Maestro Frequently Asked Questions (FAQs)
Maestro, Enterprise Appliances, Data Center Security Appliances
Platform / Model
5000, 6000, 15000, 16000, 23000, 26000, 13000
What is an MHO?
MHO stands for Maestro Hyperscale Orchestrator.
What is an SMO?
SMO stands for Single Management Object.
What is an SGM and how many are supported?
A Security Group is a group of SGMs represented by an SMO.
SGMs (Security Gateway Modules) in a security group share the same:
Software versions and Hotfixes
Traffic is shared between members of a Security Group according to their distribution mode settings.
Currently, a maximum of 8 Security Groups are supported.
Does Check Point use a branded solution or its own product?
The Orchestrator, which executes the orchestration and distribution functions, runs Check Point code.
Does Maestro need specific interface cards for Check Point appliances on downlinks?
Is it possible to share uplink interfaces between Security Groups?
An interface (physical or VLAN) can be attached only to a single Security Group.
How many Management ports are supported?
Check Point supports up to 4 Management ports per Orchestrator. Management ports can be shared between Security Groups.
Which Check Point appliances are supported?
Are there any differences between regular appliances and appliances with MHO SKUs?
Appliances with MHO SKUs might be different from normal appliance SKUs (memory, NICs, etc.). Please refer to the Product Catalog for more details.
Is Open Server support planned?
No, Open Server support is not planned.
Is it possible to move customers' environments running Check Point clusters under MHO?
Yes, this is a possible scenario. Check Point recommends that you contact Professional Services for the migration process.
How many Orchestrators are supported in a cluster?
In a single-site installation, two Orchestrators can work together. In a dual-site installation, either single or dual Orchestrators per site work, but there must be the same number on both sites (2x1 or 2x2). Support for more than two sites is planned for a future release.
MHO supports 1m and 3m DAC cables. Are there any plans to add support for 5m and 10m cables?
5m and 10m cables can be certified based on business cases.
Does the breakout DAC require transceivers on either end?
No transceivers are required.
Are there breakout cables for uplinks?
Yes. CPAC-TR-40SPLIT-QSFP-3M or CPAC-TR-40SPLIT-QSFP-6M can be used with CPAC-TR-40SR-QSFP-300m transceiver.
Is it supported to use 3rd party DAC cables?
Check Point does not support 3rd party DAC cables.
Which transceivers can be used on uplink ports?
For a full list of transceivers, refer to
Does Check Point plan to phase out Scalable Platforms (44000/64000) appliances?
Maestro serves as an extension of Scalable Platform capabilities to other Check Point Appliances and not as a replacement to the 44000/64000 line. Chassis-based solutions have specific use cases and will continue to evolve according to the roadmap.
How long are the included DAC cables?
We provide 2 cables: one is 1m long, the other is 3m long.
Are there any additional transceivers needed for connecting the Orchestrator to LAN/DMZ/Internet/etc?
Yes. For a list of supported transceivers, refer to
Is it supported to use fiber transceivers/cables for downlinks?
Yes, up to 200m long Short Range with suitable transceivers (see
How does synchronization work? Is there an overhead with potentially 52 appliances in an MHO installation?
MHO uses a special synchronization solution called HyperSync which provides high scale synchronization support without sacrificing Security Gateway performance.
Does Check Point support virtual MHOs running in Private or Public Clouds?
Is it possible to monitor individual SGM load information?
Yes, the same tools can be used as on our Scalable Platforms.
Will the MHO web frontend be built into SmartConsole?
There are plans to make management of the Security Groups, SGMs and MHO ports even simpler. It's too early to discuss SmartConsole integration, although Check Point is interested in customers' requirements and use cases.
Is MHO available in SmartConsole?
The individual Security Groups under MHO are available as SMOs in SmartConsole as Hardware Type Maestro. This makes the underlying architecture easier to manage in SmartConsole.
Which versions of Check Point's Security Management Server/Multi Domain Management can be used to manage Maestro?
R80.10 and R80.20 systems can manage Maestro if Jumbo Hotfix is added. R80.30 systems can manage it even without the Jumbo Hotfix.
Does Check Point support 3rd party orchestration tools with MHO?
MHO will have full Check Point API support when the Gaia Gateway API is available.
Is it supported to upgrade Security Groups separately? Can they run different software releases?
Security Groups work independently from one another and therefore they can run on different software versions.
Is there any downtime introduced while upgrading SGMs in a Security Group?
SGMs can be upgraded individually or in groups without introducing downtime (Full Connectivity Upgrade).
Is any downtime introduced while upgrading the Orchestrators?
If the Orchestrators are in a cluster, no downtime is introduced.
How does SIC work with MHO?
Each Security Group has its own SMO. SIC is built up with the SMO and shared between SGMs in the same Security Group.
How does the Security Management count the Gateway licenses in MHO?
1 Security Group equals 1 Gateway license.
How is the MHO system licensed?
There is no specific license needed on the MHO.
How is a Security Group or Multiple Security Groups (MSG) licensed?
There is no specific license needed for Security Groups.
How are the SGMs licensed?
The SGMs use the same licensing methodology as any other Check Point appliances. All features must be licensed per Gateway and the same type of licenses must be applied to all SGMs in a Security Group.
Is the LTE feature set supported?
The LTE feature set is not fully supported with R80.x. When the LTE feature set is integrated back into the R80.x train, MHO will be able to support it.
Which release enables vSwitch support?
Which release enables dual-site support?
Which clustering modes are supported in dual-site?
Currently, the supported clustering modes in dual-site are SGW active-standby mode, VSX active-standby mode, and VSLS. These modes are per Security Group and can be different for each one.
Example: Security Group 1 can be active on site A while the standby is on site B; Security Group 2 can be active on site B and standby on site A.
Redundancy and Scaling
Is interface bonding between MHO and downlink appliances available?
There's an automatic bonding inside, so if you are connecting more than one cable, it will be linked into the bond automatically. No additional configuration is required, but make sure to refer to the documentation for information on how to share downlinks between Orchestrators.
Is interface bonding between MHO and uplink network systems available?
Yes, this is the recommended configuration.
Is there a redundant sync between two MHOs?
Not currently. Redundant sync should be introduced in an upcoming release.
What throughput is needed between MHOs for sync?
MHO-170 requires a 40GB DAC cable or a 100GB DAC cable. MHO-140 requires a 10GB DAC cable.
Does Check Point support single MHO appliance installations?
Yes, but it's recommended to have two MHOs to provide redundancy and avoid a single point of failure.
Is redundancy between different appliance models in a Security Group supported?
Not in the first release of the MHO. Currently, different appliance models must be used in separated Security Groups.
Does the MHO support dynamic scaling?
Dynamic scaling is currently not supported, but it's on the roadmap. With dynamic scaling, the system will be able to add/remove SGMs from a Security Group or move SGMs between Security Groups dynamically when the load requires it and if the policy permits it.
Is there any throughput degradation when adding multiple SGMs to a Security Group?
Check Point reduced throughput degradation to 1% per added SGM. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future.
Is there a redundant sync between MHOs?
Single-site: Not currently, but the sync is only used for Security Group information passing, and not for cluster sync processes.
Dual-site (one orchestrator per site): Single sync link is available. Dual sync links are planned but currently require an RFE.
Dual-site (two Orchestrators per site): Each Orchestrator is linked to its counterpart on the other side with a single sync link, which adds up to a redundant sync configuration between sites.
Is Multi-Queue setup needed on SGMs?
Multi-Queue is set up automatically. There is no need to modify the configuration.