System Requirements

This section contains the requirements for Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO., Management Servers, and Security Appliances.

Orchestrator Requirements

Supported Maestro Security Groups

A Quantum Maestro Orchestrator that runs the R80.20SP version, can manage only these Maestro Security Groups:

R81 (see sk169954)
R80.30SP (see sk162552)
R80.20SP (see sk138233)

Supported Web Browsers for Gaia Portal

To connect to Gaia Portal Web interface for the Check Point Gaia operating system. on a Quantum Maestro Orchestrator that runs the R80.20SP version, you must use one of these web browsers:

Google Chrome - 71.0 and higher
Microsoft Edge - 40.15063 and higher
Mozilla Firefox - 64.0 and higher
Microsoft Internet Explorer - 11.0.50 and higher

Management Server Requirements

You can manage Maestro R80.20SP Security Groups with these versions of Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

R80.30 (see sk144293), and higher
R80.20.M2 (see sk123473)
R80.20 (see sk122485)
R80.10 (see PMTR-22521 and MBS-2739 in Jumbo Hotfix Accumulator for R80.10):
1. Install the R80.10 Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 214 or higher
2. Install the R80.10 SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. Build 89 or higher (refer to R80.10 SmartConsole Releases)

Security Gateway Requirements

Supported Security Appliances

For the list of available Security Appliances, see sk162373.

Supported Network Cards on Security Appliances

To connect a Security Appliance to Quantum Maestro Orchestrator with DAC cables, one of these Check Point cards has to be installed in the Security Appliance:

Network Card

Notes

10 GbE Fiber SFP+

SKUs:
CPAC-4-10F-B
CPAC-4-10F-6500/6800-C

Output of the "lspci -v" command must show:

Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection

To verify, run this command in the Expert mode on the Security Appliance:

lspci -v | grep 'Ethernet controller' | grep Intel

40 GbE Fiber QSFP+

SKU:
CPAC-2-40F-B

100 GbE Fiber QSFP

SKU:
CPAC-2-100/25F-B

The minimal required card firmware version is 12.22.1002

To verify, run this one long command in the Expert mode on the Security Appliance:

for NIC in $(ifconfig | grep ethsBP | awk '{print $1}') ; do echo $NIC: ; ethtool -i $NIC | grep firmware ; done

Example output:

ethsBP4-01:

firmware-version: 12.22.1002

ethsBP4-02:

firmware-version: 12.22.1002

Important:

It is not supported to install 10 GbE cards together with 40 GbE or 100 GbE cards in the same Security Appliance (see MBS-5227).
All Security Appliances in the same Maestro Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. must have identical Expansion Cards installed - the type and the number (see MBS-6466):
- All Security Appliances must have 1 x Quad-Port Expansion Card, 1 x Dual-Port Expansion Card, or 2 x Dual-Port Expansion Cards.
- All other Expansion Cards must be removed from all Security Appliances, even if these Expansion Cards are not used.

Supported Security Gateway Software Blades and Features

Software Blade or Feature	Gateway Mode	VSX Mode
Firewall	Yes	Yes
SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway.	Yes	Yes
IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.	Yes - IPv4 only	Yes - IPv4 only
IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System).	Yes	Yes
Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.	Yes	Yes
Threat Emulation - MTA	Yes	Yes
Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.	Yes	Yes
Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.	Yes	Yes
Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.	Yes	Yes
URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.	Yes	Yes
Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.	Yes	Yes
Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.	Yes	Yes
Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.	Yes - IPv4 only	Not supported
Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. See sk119715. Acronym: CTNT.	Yes	Yes
Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB.	Yes	Yes
Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM. & Email Security	Yes	Not supported
Dynamic Routing and Multicast	Yes	Yes
QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.	Not supported	Not supported
Mirror and Decrypt The Mirror and Decrypt feature on a Security Gateway or Cluster (in versions R80.40 and higher) that performs these actions: (1) Mirror only of all traffic - Clones all traffic (including HTTPS without decryption) that passes through, and sends it out of the designated physical interface. (2) Mirror and Decrypt of HTTPS traffic - Clones all HTTPS traffic that passes through, decrypts it, and sends it in clear-text out of the designated physical interface. Acronym: M&D.	Yes	Yes
ICAP Server The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict.	Not supported	Not supported
ICAP Client The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40 and higher) enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections.	Yes	Yes
Support for using NAT64 and NAT46 objects in Access Control Policy	Not supported	Not supported

Notes:

Read the Scalable Platforms Known Limitations in sk148074.
Read the R80.20 Known Limitations in sk122486.
To learn about the differences between R80.20 and R80.20SP versions, see sk147033.

To learn about the differences between different Scalable Platform versions, see sk173183.

Compatibility with Clients

For the list of Endpoint clients that are supported by this release, see the R80.20SP Quantum Maestro Release Notes.

Number of Supported Items

Item	Number of Supported Items	Notes
Number of Security Groups configured	Minimum: 1 Maximum: 8
Number of Security Appliances in one Security Group	In Single Site deployment: Minimum: 1 Maximum: 31 In Dual Site deployment: Minimum: 1 Maximum: 24	In Dual Site deployment: Each Security Group must contain at least one Security Appliance from each site(see MBS-7606 in sk148074). Each Security Group can contain a maximum of 24 Security Appliances - 12 Security Appliances from each site (see MBS-7773 in sk148074).
Number of interfaces configured on top of Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. in one Security Group	In Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Mode: Minimum: 2 Maximum: 1024 In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Mode: Minimum: 2 Maximum: 4096 For every Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS.: Minimum: 2 Maximum: 250	Includes all interface types (Physical, Bonds, VLAN, Warp).

Item

Number of
Supported Items

Notes

Number of Security Groups configured

Minimum: 1
Maximum: 8

Number of Security Appliances in one Security Group

In Single Site deployment:

Minimum: 1
Maximum: 31

In Dual Site deployment:

Minimum: 1
Maximum: 24

In Dual Site deployment:

Each Security Group must contain at least one Security Appliance from each site(see MBS-7606 in sk148074).
Each Security Group can contain a maximum of 24 Security Appliances - 12 Security Appliances from each site (see MBS-7773 in sk148074).

Number of interfaces configured on top of Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. in one Security Group

In Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Mode:

Minimum: 2
Maximum: 1024

In VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Mode:

Minimum: 2
Maximum: 4096

For every Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS.:

Minimum: 2
Maximum: 250

Includes all interface types

(Physical, Bonds, VLAN, Warp).