
2024 Latest CheckPoint 156-836 Real Exam Dumps PDF
156-836 Exam Dumps, 156-836 Practice Test Questions
The CCME certification exam covers a wide range of topics, including the deployment and configuration of Check Point Maestro, the use of advanced networking and security features, and the troubleshooting of common issues that arise during the management of complex network infrastructures. The 156-836 exam is designed to test the candidate's ability to use Check Point Maestro to manage large-scale networks and to ensure that they can effectively troubleshoot any problems that may arise.
NEW QUESTION # 33
There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1, 2 and 3 accordingly. Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?
- A. Port 1 in Slot 1 and Port 2 in Slot 1
- B. This configuration is not supported
- C. Any pair of available ports
- D. Port 1 in Slot 2 and Port 2 in Slot 1
Answer: A
Explanation:
This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8
*Check Point 23800 Appliance Datasheet - Check Point Software, page 2
NEW QUESTION # 34
What command should be used for collecting diagnostic information about the orchestrator?
- A. cpview
- B. cpinfo
- C. orch_info
- D. asg perf -v
Answer: B
Explanation:
The cpinfo command is a tool that collects diagnostic information about the orchestrator, such as hardware, software, network, configuration, and logs. The cpinfo command generates a file that can be sent to Check Point Support for analysis and troubleshooting. The cpinfo command can be run on the orchestrator's CLI or WebUI.
References
*Check Point Maestro R81.X Administration Guide, page 68, section "cpinfo" 1
*Check Point Maestro R81.X Getting Started Guide, page 30, section "cpinfo" 2
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software 3
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
3: https://www.checkpoint.com/downloads/products/maestro-hyperscale-orchestrator-datasheet.pdf
NEW QUESTION # 35
What is the Correction Layer?
- A. Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute
- B. Correction Layer is a daemon which corrects errors on Backplane interfaces
- C. Correction Layer is a mechanism which is activated in case of asymmetric routing
- D. Correction Layer is a mechanism which handles asymmetric connections in a multi-appliance system. For example, in case of NAT
Answer: D
Explanation:
The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
*NAT and the Correction Layer on a Security Gateway - Check Point Software
*Solved: Maestro queries - Check Point CheckMates
NEW QUESTION # 36
Layer 4 distribution is enabled by default in Maestro. Which is not a scenario when you would want to leave this enabled?
- A. When dynamic routing protocols, such as BGP or OSPF are used.
- B. When there is a heavy imbalance of traffic between the SGMs that are members of the same SG.
- C. When the SG is NATing a very high percentage of traffic passing through it.
- D. When there is a large number of source ports in use by protocols such as HTTP, HTTPS, and DNS.
Answer: A
Explanation:
This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8
*Layer 4 Distribution - Yes or No? - Check Point CheckMates
*Support, Support Requests, Training ... - Check Point Software
NEW QUESTION # 37
The _______ command will allow users to update the specified file on all SGMs.
- A. g_update_conf_file
- B. g_cat
- C. sed
- D. g_all
Answer: A
Explanation:
The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10
*Maestro Commands for Security Groups - Check Point CheckMates
NEW QUESTION # 38
In what mode do MHOs process traffic?
- A. MHOs process traffic in load sharing mode
- B. MHOs process traffic in Active-Active mode
- C. MHOs process traffic in Active-Standby mode
- D. MHOs process traffic in VSLS mode
Answer: B
Explanation:
MHOs process traffic in Active-Active mode, which means that both MHOs are active and share the load of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.
References
*Maestro Expert (CCME) Course - Check Point Software, page 25
*CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2
NEW QUESTION # 39
What is a downlink interface used for?
- A. To connect appliances to Orchestrators
- B. To connect appliances to customer's infrastructure
- C. To connect Orchestrators to customer's infrastructure
- D. To connect in between Orchestrators
Answer: B
NEW QUESTION # 40
What cannot be learned from the output of lldpctl?
- A. Appliance model
- B. Serial number of Appliance
- C. Orchestrator's IP
- D. Distribution mode
Answer: D
Explanation:
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator's IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
*Log and Configuration Files - Check Point Software
NEW QUESTION # 41
In a Maestro Dual Site environment, what is the definition of the term Active Site?
- A. The Active Site is the site currently handling the enforcement on traffic passing for a specific SG. Connections are synced within the SGMs in the Active Site.
- B. There is no such thing as an active site. In a Dual Site environment, traffic is load balanced.
- C. The Active Site is the site where the SMO Master exists.
- D. The Active Site is the site that is not handling any traffic for the specific SG, but its connections are synced to its SGMs from the MHOs to be ready in the event of a failover.
Answer: A
Explanation:
In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.
References
*Solved: Maestro dual site failover - Check Point CheckMates
*Maestro Dual Site configuration with a direct connection through L2 switches
NEW QUESTION # 42
Possibilities for a failure in a single SGM of a Security Group include:
- A. There are too many active SGMs in the SG.
- B. An administrator imported a hotfix into the CPUSE repository of a single SGM.
- C. SecureXL is not enabled on the SGM.
- D. A change was made with clish instead of gClish, causing the SGM to handle traffic differently than the other SGMs.
Answer: B
Explanation:
One of the possible causes of a failure in a single SGM of a Security Group is that an administrator imported a hotfix into the CPUSE repository of a single SGM, instead of using the orchestrator to distribute the hotfix to all the SGMs in the Security Group. This can create a mismatch in the software versions and configurations of the SGMs, and lead to unexpected behavior and errors.
References
*Maestro Expert (CCME) Course - Check Point Software, page 251
*sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands
*sk180418: Security Gateway Member (SGM) is stuck after it is added to a Security Group with image auto cloning enabled on the Single Management Object (SMO)
NEW QUESTION # 43
What is the purpose of g_tcpdump command?
- A. Collects traffic dump from all Active Appliances within Security Group
- B. Collects traffic dump from Sync network
- C. Collects traffic dump from CIN network
- D. The same as tcpdump, just on Scalable Platform
Answer: A
Explanation:
"g_tcpdump" probably collects traffic dumps from all active appliances within a security group, aligning with the naming convention and function of similar commands in scalable platforms.
References
*Maestro Expert (CCME) Course - Check Point Software, page 331
*What is 'IN' and 'OUT' of g_tcpdump? - Check Point CheckMates
*CHECK POINT MAESTRO EXPERT, page 23
NEW QUESTION # 44
How does HyperSync work in a Dual Site environment?
- A. Each active connection has a local backup (on the local site) and a second backup connection on each of the MHOs.
- B. Each active connection has a backup connection on the second site (remote site.)
- C. Each active connection has two local backups (on the local site) and a third backup connection on the second site (remote site.)
- D. Each active connection has a local backup (on the local site) and a second backup connection on the second site (remote site.)
Answer: D
NEW QUESTION # 45
When a VPN tunnel is formed with a Maestro SGM,
- A. SGM 1 analyzes the policy and topology. If encryption is required, it calculates the tunnel owner's IP address. SGM 1 sends a clear packet to the tunnel owner. SGM 2 is now the connection and tunnel owner.
- B. The MHO handles the IKE before distributing the traffic to a SGM to handle all encrypted traffic. This helps to prevent any issues with the correction layer.
- C. The receiving SGM makes an encryption decision. The SGM then syncs the traffic to two backup SGMs: one for clear traffic and one for encrypted traffic.
- D. The MHO distributes copies of the packets to two different SGMs because SGM 1 will handle the clear traffic IKE exchange packets, while SGM2 handles encrypted packets.
Answer: B
Explanation:
In scalable security environments, initial IKE (Internet Key Exchange) handling by a central orchestrator before distributing traffic for encryption is a common approach to maintain efficiency and security.
NEW QUESTION # 46
What is the default Distribution mode?
- A. User
- B. Auto-topology
- C. Network
- D. Manual-General
Answer: B
Explanation:
Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist, slide 16
NEW QUESTION # 47
Logs without a dedicated log file can be found in
- A. $RTDIR/log/junk.log
- B. /var/log/messages
- C. /var/log/junk.log.dbg
- D. $FWDIR/log/fw.log
Answer: B
Explanation:
The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clish commands that are not saved in the /var/log/command_logger.log file.
References
*Maestro Audit Logs - Where are they? - Check Point CheckMates
*sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands
*Maestro Expert (CCME) Course - Check Point Software, page 33
NEW QUESTION # 48
The drop_monitor command is useful for
- A. Viewing all drops by Check Point code or the Gaia OS, such as RX-DRP, RX-ERR, and Gaia OS drops.
- B. Viewing all interface drops such as RX-ERR, RX-DRP, and RX-OVR
- C. Showing the system temperature in real-time for multiple components, such as CPU, fan, and SSDs.
- D. Monitoring Check Point code drops
Answer: A
Explanation:
The drop_monitor command is a tool that monitors and displays the packets that are dropped by the Check Point code or the Gaia OS on the orchestrator and the appliances. It can help troubleshoot network issues and optimize performance. The command shows the drop reason, source, destination, protocol, and port of the dropped packets, as well as the interface and the module that dropped them.
References
*R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates
*Support, Support Requests, Training ... - Check Point Software
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge
NEW QUESTION # 49
Splitter cannot be used _______
- A. To connect single port on Appliance to multiple ports on the orchestrator
- B. To connect single port on orchestrator to the same Appliance
- C. To connect single port on orchestrator to multiple ports on external switch
- D. To connect single port on orchestrator to multiple Appliances
Answer: B
NEW QUESTION # 50
What is one benefit of a Dual MHO environment?
- A. Dual MHOs allow better synchronization to occur between SGMs.
- B. Dual MHOs provide redundancy to the Maestro environment by increasing throughput by at least 50 percent.
- C. Dual MHOs allow additional SGMs to be added to the SG.
- D. Dual MHOs can be used to achieve increased scalability and redundancy.
Answer: D
Explanation:
One of the benefits of a Dual MHO environment is that it can provide both scalability and redundancy to the Maestro system. Scalability means that the system can handle more traffic and SGMs as the demand grows, and redundancy means that the system can survive the failure of one or more components without losing functionality or performance. Dual MHOs can achieve these benefits by distributing the load and the management tasks among two orchestrators, and by providing backup and failover mechanisms for each other.
References
*Maestro Expert (CCME) Course - Check Point Software, page 251
*CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 22
*Check Point Certified Maestro Expert (CCME) R81.X, page 23
NEW QUESTION # 51
Which distribution mode assigns packets to an SGM based solely on the packet destination IP?
- A. Auto-topology mode
- B. User mode
- C. Network mode
- D. Manual mode
Answer: C
Explanation:
Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
NEW QUESTION # 52
How does HyperSync work in a Dual Site environment?
- A. Each active connection has a local backup (on the local site) and a second backup connection on each of the MHOs.
- B. Each active connection has a backup connection on the second site (remote site.)
- C. Each active connection has two local backups (on the local site) and a third backup connection on the second site (remote site.)
- D. Each active connection has a local backup (on the local site) and a second backup connection on the second site (remote site.)
Answer: D
Explanation:
HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of a failover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.
References
*Maestro Dual Site configuration with a direct connection through L2 switches
*Maestro Frequently Asked Questions (FAQ)
*CHECK POINT MAESTRO EXPERT
NEW QUESTION # 53
What cannot be learned from the output of asg monitor command?
- A. Security Policy status
- B. Uptime
- C. Port status
- D. Appliances cluster status
Answer: A
Explanation:
The asg monitor command is a tool to display the status and statistics of the Maestro Security Group Members and the Orchestrators. It shows information such as uptime, port status, CPU usage, memory usage, traffic distribution, and appliances cluster status. However, it does not show the security policy status, such as the policy name, installation time, or revision. To view the security policy status, other commands such as asg policy or fw stat can be used.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.1: asg monitor, page 4-3
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg monitor, page 4-3
*asg monitor - Check Point Software
NEW QUESTION # 54
What is the purpose of RJ-45 connectors located at the front panel of the Orchestrator MHO-170?
- A. Out-of-band interface for access to Orchestrator itself and Serial Console connector
- B. Two Out-of-band interfaces for access to Orchestrator itself
- C. 1Gbps connectivity for Security Groups
- D. Reserved for internal purposes. Not in use
Answer: A
Explanation:
The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.
References
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2
*Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4