System Requirements

This section contains the requirements for Management Servers, Maestro Orchestrator See "Maestro Orchestrator"., and Security Appliances.

Orchestrator Requirements

Supported Maestro Security Groups

A Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. that runs the R80.20SP version, can manage only these Maestro Security Groups A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.:

R80.30SP (see sk162552)
R80.20SP (see sk138233)

Supported Web Browsers for Gaia Portal

To connect to Gaia Portal Web interface for the Check Point Gaia operating system. on a Quantum Maestro Orchestrator that runs the R80.20SP version, you must use one of these web browsers:

Google Chrome - 71.0 and higher
Microsoft Edge - 40.15063 and higher
Mozilla Firefox - 64.0 and higher
Microsoft Internet Explorer - 11.0.50 and higher

Management Server Requirements

You can manage Maestro R80.30SP Security Groups with these versions of Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

R80.30 (see sk144293)
R80.20 (see PRJ-645 in Jumbo Hotfix Accumulator for R80.20)
1. Install the R80.20 Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 91 or higher
2. Install the R80.20 SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. Build 055 or higher (refer to R80.20 SmartConsole Releases)
R80.10 (see PRJ-601 in Jumbo Hotfix Accumulator for R80.10):
1. Install the R80.10 Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator Take 225 or higher
2. Install the R80.10 SmartConsole Build 137 or higher (refer to R80.10 SmartConsole Releases)

Security Gateway Requirements

Supported Security Appliances

R80.30SP supports only these Appliances (see sk162373):

6200, 6400, 6600, 6700, 6900
7000
16000, 16200, 16600HS
26000
28000, 28600HS

Supported Network Cards on Security Appliances

To connect a Appliance to Quantum Maestro Orchestrator with DAC cables, one of these Check Point cards has to be installed in the Appliance:

Network Card

Notes

10 GbE Fiber SFP+

SKUs:
CPAC-4-10F-B
CPAC-4-10F-6500/6800-C

Output of the lspci -v command must show one of these:

Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection
Intel Corporation Ethernet Controller X710 for 10GbE SFP+

To verify, run this command in the Expert mode on the Appliance:

lspci -v | grep 'Ethernet controller' | grep Intel

40 GbE Fiber QSFP+

SKU:
CPAC-2-40F-B

100 GbE Fiber QSFP

SKU:
CPAC-2-100/25F-B

The minimal required card firmware version is 12.22.1002

To verify, run this single long command in the Expert mode on the Appliance:

for NIC in $(ifconfig | grep ethsBP | awk '{print $1}') ; do echo $NIC: ; ethtool -i $NIC | grep firmware ; done

Example output:

ethsBP4-01:
firmware-version: 12.22.1002
ethsBP4-02:
firmware-version: 12.22.1002

Important:

It is not supported to install 10 GbE cards together with 40 GbE or 100 GbE cards in the same Appliance (see MBS-5227).
All Security Appliances in the same Maestro Security Group must have identical Expansion Cards installed - the type and the number (see MBS-6466):
- All Security Appliances must have 1 x Quad-Port Expansion Card, 1 x Dual-Port Expansion Card, or 2 x Dual-Port Expansion Cards.
- All other Expansion Cards must be removed from all Security Appliances, even if these Expansion Cards are not used.

Supported Security Gateway Software Blades and Features

Note - Support for VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode is planned (see MBS-7920 in sk162552).

Software Blade or Feature	Gateway Mode
Firewall	Yes
SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway.	Yes
IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.	Yes - IPv4 only
IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System).	Yes
Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.	Yes
Threat Emulation - MTA	Yes
Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.	Yes
Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.	Yes
Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.	Yes
URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.	Yes
Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.	Yes
Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.	Yes
Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.	Yes - IPv4 only
Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. See sk119715. Acronym: CTNT.	Yes
Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB.	Yes
Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM. & Email Security	Yes
Dynamic Routing and Multicast	Yes
QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.	Not supported
Mirror and Decrypt	Yes
ICAP Server	Not supported
ICAP Client	Yes
Support for using NAT64 and NAT46 objects in Access Control policies	Not supported R80.30SP does not support IPv6 (see MBS-7903 in sk162552)

In addition, see the limitations listed in the sk144295.

Compatibility with Clients

For the list of Endpoint clients that are supported by this release, see the R80.30SP Quantum Maestro Release Notes.

Number of Supported Items

Item	Number of Supported Items	Notes
Number of Security Groups configured	Minimum: 1 Maximum: 8
Number of Security Appliances in one Security Group	In Single Site deployment: Minimum: 1 Maximum: 31	Support for Dual Site is planned (see MBS-7514 in sk162552).
Number of interfaces configured on top of Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. in one Security Group	In Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Mode: Minimum: 2 Maximum: 1024	Includes all interface types (Physical, Bonds, VLAN).

Item

Number of
Supported Items

Notes

Number of Security Groups configured

Minimum: 1
Maximum: 8

Number of Security Appliances in one Security Group

In Single Site deployment:

Minimum: 1
Maximum: 31

Support for Dual Site is planned (see MBS-7514 in sk162552).

Number of interfaces configured on top of Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. in one Security Group

In Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Mode:

Minimum: 2
Maximum: 1024

Includes all interface types

(Physical, Bonds, VLAN).