156-836 Check Point Certified Maestro Expert (CCME) R81.X Questions and Answers

The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clish commands that are not saved in the /var/log/command_logger.log file.

References

•Maestro Audit Logs - Where are they? - Check Point CheckMates1

•sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2

•Maestro Expert (CCME) Course - Check Point Software, page 33

This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13

•Policy installation flow - Check Point Software

According to the Check Point MAESTRO R80.20SP Administration Manual1, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.

References

•Check Point MAESTRO R80.20SP Administration Manual, page 291

The correct way to connect MHO1 and MHO2 to the SGM line cards in a dual MHO environment is to use the even-numbered ports for MHO1 and the odd-numbered ports for MHO2. This is to ensure that each SGM has two downlinks to each MHO, and that the downlinks are balanced across the different NICs and links. This provides redundancy and high availability for the traffic flow between the SGMs and the MHOs.

References

•R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

•Maestro Expert (CCME) Course - Check Point Software, page 18

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 16

The Maestro Hyperscale Orchestrator MHO-140 supports a variety of transceivers to provide high-speed and high-density connectivity. Specifically, it supports SFP, SFP+, QSFP, and QSFP28 transceivers, which cater to different port speeds and connectivity requirements in the Maestro environment.

Exact Extract:

“The Orchestrator MHO-140 supports SFP, SFP+, QSFP, and QSFP28 transceivers on its ports. SFP stands for Small Form-factor Pluggable, SFP+ supports up to 10 Gbps, QSFP (Quad Small Form-factor Pluggable) supports up to 40 Gbps, and QSFP28 supports up to 100 Gbps per port.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing and Hardware, page 1-8

—Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

—Check Point Quantum Maestro Orchestrator Datasheet, page 3

Explanation of Options:

A. SFP, QSFP, QSFP28: Incorrect, as it omits SFP+, which is supported by the MHO-140.

B. SFP+, SFP28, QSFP: Incorrect, as SFP28 is not explicitly listed as supported on the MHO-140, and SFP is missing.

C. SFP, SFP+, SFP28: Incorrect, as SFP28 is not supported, and QSFP and QSFP28 are omitted.

D. SFP, SFP+, QSFP, QSFP28: Correct, as this option includes all transceivers supported by the MHO-140, as per the official documentation.

The correction rate is the percentage of connections that require correction by the correction layer, which is a mechanism that ensures that the traffic is processed by the correct SGM in the Security Group. The correction rate depends on the distribution mode (Layer 3 or Layer 4) and the traffic pattern. In some scenarios, such as when the traffic is asymmetric or when the distribution mode is Layer 4, the correction rate can approach 100 percent of all connections. This is not a problem, as the correction layer is designed to handle such situations without affecting the performance or availability of the Security Group1.

References = Maestro Expert (CCME) Course - Check Point Software, page 16.

MHOs process traffic in Active-Active mode, which means that both MHOs are active and share theload of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.

References

•Maestro Expert (CCME) Course - Check Point Software, page 25

•CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

This is not one of the ways to configure a Security Group in a Dual Site environment, because load balancers are not required or supported for the inter-site communication between the Maestro Orchestrators (MHOs). The MHOs use the Site-Sync port and VLANs to synchronize the resources and connections across the sites. The three valid scenarios for Dual Site configuration are:

•Direct connectivity between remote site Orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

•Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

•Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that support QinQ and MTU increment.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•[Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)]

•[Maestro Frequently Asked Questions (FAQ)]

A downlink interface is a physical or virtual interface that connects a security gateway to an orchestrator. It allows the security gateway to send and receive configuration updates, policy changes, and other data from the orchestrator.

References = [Check Point R81.10 for Scalable Platforms - Check Point Software], [Scalable Platforms (Maestro and Chassis) comparison between versions - Check Point Software], [Check Point R81.10 AI & ML Driven Threat Prevention and Security Management - Check Point Blog].

The maximum number of appliances within the same security group is 31. This is because a security group can have up to 31 Security Group Modules (SGMs) of the same or different models, and each SGM is an appliance that runs the Check Point software. A security group can span across multiple chassis, and each chassis can have up to 16 SGMs. However, the total number of SGMs in a security group cannot exceed 31.

The Scalable Platform software allows you to easily add or remove security gateways from a security group without affecting the existing configuration. You can also use the command line interface or the web UI to reconfigure the security group on demand.

References = Check Point R81.10 for Scalable Platforms - Check Point Software, Scalable Platforms (Maestro and Chassis) comparison between versions - Check Point Software, [Check Point R81.10 AI & ML Driven Threat Prevention and Security Management - Check Point Blog]

The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4

References

•Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes

•Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations

•Check Point SNMP MIB files, Section: Revision History

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

In a Check Point Maestro environment, a splitter is used to divide a single high-speed port (e.g., QSFP or QSFP28) into multiple lower-speed ports (e.g., SFP or SFP+). However, a splitter cannot be used to connect a single port on an Orchestrator to the same Appliance, as this would not align with the purpose of a splitter, which is to expand connectivity to multiple devices or ports, not to loop back to a single device.

Exact Extract:

“A splitter is used to divide a single high-speed port on the Orchestrator (e.g., QSFP or QSFP28) into multiple lower-speed ports (e.g., SFP or SFP+). Splitters are typically used to connect a single Orchestrator port to multiple ports on an external switch or to multiple Appliances. However, a splitter cannot be used to connect a single Orchestrator port to the same Appliance, as this does not align with the splitter’s purpose of expanding connectivity.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.2: Connectivity Options, page 3-10

—Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Connectivity, page 3-10

Explanation of Options:

A. To connect a single port on an Orchestrator to the same Appliance: Correct, as a splitter is not designed for this purpose and cannot be used to connect an Orchestrator port to a single Appliance.

B. To connect a single port on an Orchestrator to multiple ports on an external switch: Incorrect, as this is a valid use case for a splitter.

C. To connect a single port on an Appliance to multiple ports on the Orchestrator: Incorrect, as splitters can be used in configurations where an Appliance connects to multipleOrchestrator ports.

D. To connect a single port on an Orchestrator to multiple Appliances: Incorrect, as this is another valid use case for a splitter.

The Orchestratoris a device that connects multiple security gateways into a unified system, called a security group. It manages the configuration, policy, software, and routing of the security group, and distributes the network traffic among the security gateways using a load-balancing algorithm. It also acts as a network switch for the internal and external networks.

References = Maestro Hyperscale Orchestrator Datasheet - Check Point Software, Check Point Maestro Hyperscale Network Security, 7 Reasons to Use Check Point Maestro and … - Check Point Software

References =

•[Maestro Frequently Asked Questions (FAQ)]

•Maestro Dual Site configuration with a direct connection through L2 switches

•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

•CHECK POINT MAESTRO EXPERT

The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.

HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of afailover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Maestro Frequently Asked Questions (FAQ)

•CHECK POINT MAESTRO EXPERT

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system.This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.