Maestro Frequently Asked Questions (FAQs)
Maestro, Enterprise Appliances, Data Center Security Appliances
Platform / Model
Show the Entire Article
What is MHO?
MHO stands for Maestro Hyperscale Orchestrator.
What is an SMO?
SMO stands for Single Management Object.
What is an SGM and how many are supported?
A Security Group is a group of SGMs represented by an SMO.
SGMs (Security Gateway Modules) in a security group share the same:
Software versions and hotfixes
Traffic is shared between members of a security group according to their distribution mode settings.
Currently, a maximum of 8 Security Groups are supported.
Does Check Point use a branded solution or its own product?
The Orchestrator, which executes the orchestration and distribution functions, runs Check Point code.
Does Maestro need specific interface cards for Check Point appliances on downlinks?
Is it possible to share uplink interfaces between Security Groups?
An interface (physical or VLAN) can be attached only to a single Security Group.
How many Management ports are supported?
Which Check Point appliances are supported?
Currently, the 5900, 6500, 6800, and 23800, and 23900
* appliance models are supported. In general, all 2012 and 2016 Check Point Gateway appliances with 10G or 40G connectivity can be supported after certification. To do this, submit an RFE. * 23900 appliances are supported beginning in Jumbo Hotfix Accumulator Take 105.
Are there any differences between regular appliances and appliances with MHO SKUs?
Appliances with MHO SKU have an additional interface card with two DAC cables for MHO connectivity and extended system memory.
Is Open Server support planned?
No, Open Server support is not planned.
Is it possible to move customers' environments running Check Point clusters under MHO?
Yes, this is a possible scenario. Check Point recommends that you contact
Professional Services for the migration process.
How many orchestrators are supported in a cluster?
Currently, two orchestrators can work together. MultiSite support for 2x2 orchestrators is planned for a future release.
MHO supports 1m and 3m DAC cables. Are there any plans to add support for 5m and 10m cables?
5m and 10m cables can be certified based on business cases.
Is it supported to use 3rd party DAC cables?
Check Point does not support 3rd party DAC cables.
Which transceivers can be used on uplink ports?
For a full list of transceivers, refer to
Does Check Point plan to phase out Scalable Platforms (44000/64000) appliances?
Maestro serves as an extension of Scalable Platform capabilities to other Check Point Appliances and not as a replacement to the 44000/64000 line. Chassis-based solutions have specific use cases and will continue to evolve according to the roadmap.
How long are the included DAC cables?
We provide 2 cables: one is 1m long, the other is 3m long.
Are there any additional transceivers needed for connecting the orchestrator to LAN/DMZ/Internet/etc??
Yes. For a list of supported transceivers, refer to
How does synchronization work? Is there an overhead with potentially 52 appliances in a MHO installation?
MHO uses a special synchronization solution called HyperSync which provides high scale synchronization support without sacrificing Security Gateway performance.
Does Check Point support virtual MHOs running in Private or Public Clouds?
Is it possible to monitor individual SGM load information?
Yes, the same tools can be used as on our Scalable Platforms.
Will the MHO web frontend be built into SmartConsole?
There are plans to make management of the Security Groups, SGMs and MHO ports even simpler. It's too early to discuss SmartConsole integration, although Check Point is interested in customers' requirements and use cases.
Is MHO available in SmartConsole?
The individual Security Groups under MHO are available as SMOs in SmartConsole as Hardware Type
Maestro. This makes the underlying architecture easier to manage in SmartConsole.
Which Check Point SMS/MDM version can be used to manage Maestro?
Currently, R80.10 and R80.20 systems can manage MHO with one limitation: MHO icons and object name are not visible, and therefore the Scalable Platforms appliance must be selected as the gateway type. Upcoming JHFs should include the imagery and Maestro texts.
Does Check Point support 3rd party orchestration tools with MHO?
MHO will have full Check Point API support when the GAIA Gateway API is available.
Is it supported to upgrade Security Groups separately? Can they run different software releases?
Security Groups work independently from one another and therefore they can run on different software versions.
Is there any downtime introduced while upgrading SGMs in a Security Group?
SGMs can be upgraded individually or in groups without introducing downtime (Full Connectivity Upgrade).
Is there any downtime introduced while upgrading the Orchestrators?
If the Orchestrators are in cluster, no downtime is introduced.
How does SIC work with MHO?
Each Security Group has its own SMO. SIC is built up with the SMO and shared between SGMs in the same Security Group.
How does the Security Management count the Gateway licenses in MHO?
1 Security Group equals 1 Gateway license.
How is the MHO system licensed?
There's no specific license needed on the MHO.
How is a Security Group or Multiple Security Groups (MSG) licensed?
There's no specific license needed for Security Groups.
How are the SGMs licensed?
The SGMs use the same licensing methodology as any other Check Point appliances. All features must be licensed per Gateway and the same type of licenses must be applied to all SGMs in a Security Group.
Is the LTE feature set supported?
The LTE feature set is not fully supported with R80.x. When the LTE feature set is integrated back into the R80.x train, MHO will be able to support it.
How much is the actual "extended memory"?
6500: 16GB 6800: 32GB 23800: 64GB
Redundancy and Scaling
Is interface bonding between MHO and downlink appliances available?
There's an automatic bonding inside, so if connecting more than one cable, it will be linked into bond automatically. No additional configuration is required.
Is interface bonding between MHO and uplink network systems available?
Yes, this is the recommended configuration.
Is there a redundant sync between two MHOs?
Not currently. Redundant sync should be introduced during in an upcoming release.
What throughput is needed between MHOs for sync?
MHO-170 requires a 40GB DAC cable
or a 100GB DAC cable. MHO-140 requires a 10GB DAC cable.
Does Check Point support single MHO appliance installations?
Yes, but it's recommended to have two MHOs to provide redundancy and avoid single point of failure.
Is redundancy between different appliance models in a Security Group supported?
Not in the first release of MHO. Currently, different appliance models must be used in separated Security Groups.
Does the MHO support dynamic scaling?
Dynamic scaling is currently not supported, but it's on the roadmap. With dynamic scaling, the system will be able to add/remove SGMs from a Security Group or move SGMs between Security Groups dynamically when the load requires it and if the policy permits it.
Is there any throughput degradation when adding multiple SGMs to a Security Group?
Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.