Checkpoint 156-836 Check Point Certified Maestro Expert (CCME) R81.X Exam Practice Test

Maestro allows you to define the distribution mode per interface, which determines how traffic is distributed among the Security Group Modules (SGMs) in a Security Group. You can configure the distribution mode for each interface individually, or use the default mode for all interfaces. The distribution mode can be set for both uplink and downlink interfaces.

References =

•Check Point Maestro R81.X Administration Guide, page 62, section “Distribution Mode” 1

•Check Point Maestro R81.X Getting Started Guide, page 25, section “Distribution Mode” 2

1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm

The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clish commands that are not saved in the /var/log/command_logger.log file.

References

•Maestro Audit Logs - Where are they? - Check Point CheckMates1

•sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2

•Maestro Expert (CCME) Course - Check Point Software, page 33

One of the possible reasons for the “Failed to get remote orchestrator interfaces” error message, when clicking on “Orchestrator” in WebUI, is that the remote orchestrator has no empty interfaces that can be assigned to a security group. This can happen if all the interfaces on the remote orchestrator are already part of configured security groups, or if the remote orchestrator has no physical interfaces at all. In this case, the WebUI cannot display the unassigned interfaces of the remote orchestrator, and shows the error message.

References

•Not able to see unassigned interfaces on checkpoint Orchestrator

•Maestro 140 not detecting Interfaces

•Maestro Expert (CCME) Course - Check Point Software, page

The SMO Master is the SGM that is responsible for managing the Security Group and communicating with the MHO. If the SMO Master fails, the Backup SMO Master, which is the SGM with the next lowest SGM ID, will take over the role of the SMO Master and ensure the continuity of the Security Group operations.

References = Maestro Expert (CCME) Course - Check Point Software, page 14; Check Point Accredited Maestro Expert - New exam a… - Check Point CheckMates, page 1.

A Dual Site setup can have either two or four orchestrators, depending on the scenario. However, the maximum number of orchestrators per Security Group is four, regardless of the number of sites. This is because each Security Group can have up to two orchestrators on each site, and each site can have up to two orchestrators. Therefore, the maximum number of orchestrators in a Dual Site setup is four per Security Group.

References =

•Maestro Frequently Asked Questions (FAQ)

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16

References

•Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes

•Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations

•Check Point SNMP MIB files, Section: Revision History

A Dual Site environment can include either two or four orchestrators, depending on the scenario. There are three primary scenarios for Dual Site configuration:

•Direct connectivity between remote site orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

•Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

•Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that supports QinQ and MTU increment.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

•Maestro Frequently Asked Questions (FAQ)

The asg stat -v command is used to verify the status of Security Group Members (SGMs) during an upgrade in a Maestro environment. This command provides detailed status information, including whether SGMs are in the UP state, which is critical before proceeding with upgrades to other SGMs to ensure system stability and continuity.

Exact Extract:

“The command ‘asg stat -v’ can be used during an upgrade to verify that the upgraded Security Group Members (SGMs) have returned to UP status before upgrading other SGMs. This command provides a detailed view of the status of all SGMs in the Security Group, ensuring that the upgraded members are operational.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.4: System Diagnostics, page 4-16

—Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: System Diagnostics, page 4-13

Explanation of Options:

A. asg monitor: Incorrect, as asg monitor is used for real-time monitoring but does not provide detailed status verification for SGMs during upgrades.

B. cpview: Incorrect, as cpview provides performance and system statistics but is not specific to verifying SGM status post-upgrade.

C. asg perf -v: Incorrect, as asg perf -v focuses on performance metrics, not SGM status verification.

D. asg stat -v: Correct, as this command is explicitly used to check the UP status of SGMs during upgrades, as per the documentation.

References =

•Check Point Maestro R81.X Administration Guide, page 64, section “Correction Layer” 1

•Check Point Maestro R81.X Getting Started Guide, page 26, section “Correction Layer” 2

•Check Point Maestro Under the Hood presentation by Lari Luoma, slide 23

•Check Point Maestro Frequently Asked Questions (FAQ), question 9

1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm : https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20Maestro%20under%20the%20hood%202022.pptx :https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk147853&partition=Basic&product=Maestro

The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.

References

•Check Point 156-835 Certification Flashcards | Quizlet1

•Maestro Expert (CCME) Course - Check Point Software, page 182

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator’s IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security GroupModules, Section: LLDP, page 3-9

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

•Log and Configuration Files - Check Point Software

The asg_perf_hogs command is a script that displays the processes that are consuming excessive system resources, such as CPU, memory, disk, and network, on the orchestrator and the appliances. It can help identify performance issues and bottlenecks in the Maestro environment.

References

•Software Provision and Performance hogs failed - Check Point CheckMates1

•CHECK POINT MAESTRO EXPERT, page 33

The maximum number of appliances within the same security group is 31. This is because a security group can have up to 31 Security Group Modules (SGMs) of the same or different models, and each SGM is an appliance that runs the Check Point software. A security group can span across multiple chassis, and each chassis can have up to 16 SGMs. However, the total number of SGMs in a security group cannot exceed 31.

The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members. It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric1

The Correction Layer works as follows:

•When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.

•If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.

•If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.

•The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all cluster members to inform them about the owner of each connection2

The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of afailover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Maestro Frequently Asked Questions (FAQ)

•CHECK POINT MAESTRO EXPERT

Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features

MHOs process traffic in Active-Active mode, which means that both MHOs are active and share theload of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.

References

•Maestro Expert (CCME) Course - Check Point Software, page 25

•CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

•Layer 4 Distribution - Yes or No? - Check Point CheckMates

•Support, Support Requests, Training … - Check Point Software