing up specific SGMs is all that useful - you only need a backup of the SMO to restore a complete security group, as other SGMs can be restored via the cloning process. I guess the idea here is that your backup isn't very useful if you leave it on the box, so by copying it to all SGMs it will be more easily available on the SMO to be transferred off.

If you do want a rollback point for a specific SGM, we would recommend going with a locally taken snapshot. That would definitely not be copied to every other SGM.

OriN · ‎2025-12-21

Understood on the general backup approach, but that’s not the issue here.

We back up the SMO only using an external system. During that process, the Gaia backup created on the SMO is automatically copied to all SGMs, creating unnecessary backups on each SGM.

My question is simply: is this copy behavior mandatory by design in Maestro, and is there any supported way to disable it?

Thanks.

emmap · ‎2026-01-11

I have tried a couple of things on my EXL cluster, which shows the same behaviour, regardless of whether the backup is taken in bash or gclish. Seems it's by design, and I can't see a way to change that.

Maestro VSX – Backup created on one SGM is automatically copied to all SGMs