Checkpoint 156-836 Check Point Certified Maestro Expert (CCME) R81.X Exam Practice Test

The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10

•Maestro Commands for Security Groups - Check Point CheckMates

A Dual Site setup can have either two or four orchestrators, depending on the scenario. However, the maximum number of orchestrators per Security Group is four, regardless of the number of sites. This is because each Security Group can have up to two orchestrators on each site, and each site can have up to two orchestrators. Therefore, the maximum number of orchestrators in a Dual Site setup is four per Security Group.

References =

•Maestro Frequently Asked Questions (FAQ)

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

One of the possible causes of a failure in a single SGM of a Security Group is that an administrator imported a hotfix into the CPUSE repository of a single SGM, instead of using the orchestrator to distribute the hotfix to all the SGMs in the Security Group. This can create a mismatch in the software versions and configurations of the SGMs, and lead to unexpected behavior and errors.

References

•Maestro Expert (CCME) Course - Check Point Software, page 251

•sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2

•sk180418: Security Gateway Member (SGM) is stuck after it is added to a Security Group with image auto cloning enabled on the Single Management Object (SMO)

This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13

•Policy installation flow - Check Point Software

HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of a failover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Maestro Frequently Asked Questions (FAQ)

•CHECK POINT MAESTRO EXPERT

Multi-Version Clustering (MVC) is a feature that allows different versions of Security Gateways to operate in the same cluster and provide seamless failover and load balancing. MVC is supported for Maestro environments as of R81, which means that it is possible to upgrade the Security Groups in a Maestro environment as a Multi-Version Cluster with zero downtime. This requires that the Maestro Orchestrators are upgraded to R81.20 first, and then the Security Groups can be upgraded one by one to R81.20 while maintaining full connectivity and synchronization.

References =

•Check Point R81.20 for Scalable Platforms - Check Point Software

•Maestro Dual Site configuration with a direct connection through L2 switches

•CHECK POINT MAESTRO EXPERT

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8

•Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

•Activation of a Quantum Maestro Orchestrator - Check Point Software

A Security Group (SG) requires at least one management port and one uplink port to function properly. The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink port is used to connect the SG to the customer’s network infrastructure, such as switches, routers, or firewalls. The uplink port is also used to send and receive traffic from the customer’s network to the SG.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 41

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline

The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members. It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric1

The Correction Layer works as follows:

•When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.

•If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.

•If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.

•The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all clustermembers to inform them about the owner of each connection2

The asg diag command is used for system diagnostics on both Maestro and Chassis systems. The asg diag command can perform various tests and checks on the system components, such as hardware, software, network, clock, ARP, and more. The asg diag command can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.

References =

•Check Point Maestro R81.X Administration Guide, page 66, section “asg diag” 1

•Check Point Maestro R81.X Getting Started Guide, page 28, section “asg diag” 2

•Check Point Maestro Under the Hood presentation by Lari Luoma, slide 25

1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm : https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20Maestro%20under%20the%20hood%202022.pptx

The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.

References

•Check Point 156-835 Certification Flashcards | Quizlet1

•Maestro Expert (CCME) Course - Check Point Software, page 182

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

The asg monitor command is a tool to display the status and statistics of the Maestro Security Group Members and the Orchestrators. It shows information such as uptime, port status, CPU usage, memory usage, traffic distribution, and appliances cluster status. However, it does not show the security policy status, such as the policy name, installation time, or revision. To view the security policy status, other commands such as asg policy or fw stat can be used.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.1: asg monitor, page 4-3

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg monitor, page 4-3

•asg monitor - Check Point Software

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16

According to the Maestro Hyperscale Orchestrator Datasheet1, the Orchestrator MHO-140 supports the following transceiver types: SFP, SFP+, SFP28. These transceivers can be used for the management, uplink, and downlink ports of the Orchestrator. The SFP transceivers support 1 GbE, the SFP+ transceivers support 10 GbE, and the SFP28 transceivers support 25 GbE.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 42

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline3

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2

Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk147853

HealthCheck Point (HCP) is a tool that can perform various tests and checks on the system components of the Security Group Modules (SGMs), such as hardware, software, network, clock,ARP, and more. It can also display the performance statistics of the SGMs, such as throughput, packet rate, CPU utilization, memory usage, and more. Additionally, HCP can provide a graphical representation of the Firewall topology for the Security Group, showing the connections and statuses of the SGMs and the Orchestrators. Furthermore, HCP can generate a report of the critical and informative events that occurred on the system, such as configuration changes, errors, warnings, and alerts. HCP can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.

References =

•HealthCheck Point (HCP) Release Updates - Check Point Software 1

•Professional Services Healthcheck - Check Point Software 2

•HealthCheck Point - Check Point CheckMates 3

The Pre-Upgrade Verifier is a tool that checks the compatibility and readiness of the Maestro environment for the upgrade process. It verifies the current version, the target version, the hardware requirements, the configuration settings, and the license validity of the Maestro Orchestrators and the Security Groups. It also identifies any potential issues or risks that might affect the upgrade and provides recommendations on how to resolve them. The Pre-Upgrade Verifier should be run before importing the R81.10 software package and before performing the actual upgrade.

References =

•Check Point R81.10 for Scalable Platforms - Check Point Software

•CHECK POINT MAESTRO EXPERT

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

References:

•NAT and the Correction Layer on a VSX Gateway - Check Point Software1

•Solved: Maestro queries - Check Point CheckMates