This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
RS_Daniel
Advisor
‎2025-05-14 08:45 AM

Migrate Maestro from dual site to single site

Hello Community,

I am facing a customer requirement and wanted to ask for some help here.

We need to migrate a Maestro deploymento from Dual Site / Single Orchestrator, to two independent deployments configured as Single Site / Single Orchestrator. No change on cabling or appliances, only MHO configuration. We have 4 SG's, two are only on site 1, and two are only on site 2, so we are not using dual site at all. I clearly understand we should engage PS for this, but unfortunately this is not an option this time. I have been working on a MOP, i leave the steps below, in case someone could recommend changes to improve/correct the procedure would be great.

On site 2 (standby):

  1. Take backups, snapshots, save configuration, and export these files from both MHOs: /etc/sgdb.json, /etc/rsrcdb.json, /etc/smodb.json, /etc/maestro.json, /etc/maestro_full.jso
  2. Unplug inter-site interface cable.
  3. Run these commands:

    > set maestro configuration orchestrator-site-amount 1

    > set maestro configuration orchestrator-site-id 1

    > set maestro port 1/47/1 type downlink

    > save config

    > expert

    # orchd restart

  4. Go to webui, click Apply
  5. Go to SGs Gclish and run these commands:

    > set smo security-group site-amount 1

    > asg_reboot –b all

  6. Run all checks on MHO and SGs.

And repeat the same for site 1. I would like to know what happens after orchd restart, how the webui configuration should see, SGs from the other site should just dissapear or i should delete them manually? Also not sure if step 5 is mandatory. Any help is welcome.

Regards

0 Kudos
3 Replies
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2025-05-14 04:20 PM

Your plan looks pretty good to me. I don't think you'll have to do anything in the WebUI. As soon as you change the site amount to 1 and run orchd restart, the secondary site doesn't exist (hint: if you run "service orchd restart" it won't ask for a confirmation).

Value of security-group site amount in the SG is 2 by default (even in single site setup) and you don't necessarily have to change it. Considering that your setup isn't really a dual site right now, this value might already be 1. Check it out. You will have to reboot the gateways anyway I think.

I'm pasting here my notes about my lab (it has two MHOs) for you reference for dual site to single site change.

Change lab to single site

 

MHO-1

 

touch /etc/.asg_auto_confirm

clish

set maestro configuration orchestrator-site-amount 1

set maestro configuration orchestrator-site-id 1

set maestro configuration orchestrator-amount  2

set maestro port 1/47/1 type downlink

save config

service orchd restart

set maestro port 1/47/1 admin-state down

save config

 

MHO-2

 

touch /etc/.asg_auto_confirm

clish

set maestro configuration orchestrator-site-amount 1

set maestro configuration orchestrator-site-id 1

set maestro configuration orchestrator-amount  2

set maestro port 2/47/1 type downlink

save config

service orchd restart

set maestro port 2/47/1 admin-state down

save config




 

RS_Daniel
Advisor
a month ago
In response to Lari_Luoma

Hello @Lari_Luoma,

Thanks for your update. I am still tunning the procedure and had one doubt maybe you can help me with. 

Let me give you an example. I have 4 SG's.

  • SG-1 and SG-2 are present only on site 1.
  • SG-3 and SG-4 are present only on site 2.

I will start the changes on site 2 (standby). So, on site 2 i will configure  site amount to 1 and set the site ID to 1. I imagine that after orchd restart, MHO should keep the configuration for SG's that were configured in site 1, in this case SG-1 and SG-2, and configuration for SG's in site 2 will be lost (SG-3 and SG-4)? Does it make sense? If this is true, do you know any way to recover configuration for SG-3 and SG-4, maybe editing the /etc/sgdb.json file? Thanks in advance.

Regards

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
a month ago
In response to RS_Daniel

Thanks for the detailed explanation.

You're on the right track with the overall approach. When transitioning from dual-site to single-site Maestro, the correct steps are:

  • Change the site amount to 1 and site ID to 1 on each MHO.

  • Disable the site sync interface (inter-site sync).

  • Be prepared for a brief service interruption due to service orchd restart.

Since your SGs are already site-local (SG-1 and SG-2 only on Site 1, SG-3 and SG-4 only on Site 2), you don’t need to make any changes to the SG definitions themselves. They will remain intact after the site configuration is adjusted—no need to recreate them.

Regarding your concern: SG-3 and SG-4 were created and are active on Site 2, which will now become an independent Maestro cluster. You will not lose them—their configuration is local to the MHOs at Site 2 and will remain after the change, as long as you're not wiping or rebuilding the setup.

That said, it’s always a good idea to:

  • Take a backup of /etc/sgdb.json before making changes.

  • Document current SG mappings in case any recovery is needed.

And if you want peace of mind that the transition goes smoothly—especially in a production environment—you might consider engaging Check Point Professional Services to assist with or validate the change plan.

Let me know how it goes or if you have any other questions.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events