CCME Real Exam Questions and Answers FREE 156-836 Updated on Nov 21, 2024 [Q35-Q56]


The Check Point Certified Maestro Expert - R81 (CCME) certification exam is an excellent opportunity for IT professionals to demonstrate their expertise in deploying and managing Check Point Maestro. By passing the exam, candidates can increase their credibility and marketability in the industry and open up new career opportunities.

 

NEW QUESTION # 35
For the MHO-175, which ports are Management ports?

  • A. Ports 5 - 26 are Management ports.
  • B. Ports 1 - 4 are Management ports.
  • C. Ports 49 - 55 are Management ports.
  • D. Ports 27 - 47 are Management ports.

Answer: B

Explanation:
According to the Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175 document, ports 1 - 4 are Management ports that are used to connect the MHO to the customer's management infrastructure, such as SmartConsole or SmartDomain Manager. Ports 5 - 26 are Uplink ports that are used to connect the MHO to the customer's network infrastructure, such as switches, routers, or firewalls. Ports 27 - 47 are Downlink ports that are used to connect the MHO to the Security Group Modules (SGMs) in the Security Group. Ports 49 - 55 are Backplane ports that are used to connect the MHO to another MHO in a Dual Orchestrator environment.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 42
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline
*Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175


NEW QUESTION # 36
What cannot be a reason for the "Failed to get remote orchestrator interfaces" error message when clicking on "Orchestrator" in WebUI?

  • A. No Sync between orchestrators
  • B. Remote orchestrator has no empty interfaces
  • C. Single orchestrator environment, but configured Orchestrator amount is 2
  • D. One orchestrator only, but Orchestrator amount is 2 or no Sync in between orchestrators

Answer: B

Explanation:
One of the possible reasons for the "Failed to get remote orchestrator interfaces" error message, when clicking on "Orchestrator" in WebUI, is that the remote orchestrator has no empty interfaces that can be assigned to a security group. This can happen if all the interfaces on the remote orchestrator are already part of configured security groups, or if the remote orchestrator has no physical interfaces at all. In this case, the WebUI cannot display the unassigned interfaces of the remote orchestrator, and shows the error message.
References
*Not able to see unassigned interfaces on checkpoint Orchestrator
*Maestro 140 not detecting Interfaces
*Maestro Expert (CCME) Course - Check Point Software, page


NEW QUESTION # 37
What will happen in case of NAT of the traffic passing through Management network?

  • A. Since Management traffic is always going to SMO, it will take care of the Correction Layer and will re-distribute traffic to other Appliances
  • B. This traffic will pass with no inspection
  • C. Orchestrator will disable NAT and traffic will pass with no issue
  • D. This traffic will not pass correction, since it will be dropped

Answer: C

Explanation:
According to the Check Point MAESTRO R80.20SP Administration Manual, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.
References
*Check Point MAESTRO R80.20SP Administration Manual, page 291


NEW QUESTION # 38
What is the default Distribution mode?

  • A. Manual-General
  • B. User
  • C. Network
  • D. Auto-topology

Answer: D

Explanation:
Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object.
Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network.
The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16


NEW QUESTION # 39
Maestro allows running commands globally in Expert mode by using global prefixes, such as:

  • A. g_all
  • B. asg all
  • C. global
  • D. all

Answer: A

Explanation:
The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 40
Splitter cannot be used _______

  • A. To connect single port on orchestrator to multiple port on external switch
  • B. To connect single port on orchestrator to the same Appliance
  • C. To connect single port on orchestrator to multiple Appliances
  • D. To connect single port on Appliance to multiple ports on the orchestrator

Answer: B


NEW QUESTION # 41
What is the purpose of RJ-45 connectors located at the front panel of the Orchestrator MHO-170?

  • A. Reserved for internal purposes. Not in use
  • B. Two Out-of-band interfaces for access to Orchestrator itself
  • C. 1Gbps connectivity for Security Groups
  • D. Out-of-band interface for access to Orchestrator itself and Serial Console connector

Answer: D

Explanation:
The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is an RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.
References
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2
*Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4


NEW QUESTION # 42
What happens if the SMO Master fails?

  • A. The Security Group will no longer pass traffic and the issue must be resolved with the SMO Master.
  • B. A failover will occur on the MHO and traffic will continue to pass.
  • C. The Backup SMO Master will take over in the event of a failure with the SMO Master.
  • D. The next SGM with the current lowest SGM ID assumes the role of the SMO Master.

Answer: D

Explanation:
This aligns with the principle of redundancy in network systems, where the next available device with the lowest ID typically takes over management roles in case of a failure.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 91
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline


NEW QUESTION # 43
What cannot be learned from the output of lldpctl?

  • A. Distribution mode
  • B. Serial number of Appliance
  • C. Orchestrator's IP
  • D. Appliance model

Answer: A

Explanation:
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator's IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
*Log and Configuration Files - Check Point Software


NEW QUESTION # 44
What is the maximum number of Appliances within a Security Group in a Dual-Site configuration?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: C


NEW QUESTION # 45
What does the asg monitor command do?

  • A. Show real-time cluster status of Appliances in Security Group
  • B. Monitor health status of entire system
  • C. Monitor traffic on Appliances in Security Group
  • D. This command does not exist

Answer: A

Explanation:
The "asg monitor" command generally would show real-time cluster status of appliances in a security group, focusing on health and operational status.


NEW QUESTION # 46
When security policy is installed

  • A. The SMO Master receives the policy and performs a policy verification, the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.
  • B. The policy is installed on the SMO, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.
  • C. All SGMs receive the security policy and simultaneous policy installation occurs.
  • D. All SGMs receive the security policy and one by one performs an independent policy verification. Then, all SGMs simultaneously install the policy.

Answer: A

Explanation:
This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13
*Policy installation flow - Check Point Software


NEW QUESTION # 47
What happens if you apply a hotfix using gClish?

  • A. Logical groups "A" and "B" are created. Members of group "A" install and reboot first. Then members of group "B" do the same once reboots have finished with group "A."
  • B. If you apply a hotfix using gclish, the operation will fail because an outage would occur.
  • C. If you apply a hotfix using gclish, each SG member installs the hotfix and reboots after waiting its turn to do so.
  • D. If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at roughly the same time.

Answer: A

Explanation:
This is the correct answer because it describes the hotfix installation process using gClish on a Maestro Security Group. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. When a hotfix is applied using gClish, the SG members are divided into two logical groups: "A" and "B". The members of group "A" install the hotfix and reboot first, while the members of group "B" wait for their turn. After all the members of group "A" are back online, the members of group "B" install the hotfix and reboot. This way, the SG maintains high availability and does not cause an outage.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 48
To display processes that are consuming excessive system resources, users should use the _____ command.

  • A. asg stat -v
  • B. asg perf -v
  • C. top
  • D. asg_perf_hogs

Answer: D

Explanation
The asg_perf_hogs command is a script that displays the processes that are consuming excessive system resources, such as CPU, memory, disk, and network, on the orchestrator and the appliances. It can help identify performance issues and bottlenecks in the Maestro environment.
References
*Software Provision and Performance hogs failed - Check Point CheckMates1
*CHECK POINT MAESTRO EXPERT, page 33


NEW QUESTION # 49
When working with Maestro, what is the difference between using Clish and gClish?

  • A. Clish commands are run on the SG members. gClish commands are run on the MHO and applied to all connected SG members in a specified group.
  • B. Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members, by default.
  • C. Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG members, by default.
  • D. Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members, by default.

Answer: B

Explanation:
This is the correct answer because it describes the difference between using Clish and gClish when working with Maestro. Clish is the Check Point command line shell that allows users to configure and manage the SG members individually. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. UP SG members are the ones that are in the UP state and have the same policy installed as the SMO Master.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 50
How does HyperSync work in a Dual Site environment?

  • A. Each active connection has a backup connection on the second site (remote site.)
  • B. Each active connection has a local backup (on the local site) and a second backup connection on the second site (remote site.)
  • C. Each active connection has two local backups (on the local site) and a third backup connection on the second site (remote site.)
  • D. Each active connection has a local backup (on the local site) and a second backup connection on each of the MHOs.

Answer: B

Explanation:
HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of a failover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.
References
*Maestro Dual Site configuration with a direct connection through L2 switches
*Maestro Frequently Asked Questions (FAQ)
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 51
What command should be used for collecting diagnostic information about the orchestrator?

  • A. asg perf -v
  • B. orch_info
  • C. cpview
  • D. cpinfo

Answer: D

Explanation:
The cpinfo command is a tool that collects diagnostic information about the orchestrator, such as hardware, software, network, configuration, and logs. The cpinfo command generates a file that can be sent to Check Point Support for analysis and troubleshooting. The cpinfo command can be run on the orchestrator's CLI or WebUI.
References
*Check Point Maestro R81.X Administration Guide, page 68, section "cpinfo" 1
*Check Point Maestro R81.X Getting Started Guide, page 30, section "cpinfo" 2
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software 3
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
3: https://www.checkpoint.com/downloads/products/maestro-hyperscale-orchestrator-datasheet.pdf


NEW QUESTION # 52
Which feature is used to force trusted non-F2F traffic into the fully accelerated path for handling by SecureXL?

  • A. Fast Accelerator
  • B. hypersync
  • C. SecureXL
  • D. rate limiting

Answer: C

Explanation:
SecureXL is typically used to accelerate trusted traffic, including non-F2F (face-to-face) traffic, through a secure, fast path.
References
*SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above 1
*SecureXL Fast Accelerator - Need to clarify packet flow 2
1: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=
2: https://community.checkpoint.com/t5/Security-Gateways/SecureXL-Fast-Accelerator-Need-to-clarify-packet-flo


NEW QUESTION # 53
There are two 10Gbps dual-port NICs installed on a 6800 appliance. Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?

  • A. Port 1 in Slot 2 and Port 2 in Slot 1
  • B. Port 1 in Slot 1 and Port 1 in Slot 2
  • C. Port 1 in Slot 1 and Port 2 in Slot 1
  • D. Any pair of available ports

Answer: B

Explanation:
The correct interfaces to connect to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.
References
*Check Point 156-835 Certification Flashcards | Quizlet1
*Maestro Expert (CCME) Course - Check Point Software, page 182
*Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163


NEW QUESTION # 54
What Maestro component is automatically designated the SMO Master?

  • A. The SGM with the highest member ID (the last one added to the security group.)
  • B. The first MHO configured is considered the SMO Master.
  • C. The SGM with the lowest member ID (the first one added to the security group.)
  • D. The MDS that pushes policy to the SMO is considered the SMO Master.

Answer: C

Explanation:
The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.
References:
*Maestro Frequently Asked Questions (FAQ), under "What is a Single Management Object (SMO)?"
*Check Point Jump Start Course: Maestro, under "Maestro Security Groups"


NEW QUESTION # 55
What type of cluster can a Security Group be compared to?

  • A. Load Sharing Active / Active
  • B. VSLS
  • C. Active / Standby
  • D. Active / Backup

Answer: A

Explanation:
A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of multiple Security Group Members that share the traffic load and provide high availability and scalability. Each Security Group Member is an active firewall that processes traffic according to the Security Group policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer that distributes the traffic among the Security Group Members based on their capacity and availability.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.1: Introduction to Security Groups, page 2-4
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Overview, page 2-3

