Checkpoint 156-836 Dumps

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16

MHOs process traffic in Active-Active mode, which means that both MHOs are active and share the load of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.

References

•Maestro Expert (CCME) Course - Check Point Software, page 25

•CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13

•Policy installation flow - Check Point Software

The asg diag command is used for system diagnostics on both Maestro and Chassis systems. The asg diag command can perform various tests and checks on the system components, such as hardware, software, network, clock, ARP, and more. The asg diag command can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.

References =

•Check Point Maestro R81.X Administration Guide, page 66, section “asg diag” 1

•Check Point Maestro R81.X Getting Started Guide, page 28, section “asg diag” 2

•Check Point Maestro Under the Hood presentation by Lari Luoma, slide 25

1: 2: :

•The Quantum Maestro Orchestrator uses the Distribution Mode to assign incoming traffic to Security Group Members.

•Reference: Working with the Distribution Mode

In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.

References =

•Solved: Maestro dual site failover - Check Point CheckMates

•Maestro Dual Site configuration with a direct connection through L2 switches

In scalable security environments, initial IKE (Internet Key Exchange) handling by a central orchestrator before distributing traffic for encryption is a common approach to maintain efficiency and security.

A Security Group (SG) requires at least one management port and one uplink port to function properly. The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink port is used to connect the SG to the customer’s network infrastructure, such as switches, routers, or firewalls. The uplink port is also used to send and receive traffic from the customer’s network to the SG.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 41

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline

The Orchestrator MHO-170 supports QSFP and QSFP28 transceivers on its 32x 100 GbE ports. QSFP stands for Quad Small Form-factor Pluggable and QSFP28 is an enhanced version of QSFP that supports up to 28 Gbps per lane. These transceivers can provide high-speed and high-density connectivity for the Maestro environment.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Maestro Transceiver & DAC Inventory - Check Point CheckMates

Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features

Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8

•Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

•Activation of a Quantum Maestro Orchestrator - Check Point Software

The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.

References

•Check Point 156-835 Certification Flashcards | Quizlet1

•Maestro Expert (CCME) Course - Check Point Software, page 182

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

References

•Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes

•Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations

•Check Point SNMP MIB files, Section: Revision History

HealthCheck Point (HCP) is a tool that can perform various tests and checks on the system components of the Security Group Modules (SGMs), such as hardware, software, network, clock,ARP, and more. It can also display the performance statistics of the SGMs, such as throughput, packet rate, CPU utilization, memory usage, and more. Additionally, HCP can provide a graphical representation of the Firewall topology for the Security Group, showing the connections and statuses of the SGMs and the Orchestrators. Furthermore, HCP can generate a report of the critical and informative events that occurred on the system, such as configuration changes, errors, warnings, and alerts. HCP can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.

References =

•HealthCheck Point (HCP) Release Updates - Check Point Software 1

•Professional Services Healthcheck - Check Point Software 2

•HealthCheck Point - Check Point CheckMates 3

A Dual Site environment can include either two or four orchestrators, depending on the scenario. There are three primary scenarios for Dual Site configuration:

•Direct connectivity between remote site orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

•Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

•Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that supports QinQ and MTU increment.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

•Maestro Frequently Asked Questions (FAQ)

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

References:

•NAT and the Correction Layer on a VSX Gateway - Check Point Software1

•Solved: Maestro queries - Check Point CheckMates

According to the Maestro Hyperscale Orchestrator Datasheet1, the Orchestrator MHO-140 supports the following transceiver types: SFP, SFP+, SFP28. These transceivers can be used for the management, uplink, and downlink ports of the Orchestrator. The SFP transceivers support 1 GbE, the SFP+ transceivers support 10 GbE, and the SFP28 transceivers support 25 GbE.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 42

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline3

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2