What Maestro component is automatically designated the SMO Master?
- A . The SGM with the lowest member ID (the first one added to the security group.)
- B . The MDS that pushes policy to the SMO is considered the SMO Master.
- C . The first MHO configured is considered the SMO Master.
- D . The SGM with the highest member ID (the last one added to the security group.)
C
Explanation:
In Check Point Maestro’s orchestration environment, the Master Orchestrator (MHO) plays a crucial role in managing the Security Group’s operation. The first MHO that you configure in a Maestro environment takes on the role of the SMO Master. This MHO is responsible for controlling and managing the entire security environment and ensures all configurations and policies are correctly implemented across the security group.
What is a downlink interface used for?
- A . To connect appliances to Orchestrators
- B . To connect appliances to customer’s infrastructure
- C . To connect in between Orchestrators
- D . To connect Orchestrators to customer’s infrastructure
What type of license is required for an MHO?
- A . The MHO requires a NGTP license.
- B . The MHO requires a VSX license.
- C . The MHO does not require a license.
- D . A license is needed for each attached SGM.
C
Explanation:
The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.
Reference:
• Maestro Expert (CCME) Course – Check Point Software, page 71
• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline
What Maestro component acts as a load balancer and network switch?
- A . Security Switching Module (SSM)
- B . Maestro Hyperscale Orchestrator (MHO)
- C . Security Group (SG)
- D . Security Gateway Module (SGM)
B
Explanation:
• The Quantum Maestro Orchestrator uses the Distribution Mode to assign incoming traffic to Security Group Members.
• Reference: Working with the Distribution Mode
What is an uplink interface used for?
- A . To connect in between appliances
- B . To connect appliances to customer’s infrastructure
- C . To connect Orchestrators to customer’s infrastructure
- D . To connect in between Orchestrators
C
Explanation:
Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive management and control traffic from the customer’s network to the MHOs.
Reference:
• Maestro Expert (CCME) Course – Check Point Software, page 41
• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline
What is a security group?
- A . A solution for Security Gateway redundancy and Load Sharing.
- B . A set of appliances of the same model that are collectively managed by the MHO.
- C . A set of network interfaces and individual SGMs assigned to a logical group.
- D . A set of objects in SmartConsole that are responsible for enforcing an access policy.
A
Explanation:
Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features.
What is the Orchestrator?
- A . Network Switch
- B . Manager of compute and network resources, load balancer and network switch
- C . Load balancer
- D . None of above
B
Explanation:
The Orchestrator is a Maestro component that manages the compute and network resources of the Security Group Modules (SGMs) in a Security Group. It also acts as a load balancer and a network switch, distributing traffic among the SGMs and connecting them to the customer’s network infrastructure.
Reference:
• Maestro Expert (CCME) Course – Check Point Software, page 41
• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline
What is the Correction Layer?
- A . Correction Layer is a daemon which corrects errors on Backplane interfaces
- B . Correction Layer is a mechanism which handles asymmetric connections in multi-appliance system. For example, in case of NAT
- C . Correction Layer is a mechanism which is activated in case of asymmetric routing
- D . Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute
B
Explanation:
The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
Reference:
• NAT and the Correction Layer on a Security Gateway – Check Point Software
• Solved: Maestro queries – Check Point CheckMates
What is the Correction Layer mechanism?
- A . Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs.
- B . The load-balancing mechanism used by the MHO.
- C . The MHO’s distribution algorithm which determines the handling SGM for a given connection.
- D . Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in the SG.
A
Explanation:
The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
Reference:
• NAT and the Correction Layer on a VSX Gateway – Check Point Software
• Solved: Maestro queries – Check Point CheckMates
What is the maximum number of Appliances within Security group in Dual-Site configuration?
- A . 28
- B . 31
- C . 15
- D . 16
At a minimum, how many management and Uplink ports does a SG require?
- A . Only one of the two interfaces is needed for the Security Group.
- B . Neither are required.
- C . Two of each.
- D . One each.
D
Explanation:
A Security Group (SG) requires at least one management port and one uplink port to function properly. The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink port is used to connect the SG to the customer’s network infrastructure, such as switches, routers, or firewalls. The uplink port is also used to send and receive traffic from the customer’s network to the SG.
Reference:
• Maestro Expert (CCME) Course – Check Point Software, page 41
• Check Point Certified Maestro Expert (CCME) R81.X – Global Knowledge, course outline
What is the maximum number of Appliances within the same Security Group?
- A . 31
- B . 8
- C . 52
- D . 16
C
Explanation:
In a Check Point Maestro environment, the maximum number of appliances that can be managed within the same Security Group is 52. This capability highlights the extensive scalability offered by Maestro, allowing organizations to significantly expand their security infrastructure to handle higher traffic volumes and more complex network configurations.
For the MHO-175, which ports are Management ports?
- A . Ports 49 – 55 are Management ports.
- B . Ports 1 – 4 are Management ports.
- C . Ports 27 – 47 are Management ports.
- D . Ports 5 – 26 are Management ports.
A
Explanation:
In the MHO-175 Maestro Orchestrator, ports numbered from 49 to 55 are designated as Management ports. These ports are utilized for managing the device itself and for orchestrating the network and security tasks across connected appliances within the environment.
What kinds of transceivers are supported on Orchestrator MHO-140?
- A . SFP, QSFP, QSFP28
- B . SFP+, SFP28, QSFP
- C . SFP, SFP+, SFP28
- D . SFP, SFP+, QSFP, QSFP28
D
Explanation:
The Orchestrator MHO-140 supports a wide range of transceiver types, including SFP, SFP+, QSFP, and QSFP28. This range of compatibility allows for flexibility in network configurations and ensures that the Orchestrator can interface effectively with a variety of network hardware and speeds, accommodating different data rate requirements and connectivity options.
What happens if the SMO Master fails?
- A . The next SGM with the current lowest SGM ID assumes the role of the SMO Master.
- B . The Backup SMO Master will take over in the event of a failure with the SMO Master.
- C . A failover will occur on the MHO and traffic will continue to pass.
- D . The Security Group will no longer pass traffic and the issue must be resolved with the SMO Master.
B
Explanation:
The SMO Master is the SGM that is responsible for managing the Security Group and communicating with the MHO. If the SMO Master fails, the Backup SMO Master, which is the SGM with the next lowest SGM ID, will take over the role of the SMO Master and ensure the continuity of the Security Group operations.
Reference = Maestro Expert (CCME) Course – Check Point Software, page 14; Check Point Accredited Maestro Expert – New exam a… – Check Point CheckMates, page 1.
What does the lldpctl command do?
- A . Show all devices discovered by LLDP protocol on downlink ports
- B . Show all devices discovered by LLDP protocol on all ports
- C . Discover orchestrators
- D . Show all devices discovered by LLDP protocol on uplink ports
B
Explanation:
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9
What type of cluster can a Security Group be compared to?
- A . Load Sharing Active / Active
- B . VSLS
- C . Active / Backup
- D . Active / Standby
A
Explanation:
A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of multiple Security Group Members that share the traffic load and provide high availability and scalability. Each Security Group Member is an active firewall that processes traffic according to the Security Group policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer that distributes the traffic among the Security Group Members based on their capacity and availability.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.1: Introduction to Security Groups, page 2-4
• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Overview, page 2-3
What kinds of transceivers are supported on Orchestrator MHO-170?
- A . SFP, QSFP, QSFP28
- B . SFP+, SFP28, QSFP
- C . SFP, SFP+, SFP28
- D . QSFP, QSFP28
D
Explanation:
The Orchestrator MHO-170 supports QSFP and QSFP28 transceivers on its 32x 100 GbE ports. QSFP stands for Quad Small Form-factor Pluggable and QSFP28 is an enhanced version of QSFP that supports up to 28 Gbps per lane. These transceivers can provide high-speed and high-density connectivity for the Maestro environment.
Reference
• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2
• Maestro Transceiver & DAC Inventory – Check Point CheckMates
There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1, 2 and 3 accordingly.
Which interfaces should be connected to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators?
- A . Port 1 in Slot 2 and Port 2 in Slot 1
- B . This configuration is not supported
- C . Any pair of available ports
- D . Port 1 in Slot 1 and Port 2 in Slot 1
A
Explanation:
This configuration allows for intra-orchestrator redundancy by utilizing ports from different NICs in different slots. This setup provides a failover capability, ensuring that if one NIC or its associated slot encounters an issue, the other can take over without loss of connectivity or function. This strategic arrangement of connections enhances the resilience and reliability of the network configuration when using two Orchestrators.
Which licenses should be issued for the Orchestrator?
- A . No licenses are required for Orchestrator
- B . Depends on Software Blades enabled on connected appliances
- C . The Orchestrator is considered a Management server, hence it’s licensed the same way
- D . The Orchestrator requires NGTX license
A
Explanation:
Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8
• Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Maestro Licensing, page 1-6
• Activation of a Quantum Maestro Orchestrator – Check Point Software
When security policy is installed
- A . All SGMs receive the security policy and one by one perform an independent policy verification. Then, all SGMs simultaneously install the policy.
- B . The SMO Master receives the policy and performs a policy verification, the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.
- C . All SGMs receive the security policy and simultaneous policy installation occurs.
- D . The policy is installed on the SMO, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.
D
Explanation:
This process ensures that the security policy is centrally managed and distributed by the SMO Master, maintaining consistency across the security group while allowing individual SGMs to verify the policy independently before installation. This method helps to ensure that all configurations and security policies are correctly applied and functional across the network.
What cannot be learned from the output of asg monitor command?
- A . Uptime
- B . Port status
- C . Security Policy status
- D . Appliances cluster status
Maestro allows running commands globally in Expert mode by using global prefixes, such as:
- A . asg all
- B . g_all
- C . all
- D . global
B
Explanation:
The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
• Global Expert Mode Commands – Check Point CheckMates
The ______________ command will allow users to update the specified file on all SGMs.
- A . g_update_conf_file
- B . g_all
- C . sed
- D . g_cat
A
Explanation:
The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12
• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10
• Maestro Commands for Security Groups – Check Point CheckMates
What happens when you make changes from Clish on the SMO Master?
- A . The changes are synchronized to the SMS/MDS as a backup.
- B . The changes are synchronized to the MHO as a backup.
- C . Changes are only applied on the SMO Master.
- D . Changes are applied to all members in the SG.
C
Explanation:
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.2: Security Group Configuration, page 2-10
• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Configuration, page 2-9
• Security Group Configuration – Check Point Software
When working with Maestro, what is the difference between using Clish and gClish?
- A . Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG members, by default.
- B . Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members, by default.
- C . Clish commands are run on the SG members. gClish commands are run on the MHO and applied to all connected SG members in a specified group.
- D . Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members, by default.
What cannot be learned from the output of lldpctl?
- A . Serial number of Appliance
- B . Appliance model
- C . Distribution mode
- D . Orchestrator’s IP
C
Explanation:
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.
The output of lldpctl can show the serial number, appliance model, and orchestrator’s IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9
• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
• Maestro basic setup documentation – Page 2 – Check Point CheckMates
• Log and Configuration Files – Check Point Software
What is the purpose of Management ports located on the Rear Panel of the Orchestrator MHO-140?
- A . 1Gbps connectivity for Security Groups
- B . Reserved for internal purposes. Not in use.
- C . Out-of-band interfaces for access to Orchestrator itself
- D . Additional ports used as uplinks
C
Explanation:
The Management ports located on the Rear Panel of the Orchestrator MHO-140 are out-of-band interfaces that provide access to the Orchestrator itself for configuration and management purposes. They are not used for traffic distribution or connectivity to the Security Groups or the external networks. They are 1Gbps RJ-45 ports that can be connected to a switch or a router.
Reference
• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2
• Quantum Maestro Getting Started Guide – Check Point CheckMates, page 4
What happens if you apply a hotfix using gClish?
- A . If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at roughly the same time.
- B . If you apply a hotfix using gclish, each SG member installs the hotfix and reboots after waiting its turn to do so.
- C . Logical groups "A" and "B" are created. Members of group "A" install and reboot first. Then members of group "B" do the same once reboots have finished with group "A."
- D . If you apply a hotfix using gclish, the operation will fail because an outage would occur.
C
Explanation:
When applying a hotfix using gClish in a Check Point Maestro environment, the process is managed to minimize downtime and ensure continuous protection. The SG members are divided into groups to stagger the installation and reboot processes. This careful management ensures that not all devices go offline at the same time, maintaining network integrity and security during the update process.
What is the purpose of RJ-45 connectors located at the front panel of the Orchestrator MHO-170?
- A . Two Out-of-band interfaces for access to Orchestrator itself
- B . 1Gbps connectivity for Security Groups
- C . Out-of-band interface for access to Orchestrator itself and Serial Console connector
- D . Reserved for internal purposes. Not in use
C
Explanation:
The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is an RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.
Reference
• Maestro Hyperscale Orchestrator Datasheet – Check Point Software, page 2
• Quantum Maestro Getting Started Guide – Check Point CheckMates, page 4