Hello Community,
I am facing a customer requirement and wanted to ask for some help here.
We need to migrate a Maestro deployment from Dual Site / Single Orchestrator to two independent deployments configured as Single Site / Single Orchestrator. No change on cabling or appliances, only MHO configuration. We have 4 SGs, two are only on site 1, and two are only on site 2, so we are not using dual site at all. I clearly understand we should engage PS for this, but unfortunately this is not an option this time. I have been working on a MOP and I leave the steps below; if someone could recommend changes to improve/correct the procedure, that would be great.
On site 2 (standby):
> set maestro configuration orchestrator-site-amount 1
> set maestro configuration orchestrator-site-id 1
> set maestro port 1/47/1 type downlink
> save config
> expert
# orchd restart
> set smo security-group site-amount 1
> asg_reboot -b all
And repeat the same for site 1. I would like to know what happens after orchd restart and how the WebUI configuration should look: should SGs from the other site just disappear, or should I delete them manually? Also not sure if step 5 is mandatory. Any help is welcome.
Regards
Your plan looks pretty good to me. I don't think you'll have to do anything in the WebUI. As soon as you change the site amount to 1 and run orchd restart, the secondary site doesn't exist (hint: if you run "service orchd restart" it won't ask for a confirmation).
The value of security-group site amount in the SG is 2 by default (even in a single site setup) and you don't necessarily have to change it. Considering that your setup isn't really a dual site right now, this value might already be 1. Check it out. You will have to reboot the gateways anyway I think.
I'm pasting here my notes about my lab (it has two MHOs) for your reference for the dual site to single site change.
Change lab to single site
MHO-1
touch /etc/.asg_auto_confirm
clish
set maestro configuration orchestrator-site-amount 1
set maestro configuration orchestrator-site-id 1
set maestro configuration orchestrator-amount 2
set maestro port 1/47/1 type downlink
save config
service orchd restart
set maestro port 1/47/1 admin-state down
save config
MHO-2
touch /etc/.asg_auto_confirm
clish
set maestro configuration orchestrator-site-amount 1
set maestro configuration orchestrator-site-id 1
set maestro configuration orchestrator-amount 2
set maestro port 2/47/1 type downlink
save config
service orchd restart
set maestro port 2/47/1 admin-state down
save config
Hello @Lari_Luoma,
Thanks for your update. I am still tuning the procedure and had one doubt maybe you can help me with.
Let me give you an example. I have 4 SGs.
I will start the changes on site 2 (standby). So, on site 2 I will configure site amount to 1 and set the site ID to 1. I imagine that after orchd restart, the MHO should keep the configuration for SGs that were configured in site 1, in this case SG-1 and SG-2, and configuration for SGs in site 2 will be lost (SG-3 and SG-4)? Does it make sense? If this is true, do you know any way to recover configuration for SG-3 and SG-4, maybe editing the /etc/sgdb.json file? Thanks in advance.
Regards
Thanks for the detailed explanation.
You're on the right track with the overall approach. When transitioning from dual-site to single-site Maestro, the correct steps are:
Change the site amount to 1 and site ID to 1 on each MHO.
Disable the site sync interface (inter-site sync).
Be prepared for a brief service interruption due to service orchd restart.
Since your SGs are already site-local (SG-1 and SG-2 only on Site 1, SG-3 and SG-4 only on Site 2), you don’t need to make any changes to the SG definitions themselves. They will remain intact after the site configuration is adjusted—no need to recreate them.
Regarding your concern: SG-3 and SG-4 were created and are active on Site 2, which will now become an independent Maestro cluster. You will not lose them—their configuration is local to the MHOs at Site 2 and will remain after the change, as long as you're not wiping or rebuilding the setup.
That said, it’s always a good idea to:
Take a backup of /etc/sgdb.json before making changes.
Document current SG mappings in case any recovery is needed.
And if you want peace of mind that the transition goes smoothly—especially in a production environment—you might consider engaging Check Point Professional Services to assist with or validate the change plan.
Let me know how it goes or if you have any other questions.
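The backup of /etc/sgdb.json advised above can also serve as a post-change check that the SG database survived the orchd restart unchanged. This is an added example, not part of the thread or any Check Point tooling; the function names and the backup directory /var/log/mop_backup are assumptions, and the file is treated as opaque (no schema is assumed).

```shell
#!/bin/sh
# Added example: snapshot a config file before a change, then compare the
# live file against the snapshot afterwards. Nothing here parses the file.
#
# Usage on an MHO in expert mode (backup directory is an assumed location):
#   snap=$(snapshot_file /etc/sgdb.json /var/log/mop_backup)
#   ... apply the site-amount / site-id change, restart orchd ...
#   compare_to_snapshot /etc/sgdb.json "$snap" && echo "sgdb.json unchanged"

# snapshot_file SRC DIR
# Copies SRC into DIR with a timestamp suffix, verifies the copy byte for
# byte, writes a .sha256 file beside it, and prints the snapshot path.
snapshot_file() {
    src=$1; dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dst="$dir/$(basename "$src").$(date +%Y%m%d-%H%M%S)"
    cp -p "$src" "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "copy differs from $src" >&2; return 1; }
    ( cd "$dir" && sha256sum "$(basename "$dst")" > "$(basename "$dst").sha256" ) \
        || return 1
    echo "$dst"
}

# compare_to_snapshot LIVE SNAPSHOT
# Returns 0 if LIVE is identical to SNAPSHOT, 1 if it changed (a unified
# diff is printed), 2 if the snapshot no longer matches its recorded hash.
compare_to_snapshot() {
    live=$1; snap=$2
    ( cd "$(dirname "$snap")" \
        && sha256sum -c "$(basename "$snap").sha256" >/dev/null 2>&1 ) \
        || { echo "snapshot $snap failed its checksum" >&2; return 2; }
    if cmp -s "$live" "$snap"; then
        return 0
    fi
    # diff exits 1 on differences; do not let that abort under `set -e`
    diff -u "$snap" "$live" || :
    return 1
}
```

A return of 1 after the restart means the orchestrator rewrote the file, and the printed diff shows which entries changed before any gateways are rebooted.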