156-836 Exam Dumps - Check Point Certified Maestro Expert - R81 (CCME)

Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8

•Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

•Activation of a Quantum Maestro Orchestrator - Check Point Software

The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.

References:

•Maestro Frequently Asked Questions (FAQ), under “What is a Single Management Object (SMO)?”

•Check Point Jump Start Course: Maestro, under “Maestro Security Groups”

Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk147853

A Dual Site setup can have either two or four orchestrators, depending on the scenario. However, the maximum number of orchestrators per Security Group is four, regardless of the number of sites. This is because each Security Group can have up to two orchestrators on each site, and each site can have up to two orchestrators. Therefore, the maximum number of orchestrators in a Dual Site setup is four per Security Group.

References =

•Maestro Frequently Asked Questions (FAQ)

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

Page 313 from the training manual:

- Restart the service:

orchd restart

- Restart the service without confirmation

service orchd restart

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

References:

•NAT and the Correction Layer on a VSX Gateway - Check Point Software1

•Solved: Maestro queries - Check Point CheckMates

Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features

The sx_api_ports_dump.py command should be run on the Orchestrator, which is the device that manages the communication and the configuration of the Security Groups and the SGMs. The command shows the port mapping and the traffic distribution for each Security Group, as well as the backplane bonds and the Orchestrator ports. The command does not work on the Management server, the Security Group, or the SMO Appliance, as they do not have the same role and functionality as the Orchestrator.

References

•R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

•Maestro Expert (CCME) Course - Check Point Software, page 31

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 3

The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

References:

•NAT and the Correction Layer on a Security Gateway - Check Point Software1

•Solved: Maestro queries - Check Point CheckMates

•The Quantum Maestro Orchestrator uses the Distribution Mode to assign incoming traffic to Security Group Members.

•Reference: Working with the Distribution Mode

The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.

References:

•Maestro Frequently Asked Questions (FAQ), under “What is a Single Management Object (SMO)?”

•Check Point Jump Start Course: Maestro, under “Maestro Security Groups”

The Pre-Upgrade Verifier is a tool that checks the compatibility and readiness of the Maestro environment for the upgrade process. It verifies the current version, the target version, the hardware requirements, the configuration settings, and the license validity of the Maestro Orchestrators and the Security Groups. It also identifies any potential issues or risks that might affect the upgrade and provides recommendations on how to resolve them. The Pre-Upgrade Verifier should be run before importing the R81.10 software package and before performing the actual upgrade.

References =

•Check Point R81.10 for Scalable Platforms - Check Point Software

•CHECK POINT MAESTRO EXPERT

Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive management and control traffic from the customer’s network to the MHOs.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 41

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline

A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of multiple Security Group Members that share the traffic load and provide high availability and scalability. Each Security Group Member is an active firewall that processes traffic according to the Security Group policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer that distributes the traffic among the Security Group Members based on their capacity and availability.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.1: Introduction to Security Groups, page 2-4

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Overview, page 2-3

The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.

References

•Check Point 156-835 Certification Flashcards | Quizlet1

•Maestro Expert (CCME) Course - Check Point Software, page 182

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

In scalable security environments, initial IKE (Internet Key Exchange) handling by a central orchestrator before distributing traffic for encryption is a common approach to maintain efficiency and security.

The "asg monitor" command generally would show real-time cluster status of appliances in a security group, focusing on health and operational status.