• Home
  • Articles
  • [Apr 25, 2024] Pass 156-836 Review Guide, Reliable 156-836 Test Engine [Q23-Q46]

[Apr 25, 2024] Pass 156-836 Review Guide, Reliable 156-836 Test Engine [Q23-Q46]

Share

[Apr 25, 2024] Pass 156-836 Review Guide, Reliable 156-836 Test Engine

156-836 Test Engine Practice Test Questions, Exam Dumps

NEW QUESTION # 23
What command can be run to show which SGM is selected to receive traffic?

  • A. g_tcpdump
  • B. dxl calc
  • C. asg monitor
  • D. asg calc

Answer: D

Explanation:
Explanation
The asg calc command is a tool to show which SGM is selected to receive traffic based on the distribution mode and the packet parameters. It takes the port number, the source IP, the destination IP, and optionally the source port and the destination port as arguments and returns the SGM ID and the hash value. For example, asg calc 1 10.0.0.1 20.0.0.2 1234 80 will show which SGM will receive the traffic from 10.0.0.1:1234 to
20.0.0.2:80 on port 1.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using theCommand Line Interface and WebUI, Lesson 4.1: asg calc, page 4-5
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg calc, page 4-5
*asg calc - Check Point Software


NEW QUESTION # 24
What is the Correction Layer?

  • A. Correction Layer is a mechanism which handles asymmetric connections in multi-appliance system. For example, in case of NAT
  • B. Correction Layer is a daemon which corrects errors on Backplane interfaces
  • C. Correction Layer is a mechanism which activated in case of asymmetric routing
  • D. Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute

Answer: A

Explanation:
Explanation
The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
*NAT and the Correction Layer on a Security Gateway - Check Point Software1
*Solved: Maestro queries - Check Point CheckMates


NEW QUESTION # 25
After you import the R81.10 software package, what do you use to verify that it is possible to upgrade an MHO or SG?

  • A. Run HCP. One of the tests will list upgrade eligibility status for the MHO or SG.
  • B. Nothing. CPUSE will run a verification during the upgrade process to ensure the package is compatible.
  • C. Run the Pre-Upgrade Verifier to make sure it is possible to upgrade
  • D. The package is verified during the import process and a warning or error will be displayed at that time.

Answer: C

Explanation:
Explanation
The Pre-Upgrade Verifier is a tool that checks the compatibility and readiness of the Maestro environment for the upgrade process. It verifies the current version, the target version, the hardware requirements, the configuration settings, and the license validity of the Maestro Orchestrators and the Security Groups. It also identifies any potential issues or risks that might affect the upgrade and provides recommendations on how to resolve them. The Pre-Upgrade Verifier should be run before importing the R81.10 software package and before performing the actual upgrade.
References =
*Check Point R81.10 for Scalable Platforms - Check Point Software
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 26
What is the throughput penalty of Security Group?

  • A. Depends on the type of Appliance
  • B. 1% per member
  • C. 10% per Security Group with no relation to the number of members
  • D. 5% per member

Answer: B

Explanation:
Explanation
Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=


NEW QUESTION # 27
What will happen in case of NAT of the traffic passing through Management network?

  • A. Since Management traffic is always going to SMO, it will take a care for Correction Layer and will re-distribute traffic to other Appliances
  • B. Orchestrator will disable NAT and traffic will pass with no issue
  • C. This traffic will pass with no inspection
  • D. This traffic will not pass correction, since it will be dropped

Answer: B

Explanation:
Explanation
According to the Check Point MAESTRO R80.20SP Administration Manual1, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.
References
*Check Point MAESTRO R80.20SP Administration Manual, page 291


NEW QUESTION # 28
What does asg monitor command do?

  • A. Monitor traffic on Appliances in Security Group
  • B. Monitor health status of entire system
  • C. Show real-time cluster status of Appliances in Security Group
  • D. This command does not exist

Answer: C

Explanation:
Explanation
The "asg monitor" command generally would show real-time cluster status of appliances in a security group, focusing on health and operational status.


NEW QUESTION # 29
What is the purpose of g_tcpdump command?

  • A. Collects traffic dump from Sync network
  • B. Collects traffic dump from all Active Appliances within Security Group
  • C. The same as tcpdump, just on Scalable Platform
  • D. Collects traffic dump from CIN network

Answer: B

Explanation:
Explanation
_tcpdump" probably collects traffic dumps from all active appliances within a security group, aligning with the naming convention and function of similar commands in scalable platforms.
References
*Maestro Expert (CCME) Course - Check Point Software, page 331
*What is 'IN' and 'OUT' of g_tcpdump? - Check Point CheckMates2
*CHECK POINT MAESTRO EXPERT, page 23


NEW QUESTION # 30
Logs without a dedicated log file can be found in

  • A. /var/log/junk.log.dbg
  • B. /var/log/messages
  • C. $FWDIR/log/fw.log
  • D. $RTDIR/log/junk.log

Answer: B

Explanation:
Explanation
The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clishcommands that are not saved in the
/var/log/command_logger.log file.
References
*Maestro Audit Logs - Where are they? - Check Point CheckMates1
*sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2
*Maestro Expert (CCME) Course - Check Point Software, page 33


NEW QUESTION # 31
Do all MHOs need to be upgraded before starting the SGM upgrades?

  • A. MHOs do not need to be upgraded at all because Maestro supports the use of different versions between the MHOs and SGMs.
  • B. During the upgrade process all SGMs should be upgraded before upgrading all of the MHOs.
  • C. All MHOs must first be upgraded before starting the SGM upgrades However, there is no requirement to upgrade all the SGMs during the same maintenance window as the MHOs.
  • D. A minimum of one of the MHOs should be upgraded before starting the SGM upgrades. However, there is no requirement to upgrade all the SGMs during the same maintenance window as the MHO

Answer: C

Explanation:
Explanation
This is the correct answer because it follows the upgrade order and procedure specified in the R81.10 and R81.20 Administration Guides for Maestro environments. The MHOs are responsible for managing and synchronizing the SGMs, so they must be upgraded to the target version before the SGMs. However, the SGMs can be upgraded one by one or in batches, as long as they are compatible with the MHOs. The upgrade process also supports Multi-Version Clustering, which allows different versions of SGMs to operate in the same Security Group with zero downtime.
References =
*Check Point R81.10 for Scalable Platforms - Check Point Software
*Check Point R81.20 for Scalable Platforms - Check Point Software
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 32
When working with Maestro, what is the difference between using Clish and gClish?

  • A. Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG members, by default.
  • B. Clish commands are run on the SG members. gClish commands are run on the MHO and applied to all connected SG members in a specified group.
  • C. Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members, by default.
  • D. Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members, by default.

Answer: C

Explanation:
Explanation
This is the correct answer because it describes the difference between using Clish and gClish when working with Maestro. Clish is the Check Point command line shell that allows users to configure and manage the SG members individually. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. UP SG members are theones that are in the UP state and have the same policy installed as the SMO Master.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 33
What kinds of transceivers are supported on Orchestrator MHO-170?

  • A. SFP, SFP+, SFP28
  • B. QSFP, QSFP28
  • C. SFP+, SFP28, QSFP
  • D. SFP, QSFP, QSFP28

Answer: B

Explanation:
Explanation
The Orchestrator MHO-170 supports QSFP and QSFP28 transceivers on its 32x 100 GbE ports. QSFP stands for Quad Small Form-factor Pluggable and QSFP28 is an enhanced version of QSFP that supports up to 28 Gbps per lane. These transceivers can provide high-speed and high-density connectivity for the Maestro environment.
References
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2
*Maestro Transceiver & DAC Inventory - Check Point CheckMates


NEW QUESTION # 34
Splitter cannot be used _______

  • A. To connect single port on orchestrator to the same Appliance
  • B. To connect single port on orchestrator to multiple port on external switch
  • C. To connect single port on Appliance to multiple ports on the orchestrator
  • D. To connect single port on orchestrator to multiple Appliances

Answer: A


NEW QUESTION # 35
What is the maximum number of Appliances within Security group in Dual-Site configuration?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: C


NEW QUESTION # 36
What type of license is required for an MHO?

  • A. The MHO does not require a license.
  • B. The MHO requires a VSX license.
  • C. A license is needed for each attached SGM.
  • D. The MHO requires a NGTP license.

Answer: A

Explanation:
Explanation
The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 71
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline


NEW QUESTION # 37
In what mode do MHOs process traffic?

  • A. MHOs process traffic in VSLS mode
  • B. MHOs process traffic in Active-Active mode
  • C. MHOs process traffic in load sharing mode
  • D. MHOs process traffic in Active-Standby mode

Answer: B

Explanation:
Explanation
MHOs process traffic in Active-Active mode, which means that both MHOs are active and share the load of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup.
Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.
References
*Maestro Expert (CCME) Course - Check Point Software, page 25
*CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2


NEW QUESTION # 38
What is the Correction Layer mechanism?

  • A. The load-balancing mechanism used by the MHO.
  • B. Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs.
  • C. Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in the SG.
  • D. The MHO's distribution algorithm which determines the handling SGM for a given connection.

Answer: B

Explanation:
Explanation
The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
*NAT and the Correction Layer on a VSX Gateway - Check Point Software1
*Solved: Maestro queries - Check Point CheckMates


NEW QUESTION # 39
What kinds of transceivers are supported on Orchestrator MHO-140?

  • A. SFP, SFP+, QSFP, QSFP28
  • B. SFP+, SFP28, QSFP
  • C. SFP, SFP+, SFP28
  • D. SFP, QSFP, QSFP28

Answer: C

Explanation:
Explanation
According to the Maestro Hyperscale Orchestrator Datasheet1, the Orchestrator MHO-140 supports the following transceiver types: SFP, SFP+, SFP28. These transceivers can be used for the management, uplink, and downlink ports of the Orchestrator. The SFP transceivers support 1 GbE, the SFP+ transceivers support 10 GbE, and the SFP28 transceivers support 25 GbE.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 42
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline3
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2


NEW QUESTION # 40
Possibilities for a failure in a single SGM of a Security Group include.

  • A. A change was made with clish instead of gClish, causing the SGM to handle traffic differently than the other SGMs.
  • B. SecureXL is not enabled on the SGM.
  • C. An administrator imported a hotfix into the CPUSE repository of a single SGM.
  • D. There are too many active SGMs in the SG.

Answer: C

Explanation:
Explanation
One of the possible causes of a failure in a single SGM of a Security Group is that an administrator imported a hotfix into the CPUSE repository of a single SGM, instead of using the orchestrator to distribute the hotfix to all the SGMs in the Security Group. This can create a mismatch in the software versions and configurations of the SGMs, and lead to unexpected behavior and errors.
References
*Maestro Expert (CCME) Course - Check Point Software, page 251
*sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2
*sk180418: Security Gateway Member (SGM) is stuck after it is added to a Security Group with image auto cloning enabled on the Single Management Object (SMO)


NEW QUESTION # 41
What is the default Distribution mode?

  • A. User
  • B. Auto-topology
  • C. Network
  • D. Manual-General

Answer: B

Explanation:
Explanation
Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object.
Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network.
The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16


NEW QUESTION # 42
When security policy is installed

  • A. All SGMs receive the security policy and simultaneous policy installation occurs.
  • B. All SGMs receive the security policy and one by one performs an independent policy verification. Then, all SGMs simultaneously install the policy.
  • C. The policy is installed on the SMO, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.
  • D. The SMO Master receives the policy and performs a policy verification the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other membersretrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.

Answer: D

Explanation:
Explanation
This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13
*Policy installation flow - Check Point Software


NEW QUESTION # 43
The _______ command will allow users to update the specified file on all SGMs.

  • A. g_all"
  • B. g_update_conf_file
  • C. sed
  • D. g_cat

Answer: B

Explanation:
Explanation
The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10
*Maestro Commands for Security Groups - Check Point CheckMates


NEW QUESTION # 44
What can be learned from the output of sx_api_ports_dump.py command?

  • A. Information about downlink ports only
  • B. Orchestrator port status
  • C. Information about backplane bonds
  • D. Information about Security Groups

Answer: C

Explanation:
Explanation
References
*R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
*[Maestro Expert (CCME) Course - Check Point Software], page 31
*[Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge], page 3


NEW QUESTION # 45
What command should be used for collecting diagnostic information about the orchestrator?

  • A. asg perf -v
  • B. orch_info
  • C. cpinfo
  • D. cpview

Answer: C

Explanation:
Explanation
The cpinfo command is a tool that collects diagnostic information about the orchestrator, such as hardware, software, network, configuration, and logs. The cpinfo command generates a file that can be sent to Check Point Support for analysis and troubleshooting. The cpinfo command can be run on the orchestrator's CLI or WebUI.
References =
*Check Point Maestro R81.X Administration Guide, page 68, section "cpinfo" 1
*Check Point Maestro R81.X Getting Started Guide, page 30, section "cpinfo" 2
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software 3
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
3: https://www.checkpoint.com/downloads/products/maestro-hyperscale-orchestrator-datasheet.pdf


NEW QUESTION # 46
......


CheckPoint 156-836 (Check Point Certified Maestro Expert - R81 (CCME)) Certification Exam is designed for IT professionals who want to master the skills and knowledge required to design, deploy, configure, and manage a Check Point Maestro solution. It is an advanced level technical certification exam that focuses on validating the candidates' expertise in the most up-to-date concepts, tools, and practices related to Maestro technology.

 

100% Free 156-836 Daily Practice Exam With 77 Questions: https://www.lead2passed.com/CheckPoint/156-836-practice-exam-dumps.html

156-836 exam torrent CheckPoint study guide: https://drive.google.com/open?id=1Lzpc4KufNmNoljyH6eji5D-Zn_zt7AQu

Related Articles

more
CheckPoint 156-836 Certification Practice Exam