Checkpoint 156-836 Dumps

The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members. It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric1

The Correction Layer works as follows:

•When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.

•If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.

•If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.

•The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all cluster members to inform them about the owner of each connection2

One of the benefits of a Dual MHO environment is that it can provide both scalability and redundancy to the Maestro system. Scalability means that the system can handle more traffic and SGMs as the demand grows, and redundancy means that the system can survive the failure of one or more components without losing functionality or performance. Dual MHOs can achieve these benefits by distributing the load and the management tasks among two orchestrators, and by providing backup and failover mechanisms for each other.

References

•Maestro Expert (CCME) Course - Check Point Software, page 251

•CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 22

•Check Point Certified Maestro Expert (CCME) R81.X, page 23

References =

•[Maestro Frequently Asked Questions (FAQ)]

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

•CHECK POINT MAESTRO EXPERT

The Maestro Hyperscale Orchestrator MHO-140 supports a variety of transceivers to provide high-speed and high-density connectivity. Specifically, it supports SFP, SFP+, QSFP, and QSFP28 transceivers, which cater to different port speeds and connectivity requirements in the Maestro environment.

Exact Extract:

“The Orchestrator MHO-140 supports SFP, SFP+, QSFP, and QSFP28 transceivers on its ports. SFP stands for Small Form-factor Pluggable, SFP+ supports up to 10 Gbps, QSFP (Quad Small Form-factor Pluggable) supports up to 40 Gbps, and QSFP28 supports up to 100 Gbps per port.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing and Hardware, page 1-8

—Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

—Check Point Quantum Maestro Orchestrator Datasheet, page 3

Explanation of Options:

A. SFP, QSFP, QSFP28: Incorrect, as it omits SFP+, which is supported by the MHO-140.

B. SFP+, SFP28, QSFP: Incorrect, as SFP28 is not explicitly listed as supported on the MHO-140, and SFP is missing.

C. SFP, SFP+, SFP28: Incorrect, as SFP28 is not supported, and QSFP and QSFP28 are omitted.

D. SFP, SFP+, QSFP, QSFP28: Correct, as this option includes all transceivers supported by the MHO-140, as per the official documentation.

Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

The asg perf -v command is used to find bottlenecks in the system that are affecting performance, even functionality in some cases. The asg perf -v command displays the performance statistics of the Security Group Modules (SGMs) in the Security Group, such as throughput, packet rate, CPU utilization, memory usage, and more. The asg perf -v command also shows the distribution mode and the correction rate of each SGM, which can indicate potential issues with asymmetric routing or load balancing. The asg perf -v command can help identify which SGMs are overloaded, underutilized, or misconfigured, and provide insights for troubleshooting and optimization.

References =

•Check Point Maestro R81.X Administration Guide, page 67, section “asg perf” 1

•Check Point Maestro R81.X Getting Started Guide, page 29, section “asg perf” 2

•Check Point Maestro Under the Hood presentation by Lari Luoma, slide 26

1: 2: :

The SMO Master is the SGM that is responsible for managing the Security Group and communicating with the MHO. If the SMO Master fails, the Backup SMO Master, which is the SGM with the next lowest SGM ID, will take over the role of the SMO Master and ensure the continuity of the Security Group operations.

References = Maestro Expert (CCME) Course - Check Point Software, page 14; Check Point Accredited Maestro Expert - New exam a… - Check Point CheckMates, page 1.

The Management ports located on the Rear Panel of the Orchestrator MHO-140 are out-of-band interfaces that provide access to the Orchestrator itself for configuration and management purposes. They are not used for traffic distribution or connectivity to the Security Groups or the external networks. They are 1Gbps RJ-45 ports that can be connected to a switch or a router.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Quantum Maestro Getting Started Guide - Check Point CheckMates2, page 4

HealthCheck Point (HCP) is a tool that can perform various tests and checks on the system components of the Security Group Modules (SGMs), such as hardware, software, network, clock, ARP, and more. It can also display the performance statistics of the SGMs, such as throughput, packet rate, CPU utilization, memory usage, and more. Additionally, HCP can provide a graphical representation of the Firewall topology for the Security Group, showing the connections and statuses of the SGMs and the Orchestrators. Furthermore, HCP can generate a report of the critical and informative events that occurred on the system, such as configuration changes, errors, warnings, and alerts. HCP can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.

References =

•HealthCheck Point (HCP) Release Updates - Check Point Software 1

•Professional Services Healthcheck - Check Point Software 2

•HealthCheck Point - Check Point CheckMates 3

The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10

•Maestro Commands for Security Groups - Check Point CheckMates

A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of multiple Security Group Members that share the traffic load and provide high availability and scalability. Each Security Group Member is an active firewall that processes traffic according to the Security Group policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer that distributes the traffic among the Security Group Members based on their capacity and availability.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.1: Introduction to Security Groups, page 2-4

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Overview, page 2-3

In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.

References =

•Solved: Maestro dual site failover - Check Point CheckMates

•Maestro Dual Site configuration with a direct connection through L2 switches

Page 313 from the training manual:

- Restart the service:

orchd restart

- Restart the service without confirmation

service orchd restart

This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13

•Policy installation flow - Check Point Software

Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8

•Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

•Activation of a Quantum Maestro Orchestrator - Check Point Software

"Asg stat -v" could be a part of the core diagnostic tools, providing valuable statistics and information for manual diagnostics.

References =

•Maestro Expert (CCME) Course - Check Point Software 3

•Check Point Maestro R81.X Administration Guide 1

•Check Point Maestro R81.X Getting Started Guide 2

3: 1: 2:

The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clish commands that are not saved in the /var/log/command_logger.log file.

References

•Maestro Audit Logs - Where are they? - Check Point CheckMates1

•sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2

•Maestro Expert (CCME) Course - Check Point Software, page 33

One of the possible reasons for the “Failed to get remote orchestrator interfaces” error message, when clicking on “Orchestrator” in WebUI, is that the remote orchestrator has no empty interfaces that can be assigned to a security group. This can happen if all the interfaces on the remote orchestrator are already part of configured security groups, or if the remote orchestrator has no physical interfaces at all. In this case, the WebUI cannot display the unassigned interfaces of the remote orchestrator, and shows the error message.

References

•Not able to see unassigned interfaces on checkpoint Orchestrator

•Maestro 140 not detecting Interfaces

•Maestro Expert (CCME) Course - Check Point Software, page

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

According to the Check Point MAESTRO R80.20SP Administration Manual1, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.

References

•Check Point MAESTRO R80.20SP Administration Manual, page 291

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.2: Security Group Configuration, page 2-10

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Configuration, page 2-9

•Security Group Configuration - Check Point Software

References

•R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

•[Maestro Expert (CCME) Course - Check Point Software], page 31

•[Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge], page 3