Checkpoint 156-836 Check Point Certified Maestro Expert - R81 (CCME) Exam Practice Test

According to the Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175 document1, ports 1 - 4 are Management ports that are used to connect the MHO to the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. Ports 5 - 26 are Uplink ports that are used to connect the MHO to the customer’s network infrastructure, such as switches, routers, or firewalls. Ports 27 - 47 are Downlink ports that are used to connect the MHO to the Security Group Modules (SGMs) in the Security Group. Ports 49 - 55 are Backplane ports that are used to connect the MHO to another MHO in a Dual Orchestrator environment.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 42

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline3

•Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-1751

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

One of the possible causes of a failure in a single SGM of a Security Group is that an administrator imported a hotfix into the CPUSE repository of a single SGM, instead of using the orchestrator to distribute the hotfix to all the SGMs in the Security Group. This can create a mismatch in the software versions and configurations of the SGMs, and lead to unexpected behavior and errors.

References

•Maestro Expert (CCME) Course - Check Point Software, page 251

•sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2

•sk180418: Security Gateway Member (SGM) is stuck after it is added to a Security Group with image auto cloning enabled on the Single Management Object (SMO)

The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

References:

•NAT and the Correction Layer on a Security Gateway - Check Point Software1

•Solved: Maestro queries - Check Point CheckMates

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

References:

•NAT and the Correction Layer on a VSX Gateway - Check Point Software1

•Solved: Maestro queries - Check Point CheckMates

A Security Group (SG) requires at least one management port and one uplink port to function properly. The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink port is used to connect the SG to the customer’s network infrastructure, such as switches, routers, or firewalls. The uplink port is also used to send and receive traffic from the customer’s network to the SG.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 41

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of a failover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Maestro Frequently Asked Questions (FAQ)

•CHECK POINT MAESTRO EXPERT

A Dual Site environment can include either two or four orchestrators, depending on the scenario. There are three primary scenarios for Dual Site configuration:

•Direct connectivity between remote site orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

•Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

•Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that supports QinQ and MTU increment.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

•Maestro Frequently Asked Questions (FAQ)

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive management and control traffic from the customer’s network to the MHOs.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 41

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline

According to the Maestro Hyperscale Orchestrator Datasheet1, the Orchestrator MHO-140 supports the following transceiver types: SFP, SFP+, SFP28. These transceivers can be used for the management, uplink, and downlink ports of the Orchestrator. The SFP transceivers support 1 GbE, the SFP+ transceivers support 10 GbE, and the SFP28 transceivers support 25 GbE.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 42

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline3

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2

The asg monitor command is a tool to display the status and statistics of the Maestro Security Group Members and the Orchestrators. It shows information such as uptime, port status, CPU usage, memory usage, traffic distribution, and appliances cluster status. However, it does not show the security policy status, such as the policy name, installation time, or revision. To view the security policy status, other commands such as asg policy or fw stat can be used.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.1: asg monitor, page 4-3

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg monitor, page 4-3

•asg monitor - Check Point Software

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

Multi-Version Clustering (MVC) is a feature that allows different versions of Security Gateways to operate in the same cluster and provide seamless failover and load balancing. MVC is supported for Maestro environments as of R81, which means that it is possible to upgrade the Security Groups in a Maestro environment as a Multi-Version Cluster with zero downtime. This requires that the Maestro Orchestrators are upgraded to R81.20 first, and then the Security Groups can be upgraded one by one to R81.20 while maintaining full connectivity and synchronization.

References =

•Check Point R81.20 for Scalable Platforms - Check Point Software

•Maestro Dual Site configuration with a direct connection through L2 switches

•CHECK POINT MAESTRO EXPERT

The asg diag command is used for system diagnostics on both Maestro and Chassis systems. The asg diag command can perform various tests and checks on the system components, such as hardware, software, network, clock, ARP, and more. The asg diag command can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.

References =

•Check Point Maestro R81.X Administration Guide, page 66, section “asg diag” 1

•Check Point Maestro R81.X Getting Started Guide, page 28, section “asg diag” 2

•Check Point Maestro Under the Hood presentation by Lari Luoma, slide 25

1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm : https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20Maestro%20under%20the%20hood%202022.pptx

The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.

References

•Check Point 156-835 Certification Flashcards | Quizlet1

•Maestro Expert (CCME) Course - Check Point Software, page 182

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8

•Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

•Activation of a Quantum Maestro Orchestrator - Check Point Software

The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4

The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members. It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric1

The Correction Layer works as follows:

•When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.

•If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.

•If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.

•The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all clustermembers to inform them about the owner of each connection2