I did some months on memory leaks too - got this resolved by a private fix in the end. Of course, when applying private fixes to the Maestro - the upgrade process when moving to new jumbos and versions does get a bit tedious and time consuming. I think that for a lot of my customers an upgrade to, say, R81 will be a hard sell - since we have spent so much time on debug and tshoot.
For the implementation of the solution there has been some great improvement. Starting out with r80.20sp there was a limitation on max vlans per bond - and also a lot of manual work when creating 50-60 interfaces, as it could not be scripted. As of now, with the 307 or 309 (I can't remember) we are at least able to just create the interfaces on the sec.group itself - and then this gets auto populated to the orchs. That was a nice fix/feature.
Placing the Maestro solution into a legacy / old network - where you have 10-15-20 years of history with fixes and patches, special nat, and maybe a bit messy network design - is a hard task. We got into major issues with the use of the MAGG interface and the rules/design concerning this, just as an example. Check Point does want the MAGG interface to pretty much be directly attached to at least the SMS, but it does not support routing/nat so if you have anything else there - let's say a radius server or a vmware box - this stuff will get issues with its production traffic.
Just to say - that I think planning/design is a big part of the Maestro solution - I see too many customers just thinking to do a copy/paste of the old setup - and this will bring them into issues for sure. Migrating from an old Check Point setup to Maestro should probably trigger at least a network design review, and in many cases a redesign.
Putting up the Maestro as a new solution in parallel to the "old", and then moving stuff over in batches seems to be the best. But this is time consuming and also has a high cost, since you need to have two systems running and operated at the same time.