Verified 156-836 dumps Q&As 100% Pass in First Attempt Guaranteed Updated Dump from BootcampPDF
Pass CCME 156-836 Exam With 77 Questions
CheckPoint 156-836, also known as the Check Point Certified Maestro Expert - R81 (CCME) certification exam, is designed for IT professionals who want to validate their skills in deploying, managing, and troubleshooting complex security infrastructures. Check Point Certified Maestro Expert - R81 (CCME) certification program is ideal for individuals who are responsible for designing and implementing large-scale security solutions using the Check Point Maestro technology.
NEW QUESTION # 19
Do all MHOs need to be upgraded before starting the SGM upgrades?
- A. All MHOs must first be upgraded before starting the SGM upgrades However, there is no requirement to upgrade all the SGMs during the same maintenance window as the MHOs.
- B. During the upgrade process all SGMs should be upgraded before upgrading all of the MHOs.
- C. MHOs do not need to be upgraded at all because Maestro supports the use of different versions between the MHOs and SGMs.
- D. A minimum of one of the MHOs should be upgraded before starting the SGM upgrades. However, there is no requirement to upgrade all the SGMs during the same maintenance window as the MHO
Answer: A
Explanation:
Explanation
This is the correct answer because it follows the upgrade order and procedure specified in the R81.10 and R81.20 Administration Guides for Maestro environments. The MHOs are responsible for managing and synchronizing the SGMs, so they must be upgraded to the target version before the SGMs. However, the SGMs can be upgraded one by one or in batches, as long as they are compatible with the MHOs. The upgrade process also supports Multi-Version Clustering, which allows different versions of SGMs to operate in the same Security Group with zero downtime.
References =
*Check Point R81.10 for Scalable Platforms - Check Point Software
*Check Point R81.20 for Scalable Platforms - Check Point Software
*CHECK POINT MAESTRO EXPERT
NEW QUESTION # 20
In what mode do MHOs process traffic?
- A. MHOs process traffic in Active-Standby mode
- B. MHOs process traffic in load sharing mode
- C. MHOs process traffic in VSLS mode
- D. MHOs process traffic in Active-Active mode
Answer: D
Explanation:
Explanation
MHOs process traffic in Active-Active mode, which means that both MHOs are active and share the load of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup.
Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.
References
*Maestro Expert (CCME) Course - Check Point Software, page 25
*CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2
NEW QUESTION # 21
What can be learned from the output of sx_api_ports_dump.py command?
- A. Orchestrator port status
- B. Information about downlink ports only
- C. Information about backplane bonds
- D. Information about Security Groups
Answer: C
Explanation:
Explanation
References
*R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
*[Maestro Expert (CCME) Course - Check Point Software], page 31
*[Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge], page 3
NEW QUESTION # 22
In a dual MHO environment, MHO1 and MHO2 are connected to the SGM line cards in which way?
- A. MHO1 and MHO2 are connected to the line cards in any order administrators see fit.
- B. MHO1 and MHO2 are connected to the SGMs using the Sync cable.
- C. MHO 1 is connected to the odd-numbered ports, while MHO2 is connected to even-numbered ports.
- D. MHO 1 is connected to the even-numbered ports, while MHO2 is connected to odd-numbered ports.
Answer: D
Explanation:
Explanation
The correct way to connect MHO1 and MHO2 to the SGM line cards in a dual MHO environment is to use the even-numbered ports for MHO1 and the odd-numbered ports for MHO2. This is to ensure that each SGM has two downlinks to each MHO, and that the downlinks are balanced across the different NICs and links. This provides redundancy and high availability for the traffic flow between the SGMs and the MHOs.
References
*R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
*Maestro Expert (CCME) Course - Check Point Software, page 18
*Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 16
NEW QUESTION # 23
Is it possible to define distribution mode per interface?
- A. No, only for the Security Group
- B. Yes, only for uplink interfaces
- C. Yes, only for downlink interfaces
- D. Yes, for both uplink and downlink interfaces
Answer: D
Explanation:
Explanation
Maestro allows you to define the distribution mode per interface, which determines how traffic is distributed among the Security Group Modules (SGMs) in a Security Group. You can configure the distribution mode for each interface individually, or use the default mode for all interfaces. The distribution mode can be set for both uplink and downlink interfaces.
References =
*Check Point Maestro R81.X Administration Guide, page 62, section "Distribution Mode" 1
*Check Point Maestro R81.X Getting Started Guide, page 25, section "Distribution Mode" 2
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
NEW QUESTION # 24
What is the default Distribution mode?
- A. Auto-topology
- B. Manual-General
- C. User
- D. Network
Answer: A
Explanation:
Explanation
Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object.
Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network.
The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16
NEW QUESTION # 25
Which feature is used to force trusted non-F2F traffic into the fully accelerated path for handling by SecureXL.
- A. Fast Accelerator
- B. SecureXL
- C. hypersync
- D. rate limiting
Answer: B
Explanation:
Explanation
SecureXL is typically used to accelerate trusted traffic, including non-F2F (face-to-face) traffic, through a secure, fast path.
References =
*SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above 1
*SecureXL Fast Accelerator - Need to clarify packet flow 2
1:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=
2:
https://community.checkpoint.com/t5/Security-Gateways/SecureXL-Fast-Accelerator-Need-to-clarify-packet-flo
NEW QUESTION # 26
How many orchestrators may Dual-Site include?
- A. Only 4
- B. 0
- C. 1
- D. 2 or 4
Answer: D
Explanation:
Explanation
A Dual Site environment can include either two or four orchestrators, depending on the scenario. There are three primary scenarios for Dual Site configuration:
*Direct connectivity between remote site orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.
*Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.
*Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that supports QinQ and MTU increment.
References =
*Maestro Dual Site configuration with a direct connection through L2 switches
*Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)
*Maestro Frequently Asked Questions (FAQ)
NEW QUESTION # 27
In a Maestro Dual Site environment, what is the definition of the term Active Site.
- A. The Active Site is the site where the SMO Master exists.
- B. There is no such thing as an active site. In a Dual Site environment, traffic is load balanced.
- C. The Active Site is the site that is not handling any traffic for the specific SG, but itsconnections are synced to its SGMs from the MHOs to be ready in the event of a failover.
- D. The Active Site is the site currently handling the enforcement on traffic passing for a specific SG.Connections are synced within the SGMs in the Active Site.
Answer: D
Explanation:
Explanation
In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.
References =
*Solved: Maestro dual site failover - Check Point CheckMates
*Maestro Dual Site configuration with a direct connection through L2 switches
NEW QUESTION # 28
Maestro allows running commands globally in Expert mode by using global prefixes, such as:
- A. g_all
- B. all
- C. asg all
- D. global
Answer: A
Explanation:
Explanation
The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates
NEW QUESTION # 29
What is an uplink interface used for?
- A. To connect in between appliances
- B. To connect in between Orchestrators
- C. To connect appliances to customer's infrastructure
- D. To connect Orchestrators to customer's infrastructure
Answer: D
Explanation:
Explanation
Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer's network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive management and control traffic from the customer's network to the MHOs.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 41
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline
NEW QUESTION # 30
What does the lldpctl command do?
- A. Show all devices discovered by LLDP protocol on all ports
- B. Show all devices discovered by LLDP protocol on downlink ports
- C. Discover orchestrators
- D. Show all devices discovered by LLDP protocol on uplink ports
Answer: A
Explanation:
Explanation
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration.
LLDP can help to discover the topology and connectivity of the Maestro environment.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section:
LLDP, page 3-9
NEW QUESTION # 31
What does asg monitor command do?
- A. Show real-time cluster status of Appliances in Security Group
- B. Monitor traffic on Appliances in Security Group
- C. Monitor health status of entire system
- D. This command does not exist
Answer: A
Explanation:
Explanation
The "asg monitor" command generally would show real-time cluster status of appliances in a security group, focusing on health and operational status.
NEW QUESTION # 32
What Maestro component is automatically designated the SMO Master?
- A. The MDS that pushes policy to the SMO is considered the SMO Master.
- B. The first MHO configured is considered the SMO Master.
- C. The SGM with the highest member ID (the last one added to the security group.)
- D. The SGM with the lowest member ID (the first one added to the security group.)
Answer: D
Explanation:
Explanation
The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.
References:
*Maestro Frequently Asked Questions (FAQ), under "What is a Single Management Object (SMO)?"
*Check Point Jump Start Course: Maestro, under "Maestro Security Groups"
NEW QUESTION # 33
What is the max amount of Orchestrators in Dual-site setup?
- A. 2 per Security Group
- B. 4 per Security Group
- C. 0
- D. 1
Answer: B
Explanation:
Explanation
A Dual Site setup can have either two or four orchestrators, depending on the scenario. However, the maximum number of orchestrators per Security Group is four, regardless of the number of sites. This is because each Security Group can have up to two orchestrators on each site, and each site can have up to two orchestrators. Therefore, the maximum number of orchestrators in a Dual Site setup is four per Security Group.
References =
*Maestro Frequently Asked Questions (FAQ)
*Maestro Dual Site configuration with a direct connection through L2 switches
*Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)
NEW QUESTION # 34
What cannot be learned from the output of asg monitor command?
- A. Port status
- B. Appliances cluster status
- C. Uptime
- D. Security Policy status
Answer: D
Explanation:
Explanation
The asg monitor command is a tool to display the status and statistics of the Maestro Security Group Members and the Orchestrators. It shows information such as uptime, port status, CPU usage, memory usage, traffic distribution, and appliances cluster status. However, it does not show the security policy status, such as the policy name, installation time, or revision. To view the security policy status, other commands such as asg policy or fw stat can be used.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.1: asg monitor, page 4-3
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg monitor, page 4-3
*asg monitor - Check Point Software
NEW QUESTION # 35
......
Ultimate Guide to Prepare Free 156-836 Exam Questions and Answer: https://drive.google.com/open?id=1Q9Mzt6z9Dlt3uNkjEfW2KF7bJZridGN1
Pass 156-836 Tests Engine pdf - All Free Dumps: https://www.bootcamppdf.com/156-836_exam-dumps.html