Pass the Checkpoint CCME 156-836 Questions and answers with CertsForce

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

•Layer 4 Distribution - Yes or No? - Check Point CheckMates

•Support, Support Requests, Training … - Check Point Software

Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk147853

A downlink interface is a physical or virtual interface that connects a security gateway to an orchestrator. It allows the security gateway to send and receive configuration updates, policy changes, and other data from the orchestrator.

References = [Check Point R81.10 for Scalable Platforms - Check Point Software], [Scalable Platforms (Maestro and Chassis) comparison between versions - Check Point Software], [Check Point R81.10 AI & ML Driven Threat Prevention and Security Management - Check Point Blog].

In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.

References =

•Solved: Maestro dual site failover - Check Point CheckMates

•Maestro Dual Site configuration with a direct connection through L2 switches

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system.This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

The Orchestrator MHO-170 supports QSFP and QSFP28 transceivers on its 32x 100 GbE ports. QSFP stands for Quad Small Form-factor Pluggable and QSFP28 is an enhanced version of QSFP that supports up to 28 Gbps per lane. These transceivers can provide high-speed and high-density connectivity for the Maestro environment.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Maestro Transceiver & DAC Inventory - Check Point CheckMates

This is not one of the ways to configure a Security Group in a Dual Site environment, because load balancers are not required or supported for the inter-site communication between the Maestro Orchestrators (MHOs). The MHOs use the Site-Sync port and VLANs to synchronize the resources and connections across the sites. The three valid scenarios for Dual Site configuration are:

•Direct connectivity between remote site Orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

•Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

•Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that support QinQ and MTU increment.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•[Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)]

•[Maestro Frequently Asked Questions (FAQ)]

The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.

References

•Check Point 156-835 Certification Flashcards | Quizlet1

•Maestro Expert (CCME) Course - Check Point Software, page 182

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13

•Policy installation flow - Check Point Software