Exam4Training

Check Point 156-836 Check Point Certified Maestro Expert – R81 (CCME) Online Training

Question #1

What Maestro component is automatically designated the SMO Master?

  • A . The SGM with the lowest member ID (the first one added to the security group.)
  • B . The MDS that pushes policy to the SMO is considered the SMO Master.
  • C . The first MHO configured is considered the SMO Master.
  • D . The SGM with the highest member ID (the last one added to the security group.)

Correct Answer: A

Explanation:

The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.

Reference:

• Maestro Frequently Asked Questions (FAQ), under “What is a Single Management Object (SMO)?”

• Check Point Jump Start Course: Maestro, under “Maestro Security Groups”

Question #2

What is a downlink interface used for?

  • A . To connect appliances to Orchestrators
  • B . To connect appliances to customer’s infrastructure
  • C . To connect in between Orchestrators
  • D . To connect Orchestrators to customer’s infrastructure

Correct Answer: B

Question #3

What type of license is required for an MHO?

  • A . The MHO requires a NGTP license.
  • B . The MHO requires a VSX license.
  • C . The MHO does not require a license.
  • D . A license is needed for each attached SGM.

Correct Answer: C

Explanation:

The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 71

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

Question #4

What Maestro component acts as a load balancer and network switch?

  • A . Security Switching Module (SSM)
  • B . Maestro Hyperscale Orchestrator (MHO)
  • C . Security Group (SG)
  • D . Security Gateway Module (SGM)

Correct Answer: B

Explanation:

• The Quantum Maestro Orchestrator uses the Distribution Mode to assign incoming traffic to Security Group Members.

• Reference: Working with the Distribution Mode

Question #5

What is an uplink interface used for?

  • A . To connect in between appliances
  • B . To connect appliances to customer’s infrastructure
  • C . To connect Orchestrators to customer’s infrastructure
  • D . To connect in between Orchestrators

Correct Answer: C

Explanation:

Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive management and control traffic from the customer’s network to the MHOs.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 41

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

Question #6

What is a security group?

  • A . A solution for Security Gateway redundancy and Load Sharing.
  • B . A set of appliances of the same model that are collectively managed by the MHO.
  • C . A set of network interfaces and individual SGMs assigned to a logical group.
  • D . A set of objects in SmartConsole that are responsible for enforcing an access policy.

Correct Answer: A

Explanation:

Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features.

Question #7

What is the Orchestrator?

  • A . Network Switch
  • B . Manager of compute and network resources, load balancer and network switch
  • C . Load balancer
  • D . None of above

Correct Answer: B

Explanation:

The Orchestrator is a Maestro component that manages the compute and network resources of the Security Group Modules (SGMs) in a Security Group. It also acts as a load balancer and a network switch, distributing traffic among the SGMs and connecting them to the customer’s network infrastructure.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 41

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

Question #8

What is the Correction Layer?

  • A . Correction Layer is a daemon which corrects errors on Backplane interfaces
  • B . Correction Layer is a mechanism which handles asymmetric connections in a multi-appliance system. For example, in case of NAT
  • C . Correction Layer is a mechanism which is activated in case of asymmetric routing
  • D . Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute

Correct Answer: B

Explanation:

The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

Reference:

• NAT and the Correction Layer on a Security Gateway – Check Point Software

• Solved: Maestro queries – Check Point CheckMates

Question #9

What is the Correction Layer mechanism?

  • A . Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs.
  • B . The load-balancing mechanism used by the MHO.
  • C . The MHO’s distribution algorithm which determines the handling SGM for a given connection.
  • D . Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in the SG.

Correct Answer: A

Explanation:

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

Reference:

• NAT and the Correction Layer on a VSX Gateway – Check Point Software

• Solved: Maestro queries – Check Point CheckMates

Question #10

What is the maximum number of Appliances within a Security Group in a Dual-Site configuration?

  • A . 28
  • B . 31
  • C . 15
  • D . 16

Correct Answer: A

Question #11

At a minimum, how many management and Uplink ports does a SG require?

  • A . Only one of the two interfaces is needed for the Security Group.
  • B . Neither are required.
  • C . Two of each.
  • D . One each.

Correct Answer: D

Explanation:

A Security Group (SG) requires at least one management port and one uplink port to function properly. The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink port is used to connect the SG to the customer’s network infrastructure, such as switches, routers, or firewalls. The uplink port is also used to send and receive traffic from the customer’s network to the SG.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 41

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

Question #12

What is the maximum number of Appliances within the same Security Group?

  • A . 31
  • B . 8
  • C . 52
  • D . 16

Correct Answer: A

Explanation:

The maximum number of appliances within the same security group is 31. This is because a security group can have up to 31 Security Group Modules (SGMs) of the same or different models, and each SGM is an appliance that runs the Check Point software. A security group can span across multiple chassis, and each chassis can have up to 16 SGMs. However, the total number of SGMs in a security group cannot exceed 31.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 51

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

Question #13

For the MHO-175, which ports are Management ports?

  • A . Ports 49 – 55 are Management ports.
  • B . Ports 1 – 4 are Management ports.
  • C . Ports 27 – 47 are Management ports.
  • D . Ports 5 – 26 are Management ports.

Correct Answer: B

Explanation:

According to the Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175 document, ports 1 – 4 are Management ports that are used to connect the MHO to the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. Ports 5 – 26 are Uplink ports that are used to connect the MHO to the customer’s network infrastructure, such as switches, routers, or firewalls. Ports 27 – 47 are Downlink ports that are used to connect the MHO to the Security Group Modules (SGMs) in the Security Group. Ports 49 – 55 are Backplane ports that are used to connect the MHO to another MHO in a Dual Orchestrator environment.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 42

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

• Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175

Question #14

What kinds of transceivers are supported on Orchestrator MHO-140?

  • A . SFP, QSFP, QSFP28
  • B . SFP+, SFP28, QSFP
  • C . SFP, SFP+, SFP28
  • D . SFP, SFP+, QSFP, QSFP28

Correct Answer: C

Explanation:

According to the Maestro Hyperscale Orchestrator Datasheet, the Orchestrator MHO-140 supports the following transceiver types: SFP, SFP+, SFP28. These transceivers can be used for the management, uplink, and downlink ports of the Orchestrator. The SFP transceivers support 1 GbE, the SFP+ transceivers support 10 GbE, and the SFP28 transceivers support 25 GbE.

Reference:

• Maestro Expert (CCME) Course – Check Point Software, page 42

• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline

• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2

Question #15

What happens if the SMO Master fails?

  • A . The next SGM with the current lowest SGM ID assumes the role of the SMO Master.
  • B . The Backup SMO Master will take over in the event of a failure with the SMO Master.
  • C . A failover will occur on the MHO and traffic will continue to pass.
  • D . The Security Group will no longer pass traffic and the issue must be resolved with the SMO Master.

Correct Answer: B

Explanation:

The SMO Master is the SGM that is responsible for managing the Security Group and communicating with the MHO. If the SMO Master fails, the Backup SMO Master, which is the SGM with the next lowest SGM ID, will take over the role of the SMO Master and ensure the continuity of the Security Group operations.

Reference = Maestro Expert (CCME) Course – Check Point Software, page 14; Check Point Accredited Maestro Expert – New exam a… – Check Point CheckMates, page 1.

Question #16

What does the lldpctl command do?

  • A . Show all devices discovered by LLDP protocol on downlink ports
  • B . Show all devices discovered by LLDP protocol on all ports
  • C . Discover orchestrators
  • D . Show all devices discovered by LLDP protocol on uplink ports

Correct Answer: B

Explanation:

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

Question #17

What type of cluster can a Security Group be compared to?

  • A . Load Sharing Active / Active
  • B . VSLS
  • C . Active / Backup
  • D . Active / Standby

Correct Answer: A

Explanation:

A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of multiple Security Group Members that share the traffic load and provide high availability and scalability. Each Security Group Member is an active firewall that processes traffic according to the Security Group policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer that distributes the traffic among the Security Group Members based on their capacity and availability.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.1: Introduction to Security Groups, page 2-4

• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Overview, page 2-3

Question #18

What kinds of transceivers are supported on Orchestrator MHO-170?

  • A . SFP, QSFP, QSFP28
  • B . SFP+, SFP28, QSFP
  • C . SFP, SFP+, SFP28
  • D . QSFP, QSFP28

Correct Answer: D

Explanation:

The Orchestrator MHO-170 supports QSFP and QSFP28 transceivers on its 32x 100 GbE ports. QSFP stands for Quad Small Form-factor Pluggable and QSFP28 is an enhanced version of QSFP that supports up to 28 Gbps per lane. These transceivers can provide high-speed and high-density connectivity for the Maestro environment.

Reference

• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2

• Maestro Transceiver & DAC Inventory – Check Point CheckMates

Question #19

There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1, 2 and 3 accordingly.

Which interfaces should be connected to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators?

  • A . Port 1 in Slot 2 and Port 2 in Slot 1
  • B . This configuration is not supported
  • C . Any pair of available ports
  • D . Port 1 in Slot 1 and Port 2 in Slot 1

Correct Answer: D

Explanation:

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

Reference

• Check Point Certified Maestro Expert (CCME) Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

• Check Point 23800 Appliance Datasheet – Check Point Software, page 2

Question #20

Which licenses should be issued for the Orchestrator?

  • A . No licenses are required for Orchestrator
  • B . Depends on Software Blades enabled on connected appliances
  • C . The Orchestrator is considered a Management server, hence it’s licensed the same way
  • D . The Orchestrator requires NGTX license

Correct Answer: A

Explanation:

Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8

• Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6

• Activation of a Quantum Maestro Orchestrator – Check Point Software

Question #21

When security policy is installed

  • A . All SGMs receive the security policy and one by one perform an independent policy verification. Then, all SGMs simultaneously install the policy.
  • B . The SMO Master receives the policy and performs a policy verification, the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.
  • C . All SGMs receive the security policy and simultaneous policy installation occurs.
  • D . The policy is installed on the SMO, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.

Correct Answer: B

Explanation:

This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15

• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13

• Policy installation flow – Check Point Software

Question #22

What cannot be learned from the output of the asg monitor command?

  • A . Uptime
  • B . Port status
  • C . Security Policy status
  • D . Appliances cluster status

Correct Answer: D

Question #23

Maestro allows running commands globally in Expert mode by using global prefixes, such as:

  • A . asg all
  • B . g_all
  • C . all
  • D . global

Correct Answer: B

Explanation:

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

• Global Expert Mode Commands – Check Point CheckMates

Question #24

The ______________ command will allow users to update the specified file on all SGMs.

  • A . g_update_conf_file
  • B . g_all
  • C . sed
  • D . g_cat

Correct Answer: A

Explanation:

The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12

• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10

• Maestro Commands for Security Groups – Check Point CheckMates

Question #25

What happens when you make changes from Clish on the SMO Master?

  • A . The changes are synchronized to the SMS/MDS as a backup.
  • B . The changes are synchronized to the MHO as a backup.
  • C . Changes are only applied on the SMO Master.
  • D . Changes are applied to all members in the SG.

Correct Answer: C

Explanation:

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.2: Security Group Configuration, page 2-10

• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Configuration, page 2-9

• Security Group Configuration – Check Point Software

Question #26

When working with Maestro, what is the difference between using Clish and gClish?

  • A . Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG members, by default.
  • B . Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members, by default.
  • C . Clish commands are run on the SG members. gClish commands are run on the MHO and applied to all connected SG members in a specified group.
  • D . Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members, by default.

Correct Answer: C

Question #27

What cannot be learned from the output of lldpctl?

  • A . Serial number of Appliance
  • B . Appliance model
  • C . Distribution mode
  • D . Orchestrator’s IP

Correct Answer: C

Explanation:

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

The output of lldpctl can show the serial number, appliance model, and orchestrator’s IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

• Maestro basic setup documentation – Page 2 – Check Point CheckMates

• Log and Configuration Files – Check Point Software

Question #28

What is the purpose of Management ports located on the Rear Panel of the Orchestrator MHO-140?

  • A . 1Gbps connectivity for Security Groups
  • B . Reserved for internal purposes. Not in use.
  • C . Out-of-band interfaces for access to Orchestrator itself
  • D . Additional ports used as uplinks

Correct Answer: C

Explanation:

The Management ports located on the Rear Panel of the Orchestrator MHO-140 are out-of-band interfaces that provide access to the Orchestrator itself for configuration and management purposes. They are not used for traffic distribution or connectivity to the Security Groups or the external networks. They are 1Gbps RJ-45 ports that can be connected to a switch or a router.

Reference

• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2

• Quantum Maestro Getting Started Guide – Check Point CheckMates, page 4

Question #29

What happens if you apply a hotfix using gClish?

  • A . If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at roughly the same time.
  • B . If you apply a hotfix using gclish, each SG member installs the hotfix and reboots after waiting its turn to do so.
  • C . Logical groups "A" and "B" are created. Members of group "A" install and reboot first. Then members of group "B" do the same once reboots have finished with group "A."
  • D . If you apply a hotfix using gclish, the operation will fail because an outage would occur.

Correct Answer: B

Explanation:

According to the Installing and Uninstalling a Hotfix on Quantum Maestro Orchestrators, page 1, when you apply a hotfix using gclish, the MHO distributes the hotfix to all SGMs in the Security Group. The SGMs install the hotfix and reboot one by one, in ascending order of their SGM IDs. The SGMs wait for the previous SGM to finish rebooting before starting their own reboot. This ensures that there is no outage for the entire Security Group.

Reference = Installing and Uninstalling a Hotfix on Quantum Maestro Orchestrators, page 1; Maestro R81.10 Jumbo Hotfix install – Check Point CheckMates, page 1.

Question #30

What is the purpose of RJ-45 connectors located at the front panel of the Orchestrator MHO-170?

  • A . Two Out-of-band interfaces for access to Orchestrator itself
  • B . 1Gbps connectivity for Security Groups
  • C . Out-of-band interface for access to Orchestrator itself and Serial Console connector
  • D . Reserved for internal purposes. Not in use

Correct Answer: C

Explanation:

The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is an RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.

Reference

• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2

• Quantum Maestro Getting Started Guide – Check Point CheckMates, page 4

Question #31

What does the asg monitor command do?

  • A . This command does not exist
  • B . Monitor health status of entire system
  • C . Monitor traffic on Appliances in Security Group
  • D . Show real-time cluster status of Appliances in Security Group

Correct Answer: D

Explanation:

The "asg monitor" command generally would show real-time cluster status of appliances in a security group, focusing on health and operational status.

Question #32

What will happen in case of NAT of the traffic passing through Management network?

  • A . This traffic will not pass correction, since it will be dropped
  • B . Orchestrator will disable NAT and traffic will pass with no issue
  • C . Since Management traffic always goes to the SMO, it will take care of the Correction Layer and will re-distribute traffic to other Appliances
  • D . This traffic will pass with no inspection

Correct Answer: B

Explanation:

According to the Check Point MAESTRO R80.20SP Administration Manual, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.

Reference

• Check Point MAESTRO R80.20SP Administration Manual, page 291

Question #33

Which distribution mode assigns packets to an SGM based solely on the packet destination IP?

  • A . User mode
  • B . Manual mode
  • C . Network mode
  • D . Auto-topology mode

Correct Answer: C

Explanation:

Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19

• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

• Maestro basic setup documentation – Page 2 – Check Point CheckMates

Question #34

When a VPN tunnel is formed with a Maestro SGM,

  • A . The receiving SGM makes an encryption decision. The SGM then syncs the traffic to two backup SGMs: one for clear traffic and one for encrypted traffic.
  • B . SGM 1 analyzes the policy and topology. If encryption is required, it calculates the tunnel owner’s IP address. SGM 1 sends a clear packet to the tunnel owner. SGM 2 is now the connection and tunnel owner.
  • C . The MHO handles the IKE before distributing the traffic to a SGM to handle all encrypted traffic. This helps to prevent any issues with the correction layer.
  • D . The MHO distributes copies of the packets to two different SGMs because SGM 1 will handle the clear traffic IKE exchange packets, while SGM2 handles encrypted packets.

Correct Answer: B

Question #35

What is the default Distribution mode?

  • A . Auto-topology
  • B . User
  • C . Manual-General
  • D . Network

Correct Answer: A

Explanation:

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.

Reference

• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18

• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

• Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist, slide 16