156-836 Check Point Certified Maestro Expert (CCME) R81.X Questions and Answers

The proportion of traffic distribution done by Orchestrator depends on the traffic distribution mode that is configured for the Security Group. There are three modes: Round Robin, Load Sharing, andActive/Standby1.

•Round Robin mode distributes the traffic equally among all the appliances in the Security Group, regardless of the number of downlinks they have. This mode is suitable for scenarios where all the appliances have similar performance and capacity. In this mode, the proportion of traffic distribution would be 50%/50% for two appliances with one and two downlinks respectively.

•Load Sharing mode distributes the traffic proportionally to the number of downlinks each appliance has. This mode is suitable for scenarios where the appliances have different performance and capacity. In this mode, the proportion of traffic distribution would be 33%/66% for two appliances with one and two downlinks respectively.

•Active/Standby mode distributes the traffic to only one appliance at a time, while the other appliances are in standby mode. This mode is suitable for scenarios where high availability is required. In this mode, the proportion of traffic distribution would be 100%/0% or 0%/100% for two appliances with one and two downlinks respectively, depending on which appliance is active.

Since the question does not specify the traffic distribution mode, the default mode is Round Robin2. Therefore, the proportion of traffic distribution would be 50%/50% for two appliances with one and two downlinks respectively.

The Pre-Upgrade Verifier is a tool that checks the compatibility and readiness of the Maestro environment for the upgrade process. It verifies the current version, the target version, the hardware requirements, the configuration settings, and the license validity of the Maestro Orchestrators and the Security Groups. It also identifies any potential issues or risks that might affect the upgrade and provides recommendations on how to resolve them. The Pre-Upgrade Verifier should be run before importing the R81.10 software package and before performing the actual upgrade.

References =

•Check Point R81.10 for Scalable Platforms - Check Point Software

•CHECK POINT MAESTRO EXPERT

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features

Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk147853

In scalable security environments, initial IKE (Internet Key Exchange) handling by a central orchestrator before distributing traffic for encryption is a common approach to maintain efficiency and security.

The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.

References:

•Maestro Frequently Asked Questions (FAQ), under “What is a Single Management Object (SMO)?”

•Check Point Jump Start Course: Maestro, under “Maestro Security Groups”

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

This is the correct answer because it describes the hotfix installation process using gClish on a Maestro Security Group. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. When a hotfix is applied using gClish, the SG members are divided into two logical groups: “A” and “B”. The members of group “A” install the hotfix and reboot first, while the members of group “B” wait for their turn. After all the members of group “A” are back online, the members of group “B” install the hotfix and reboot.This way, the SG maintains high availability and does not cause an outage.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

•Layer 4 Distribution - Yes or No? - Check Point CheckMates

•Support, Support Requests, Training … - Check Point Software

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.

References =

•Solved: Maestro dual site failover - Check Point CheckMates

•Maestro Dual Site configuration with a direct connection through L2 switches

The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.

References:

•Maestro Expert (CCME) Course - Check Point Software, page 71

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

References

•Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes

•Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations

•Check Point SNMP MIB files, Section: Revision History

Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features