diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml
index d451fc6a..e890ea35 100755
--- a/aws/templates/asg/autoscale.yaml
+++ b/aws/templates/asg/autoscale.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Create an Auto Scaling group of Check Point gateways (20221226)
+Description: Create an Auto Scaling group of Check Point gateways (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -31,6 +31,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- AllowUploadDownload
- CloudWatch
@@ -80,6 +81,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: Gateways SIC key
AllowUploadDownload:
@@ -312,6 +315,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
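Review bot: The new `AllowedPattern: '[\$\./a-zA-Z0-9]*'` drops the `^`/`$` anchors that the sibling `GatewayPasswordHash` pattern three lines above uses. CloudFormation is documented as matching AllowedPattern against the entire parameter value, so the unanchored form is most likely still a whole-value check, but both patterns exist to confine the value to a character set that is safe to splice into the user-data shell line, and they should read identically so a later reader does not wonder whether the difference is intentional; use `AllowedPattern: '^[\$\./a-zA-Z0-9]*$'`. The same unanchored pattern is repeated in every other template in this change (cluster-master, cluster, cross-az-cluster-master, cross-az-cluster, geo-cluster-master, geo-cluster, gwlb-master, gwlb and tgw-gwlb-master, for both the Gateway and Management variants).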
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections.
between Check Point components. Choose a random string consisting of at least
@@ -524,9 +533,10 @@ Resources:
- !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}'
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
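Review bot: The rewritten `python3 /etc/cloud_config.py` line replaces `templateVersion=\"__VERSION__\"` with the literal `20240204`, so if `__VERSION__` was a build-time substitution token this template now has to be edited by hand on every release; the other templates in this change already carry a literal, so this may be deliberate, but it is worth confirming. The new argument is spelled `MaintenanceModePassword` while every neighbouring key is lowerCamelCase (`passwordHash`, `sicKey`) and the value is a hash rather than a password; if `cloud_config.py` does not already require that exact key, `maintenancePasswordHash=\"${maintenance_pwd_hash}\"` would be the consistent name. Note also that, like `pwd_hash`, the value appears to be assembled into the launch template's user data, which is readable by any principal allowed to describe the instance attribute and from inside the instance, so `NoEcho: true` on the parameter hides it only from the CloudFormation parameter views; a one-line comment above the `!Join` saying so would save the next maintainer from assuming NoEcho is sufficient.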
VersionDescription: Initial template version
GatewayScaleUpPolicy:
Type: AWS::AutoScaling::ScalingPolicy
diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml
index a343b557..5a6ac254 100755
--- a/aws/templates/cluster/cluster-master.yaml
+++ b/aws/templates/cluster/cluster-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point Cluster in a new VPC (20230830)
+Description: Deploy a Check Point Cluster in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -29,6 +29,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -80,6 +81,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -319,6 +322,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections.
between Check Point components. Choose a random string consisting of at least
@@ -420,6 +429,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml
index c5c6cdbd..1418885b 100755
--- a/aws/templates/cluster/cluster.yaml
+++ b/aws/templates/cluster/cluster.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Cluster into an existing VPC (20230830)
+Description: Deploys a Check Point Cluster into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -29,6 +29,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -80,6 +81,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -314,6 +317,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections.
between Check Point components. Choose a random string consisting of at least
@@ -548,9 +557,10 @@ Resources:
- !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']]
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
MemberBInstance:
Type: AWS::EC2::Instance
DependsOn: [MemberBExternalInterface, MemberBInternalInterface]
diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
index 7d69c5b3..75cd5981 100755
--- a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
+++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point Cluster in a new VPC (20230503)
+Description: Deploy a Check Point Cluster in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -30,6 +30,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -83,6 +84,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -318,6 +321,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections.
between Check Point components. Choose a random string consisting of at least
@@ -423,6 +432,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml
index 4b216a3a..7773ae03 100755
--- a/aws/templates/cross-az-cluster/cross-az-cluster.yaml
+++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Cluster into an existing VPC (20230830)
+Description: Deploys a Check Point Cluster into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -31,6 +31,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -86,6 +87,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -323,6 +326,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections
between Check Point components. Choose a random string consisting of at least
@@ -603,9 +612,10 @@ Resources:
- !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']]
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"'
MemberBInstance:
Type: AWS::EC2::Instance
DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberAExternalInterface]
@@ -649,9 +659,10 @@ Resources:
- !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']]
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"'
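Review bot: The MemberB `maintenance_pwd_hash` line is written with padded flow brackets (`!Join [ '', [ ' maintenance_pwd_hash=…' ] ]`) while the identical MemberA line in the previous hunk and every neighbouring `!Join` use the unpadded form. Both spellings are the same flow sequence, so nothing changes at deploy time, but the two member blocks are otherwise line-for-line parallel and should stay diffable against each other; write it as `- !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]`.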
Outputs:
ClusterPublicAddress:
Description: The public address of the cluster.
diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml
index 326558b5..ab95bdd6 100755
--- a/aws/templates/geo-cluster/geo-cluster-master.yaml
+++ b/aws/templates/geo-cluster/geo-cluster-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point cross AZ Cluster in a new VPC (20230503)
+Description: Deploy a Check Point cross AZ Cluster in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -31,6 +31,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -86,6 +87,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -336,6 +339,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between
Check Point components. Choose a random string consisting of at least 8
@@ -441,6 +450,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml
index 43750745..e738ead2 100755
--- a/aws/templates/geo-cluster/geo-cluster.yaml
+++ b/aws/templates/geo-cluster/geo-cluster.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20230503)
+Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -31,6 +31,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -86,6 +87,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -330,6 +333,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between
Check Point components. Choose a random string consisting of at least 8
@@ -563,9 +572,10 @@ Resources:
- !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']]
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230503\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"'
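Review bot: In the MemberA command line `MaintenanceModePassword=\"${maintenance_pwd_hash}\"` is inserted after `elasticIp=`, whereas the MemberB line in the next hunk and every other template in this change place it directly after `passwordHash=`. The arguments are key=value tokens, so the order presumably does not affect parsing, but the two member blocks in this file are otherwise parallel and keeping them aligned makes future diffs easier to read; move the token to follow `passwordHash=\"${pwd_hash}\"` as in the MemberB line.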
MemberBInstance:
Type: AWS::EC2::Instance
DependsOn: MemberBInternalInterface
@@ -605,9 +615,10 @@ Resources:
- !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']]
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230503\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"'
MemberAPublicAddress:
Type: AWS::EC2::EIP
Condition: AllocateAddress
diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml
index 3faf99a4..d10e85ad 100755
--- a/aws/templates/gwlb-asg/gwlb-master.yaml
+++ b/aws/templates/gwlb-asg/gwlb-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20230418)
+Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -43,6 +43,7 @@ Metadata:
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- ControlGatewayOverPrivateOrPublicAddress
- AllocatePublicAddress
@@ -54,6 +55,7 @@ Metadata:
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- GatewaysPolicy
- AdminCIDR
- GatewayManagement
@@ -115,6 +117,8 @@ Metadata:
default: Gateways version & license
GatewayPasswordHash:
default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: Gateways SIC key
ControlGatewayOverPrivateOrPublicAddress:
@@ -131,6 +135,8 @@ Metadata:
default: Management version & license
ManagementPasswordHash:
default: Management password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
GatewaysPolicy:
default: Security Policy
AdminCIDR:
@@ -423,6 +429,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
@@ -590,6 +602,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaysPolicy:
Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
Type: String
@@ -661,6 +679,7 @@ Resources:
GatewaysMaxSize: !Ref GatewaysMaxSize
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
AllocatePublicAddress: !Ref AllocatePublicAddress
@@ -669,6 +688,7 @@ Resources:
ManagementInstanceType: !Ref ManagementInstanceType
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
GatewaysPolicy: !Ref GatewaysPolicy
AdminCIDR: !Ref AdminCIDR
GatewayManagement: !Ref GatewayManagement
diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml
index bce603a6..8b2d8830 100644
--- a/aws/templates/gwlb-asg/gwlb.yaml
+++ b/aws/templates/gwlb-asg/gwlb.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20230418)
+Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -38,6 +38,7 @@ Metadata:
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- ControlGatewayOverPrivateOrPublicAddress
- AllocatePublicAddress
@@ -49,6 +50,7 @@ Metadata:
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- GatewaysPolicy
- AdminCIDR
- GatewayManagement
@@ -100,6 +102,8 @@ Metadata:
default: Gateways version & license
GatewayPasswordHash:
default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: Gateways SIC key
ControlGatewayOverPrivateOrPublicAddress:
@@ -116,6 +120,8 @@ Metadata:
default: Management version & license
ManagementPasswordHash:
default: Management password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
GatewaysPolicy:
default: Security Policy
AdminCIDR:
@@ -373,6 +379,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
@@ -540,6 +552,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaysPolicy:
Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
Type: String
@@ -631,6 +649,7 @@ Resources:
GatewaysTargetGroups: !Ref TargetGroup
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
AllowUploadDownload: !Ref AllowUploadDownload
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
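Review bot: This hunk forwards `GatewayMaintenancePasswordHash` to a nested stack, and the next hunk forwards `ManagementMaintenancePasswordHash` to another, but neither nested template's `Parameters` declaration is visible in this change. If a nested template does not declare the parameter, CloudFormation rejects the nested stack with a parameter-does-not-exist validation error at create or update time, so both nested templates need the matching entry (with `NoEcho: true`, as the new top-level parameters have) in the same commit; cluster.yaml and cross-az-cluster.yaml in this diff show the expected shape. The resource these properties belong to starts outside the hunk.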
@@ -657,6 +676,7 @@ Resources:
ManagementPermissions: Create with read-write permissions
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
AllowUploadDownload: !Ref AllowUploadDownload
AdminCIDR: !Ref AdminCIDR
GatewayManagement: !Ref GatewayManagement
diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
index 47f7c01c..f0284de3 100755
--- a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
+++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20230830)
+Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -54,6 +54,7 @@ Metadata:
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- ControlGatewayOverPrivateOrPublicAddress
- AllocatePublicAddress
@@ -65,6 +66,7 @@ Metadata:
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- GatewaysPolicy
- AdminCIDR
- GatewayManagement
@@ -148,6 +150,8 @@ Metadata:
default: Gateways version & license
GatewayPasswordHash:
default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: Gateways SIC key
ControlGatewayOverPrivateOrPublicAddress:
@@ -164,6 +168,8 @@ Metadata:
default: Management version & license
ManagementPasswordHash:
default: Management password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
GatewaysPolicy:
default: Security Policy
AdminCIDR:
@@ -516,6 +522,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
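Review bot: The new `AllowedPattern: '[\$\./a-zA-Z0-9]*'` on GatewayMaintenancePasswordHash drops the `^…$` anchors that the neighbouring GatewayPasswordHash pattern uses (`'^[\$\./a-zA-Z0-9]*$'`, the context line just above the hunk). CloudFormation matches AllowedPattern against the entire parameter value, so both forms validate identically, but two sibling secret parameters in one file should use one form; `AllowedPattern: '^[\$\./a-zA-Z0-9]*$'` keeps them aligned. The same mismatch appears in the ManagementMaintenancePasswordHash hunk of this file, in both parameter hunks of tgw-gwlb.yaml and tgw-asg-master.yaml, and in the GatewayMaintenancePasswordHash hunk of tgw-asg.yaml. The Description could also state outright whether the value is ignored on R81.10 and below, if that is what the sentence about those versions means; at present it only implies it.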
@@ -683,6 +695,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaysPolicy:
Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
Type: String
@@ -771,6 +789,7 @@ Resources:
GatewaysMaxSize: !Ref GatewaysMaxSize
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
AllocatePublicAddress: !Ref AllocatePublicAddress
@@ -782,6 +801,7 @@ Resources:
ManagementInstanceType: !Ref ManagementInstanceType
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
GatewaysPolicy: !Ref GatewaysPolicy
AdminCIDR: !Ref AdminCIDR
GatewayManagement: !Ref GatewayManagement
diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml
index cdaad8e9..0801a10a 100644
--- a/aws/templates/gwlb-asg/tgw-gwlb.yaml
+++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (__VERSION__)
+Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
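Review bot: The old Description carried a `__VERSION__` placeholder where every other template in this diff carried a literal date, and the new side replaces it with the literal `20240204`. If a release script substitutes `__VERSION__` at packaging time, this file no longer takes part in that substitution; if the placeholder was an unreplaced leftover, the literal is the right fix. Worth confirming which before merging, since the two cases look the same in the rendered template.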
@@ -46,6 +46,7 @@ Metadata:
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- ControlGatewayOverPrivateOrPublicAddress
- AllocatePublicAddress
@@ -63,6 +64,7 @@ Metadata:
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- GatewaysPolicy
- AdminCIDR
- GatewayManagement
@@ -136,6 +138,8 @@ Metadata:
default: Gateways version & license
GatewayPasswordHash:
default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: Gateways SIC key
ControlGatewayOverPrivateOrPublicAddress:
@@ -158,6 +162,8 @@ Metadata:
default: Management version & license
ManagementPasswordHash:
default: Management password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
GatewaysPolicy:
default: Security Policy
AdminCIDR:
@@ -467,6 +473,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
@@ -651,6 +663,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaysPolicy:
Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
Type: String
@@ -969,6 +987,7 @@ Resources:
GatewaysMaxSize: !Ref GatewaysMaxSize
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
AllocatePublicAddress: !Ref AllocatePublicAddress
@@ -977,6 +996,7 @@ Resources:
ManagementInstanceType: !Ref ManagementInstanceType
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
GatewaysPolicy: !Ref GatewaysPolicy
AdminCIDR: !Ref AdminCIDR
GatewayManagement: !Ref GatewayManagement
diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml
index d0e5ac77..6da0484a 100755
--- a/aws/templates/management/management.yaml
+++ b/aws/templates/management/management.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Management Server (20230926)
+Description: Deploys a Check Point Management Server (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -33,12 +33,13 @@ Metadata:
- ManagementVersion
- Shell
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- Label:
default: Security Management Server Settings
Parameters:
- ManagementHostname
- - PrimaryManagement
- - ManagementSICKey
+ - ManagementInstallationType
+ - SICKey
- AllowUploadDownload
- AdminCIDR
- GatewayManagement
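Review bot: Renaming the `PrimaryManagement` and `ManagementSICKey` parameters to `ManagementInstallationType` and `SICKey` changes the template's public interface: any parent template or CLI invocation that passes the old names fails validation, and an in-place update of an existing stack cannot carry the old values across. None of the callers visible in this diff pass either name, but that says nothing about callers outside it. The change deserves a line in the template's changelog giving the mapping, `PrimaryManagement: true` → `ManagementInstallationType: Primary management` and `ManagementSICKey` → `SICKey`, so operators can migrate their parameter files.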
@@ -81,11 +82,13 @@ Metadata:
default: Admin shell
ManagementPasswordHash:
default: Password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
ManagementHostname:
default: Management hostname
- PrimaryManagement:
- default: Primary management
- ManagementSICKey:
+ ManagementInstallationType:
+ default: Management installation type
+ SICKey:
default: SIC key
AllowUploadDownload:
default: Allow upload & download
@@ -320,22 +323,29 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
ManagementHostname:
Description: The name must not contain reserved words. For details, refer to sk40179 (optional).
Type: String
Default: mgmt-aws
AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
ConstraintDescription: A valid hostname label or an empty string.
- PrimaryManagement:
- Description: Determines if this is the primary Management Server or not.
+ ManagementInstallationType:
+ Description: Determines the Management Server installation type.
Type: String
- Default: true
+ Default: Primary management
AllowedValues:
- - true
- - false
- ManagementSICKey:
+ - Primary management
+ - Secondary management
+ - Log Server
+ SICKey:
Description: >-
- Mandatory only if deploying a secondary Management Server, the Secure Internal
+ Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal
Communication key creates trusted connections between Check Point components.
Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
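Review bot: The SICKey Description says the key is mandatory for Secondary management and Log Server installs, but nothing in the template enforces it: the `NoSIC` condition (rewritten later in this diff) turns an empty key into `sic=""` regardless of `ManagementInstallationType`, so a non-primary deployment with an empty key proceeds and presumably fails only inside the instance, after the stack has already created resources. A `Rules` section can reject that combination at CreateStack/UpdateStack time, before anything is provisioned. The SICKey parameter definition continues beyond the hunk.

```yaml
Rules:
  SICKeyRequiredForNonPrimary:
    RuleCondition: !Not [!Equals [!Ref ManagementInstallationType, Primary management]]
    Assertions:
      - Assert: !Not [!Equals [!Ref SICKey, '']]
        AssertDescription: SICKey is mandatory for Secondary management and Log Server installations.
```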
@@ -394,7 +404,7 @@ Conditions:
- !Equals [!Ref ManagementPermissions, Create with read-write permissions]
EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]]
- NoSIC: !Equals [!Ref ManagementSICKey, '']
+ NoSIC: !Equals [!Ref SICKey, '']
PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
Resources:
AMI:
@@ -519,14 +529,15 @@ Resources:
- 'runcmd:'
- ' - |'
- ' set -e'
- - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; primary_mgmt=${PrimaryManagement} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary}'
+ - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}'''
- !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue']
- - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref ManagementSICKey, ')"']]]
+ - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]]
- !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false']
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}]
- - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20221123\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" primary=\"${primary_mgmt}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
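Review bot: `"management_installation_type=\"${mgmt_install_type}\""` is the only argument on the new cloud_config.py line wrapped in an extra pair of double quotes, and the reason — the allowed values of `ManagementInstallationType` contain a space (`Primary management`), so without the outer quotes the shell would split the argument in two — is recorded nowhere; a comment above the `mgmt_install_type=''${ManagementInstallationType}'''` assignment, `# outer quotes required: allowed values contain spaces`, would stop the next maintainer from "simplifying" it. The argument names on that line now mix three styles (`passwordHash`, `MaintenanceModePassword`, `management_installation_type`); if they are dictated by /etc/cloud_config.py on the image that is unavoidable, otherwise one style would read better. Separately, the maintenance hash is delivered exactly like `pwd_hash`, inside cloud-init user data, which is readable from the instance metadata service and via DescribeInstanceAttribute; `NoEcho` hides the parameter from the console and the stack API, not from user data, so the parameter Description could say that the hash is passed to the instance in user data. The same applies to the matching lines in mds.yaml, gateway.yaml and standalone.yaml.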
PublicAddress:
Type: AWS::EC2::EIP
Condition: EIP
diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml
index 90b47f81..7ef88cf1 100755
--- a/aws/templates/mds/mds.yaml
+++ b/aws/templates/mds/mds.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: '2010-09-09'
-Description: Deploys a Check Point Multi-Domain Server (20230926)
+Description: Deploys a Check Point Multi-Domain Server (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -32,6 +32,7 @@ Metadata:
- MDSVersion
- Shell
- MDSPasswordHash
+ - MDSMaintenancePasswordHash
- Label:
default: Multi-Domain Server Settings
Parameters:
@@ -77,6 +78,8 @@ Metadata:
default: Admin shell
MDSPasswordHash:
default: Password hash
+ MDSMaintenancePasswordHash:
+ default: MDS Maintenance Password hash
MDSHostname:
default: MDS hostname
MDSInstallationType:
@@ -303,6 +306,12 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ MDSMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
MDSHostname:
Description: The name must not contain reserved words. For details, refer to sk40179 (optional).
Type: String
@@ -492,5 +501,6 @@ Resources:
- !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}]
- - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20221123\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"'
\ No newline at end of file
+ - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"'
\ No newline at end of file
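Review bot: Both sides of this hunk end with `\ No newline at end of file`, so mds.yaml still lacks a trailing newline after the change; since the last line is rewritten anyway, terminating it properly would bring the file in line with the other templates and stop every future edit of that line from carrying this marker. The `MaintenanceModePassword=` argument carries the PBKDF2 hash from `maintenance_pwd_hash`, not a password; if the name is fixed by /etc/cloud_config.py it cannot change, otherwise a name ending in `Hash`, matching `passwordHash`, would be less misleading.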
diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml
index 1db079a5..bc1e7147 100755
--- a/aws/templates/single-gw/gateway-master.yaml
+++ b/aws/templates/single-gw/gateway-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Security Gateway into a new VPC (20231113)
+Description: Deploys a Check Point Security Gateway into a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -29,6 +29,7 @@ Metadata:
- Shell
- GatewaySICKey
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
Parameters:
@@ -86,6 +87,8 @@ Metadata:
default: Smart-1 Cloud Token
GatewayPasswordHash:
default: Gateway Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
ResourcesTagName:
default: Resources prefix tag
GatewayHostname:
@@ -328,6 +331,12 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
ResourcesTagName:
Description: The name tag of the resources. (optional)
Type: String
@@ -439,6 +448,7 @@ Resources:
GatewaySICKey: !Ref GatewaySICKey
GatewayToken: !Ref GatewayToken
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
ResourcesTagName: !Ref ResourcesTagName
GatewayHostname: !Ref GatewayHostname
AllowUploadDownload: !Ref AllowUploadDownload
diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml
index 3e2e3543..da41792a 100755
--- a/aws/templates/single-gw/gateway.yaml
+++ b/aws/templates/single-gw/gateway.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Security Gateway into an existing VPC (20231113)
+Description: Deploys a Check Point Security Gateway into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -29,6 +29,7 @@ Metadata:
- Shell
- GatewaySICKey
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
Parameters:
@@ -86,6 +87,8 @@ Metadata:
default: Smart-1 Cloud Token
GatewayPasswordHash:
default: Gateway Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
ResourcesTagName:
default: Resources prefix tag
GatewayHostname:
@@ -326,6 +329,12 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
ResourcesTagName:
Description: The name tag of the resources. (optional)
Type: String
@@ -525,9 +534,10 @@ Resources:
- !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue']
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20231113\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
KeyName: !Ref KeyName
NetworkInterfaces:
- DeviceIndex: 0
diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml
index 2ad55367..4f598a3f 100755
--- a/aws/templates/standalone/standalone-master.yaml
+++ b/aws/templates/standalone/standalone-master.yaml
@@ -1,6 +1,6 @@
AWSTemplateFormatVersion: 2010-09-09
Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS
- Security Gateway & Management (Standalone) instance in a new VPC (20231113)
+ Security Gateway & Management (Standalone) instance in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -29,6 +29,7 @@ Metadata:
- StandaloneVersion
- Shell
- StandalonePasswordHash
+ - StandaloneMaintenancePasswordHash
- Label:
default: Advanced Settings
Parameters:
@@ -74,6 +75,8 @@ Metadata:
default: Admin shell
StandalonePasswordHash:
default: Standalone Password hash
+ StandaloneMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
ResourcesTagName:
default: Resources prefix tag
StandaloneHostname:
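Review bot: The label added for `StandaloneMaintenancePasswordHash` reads `Gateway Maintenance Password hash`, while the same parameter in standalone.yaml is labelled `Standalone Maintenance Password hash` and the sibling label directly above reads `Standalone Password hash`; this text is what the console shows, and the `Gateway` wording looks copied from the gateway templates. `default: Standalone Maintenance Password hash` aligns it with both.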
@@ -183,6 +186,12 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ StandaloneMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
StandaloneInstanceType:
Description: The instance type of the Security Gateway & Management (Standalone) instance.
Type: String
@@ -400,6 +409,7 @@ Resources:
StandaloneVersion: !Ref StandaloneVersion
Shell: !Ref Shell
StandalonePasswordHash: !Ref StandalonePasswordHash
+ StandaloneMaintenancePasswordHash: !Ref StandaloneMaintenancePasswordHash
ResourcesTagName: !Ref ResourcesTagName
StandaloneHostname: !Ref StandaloneHostname
AllowUploadDownload: !Ref AllowUploadDownload
diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml
index 81819393..78f36aba 100755
--- a/aws/templates/standalone/standalone.yaml
+++ b/aws/templates/standalone/standalone.yaml
@@ -1,6 +1,6 @@
AWSTemplateFormatVersion: 2010-09-09
Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS
- Security Gateway & Management (Standalone) instance into an existing VPC (20231113)
+ Security Gateway & Management (Standalone) instance into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -29,6 +29,7 @@ Metadata:
- StandaloneVersion
- Shell
- StandalonePasswordHash
+ - StandaloneMaintenancePasswordHash
- Label:
default: Advanced Settings
Parameters:
@@ -74,6 +75,8 @@ Metadata:
default: Admin shell
StandalonePasswordHash:
default: Standalone Password hash
+ StandaloneMaintenancePasswordHash:
+ default: Standalone Maintenance Password hash
ResourcesTagName:
default: Resources prefix tag
StandaloneHostname:
@@ -296,6 +299,12 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ StandaloneMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
ResourcesTagName:
Description: The name tag of the resources. (optional)
Type: String
@@ -475,8 +484,9 @@ Resources:
- !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue']
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref StandaloneVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20231113\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
KeyName: !Ref KeyName
NetworkInterfaces:
- DeviceIndex: 0
diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml
index 2efbb720..076e24a7 100755
--- a/aws/templates/tgw-asg/tgw-asg-master.yaml
+++ b/aws/templates/tgw-asg/tgw-asg-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20230830)
+Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -32,6 +32,7 @@ Metadata:
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- CloudWatch
- ASN
@@ -43,6 +44,7 @@ Metadata:
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- ManagementPermissions
- ManagementPredefinedRole
- GatewaysBlades
@@ -96,6 +98,8 @@ Metadata:
default: Gateways version & license
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
CloudWatch:
@@ -112,6 +116,8 @@ Metadata:
default: Version & license
ManagementPasswordHash:
default: Password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
ManagementPermissions:
default: IAM role
ManagementPredefinedRole:
@@ -368,6 +374,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
@@ -532,6 +544,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
ManagementPermissions:
Description: IAM role to attach to the instance profile.
Type: String
@@ -629,6 +647,7 @@ Resources:
GatewaysMaxSize: !Ref GatewaysMaxSize
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
CloudWatch: !Ref CloudWatch
ASN: !Ref ASN
@@ -637,6 +656,7 @@ Resources:
ManagementInstanceType: !Ref ManagementInstanceType
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
ManagementPermissions: !Ref ManagementPermissions
ManagementPredefinedRole: !Ref ManagementPredefinedRole
GatewaysBlades: !Ref GatewaysBlades
diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml
index 1213aded..c63676e1 100755
--- a/aws/templates/tgw-asg/tgw-asg.yaml
+++ b/aws/templates/tgw-asg/tgw-asg.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: '2010-09-09'
-Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20230830)
+Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -27,6 +27,7 @@ Metadata:
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- CloudWatch
- ASN
@@ -38,6 +39,7 @@ Metadata:
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
- ManagementPermissions
- ManagementPredefinedRole
- GatewaysBlades
@@ -81,6 +83,8 @@ Metadata:
default: Version & license
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
CloudWatch:
@@ -97,6 +101,8 @@ Metadata:
default: Version & license
ManagementPasswordHash:
default: Password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
ManagementPermissions:
default: IAM role
ManagementPredefinedRole:
@@ -322,6 +328,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
@@ -486,6 +498,12 @@ Parameters:
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
ManagementPermissions:
Description: IAM role to attach to the instance profile.
Type: String
@@ -565,6 +583,7 @@ Resources:
ManagementPredefinedRole: !Ref ManagementPredefinedRole
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
AllowUploadDownload: !Ref AllowUploadDownload
AdminCIDR: !Ref AdminCIDR
GatewayManagement: !Ref GatewayManagement
@@ -616,6 +635,7 @@ Resources:
AdminEmail: !Ref AdminEmail
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
AllowUploadDownload: !Ref AllowUploadDownload
CloudWatch: !Ref CloudWatch
diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml
index 46321c79..076c1390 100755
--- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml
+++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20230503)
+Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -33,6 +33,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -92,6 +93,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -345,6 +348,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections
between Check Point components. Choose a random string consisting of at least
@@ -455,6 +464,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
index 61e4cd1d..651a4554 100755
--- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
+++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20230503)
+Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -33,6 +33,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -92,6 +93,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -341,6 +344,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections
between Check Point components. Choose a random string consisting of at least
@@ -425,6 +434,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml
index 06ee377d..7eb8db40 100755
--- a/aws/templates/tgw-ha/tgw-ha-master.yaml
+++ b/aws/templates/tgw-ha/tgw-ha-master.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20230503)
+Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -33,6 +33,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -92,6 +93,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -351,6 +354,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections
between Check Point components. Choose a random string consisting of at least
@@ -460,6 +469,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml
index 663e6e5c..e02d8e5e 100755
--- a/aws/templates/tgw-ha/tgw-ha.yaml
+++ b/aws/templates/tgw-ha/tgw-ha.yaml
@@ -1,5 +1,5 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20230503)
+Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20240204)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -33,6 +33,7 @@ Metadata:
- GatewayVersion
- Shell
- GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
- GatewaySICKey
- Label:
default: Quick connect to Smart-1 Cloud (Recommended)
@@ -92,6 +93,8 @@ Metadata:
default: Admin shell
GatewayPasswordHash:
default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
GatewaySICKey:
default: SIC key
MemberAToken:
@@ -346,6 +349,12 @@ Parameters:
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between
Check Point components. Choose a random string consisting of at least 8
@@ -431,6 +440,7 @@ Resources:
GatewayVersion: !Ref GatewayVersion
Shell: !Ref Shell
GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
GatewaySICKey: !Ref GatewaySICKey
MemberAToken: !Ref MemberAToken
MemberBToken: !Ref MemberBToken
diff --git a/terraform/aws/autoscale-gwlb/README.md b/terraform/aws/autoscale-gwlb/README.md
index a34bc2fc..1ca15344 100755
--- a/terraform/aws/autoscale-gwlb/README.md
+++ b/terraform/aws/autoscale-gwlb/README.md
@@ -93,6 +93,7 @@ secret_key = "my-secret-key"
gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_instance_connect = false
allow_upload_download = true
@@ -143,7 +144,7 @@ secret_key = "my-secret-key"
| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
-
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
| Name | Description |
@@ -172,6 +173,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/autoscale-gwlb/asg_userdata.yaml b/terraform/aws/autoscale-gwlb/asg_userdata.yaml
index 7ef7a603..bb095c01 100755
--- a/terraform/aws/autoscale-gwlb/asg_userdata.yaml
+++ b/terraform/aws/autoscale-gwlb/asg_userdata.yaml
@@ -26,4 +26,4 @@ bootcmd:
- echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${BootstrapScript}\"
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
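Review bot: The new argument `MaintenanceModePassword=\"${MaintenanceModePassword}\"` carries `local.maintenance_mode_password_hash_base64`, i.e. a base64-encoded hash, yet its name says password, while the neighbouring `passwordHash=\"${PasswordHash}\"` names the hash and uses lowerCamel like every other key on this line. The key left of `=` has to match whatever `/etc/cloud_config.py` parses, which I cannot see here, so I would confirm that before touching it; the templatefile variable on the right and its key in main.tf are local to this module and could be renamed to `MaintenanceModePasswordHash` so the name matches what is passed. Either way a short comment above the `runcmd` entry, e.g. `# passwordHash / MaintenanceModePassword are base64-encoded hashes, see main.tf`, would save the next reader a trip to main.tf.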
diff --git a/terraform/aws/autoscale-gwlb/locals.tf b/terraform/aws/autoscale-gwlb/locals.tf
index 0de76b1e..ef1abdf2 100755
--- a/terraform/aws/autoscale-gwlb/locals.tf
+++ b/terraform/aws/autoscale-gwlb/locals.tf
@@ -26,8 +26,10 @@ locals {
// Will fail if var.gateway_SICKey is invalid
regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
-
-
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
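Review bot: The message after `:` in the new `regex_gateway_maintenance_mode_password_hash` local (and in `regex_gateway_password_hash` added with it) looks unreachable: with the pattern anchored at both ends, a value containing a character outside the class makes `regex()` itself fail with its own "no match" error before the `==` comparison runs, so the operator sees Terraform's error rather than `must be a valid password hash`, as far as I can tell from Terraform's documented regex() behaviour. It still aborts the plan, and it is the same fail-by-error idiom the repo already uses (the `cluster-master` locals in this commit), so it is not wrong, just less helpful than it reads. A `validation` block on the variable in variables.tf would report the intended message without the dead branch; note the condition there cannot reference locals, so the pattern has to be inlined. The `locals` block starts before this hunk.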
@@ -39,7 +41,7 @@ locals {
gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
-
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
is_gwlb_ami = length(regexall(".*R80.40.*", var.gateway_version)) > 0
}
diff --git a/terraform/aws/autoscale-gwlb/main.tf b/terraform/aws/autoscale-gwlb/main.tf
index 2d8f567a..2fc0a383 100755
--- a/terraform/aws/autoscale-gwlb/main.tf
+++ b/terraform/aws/autoscale-gwlb/main.tf
@@ -64,6 +64,7 @@ resource "aws_launch_template" "asg_launch_template" {
user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
// script's arguments
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
EnableCloudWatch = var.enable_cloudwatch,
EnableInstanceConnect = var.enable_instance_connect,
Shell = var.admin_shell,
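Review bot: The maintenance-mode hash is interpolated into `user_data` here next to `PasswordHash`, and EC2 user-data is readable by any process on the instance through the metadata service and by any IAM principal allowed to describe launch template versions, so `NoEcho`/`sensitive` flags do not protect it once deployed. This is the same exposure the existing admin hash already has, so nothing new to block on, but a leaked grub PBKDF2 hash can be cracked offline, which makes passphrase strength the real control. I would say so in the variable description, e.g. append `The hash is embedded in instance user-data; use a long passphrase.` to `gateway_maintenance_mode_password_hash` (and `gateway_password_hash`) in variables.tf. The launch template resource continues past the end of the hunk.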
diff --git a/terraform/aws/autoscale-gwlb/terraform.tfvars b/terraform/aws/autoscale-gwlb/terraform.tfvars
index a5b9f5a9..ddc1de90 100755
--- a/terraform/aws/autoscale-gwlb/terraform.tfvars
+++ b/terraform/aws/autoscale-gwlb/terraform.tfvars
@@ -32,6 +32,7 @@ target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_instance_connect = false
allow_upload_download = true
diff --git a/terraform/aws/autoscale-gwlb/variables.tf b/terraform/aws/autoscale-gwlb/variables.tf
index a12f37cb..1f58bf6c 100644
--- a/terraform/aws/autoscale-gwlb/variables.tf
+++ b/terraform/aws/autoscale-gwlb/variables.tf
@@ -149,6 +149,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
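Review bot: `gateway_maintenance_mode_password_hash` is not marked `sensitive = true`, so the hash (and values derived from it, such as the rendered `user_data`) is printed in plan output and state diffs, whereas the CloudFormation templates in this commit set `NoEcho: true` on the same value. Terraform has supported `sensitive` on variables since 0.14 and this module's README records AWS provider 5.20.1, which needs Terraform 1.x, so it should be available; the same applies to the existing `gateway_password_hash` above and to this variable in the other modules touched here. The pattern check added in locals.tf would also sit more naturally here as a `validation` block, which reports the intended message instead of `regex()`'s own error; the condition cannot reference locals, so the pattern is inlined.
```hcl
variable "gateway_maintenance_mode_password_hash" {
  # … unchanged: description …
  type      = string
  default   = ""
  sensitive = true
  validation {
    condition     = can(regex("^[\\$\\./a-zA-Z0-9]*$", var.gateway_maintenance_mode_password_hash))
    error_message = "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash."
  }
}
```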
diff --git a/terraform/aws/autoscale/README.md b/terraform/aws/autoscale/README.md
index a1920359..97cf8445 100755
--- a/terraform/aws/autoscale/README.md
+++ b/terraform/aws/autoscale/README.md
@@ -94,6 +94,7 @@ secret_key = "my-secret-key"
gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below versions the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_instance_connect = false
allow_upload_download = true
@@ -153,6 +154,7 @@ secret_key = "my-secret-key"
| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no |
| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no |
| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no |
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
@@ -185,6 +187,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | Change default shell for the admin user to /etc/cli.sh |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/autoscale/asg_userdata.yaml b/terraform/aws/autoscale/asg_userdata.yaml
index b6dd308a..ea6de749 100755
--- a/terraform/aws/autoscale/asg_userdata.yaml
+++ b/terraform/aws/autoscale/asg_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${BootstrapScript}\"
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
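Review bot: `templateVersion=\"20231012\"` is left unchanged even though this call now passes a new `MaintenanceModePassword` argument, and the README for this module adds a changelog row `20230914 | Add support for maintenance mode password` above the existing `20231012` row. If that version string is what `cloud_config.py` reports back, a gateway built from this template will identify as a 20231012 template while carrying behaviour the changelog attributes to a different, earlier date. Unless the out-of-order row is deliberate, I would bump both to the date of this change, e.g. `templateVersion=\"20240204\"` (the date the CloudFormation templates in this commit use) with a matching changelog row; the same applies to the autoscale-gwlb and cluster userdata files in this commit.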
diff --git a/terraform/aws/autoscale/locals.tf b/terraform/aws/autoscale/locals.tf
index 5da05413..72fa5951 100755
--- a/terraform/aws/autoscale/locals.tf
+++ b/terraform/aws/autoscale/locals.tf
@@ -21,6 +21,10 @@ locals {
regex_valid_key_name = "[\\S\\s]+[\\S]+"
// will fail if var.key_name is invalid
regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
// Will fail if var.gateway_SICKey is invalid
@@ -44,6 +48,7 @@ locals {
version_split = element(split("-", var.gateway_version), 0)
gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
}
resource "null_resource" "tags_as_list_of_maps" {
diff --git a/terraform/aws/autoscale/main.tf b/terraform/aws/autoscale/main.tf
index ac4cf3e3..8abaf1d4 100755
--- a/terraform/aws/autoscale/main.tf
+++ b/terraform/aws/autoscale/main.tf
@@ -62,6 +62,7 @@ resource "aws_launch_template" "asg_launch_template" {
user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
// script's arguments
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
EnableCloudWatch = var.enable_cloudwatch,
EnableInstanceConnect = var.enable_instance_connect,
Shell = var.admin_shell,
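Review bot: The new line `MaintenanceModePassword = local.maintenance_mode_password_hash_base64` has no trailing comma, unlike `PasswordHash = local.gateway_password_hash_base64,` above it and the same line added to autoscale-gwlb/main.tf in this commit. HCL accepts newline-separated attributes in an object constructor, so it parses, but the mixed style is easy to trip over when lines are later joined or reordered; I would write `MaintenanceModePassword = local.maintenance_mode_password_hash_base64,`. The `templatefile` argument map continues past the end of the hunk.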
diff --git a/terraform/aws/autoscale/terraform.tfvars b/terraform/aws/autoscale/terraform.tfvars
index a51a6d7f..5978dffb 100755
--- a/terraform/aws/autoscale/terraform.tfvars
+++ b/terraform/aws/autoscale/terraform.tfvars
@@ -31,6 +31,7 @@ target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_instance_connect = false
allow_upload_download = true
diff --git a/terraform/aws/autoscale/variables.tf b/terraform/aws/autoscale/variables.tf
index e8925d12..9e757a8e 100755
--- a/terraform/aws/autoscale/variables.tf
+++ b/terraform/aws/autoscale/variables.tf
@@ -137,6 +137,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
diff --git a/terraform/aws/cluster-master/README.md b/terraform/aws/cluster-master/README.md
index 17437953..58f3fb3b 100755
--- a/terraform/aws/cluster-master/README.md
+++ b/terraform/aws/cluster-master/README.md
@@ -116,6 +116,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
@@ -182,7 +183,7 @@ secret_key = "my-secret-key"
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
-
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
| Name | Description |
@@ -209,6 +210,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/cluster-master/locals.tf b/terraform/aws/cluster-master/locals.tf
index d0d15a98..b77484fe 100755
--- a/terraform/aws/cluster-master/locals.tf
+++ b/terraform/aws/cluster-master/locals.tf
@@ -40,6 +40,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
// Will fail if var.primary_ntp is invalid
diff --git a/terraform/aws/cluster-master/main.tf b/terraform/aws/cluster-master/main.tf
index 37428ff0..8aa87346 100755
--- a/terraform/aws/cluster-master/main.tf
+++ b/terraform/aws/cluster-master/main.tf
@@ -50,6 +50,7 @@ module "launch_cluster_into_vpc" {
admin_shell = var.admin_shell
gateway_SICKey = var.gateway_SICKey
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
memberAToken = var.memberAToken
memberBToken = var.memberBToken
resources_tag_name = var.resources_tag_name
diff --git a/terraform/aws/cluster-master/terraform.tfvars b/terraform/aws/cluster-master/terraform.tfvars
index 15308457..d336d788 100755
--- a/terraform/aws/cluster-master/terraform.tfvars
+++ b/terraform/aws/cluster-master/terraform.tfvars
@@ -30,6 +30,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
diff --git a/terraform/aws/cluster-master/variables.tf b/terraform/aws/cluster-master/variables.tf
index 57794633..53798fb1 100755
--- a/terraform/aws/cluster-master/variables.tf
+++ b/terraform/aws/cluster-master/variables.tf
@@ -124,6 +124,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "memberAToken" {
diff --git a/terraform/aws/cluster/README.md b/terraform/aws/cluster/README.md
index b9da8ef1..d7bed5f6 100755
--- a/terraform/aws/cluster/README.md
+++ b/terraform/aws/cluster/README.md
@@ -90,6 +90,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
@@ -160,7 +161,7 @@ secret_key = "my-secret-key"
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
-
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
| Name | Description |
@@ -187,6 +188,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/cluster/cluster_member_a_userdata.yaml b/terraform/aws/cluster/cluster_member_a_userdata.yaml
index d84afcf3..6329e2cf 100755
--- a/terraform/aws/cluster/cluster_member_a_userdata.yaml
+++ b/terraform/aws/cluster/cluster_member_a_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cluster/cluster_member_b_userdata.yaml b/terraform/aws/cluster/cluster_member_b_userdata.yaml
index 369c2760..36d29dc5 100755
--- a/terraform/aws/cluster/cluster_member_b_userdata.yaml
+++ b/terraform/aws/cluster/cluster_member_b_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cluster/locals.tf b/terraform/aws/cluster/locals.tf
index fd9781ac..d64b39e7 100755
--- a/terraform/aws/cluster/locals.tf
+++ b/terraform/aws/cluster/locals.tf
@@ -50,6 +50,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
// Will fail if var.primary_ntp is invalid
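Review bot: The added local `regex_gateway_maintenance_mode_password_hash` only raises its error when something evaluates it, and neither this hunk nor the main.tf hunks (L1816–L1831) reference it, so as far as the diff shows the check may never fire; presumably the existing `regex_gateway_password_hash` is referenced elsewhere in main.tf, and the new local needs the same treference or, better, a `validation` block on the variable itself. It also lacks the `// Will fail if var.gateway_maintenance_mode_password_hash is invalid` comment its sibling carries. The same applies to the locals hunks at L1889, L1988, L2081, L2160 and L2250; in gateway-master and gateway (L2081, L2160) the admin-hash check is itself new, so there is no existing reference to piggy-back on.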
@@ -64,4 +65,5 @@ locals {
gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
}
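Review bot: `maintenance_mode_password_hash_base64` drops the `gateway_` prefix that its neighbours `gateway_SICkey_base64` and `gateway_password_hash_base64` share, so the grouping by role is lost when grepping; `gateway_maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)` keeps it obvious, with the references in main.tf (L1820, L1828) renamed to match. The same naming is used in cross-az-cluster (L1999).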
diff --git a/terraform/aws/cluster/main.tf b/terraform/aws/cluster/main.tf
index c4ac7554..3b8cc2d3 100755
--- a/terraform/aws/cluster/main.tf
+++ b/terraform/aws/cluster/main.tf
@@ -136,6 +136,7 @@ resource "aws_instance" "member-a-instance" {
// script's arguments
Hostname = var.gateway_hostname,
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
AllowUploadDownload = var.allow_upload_download,
EnableCloudWatch = var.enable_cloudwatch,
NTPPrimary = var.primary_ntp,
@@ -191,6 +192,7 @@ resource "aws_instance" "member-b-instance" {
// script's arguments
Hostname = var.gateway_hostname,
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
AllowUploadDownload = var.allow_upload_download,
EnableCloudWatch = var.enable_cloudwatch,
NTPPrimary = var.primary_ntp,
diff --git a/terraform/aws/cluster/terraform.tfvars b/terraform/aws/cluster/terraform.tfvars
index e4e7d4e5..ee33d4f1 100755
--- a/terraform/aws/cluster/terraform.tfvars
+++ b/terraform/aws/cluster/terraform.tfvars
@@ -26,6 +26,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
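Review bot: The new tfvars line uses a `#` comment while the rest of the file uses `//` (see the `// --- Quick connect …` line directly below); HCL accepts both, but one file should stay on one style: `gateway_maintenance_mode_password_hash = "" // For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.` The same line is added in L1916, L2030, L2112 and L2191.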
diff --git a/terraform/aws/cluster/variables.tf b/terraform/aws/cluster/variables.tf
index d9030cd8..6dd9e5fa 100755
--- a/terraform/aws/cluster/variables.tf
+++ b/terraform/aws/cluster/variables.tf
@@ -122,6 +122,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "memberAToken" {
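Review bot: The new variable holds a credential-derived value but is not marked `sensitive = true`, so the hash, and the `user_data` built from it, is printed in plan and apply output and in any CI log that captures it; the README changelog at L1770 shows the modules already target AWS provider 5.20.1, which implies a Terraform 1.x that supports both `sensitive` and `validation` blocks. A `validation` block also makes the format check unconditional instead of depending on the `regex_gateway_maintenance_mode_password_hash` local in locals.tf being referenced, and it avoids the problem that a sensitive-derived local cannot be used in `count` or `for_each` if that is how the existing locals are consumed. The description should also read `(Optional)` to match `gateway_password_hash` above it. The same variable is added at L1923, L2037, L2119 and L2198.
```hcl
variable "gateway_maintenance_mode_password_hash" {
  // … unchanged: description …
  type      = string
  default   = ""
  sensitive = true
  validation {
    condition     = can(regex("^[\\$\\./a-zA-Z0-9]*$", var.gateway_maintenance_mode_password_hash))
    error_message = "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash."
  }
}
```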
diff --git a/terraform/aws/cross-az-cluster-master/README.md b/terraform/aws/cross-az-cluster-master/README.md
index 27562ede..70badf8c 100755
--- a/terraform/aws/cross-az-cluster-master/README.md
+++ b/terraform/aws/cross-az-cluster-master/README.md
@@ -119,6 +119,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
@@ -181,7 +182,7 @@ secret_key = "my-secret-key"
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
-
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
| Name | Description |
@@ -207,6 +208,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230503 | Smart-1 Cloud token validation |
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/cross-az-cluster-master/locals.tf b/terraform/aws/cross-az-cluster-master/locals.tf
index 9a56e306..68e4523f 100755
--- a/terraform/aws/cross-az-cluster-master/locals.tf
+++ b/terraform/aws/cross-az-cluster-master/locals.tf
@@ -40,6 +40,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
// Will fail if var.primary_ntp is invalid
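Review bot: This copy names the local `regex_maintenance_mode_password_hash`, while the equivalent line in the other modules (L1803, L1992, L2087, L2166) is `regex_gateway_maintenance_mode_password_hash`; cross-az-cluster-master forwards the variable to cross-az-cluster (L1904), which validates it again at L1992, and the differing names make it harder to see that the same check runs twice. Renaming to `regex_gateway_maintenance_mode_password_hash` keeps the modules grep-consistent, and the `// Will fail if …` comment the sibling line carries should be added as well.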
diff --git a/terraform/aws/cross-az-cluster-master/main.tf b/terraform/aws/cross-az-cluster-master/main.tf
index cd65edcf..1984ca05 100755
--- a/terraform/aws/cross-az-cluster-master/main.tf
+++ b/terraform/aws/cross-az-cluster-master/main.tf
@@ -57,6 +57,7 @@ module "launch_cluster_into_vpc" {
memberAToken = var.memberAToken
memberBToken = var.memberBToken
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
resources_tag_name = var.resources_tag_name
gateway_hostname = var.gateway_hostname
allow_upload_download = var.allow_upload_download
diff --git a/terraform/aws/cross-az-cluster-master/terraform.tfvars b/terraform/aws/cross-az-cluster-master/terraform.tfvars
index cbc6e653..3059005a 100755
--- a/terraform/aws/cross-az-cluster-master/terraform.tfvars
+++ b/terraform/aws/cross-az-cluster-master/terraform.tfvars
@@ -31,6 +31,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
diff --git a/terraform/aws/cross-az-cluster-master/variables.tf b/terraform/aws/cross-az-cluster-master/variables.tf
index 132ec40f..e51fcd99 100755
--- a/terraform/aws/cross-az-cluster-master/variables.tf
+++ b/terraform/aws/cross-az-cluster-master/variables.tf
@@ -124,6 +124,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "memberAToken" {
diff --git a/terraform/aws/cross-az-cluster/README.md b/terraform/aws/cross-az-cluster/README.md
index 1e38019c..7473b6ed 100755
--- a/terraform/aws/cross-az-cluster/README.md
+++ b/terraform/aws/cross-az-cluster/README.md
@@ -94,6 +94,7 @@ secret_key = "my-secret-key"
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
memberBToken = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Advanced Settings ---
resources_tag_name = "tag-name"
@@ -156,6 +157,7 @@ secret_key = "my-secret-key"
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
@@ -182,6 +184,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230503 | Smart-1 Cloud token validation |
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
## License
diff --git a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml
index 4ef01c26..1a3095e2 100755
--- a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml
+++ b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml
index 0fe3c7ab..9ec9d23a 100755
--- a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml
+++ b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster/locals.tf b/terraform/aws/cross-az-cluster/locals.tf
index 73484b79..19f67f30 100755
--- a/terraform/aws/cross-az-cluster/locals.tf
+++ b/terraform/aws/cross-az-cluster/locals.tf
@@ -50,6 +50,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
// Will fail if var.primary_ntp is invalid
@@ -62,6 +63,7 @@ locals {
gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
gateway_SICkey_base64=base64encode(var.gateway_SICKey)
gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
//Splits the version and licence and returns the os version
version_split = element(split("-", var.gateway_version), 0)
diff --git a/terraform/aws/cross-az-cluster/main.tf b/terraform/aws/cross-az-cluster/main.tf
index fed5c125..80bb3429 100755
--- a/terraform/aws/cross-az-cluster/main.tf
+++ b/terraform/aws/cross-az-cluster/main.tf
@@ -135,6 +135,7 @@ resource "aws_instance" "member-a-instance" {
// script's arguments
Hostname = var.gateway_hostname,
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
AllowUploadDownload = var.allow_upload_download,
EnableCloudWatch = var.enable_cloudwatch,
NTPPrimary = var.primary_ntp,
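Review bot: The added `MaintenanceModePassword = local.maintenance_mode_password_hash_base64` line has no trailing comma, unlike every neighbouring entry and unlike the same line in cluster/main.tf (L1820, L1828); HCL's object constructor accepts newline-separated items, so this should still parse, but mixed separators in one literal are easy to misread and are what `terraform fmt` would normalise. Add the comma: `MaintenanceModePassword = local.maintenance_mode_password_hash_base64,`. The member-b hunk (L2018) has the same omission; both enclosing `aws_instance` resources begin outside the hunk.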
@@ -194,6 +195,7 @@ resource "aws_instance" "member-b-instance" {
// script's arguments
Hostname = var.gateway_hostname,
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
AllowUploadDownload = var.allow_upload_download,
EnableCloudWatch = var.enable_cloudwatch,
NTPPrimary = var.primary_ntp,
diff --git a/terraform/aws/cross-az-cluster/terraform.tfvars b/terraform/aws/cross-az-cluster/terraform.tfvars
index 5ae99358..94afa38f 100755
--- a/terraform/aws/cross-az-cluster/terraform.tfvars
+++ b/terraform/aws/cross-az-cluster/terraform.tfvars
@@ -25,6 +25,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
diff --git a/terraform/aws/cross-az-cluster/variables.tf b/terraform/aws/cross-az-cluster/variables.tf
index a770e85e..7c031c25 100755
--- a/terraform/aws/cross-az-cluster/variables.tf
+++ b/terraform/aws/cross-az-cluster/variables.tf
@@ -122,6 +122,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "memberAToken" {
diff --git a/terraform/aws/gateway-master/README.md b/terraform/aws/gateway-master/README.md
index 86f8d0cc..c4cee29b 100755
--- a/terraform/aws/gateway-master/README.md
+++ b/terraform/aws/gateway-master/README.md
@@ -113,7 +113,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
-
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
gateway_TokenKey = ""
@@ -175,7 +175,7 @@ secret_key = "my-secret-key"
| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no |
| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no |
| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no |
-
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
| Name | Description |
@@ -205,6 +205,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/gateway-master/locals.tf b/terraform/aws/gateway-master/locals.tf
index cff01979..0ca4134f 100755
--- a/terraform/aws/gateway-master/locals.tf
+++ b/terraform/aws/gateway-master/locals.tf
@@ -23,6 +23,11 @@ locals {
// Will fail if var.gateway_hostname is invalid
regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
control_over_public_or_private_allowed_values = [
"public",
"private"]
diff --git a/terraform/aws/gateway-master/main.tf b/terraform/aws/gateway-master/main.tf
index 9e0f2362..666fdcfa 100755
--- a/terraform/aws/gateway-master/main.tf
+++ b/terraform/aws/gateway-master/main.tf
@@ -51,6 +51,7 @@ module "launch_gateway_into_vpc" {
admin_shell = var.admin_shell
gateway_SICKey = var.gateway_SICKey
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_TokenKey = var.gateway_TokenKey
gateway_hostname = var.gateway_hostname
allow_upload_download = var.allow_upload_download
diff --git a/terraform/aws/gateway-master/terraform.tfvars b/terraform/aws/gateway-master/terraform.tfvars
index 201f3881..3bc61a7e 100755
--- a/terraform/aws/gateway-master/terraform.tfvars
+++ b/terraform/aws/gateway-master/terraform.tfvars
@@ -29,6 +29,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
gateway_TokenKey = ""
diff --git a/terraform/aws/gateway-master/variables.tf b/terraform/aws/gateway-master/variables.tf
index 9ebeb044..6a91a649 100755
--- a/terraform/aws/gateway-master/variables.tf
+++ b/terraform/aws/gateway-master/variables.tf
@@ -119,6 +119,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "gateway_TokenKey" {
diff --git a/terraform/aws/gateway/README.md b/terraform/aws/gateway/README.md
index 3987314f..00cb524b 100755
--- a/terraform/aws/gateway/README.md
+++ b/terraform/aws/gateway/README.md
@@ -86,6 +86,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
gateway_TokenKey = ""
@@ -152,6 +153,7 @@ secret_key = "my-secret-key"
| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no |
| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no |
| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no |
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
@@ -178,6 +180,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/gateway/locals.tf b/terraform/aws/gateway/locals.tf
index ed10ed66..79c894db 100755
--- a/terraform/aws/gateway/locals.tf
+++ b/terraform/aws/gateway/locals.tf
@@ -27,6 +27,11 @@ locals {
// Will fail if var.gateway_hostname is invalid
regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
control_over_public_or_private_allowed_values = [
"public",
"private"]
diff --git a/terraform/aws/gateway/main.tf b/terraform/aws/gateway/main.tf
index 0fd86987..0b2b7219 100755
--- a/terraform/aws/gateway/main.tf
+++ b/terraform/aws/gateway/main.tf
@@ -103,6 +103,7 @@ module "common_gateway_instance" {
iam_instance_profile_id = (local.enable_cloudwatch_policy == 1 ? aws_iam_instance_profile.gateway_instance_profile[0].id : "")
ami_id = module.amis.ami_id
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
admin_shell = var.admin_shell
gateway_SICKey = var.gateway_SICKey
gateway_TokenKey = var.gateway_TokenKey
diff --git a/terraform/aws/gateway/terraform.tfvars b/terraform/aws/gateway/terraform.tfvars
index 0c1f4836..deefe79f 100755
--- a/terraform/aws/gateway/terraform.tfvars
+++ b/terraform/aws/gateway/terraform.tfvars
@@ -25,6 +25,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
gateway_TokenKey = ""
diff --git a/terraform/aws/gateway/variables.tf b/terraform/aws/gateway/variables.tf
index 125a8cab..8d1cf370 100755
--- a/terraform/aws/gateway/variables.tf
+++ b/terraform/aws/gateway/variables.tf
@@ -117,7 +117,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
-
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "gateway_TokenKey" {
type = string
diff --git a/terraform/aws/gwlb-master/README.md b/terraform/aws/gwlb-master/README.md
index 2738256e..7e7a231d 100755
--- a/terraform/aws/gwlb-master/README.md
+++ b/terraform/aws/gwlb-master/README.md
@@ -117,6 +117,7 @@ secret_key = "my-secret-key"
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -128,6 +129,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = ""
@@ -193,6 +195,8 @@ secret_key = "my-secret-key"
| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | ""| no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | ""| no |
## Outputs
@@ -220,6 +224,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
| 20230910 | Add bootstrap script execution option for deployed gateways |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/gwlb-master/locals.tf b/terraform/aws/gwlb-master/locals.tf
index 4eddf6ac..29a557ee 100755
--- a/terraform/aws/gwlb-master/locals.tf
+++ b/terraform/aws/gwlb-master/locals.tf
@@ -26,10 +26,12 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.management_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
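Review bot: The new `regex_gateway_maintenance_mode_password_hash` local validates the gateway value against `local.regex_valid_management_password_hash` instead of `local.regex_valid_gateway_password_hash`, which is declared two lines above it for exactly this purpose. Both patterns are byte-identical today, so nothing breaks, but if either is later tightened the gateway maintenance-mode hash will silently follow the management rule; the new line in terraform/aws/gwlb/locals.tf has the same cross-reference. I would write `regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"` and extend the two `// Will fail if ...` comments so they also name the maintenance-mode variables they now sit above.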
diff --git a/terraform/aws/gwlb-master/main.tf b/terraform/aws/gwlb-master/main.tf
index a1972636..a417d7d3 100755
--- a/terraform/aws/gwlb-master/main.tf
+++ b/terraform/aws/gwlb-master/main.tf
@@ -46,6 +46,7 @@ module "gwlb" {
maximum_group_size = var.maximum_group_size
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
gateways_provision_address_type = var.gateways_provision_address_type
allocate_public_IP = var.allocate_public_IP
@@ -57,6 +58,7 @@ module "gwlb" {
management_instance_type = var.management_instance_type
management_version = var.management_version
management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
gateways_policy = var.gateways_policy
gateway_management = var.gateway_management
admin_cidr = var.admin_cidr
diff --git a/terraform/aws/gwlb-master/terraform.tfvars b/terraform/aws/gwlb-master/terraform.tfvars
index d1fb797d..0b2f4ce1 100755
--- a/terraform/aws/gwlb-master/terraform.tfvars
+++ b/terraform/aws/gwlb-master/terraform.tfvars
@@ -32,6 +32,7 @@ minimum_group_size = 2
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -43,6 +44,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = "0.0.0.0/0"
diff --git a/terraform/aws/gwlb-master/variables.tf b/terraform/aws/gwlb-master/variables.tf
index 7d11129f..dfcfdb14 100755
--- a/terraform/aws/gwlb-master/variables.tf
+++ b/terraform/aws/gwlb-master/variables.tf
@@ -164,6 +164,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
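Review bot: The new `gateway_maintenance_mode_password_hash` variable has no `sensitive = true`, so the hash is printed verbatim in `terraform plan`/`apply` output and in any diff of the rendered user data. It is a hash rather than a plaintext password, but a PBKDF2 GRUB hash is still offline-crackable material for a recovery credential and deserves the same handling as a secret; adding `sensitive = true` (Terraform 0.14+) is a one-line change and propagates through the `base64encode` local and the templatefile result. The same omission is in the `management_maintenance_mode_password_hash` block later in this file and in the equivalent new blocks in terraform/aws/gwlb, terraform/aws/management, terraform/aws/mds and terraform/aws/modules/common/gateway_instance. Whether the pre-existing `*_password_hash` variables set it is outside the hunk, so I cannot tell if this is a new inconsistency or an existing one. Separately, this description ("relevant only for R81.20 and higher versions") differs from the fuller text used for the same variable in the shared gateway_instance module and in terraform/aws/management; aligning them avoids two explanations of one setting.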
@@ -232,6 +237,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateways_policy" {
type = string
description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md
index 911c6c40..41a47ad4 100755
--- a/terraform/aws/gwlb/README.md
+++ b/terraform/aws/gwlb/README.md
@@ -110,6 +110,7 @@ secret_key = "my-secret-key"
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -121,6 +122,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = ""
@@ -185,7 +187,8 @@ secret_key = "my-secret-key"
| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
-
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
| Name | Description |
@@ -213,6 +216,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
| 20230910 | Add bootstrap script execution option for deployed gateways |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
| 20231022 | Fixed template to populate x-chkp-tags correctly |
diff --git a/terraform/aws/gwlb/locals.tf b/terraform/aws/gwlb/locals.tf
index 0e982c82..44363311 100755
--- a/terraform/aws/gwlb/locals.tf
+++ b/terraform/aws/gwlb/locals.tf
@@ -23,11 +23,11 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.management_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
-
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
-
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
// Will fail if var.admin_cidr is invalid
diff --git a/terraform/aws/gwlb/main.tf b/terraform/aws/gwlb/main.tf
index 2fc6a38f..20a29602 100755
--- a/terraform/aws/gwlb/main.tf
+++ b/terraform/aws/gwlb/main.tf
@@ -52,6 +52,7 @@ module "autoscale_gwlb" {
maximum_group_size = var.maximum_group_size
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
allow_upload_download = var.allow_upload_download
enable_cloudwatch = var.enable_cloudwatch
@@ -84,6 +85,7 @@ module "management" {
disable_instance_termination = var.disable_instance_termination
management_version = var.management_version
management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
allow_upload_download = var.allow_upload_download
admin_cidr = var.admin_cidr
admin_shell = var.admin_shell
diff --git a/terraform/aws/gwlb/terraform.tfvars b/terraform/aws/gwlb/terraform.tfvars
index 13b14307..7f05b096 100755
--- a/terraform/aws/gwlb/terraform.tfvars
+++ b/terraform/aws/gwlb/terraform.tfvars
@@ -28,6 +28,7 @@ minimum_group_size = 2
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -39,6 +40,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = "0.0.0.0/0"
diff --git a/terraform/aws/gwlb/variables.tf b/terraform/aws/gwlb/variables.tf
index da997a9c..660b4292 100755
--- a/terraform/aws/gwlb/variables.tf
+++ b/terraform/aws/gwlb/variables.tf
@@ -153,6 +153,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
@@ -221,6 +226,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateways_policy" {
type = string
description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
diff --git a/terraform/aws/management/README.md b/terraform/aws/management/README.md
index fe276df8..012433e1 100755
--- a/terraform/aws/management/README.md
+++ b/terraform/aws/management/README.md
@@ -106,10 +106,10 @@ secret_key = "my-secret-key"
management_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
management_password_hash = ""
-
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
// --- Security Management Server Settings ---
management_hostname = "mgmt-tf"
- is_primary_management = "true"
+ management_installation_type = "Primary management"
SICKey = ""
allow_upload_download = "true"
gateway_management = "Locally managed"
@@ -155,7 +155,7 @@ secret_key = "my-secret-key"
| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no |
| management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no |
| management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no |
-| is_primary_management | Determines if this is the primary management server or not | bool | true/false | true | no |
+| management_installation_type | Determines if this is the primary management server, secondary management server or log server | string | - Primary management
- Secondary management
- Log Server | Primary management | yes |
| SICKey | Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no |
| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no |
@@ -164,6 +164,7 @@ secret_key = "my-secret-key"
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
| management_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -187,8 +188,10 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20240207 | Added Log Server installation support |
## License
diff --git a/terraform/aws/management/locals.tf b/terraform/aws/management/locals.tf
index 65ef62ad..896719ba 100755
--- a/terraform/aws/management/locals.tf
+++ b/terraform/aws/management/locals.tf
@@ -51,7 +51,7 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.management_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
-
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"
// Will fail if var.SICKey is invalid
regex_sic_result = regex(local.regex_valid_sic_key, var.SICKey) == var.SICKey ? 0 : "Variable [SICKey] must be at least 8 alphanumeric characters"
@@ -62,8 +62,15 @@ locals {
management_bootstrap_script64 = base64encode(var.management_bootstrap_script)
management_SICkey_base64=base64encode(var.SICKey)
management_password_hash_base64=base64encode(var.management_password_hash)
+ maintenance_mode_password_hash_base64=base64encode(var.management_maintenance_mode_password_hash)
manage_over_the_internet = var.gateway_management == "Over the internet" ? true : false
manage_over_internet_and_EIP = var.allocate_and_associate_eip && local.manage_over_the_internet ? true : false
pub_mgmt = local.manage_over_internet_and_EIP ? true : false
+
+ management_installation_type_allowed_values = [
+ "Primary management",
+ "Secondary management",
+ "Log Server"]
+ validate_management_installation_type = index(local.management_installation_type_allowed_values, var.management_installation_type)
}
\ No newline at end of file
diff --git a/terraform/aws/management/main.tf b/terraform/aws/management/main.tf
index 27f5e891..059aaaed 100755
--- a/terraform/aws/management/main.tf
+++ b/terraform/aws/management/main.tf
@@ -154,12 +154,13 @@ resource "aws_instance" "management-instance" {
// script's arguments
Hostname = var.management_hostname,
PasswordHash = local.management_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
AllowUploadDownload = var.allow_upload_download,
NTPPrimary = var.primary_ntp
NTPSecondary = var.secondary_ntp
Shell = var.admin_shell,
AdminSubnet = var.admin_cidr
- IsPrimary = var.is_primary_management
+ ManagementInstallationType = var.management_installation_type
SICKey = local.management_SICkey_base64,
OsVersion = local.version_split
EnableInstanceConnect = var.enable_instance_connect
diff --git a/terraform/aws/management/management_userdata.yaml b/terraform/aws/management/management_userdata.yaml
index 23f8ac94..0f3801ff 100755
--- a/terraform/aws/management/management_userdata.yaml
+++ b/terraform/aws/management/management_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
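Review bot: `templateVersion=\"20231012\"` is carried over unchanged on the new line even though the version-history table in this commit records later entries (20230914 and 20240207), so the instance will report a stale template version to /etc/cloud_config.py; the new lines in terraform/aws/mds/mds_userdata.yaml and terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml keep the same stale value. The new `MaintenanceModePassword=` key is PascalCase while every neighbouring key is camelCase (`passwordHash`, `adminSubnet`), and `management_installation_type=` is snake_case; whether cloud_config.py matches these names case-sensitively is not visible here, so confirm the expected spelling against the script before relying on them. The outer double quotes around the `management_installation_type` argument are correct, since the accepted values contain a space and the existing `smart1CloudToken` argument in the gateway userdata uses the same form.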
diff --git a/terraform/aws/management/terraform.tfvars b/terraform/aws/management/terraform.tfvars
index 2401f5a3..be24753c 100755
--- a/terraform/aws/management/terraform.tfvars
+++ b/terraform/aws/management/terraform.tfvars
@@ -27,10 +27,10 @@ sts_roles = []
management_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
management_password_hash = ""
-
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
// --- Security Management Server Settings ---
management_hostname = "mgmt-tf"
-is_primary_management = "true"
+management_installation_type = "Primary management"
SICKey = ""
allow_upload_download = "true"
gateway_management = "Locally managed"
diff --git a/terraform/aws/management/variables.tf b/terraform/aws/management/variables.tf
index 8eb2a074..366ba2c2 100755
--- a/terraform/aws/management/variables.tf
+++ b/terraform/aws/management/variables.tf
@@ -121,6 +121,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Security Management Server Settings ---
variable "management_hostname" {
@@ -128,10 +133,10 @@ variable "management_hostname" {
description = "(Optional) Security Management Server prompt hostname"
default = ""
}
-variable "is_primary_management" {
- type = bool
- description = "Determines if this is the primary management server or not"
- default = true
+variable "management_installation_type" {
+ type = string
+ description = "Determines the Management Server installation type: Primary management, Secondary management, Log Server"
+ default = "Primary management"
}
variable "SICKey" {
type = string
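Review bot: The new string variable `management_installation_type` accepts any value at this declaration, and the only guard is the `index()` lookup added to `validate_management_installation_type` in terraform/aws/management/locals.tf, which on a typo fails with Terraform's generic element-not-found error rather than naming the three accepted values. A `validation` block on the variable reports the accepted list at plan time and keeps the rule next to the declaration; the `management_installation_type_allowed_values` local can then be dropped or kept for reuse. Note also that replacing the `bool` `is_primary_management` with this string variable is a breaking change for existing tfvars files, which the README and terraform.tfvars updates cover but the version-history line does not mention.

```terraform
variable "management_installation_type" {
  type        = string
  description = "Determines the Management Server installation type: Primary management, Secondary management, Log Server"
  default     = "Primary management"
  validation {
    condition     = contains(["Primary management", "Secondary management", "Log Server"], var.management_installation_type)
    error_message = "Variable [management_installation_type] must be one of: Primary management, Secondary management, Log Server."
  }
}
```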
diff --git a/terraform/aws/mds/README.md b/terraform/aws/mds/README.md
index 716950c5..06d3b282 100755
--- a/terraform/aws/mds/README.md
+++ b/terraform/aws/mds/README.md
@@ -104,6 +104,7 @@ secret_key = "my-secret-key"
mds_version = "R81.20-BYOL"
mds_admin_shell = "/etc/cli.sh"
mds_password_hash = ""
+ mds_maintenance_mode_password_hash = ""
// --- Multi-Domain Server Settings ---
mds_hostname = "mds-tf"
@@ -157,6 +158,7 @@ secret_key = "my-secret-key"
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
| mds_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
+| mds_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
## Outputs
@@ -177,6 +179,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/mds/locals.tf b/terraform/aws/mds/locals.tf
index ec9ee903..7dd690a2 100755
--- a/terraform/aws/mds/locals.tf
+++ b/terraform/aws/mds/locals.tf
@@ -54,6 +54,7 @@ locals {
regex_valid_mds_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.mds_password_hash is invalid
regex_mds_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_password_hash) == var.mds_password_hash ? 0 : "Variable [mds_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_maintenance_mode_password_hash) == var.mds_maintenance_mode_password_hash ? 0 : "Variable [mds_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"
// Will fail if var.mds_SICKey is invalid
@@ -64,4 +65,5 @@ locals {
mds_bootstrap_script64 = base64encode(var.mds_bootstrap_script)
mds_SICkey_base64 = base64encode(var.mds_SICKey)
mds_password_hash_base64 =base64encode(var.mds_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.mds_maintenance_mode_password_hash)
}
\ No newline at end of file
diff --git a/terraform/aws/mds/main.tf b/terraform/aws/mds/main.tf
index 5e3d2cfb..f95bb865 100755
--- a/terraform/aws/mds/main.tf
+++ b/terraform/aws/mds/main.tf
@@ -145,6 +145,7 @@ resource "aws_instance" "mds-instance" {
// script's arguments
Hostname = var.mds_hostname,
PasswordHash = local.mds_password_hash_base64
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
AllowUploadDownload = var.allow_upload_download,
NTPPrimary = var.primary_ntp
NTPSecondary = var.secondary_ntp
diff --git a/terraform/aws/mds/mds_userdata.yaml b/terraform/aws/mds/mds_userdata.yaml
index 072d29eb..3321cd60 100755
--- a/terraform/aws/mds/mds_userdata.yaml
+++ b/terraform/aws/mds/mds_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/mds/terraform.tfvars b/terraform/aws/mds/terraform.tfvars
index cc4688ce..1104460d 100755
--- a/terraform/aws/mds/terraform.tfvars
+++ b/terraform/aws/mds/terraform.tfvars
@@ -26,6 +26,7 @@ sts_roles = []
mds_version = "R81.20-BYOL"
mds_admin_shell = "/etc/cli.sh"
mds_password_hash = ""
+mds_maintenance_mode_password_hash = ""
// --- Multi-Domain Server Settings ---
mds_hostname = "mds-tf"
diff --git a/terraform/aws/mds/variables.tf b/terraform/aws/mds/variables.tf
index 334f968b..74c57829 100755
--- a/terraform/aws/mds/variables.tf
+++ b/terraform/aws/mds/variables.tf
@@ -116,6 +116,11 @@ variable "mds_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "mds_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Multi-Domain Server Settings ---
variable "mds_hostname" {
diff --git a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml
index 5bdc62b5..05538232 100755
--- a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml
+++ b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/modules/common/gateway_instance/locals.tf b/terraform/aws/modules/common/gateway_instance/locals.tf
index 8381a058..a0d9034d 100755
--- a/terraform/aws/modules/common/gateway_instance/locals.tf
+++ b/terraform/aws/modules/common/gateway_instance/locals.tf
@@ -21,6 +21,12 @@ locals {
// Will fail if var.gateway_hostname is invalid
regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [lambda_scheduled_interval] must be a valid hostname label or an empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
volume_encryption_condition = var.volume_encryption != "" ? true : false
//Splits the version and licence and returns the os version
@@ -29,4 +35,5 @@ locals {
gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ gateway_maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
}
\ No newline at end of file
diff --git a/terraform/aws/modules/common/gateway_instance/main.tf b/terraform/aws/modules/common/gateway_instance/main.tf
index 561814af..0cb9c40a 100755
--- a/terraform/aws/modules/common/gateway_instance/main.tf
+++ b/terraform/aws/modules/common/gateway_instance/main.tf
@@ -34,6 +34,7 @@ resource "aws_instance" "gateway_instance" {
user_data = templatefile("${path.module}/gateway_userdata.yaml", {
// script's arguments
PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.gateway_maintenance_mode_password_hash_base64,
Shell = var.admin_shell,
SICKey = local.gateway_SICkey_base64,
TokenKey = var.gateway_TokenKey,
diff --git a/terraform/aws/modules/common/gateway_instance/variables.tf b/terraform/aws/modules/common/gateway_instance/variables.tf
index 21af2fcd..505dfdd0 100755
--- a/terraform/aws/modules/common/gateway_instance/variables.tf
+++ b/terraform/aws/modules/common/gateway_instance/variables.tf
@@ -82,6 +82,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "admin_shell" {
type = string
description = "Set the admin shell to enable advanced command line configuration"
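Review bot: The new `gateway_maintenance_mode_password_hash` variable carries a password hash but is not declared `sensitive = true`, so the value, and the locals and `user_data` derived from it, are printed in plan/apply output; a grub PBKDF2 hash is still material an offline attacker can work on, so it deserves the same handling as a secret. The same block is also the right place for a `validation` stanza: the locals-based check in this module's locals.tf (`regex_gateway_maintenance_mode_password_hash`) relies on `regex()` raising, so its `"Variable [...] must be a valid password hash"` string is never shown to the user, because the anchored pattern either matches the whole value or throws. The variable block is complete within the hunk. The sibling declarations added in qs-autoscale-master/variables.tf, qs-autoscale/variables.tf, standalone-master/variables.tf and standalone/variables.tf have the same shape and would take the same change. Marking the variable sensitive only redacts Terraform's output; the hash still lands in instance user-data exactly as the admin hash already does.
```hcl
variable "gateway_maintenance_mode_password_hash" {
  description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
  type        = string
  default     = ""
  sensitive   = true
  validation {
    condition     = can(regex("^[\\$\\./a-zA-Z0-9]*$", var.gateway_maintenance_mode_password_hash))
    error_message = "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash."
  }
}
```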
diff --git a/terraform/aws/qs-autoscale-master/README.md b/terraform/aws/qs-autoscale-master/README.md
index af7257e2..db6c44a6 100755
--- a/terraform/aws/qs-autoscale-master/README.md
+++ b/terraform/aws/qs-autoscale-master/README.md
@@ -122,6 +122,7 @@ secret_key = "my-secret-key"
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_cloudwatch = false
@@ -130,6 +131,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateways_blades = true
admin_cidr = "0.0.0.0/0"
@@ -204,6 +206,9 @@ secret_key = "my-secret-key"
| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes |
| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no |
| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+
## Outputs
@@ -238,6 +243,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20221226 | Support ASG Launch Template instead of Launch Configuration |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
| 20231127 | Add support for parameter admin shell |
diff --git a/terraform/aws/qs-autoscale-master/locals.tf b/terraform/aws/qs-autoscale-master/locals.tf
index e020fd88..e23f58a2 100755
--- a/terraform/aws/qs-autoscale-master/locals.tf
+++ b/terraform/aws/qs-autoscale-master/locals.tf
@@ -38,6 +38,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
// Will fail if var.gateway_SIC_Key is invalid
diff --git a/terraform/aws/qs-autoscale-master/main.tf b/terraform/aws/qs-autoscale-master/main.tf
index 1ac3f1e5..1d4b7e56 100755
--- a/terraform/aws/qs-autoscale-master/main.tf
+++ b/terraform/aws/qs-autoscale-master/main.tf
@@ -40,12 +40,14 @@ module "launch_qs_autoscale" {
gateways_max_group_size = var.gateways_max_group_size
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
enable_cloudwatch = var.enable_cloudwatch
management_deploy = var.management_deploy
management_instance_type = var.management_instance_type
management_version = var.management_version
management_password_hash = var.gateway_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
gateways_policy = var.gateways_policy
gateways_blades = var.gateways_blades
admin_cidr = var.admin_cidr
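Review bot: The new `management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash` line sits directly under `management_password_hash = var.gateway_password_hash`, which wires the gateway admin hash into the management server even though this root module declares its own `management_password_hash` variable in variables.tf; that looks like a pre-existing copy-paste slip the commit leaves in place. If the two servers are meant to have distinct credentials, as the new maintenance-mode line assumes, the context line should read `management_password_hash = var.management_password_hash`. The module block continues outside the hunk.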
diff --git a/terraform/aws/qs-autoscale-master/terraform.tfvars b/terraform/aws/qs-autoscale-master/terraform.tfvars
index 1d2fea19..e43c2d68 100755
--- a/terraform/aws/qs-autoscale-master/terraform.tfvars
+++ b/terraform/aws/qs-autoscale-master/terraform.tfvars
@@ -35,6 +35,7 @@ gateways_min_group_size = 2
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_cloudwatch = true
@@ -43,6 +44,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateways_blades = true
admin_cidr = "0.0.0.0/0"
diff --git a/terraform/aws/qs-autoscale-master/variables.tf b/terraform/aws/qs-autoscale-master/variables.tf
index 4757bafc..efe4b16f 100755
--- a/terraform/aws/qs-autoscale-master/variables.tf
+++ b/terraform/aws/qs-autoscale-master/variables.tf
@@ -140,6 +140,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
@@ -183,6 +188,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateways_policy" {
type = string
description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
diff --git a/terraform/aws/qs-autoscale/README.md b/terraform/aws/qs-autoscale/README.md
index 1d633d19..f28045e3 100755
--- a/terraform/aws/qs-autoscale/README.md
+++ b/terraform/aws/qs-autoscale/README.md
@@ -109,6 +109,7 @@ secret_key = "my-secret-key"
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_cloudwatch = true
@@ -117,6 +118,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateways_blades = true
admin_cidr = "0.0.0.0/0"
@@ -189,6 +191,8 @@ secret_key = "my-secret-key"
| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes |
| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no |
| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -220,6 +224,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20221226 | Support ASG Launch Template instead of Launch Configuration |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
| 20231022 | Fixed template to populate x-chkp-tags correctly |
diff --git a/terraform/aws/qs-autoscale/locals.tf b/terraform/aws/qs-autoscale/locals.tf
index 291ad271..58086ff1 100755
--- a/terraform/aws/qs-autoscale/locals.tf
+++ b/terraform/aws/qs-autoscale/locals.tf
@@ -39,6 +39,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
// Will fail if var.gateway_SIC_Key is invalid
@@ -47,6 +48,7 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
// Will fail if var.admin_cidr is invalid
diff --git a/terraform/aws/qs-autoscale/main.tf b/terraform/aws/qs-autoscale/main.tf
index 4dedce81..785e1faf 100755
--- a/terraform/aws/qs-autoscale/main.tf
+++ b/terraform/aws/qs-autoscale/main.tf
@@ -62,6 +62,7 @@ module "autoscale" {
gateway_version = var.gateway_version
admin_shell = var.admin_shell
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
allow_upload_download = var.allow_upload_download
enable_cloudwatch = var.enable_cloudwatch
@@ -91,6 +92,7 @@ module "management" {
management_version = var.management_version
admin_shell = var.admin_shell
management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
allow_upload_download = var.allow_upload_download
admin_cidr = var.admin_cidr
gateway_addresses = var.gateways_addresses
diff --git a/terraform/aws/qs-autoscale/terraform.tfvars b/terraform/aws/qs-autoscale/terraform.tfvars
index e37313dd..91bf2436 100755
--- a/terraform/aws/qs-autoscale/terraform.tfvars
+++ b/terraform/aws/qs-autoscale/terraform.tfvars
@@ -25,6 +25,7 @@ gateways_min_group_size = 2
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_cloudwatch = true
@@ -33,6 +34,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateways_blades = true
admin_cidr = "0.0.0.0/0"
diff --git a/terraform/aws/qs-autoscale/variables.tf b/terraform/aws/qs-autoscale/variables.tf
index a30b9f7b..3c37c42c 100755
--- a/terraform/aws/qs-autoscale/variables.tf
+++ b/terraform/aws/qs-autoscale/variables.tf
@@ -127,6 +127,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
@@ -170,6 +175,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateways_policy" {
type = string
description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
diff --git a/terraform/aws/standalone-master/README.md b/terraform/aws/standalone-master/README.md
index 452fe366..4c5a25fe 100755
--- a/terraform/aws/standalone-master/README.md
+++ b/terraform/aws/standalone-master/README.md
@@ -109,6 +109,7 @@ secret_key = "my-secret-key"
standalone_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
standalone_password_hash = ""
+ standalone_maintenance_mode_password_hash = ""
// --- Advanced Settings ---
resources_tag_name = "tag-name"
@@ -162,6 +163,7 @@ secret_key = "my-secret-key"
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no |
| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no |
+| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -188,7 +190,8 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
-| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230914 | Add support for maintenance mode password |
+| 20231012 | Update AWS Terraform Provider version to 5.20.1 |
| 20231113 | Add support for BYOL license type for Standalone |
## License
diff --git a/terraform/aws/standalone-master/locals.tf b/terraform/aws/standalone-master/locals.tf
index e4c5ca14..e2e6ab47 100755
--- a/terraform/aws/standalone-master/locals.tf
+++ b/terraform/aws/standalone-master/locals.tf
@@ -31,4 +31,5 @@ locals {
regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.standalone_password_hash is invalid
regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash"
}
\ No newline at end of file
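Review bot: The new local `regex_maintenance_mode_password_hash` drops the `standalone_` prefix that every other local in this block carries (`regex_valid_standalone_password_hash`, `regex_standalone_password_hash`), so it reads as if it belonged to another component; `regex_standalone_maintenance_mode_password_hash = ...` would keep the naming parallel with the variable it validates. The same prefix is missing from `regex_maintenance_mode_password_hash` and `maintenance_mode_password_hash_base64` in the standalone/locals.tf hunk, while the gateway_instance and tgw-asg hunks do keep their component prefix. The locals block starts outside the hunk.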
diff --git a/terraform/aws/standalone-master/main.tf b/terraform/aws/standalone-master/main.tf
index a49c8e3b..e6b8d999 100755
--- a/terraform/aws/standalone-master/main.tf
+++ b/terraform/aws/standalone-master/main.tf
@@ -50,6 +50,7 @@ module "launch_standalone_into_vpc" {
standalone_version = var.standalone_version
admin_shell = var.admin_shell
standalone_password_hash = var.standalone_password_hash
+ standalone_maintenance_mode_password_hash = var.standalone_maintenance_mode_password_hash
standalone_hostname = var.standalone_hostname
allow_upload_download = var.allow_upload_download
enable_cloudwatch = var.enable_cloudwatch
diff --git a/terraform/aws/standalone-master/terraform.tfvars b/terraform/aws/standalone-master/terraform.tfvars
index 9ec0508a..3ebcf2e5 100755
--- a/terraform/aws/standalone-master/terraform.tfvars
+++ b/terraform/aws/standalone-master/terraform.tfvars
@@ -28,6 +28,7 @@ instance_tags = {
standalone_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
// --- Advanced Settings ---
resources_tag_name = "tag-name"
diff --git a/terraform/aws/standalone-master/variables.tf b/terraform/aws/standalone-master/variables.tf
index 6705eb60..8610c874 100755
--- a/terraform/aws/standalone-master/variables.tf
+++ b/terraform/aws/standalone-master/variables.tf
@@ -115,6 +115,11 @@ variable "standalone_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "standalone_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Advanced Settings ---
variable "resources_tag_name" {
diff --git a/terraform/aws/standalone/README.md b/terraform/aws/standalone/README.md
index 4fd9eb8b..6ac70d94 100755
--- a/terraform/aws/standalone/README.md
+++ b/terraform/aws/standalone/README.md
@@ -84,7 +84,7 @@ secret_key = "my-secret-key"
standalone_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
standalone_password_hash = ""
-
+ standalone_maintenance_mode_password_hash = ""
// --- Advanced Settings ---
resources_tag_name = "tag-name"
standalone_hostname = "standalone-tf"
@@ -140,6 +140,7 @@ secret_key = "my-secret-key"
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no |
| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no |
+| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -163,6 +164,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
| 20231113 | Add support for BYOL license type for Standalone |
diff --git a/terraform/aws/standalone/locals.tf b/terraform/aws/standalone/locals.tf
index a3da2197..6e438e83 100755
--- a/terraform/aws/standalone/locals.tf
+++ b/terraform/aws/standalone/locals.tf
@@ -30,9 +30,12 @@ locals {
regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.standalone_password_hash is invalid
regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash"
+
//Splits the version and licence and returns the os version
version_split = element(split("-", var.standalone_version), 0)
standalone_bootstrap_script64 = base64encode(var.standalone_bootstrap_script)
standalone_password_hash_base64 = base64encode(var.standalone_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.standalone_maintenance_mode_password_hash)
}
\ No newline at end of file
diff --git a/terraform/aws/standalone/main.tf b/terraform/aws/standalone/main.tf
index 81073d8b..2ffdfa05 100755
--- a/terraform/aws/standalone/main.tf
+++ b/terraform/aws/standalone/main.tf
@@ -113,6 +113,7 @@ resource "aws_instance" "standalone-instance" {
// script's arguments
Hostname = var.standalone_hostname,
PasswordHash = local.standalone_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
AllowUploadDownload = var.allow_upload_download,
EnableCloudWatch = var.enable_cloudwatch,
NTPPrimary = var.primary_ntp,
diff --git a/terraform/aws/standalone/standalone_userdata.yaml b/terraform/aws/standalone/standalone_userdata.yaml
index d111c806..1bdf7eca 100755
--- a/terraform/aws/standalone/standalone_userdata.yaml
+++ b/terraform/aws/standalone/standalone_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230923\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
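Review bot: The new argument key `MaintenanceModePassword=` breaks the camelCase convention of every other key on this line (`passwordHash`, `bootstrapScript64`, `allocatePublicAddress`) and names a password where the value is the base64-encoded hash produced by `maintenance_mode_password_hash_base64` in standalone/locals.tf. If /etc/cloud_config.py keys on this exact spelling, a rename needs a matching change there, which is not visible in the diff; otherwise `maintenanceModePasswordHash=\"${MaintenanceModePassword}\"` would match its neighbours and say what the value is. The gateway_userdata.yaml hunk earlier in the diff adds the same key and would need the same treatment.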
diff --git a/terraform/aws/standalone/terraform.tfvars b/terraform/aws/standalone/terraform.tfvars
index b89f8dc1..78def85e 100755
--- a/terraform/aws/standalone/terraform.tfvars
+++ b/terraform/aws/standalone/terraform.tfvars
@@ -24,6 +24,7 @@ instance_tags = {
standalone_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
// --- Advanced Settings ---
resources_tag_name = "tag-name"
diff --git a/terraform/aws/standalone/variables.tf b/terraform/aws/standalone/variables.tf
index 29097671..de1c9349 100755
--- a/terraform/aws/standalone/variables.tf
+++ b/terraform/aws/standalone/variables.tf
@@ -113,6 +113,11 @@ variable "standalone_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "standalone_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
// --- Advanced Settings ---
variable "resources_tag_name" {
diff --git a/terraform/aws/tgw-asg/README.md b/terraform/aws/tgw-asg/README.md
index c2adadf4..d99a5781 100755
--- a/terraform/aws/tgw-asg/README.md
+++ b/terraform/aws/tgw-asg/README.md
@@ -101,6 +101,7 @@ secret_key = "my-secret-key"
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_cloudwatch = true
asn = "6500"
@@ -110,6 +111,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
management_permissions = "Create with read-write permissions"
management_predefined_role = ""
gateways_blades = true
@@ -174,6 +176,8 @@ secret_key = "my-secret-key"
| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no |
| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no |
| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -198,6 +202,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/tgw-asg/locals.tf b/terraform/aws/tgw-asg/locals.tf
index ae8c8683..7ecd5cf4 100755
--- a/terraform/aws/tgw-asg/locals.tf
+++ b/terraform/aws/tgw-asg/locals.tf
@@ -31,10 +31,14 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.management_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
regex_valid_asn = "^[0-9]+$"
// Will fail if var.asn is invalid
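Review bot: The added `regex_management_maintenance_mode_password_hash` and `regex_gateway_maintenance_mode_password_hash` locals only enforce anything if something references them — Terraform evaluates locals lazily, so an unreferenced local never fails — and this hunk does not show the reference that the existing `regex_*_password_hash` locals presumably get elsewhere; confirm the new ones are wired in the same place. The `// Will fail if var.management_password_hash is invalid` comment above each pair now covers two checks; `// Will fail if var.management_password_hash or var.management_maintenance_mode_password_hash is invalid` keeps it accurate. A `validation` block inside the variable declaration would make the check self-contained and report a readable error instead of a type mismatch. The same applies to the locals.tf hunks for tgw-cross-az-cluster-master, tgw-cross-az-cluster, tgw-gwlb-master and tgw-gwlb.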
diff --git a/terraform/aws/tgw-asg/main.tf b/terraform/aws/tgw-asg/main.tf
index b4341e80..f9c77f26 100755
--- a/terraform/aws/tgw-asg/main.tf
+++ b/terraform/aws/tgw-asg/main.tf
@@ -21,6 +21,7 @@ module "autoscale" {
maximum_group_size = var.gateways_max_group_size
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
allow_upload_download = var.allow_upload_download
enable_cloudwatch = var.enable_cloudwatch
@@ -52,6 +53,7 @@ module "management" {
predefined_role = var.management_predefined_role
management_version = var.management_version
management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
allow_upload_download = var.allow_upload_download
admin_cidr = var.admin_cidr
gateway_addresses = var.gateways_addresses
diff --git a/terraform/aws/tgw-asg/terraform.tfvars b/terraform/aws/tgw-asg/terraform.tfvars
index 3d6675a4..7c512fab 100755
--- a/terraform/aws/tgw-asg/terraform.tfvars
+++ b/terraform/aws/tgw-asg/terraform.tfvars
@@ -18,6 +18,7 @@ gateways_min_group_size = 2
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
enable_cloudwatch = true
asn = "65000"
@@ -27,6 +28,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = "12345678"
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
management_permissions = "Create with read-write permissions"
management_predefined_role = ""
gateways_blades = true
diff --git a/terraform/aws/tgw-asg/variables.tf b/terraform/aws/tgw-asg/variables.tf
index 8d7ffc01..9f2885cb 100755
--- a/terraform/aws/tgw-asg/variables.tf
+++ b/terraform/aws/tgw-asg/variables.tf
@@ -97,6 +97,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
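Review bot: `gateway_maintenance_mode_password_hash` holds a password hash but is not declared `sensitive = true`, so the value and anything derived from it (rendered user data, module arguments) appear in clear in plan and apply output and in error messages; adding `sensitive = true` next to `type = string` (available since Terraform 0.14) keeps it out of logs, and the same applies to `management_maintenance_mode_password_hash` below and to the matching declarations in the tgw-cross-az-cluster-master, tgw-cross-az-cluster, tgw-gwlb-master and tgw-gwlb variables.tf hunks. The descriptions also diverge across modules: here it explains how to generate the hash with grub2-mkpasswd-pbkdf2, while the other four modules' variables.tf say only "relevant only for R81.20 and higher versions" although their READMEs carry this longer text; one description everywhere avoids the drift. Minor style point: the sibling `gateway_password_hash` writes "(Optional)" with a capital O.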
@@ -145,6 +150,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
variable "management_permissions" {
type = string
description = "IAM role to attach to the instance profile"
diff --git a/terraform/aws/tgw-cross-az-cluster-master/README.md b/terraform/aws/tgw-cross-az-cluster-master/README.md
index ecf0c96f..94402e3f 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/README.md
+++ b/terraform/aws/tgw-cross-az-cluster-master/README.md
@@ -98,7 +98,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
-
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
memberBToken = ""
@@ -170,6 +170,7 @@ secret_key = "my-secret-key"
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -196,6 +197,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230829 | Change default Check Point version to R81.20 |
| 20230806 | Add support for c6in instance type |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/tgw-cross-az-cluster-master/locals.tf b/terraform/aws/tgw-cross-az-cluster-master/locals.tf
index d251bfde..387fb7c1 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/locals.tf
+++ b/terraform/aws/tgw-cross-az-cluster-master/locals.tf
@@ -40,6 +40,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
// Will fail if var.primary_ntp is invalid
diff --git a/terraform/aws/tgw-cross-az-cluster-master/main.tf b/terraform/aws/tgw-cross-az-cluster-master/main.tf
index e2aa6599..16f2fe11 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/main.tf
+++ b/terraform/aws/tgw-cross-az-cluster-master/main.tf
@@ -58,6 +58,7 @@ module "tgw_cluster_into_vpc" {
admin_shell = var.admin_shell
gateway_SICKey = var.gateway_SICKey
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
memberAToken = var.memberAToken
memberBToken = var.memberBToken
resources_tag_name = var.resources_tag_name
diff --git a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars
index b78fc9b8..352b9dac 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars
+++ b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars
@@ -32,7 +32,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
-
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
memberBToken = ""
diff --git a/terraform/aws/tgw-cross-az-cluster-master/variables.tf b/terraform/aws/tgw-cross-az-cluster-master/variables.tf
index eb2dfe33..725be048 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/variables.tf
+++ b/terraform/aws/tgw-cross-az-cluster-master/variables.tf
@@ -142,7 +142,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
-
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "memberAToken" {
type = string
diff --git a/terraform/aws/tgw-cross-az-cluster/README.md b/terraform/aws/tgw-cross-az-cluster/README.md
index 7acf8f95..9cd581c2 100755
--- a/terraform/aws/tgw-cross-az-cluster/README.md
+++ b/terraform/aws/tgw-cross-az-cluster/README.md
@@ -92,6 +92,7 @@ secret_key = "my-secret-key"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
@@ -165,6 +166,8 @@ secret_key = "my-secret-key"
| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -191,6 +194,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/tgw-cross-az-cluster/locals.tf b/terraform/aws/tgw-cross-az-cluster/locals.tf
index b03f7323..9a9929b7 100755
--- a/terraform/aws/tgw-cross-az-cluster/locals.tf
+++ b/terraform/aws/tgw-cross-az-cluster/locals.tf
@@ -38,6 +38,7 @@ locals {
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
// Will fail if var.primary_ntp is invalid
diff --git a/terraform/aws/tgw-cross-az-cluster/main.tf b/terraform/aws/tgw-cross-az-cluster/main.tf
index e721e3a1..3db48741 100755
--- a/terraform/aws/tgw-cross-az-cluster/main.tf
+++ b/terraform/aws/tgw-cross-az-cluster/main.tf
@@ -28,6 +28,7 @@ module "cluster_into_vpc" {
admin_shell = var.admin_shell
gateway_SICKey = var.gateway_SICKey
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
memberAToken = var.memberAToken
memberBToken = var.memberBToken
resources_tag_name = var.resources_tag_name
diff --git a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
index 17d0b767..46b50e68 100755
--- a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
+++ b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
@@ -26,6 +26,7 @@ gateway_version = "R81.20-BYOL"
admin_shell = "/etc/cli.sh"
gateway_SICKey = "12345678"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
// --- Quick connect to Smart-1 Cloud (Recommended) ---
memberAToken = ""
diff --git a/terraform/aws/tgw-cross-az-cluster/variables.tf b/terraform/aws/tgw-cross-az-cluster/variables.tf
index 16d916da..65c9f3e6 100755
--- a/terraform/aws/tgw-cross-az-cluster/variables.tf
+++ b/terraform/aws/tgw-cross-az-cluster/variables.tf
@@ -143,7 +143,11 @@ variable "gateway_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
-
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
// --- Quick connect to Smart-1 Cloud (Recommended) ---
variable "memberAToken" {
type = string
diff --git a/terraform/aws/tgw-gwlb-master/README.md b/terraform/aws/tgw-gwlb-master/README.md
index 8d4f98f3..47c907c4 100755
--- a/terraform/aws/tgw-gwlb-master/README.md
+++ b/terraform/aws/tgw-gwlb-master/README.md
@@ -136,6 +136,7 @@ secret_key = "my-secret-key"
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -147,6 +148,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = ""
@@ -237,6 +239,8 @@ a
| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -264,6 +268,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
| 20230910 | Add bootstrap script execution option for deployed gateways |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/tgw-gwlb-master/locals.tf b/terraform/aws/tgw-gwlb-master/locals.tf
index 5c045d4d..d75eeaa5 100755
--- a/terraform/aws/tgw-gwlb-master/locals.tf
+++ b/terraform/aws/tgw-gwlb-master/locals.tf
@@ -26,10 +26,11 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.management_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
-
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
diff --git a/terraform/aws/tgw-gwlb-master/main.tf b/terraform/aws/tgw-gwlb-master/main.tf
index dd913ed7..4233d206 100755
--- a/terraform/aws/tgw-gwlb-master/main.tf
+++ b/terraform/aws/tgw-gwlb-master/main.tf
@@ -62,6 +62,7 @@ module "tgw-gwlb"{
maximum_group_size = var.maximum_group_size
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
gateways_provision_address_type = var.gateways_provision_address_type
allocate_public_IP = var.allocate_public_IP
@@ -73,6 +74,7 @@ module "tgw-gwlb"{
management_instance_type = var.management_instance_type
management_version = var.management_version
management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
gateways_policy = var.gateways_policy
gateway_management = var.gateway_management
admin_cidr = var.admin_cidr
diff --git a/terraform/aws/tgw-gwlb-master/terraform.tfvars b/terraform/aws/tgw-gwlb-master/terraform.tfvars
index 069c0e1b..8dd4681a 100755
--- a/terraform/aws/tgw-gwlb-master/terraform.tfvars
+++ b/terraform/aws/tgw-gwlb-master/terraform.tfvars
@@ -52,6 +52,7 @@ minimum_group_size = 2
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -63,6 +64,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = "0.0.0.0/0"
diff --git a/terraform/aws/tgw-gwlb-master/variables.tf b/terraform/aws/tgw-gwlb-master/variables.tf
index 6a439084..788de570 100755
--- a/terraform/aws/tgw-gwlb-master/variables.tf
+++ b/terraform/aws/tgw-gwlb-master/variables.tf
@@ -221,6 +221,11 @@ variable "gateway_password_hash" {
type = string
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
@@ -290,6 +295,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateways_policy" {
type = string
description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
diff --git a/terraform/aws/tgw-gwlb/README.md b/terraform/aws/tgw-gwlb/README.md
index b727d6ce..67f95566 100755
--- a/terraform/aws/tgw-gwlb/README.md
+++ b/terraform/aws/tgw-gwlb/README.md
@@ -131,6 +131,7 @@ secret_key = "my-secret-key"
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -142,6 +143,7 @@ secret_key = "my-secret-key"
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = ""
@@ -237,6 +239,8 @@ secret_key = "my-secret-key"
| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
## Outputs
@@ -264,6 +268,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| 20230806 | Add support for c6in instance type |
| 20230829 | Change default Check Point version to R81.20 |
| 20230910 | Add bootstrap script execution option for deployed gateways |
+| 20230914 | Add support for maintenance mode password |
| 20230923 | Add support for C5d instance type |
| 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/tgw-gwlb/locals.tf b/terraform/aws/tgw-gwlb/locals.tf
index 6ae61560..0693df6d 100755
--- a/terraform/aws/tgw-gwlb/locals.tf
+++ b/terraform/aws/tgw-gwlb/locals.tf
@@ -23,10 +23,12 @@ locals {
regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.management_password_hash is invalid
regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
// Will fail if var.gateway_password_hash is invalid
regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
diff --git a/terraform/aws/tgw-gwlb/main.tf b/terraform/aws/tgw-gwlb/main.tf
index 1dd90b74..94390b20 100755
--- a/terraform/aws/tgw-gwlb/main.tf
+++ b/terraform/aws/tgw-gwlb/main.tf
@@ -255,6 +255,7 @@ module "gwlb" {
maximum_group_size = var.maximum_group_size
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
gateways_provision_address_type = var.gateways_provision_address_type
allocate_public_IP = var.allocate_public_IP
@@ -266,6 +267,7 @@ module "gwlb" {
management_instance_type = var.management_instance_type
management_version = var.management_version
management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
gateways_policy = var.gateways_policy
gateway_management = var.gateway_management
admin_cidr = var.admin_cidr
diff --git a/terraform/aws/tgw-gwlb/terraform.tfvars b/terraform/aws/tgw-gwlb/terraform.tfvars
index a3432a8e..2cc64a14 100755
--- a/terraform/aws/tgw-gwlb/terraform.tfvars
+++ b/terraform/aws/tgw-gwlb/terraform.tfvars
@@ -45,6 +45,7 @@ minimum_group_size = 2
maximum_group_size = 10
gateway_version = "R81.20-BYOL"
gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
gateway_SICKey = "12345678"
gateways_provision_address_type = "private"
allocate_public_IP = false
@@ -56,6 +57,7 @@ management_deploy = true
management_instance_type = "m5.xlarge"
management_version = "R81.20-BYOL"
management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
gateways_policy = "Standard"
gateway_management = "Locally managed"
admin_cidr = "0.0.0.0/0"
diff --git a/terraform/aws/tgw-gwlb/variables.tf b/terraform/aws/tgw-gwlb/variables.tf
index 0620066e..6fda77eb 100755
--- a/terraform/aws/tgw-gwlb/variables.tf
+++ b/terraform/aws/tgw-gwlb/variables.tf
@@ -229,6 +229,11 @@ variable "gateway_password_hash" {
type = string
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateway_SICKey" {
type = string
description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
@@ -297,6 +302,11 @@ variable "management_password_hash" {
description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
default = ""
}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
variable "gateways_policy" {
type = string
description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"