
156-836 Exam Questions Dumps, Selling CheckPoint Products
156-836 Cert Guide PDF 100% Cover Real Exam Questions
The Check Point Certified Maestro Expert - R81 (CCME) certification is globally recognized and validates the candidate's ability to work with complex security architectures. By earning the Check Point Certified Maestro Expert - R81 (CCME) certification, candidates can demonstrate their expertise in a critical area of network security architecture, which can enhance their career prospects in the cybersecurity industry. As the demand for cybersecurity professionals continues to grow, earning this certification can help individuals stand out in the job market and secure high-paying job roles in top organizations.
The CCME exam tests the candidate's ability to design, configure, deploy, and troubleshoot Check Point Maestro solutions. It covers a broad range of topics, including Maestro architecture and deployment, network management and troubleshooting, advanced security features, and automation and orchestration. The 156-836 exam consists of 90 multiple-choice questions and must be completed within 90 minutes. To pass the exam, candidates must score at least 70%. The CCME certification is valid for two years and can be renewed by passing a renewal exam or earning continuing education credits.
Earning the CCME certification is a great way to demonstrate your expertise in Check Point's advanced security solutions and enhance your career prospects. The Check Point Certified Maestro Expert - R81 (CCME) certification is highly valued in the IT industry and is recognized by top organizations worldwide. By passing the CCME exam, you'll gain a deep understanding of Check Point Maestro and the skills needed to deploy, manage, and troubleshoot complex security infrastructures, making you a highly sought-after professional in the field of cybersecurity.
NEW QUESTION # 44
What is the maximum number of Appliances within the same Security Group?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: D
Explanation:
The maximum number of appliances within the same security group is 31. This is because a security group can have up to 31 Security Group Modules (SGMs) of the same or different models, and each SGM is an appliance that runs the Check Point software. A security group can span across multiple chassis, and each chassis can have up to 16 SGMs. However, the total number of SGMs in a security group cannot exceed 31.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 51
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline
NEW QUESTION # 45
Is it possible to define distribution mode per interface?
- A. No, only for the Security Group
- B. Yes, only for downlink interfaces
- C. Yes, for both uplink and downlink interfaces
- D. Yes, only for uplink interfaces
Answer: C
Explanation:
Maestro allows you to define the distribution mode per interface, which determines how traffic is distributed among the Security Group Modules (SGMs) in a Security Group. You can configure the distribution mode for each interface individually, or use the default mode for all interfaces. The distribution mode can be set for both uplink and downlink interfaces.
References =
*Check Point Maestro R81.X Administration Guide, page 62, section "Distribution Mode" 1
*Check Point Maestro R81.X Getting Started Guide, page 25, section "Distribution Mode" 2
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
NEW QUESTION # 46
When working with Maestro, what is the difference between using Clish and gClish?
- A. Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members, by default.
- B. Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG members, by default.
- C. Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members, by default.
- D. Clish commands are run on the SG members. gClish commands are run on the MHO and applied to all connected SG members in a specified group.
Answer: A
Explanation:
This is the correct answer because it describes the difference between using Clish and gClish when working with Maestro. Clish is the Check Point command line shell that allows users to configure and manage the SG members individually. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. UP SG members are the ones that are in the UP state and have the same policy installed as the SMO Master.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates
NEW QUESTION # 47
There are two appliances within the same Security Group. One of them is connected by one downlink only, the other by two downlinks. Assuming there's no NAT and no VPN, what would be the proportion of traffic distribution done by the Orchestrator?
- A. 66%/33%
- B. 100%/0%
- C. 33%/66%
- D. 50%/50%
Answer: D
Explanation:
The proportion of traffic distribution done by Orchestrator depends on the traffic distribution mode that is configured for the Security Group. There are three modes: Round Robin, Load Sharing, and Active/Standby.
*Round Robin mode distributes the traffic equally among all the appliances in the Security Group, regardless of the number of downlinks they have. This mode is suitable for scenarios where all the appliances have similar performance and capacity. In this mode, the proportion of traffic distribution would be 50%/50% for two appliances with one and two downlinks respectively.
*Load Sharing mode distributes the traffic proportionally to the number of downlinks each appliance has. This mode is suitable for scenarios where the appliances have different performance and capacity. In this mode, the proportion of traffic distribution would be 33%/66% for two appliances with one and two downlinks respectively.
*Active/Standby mode distributes the traffic to only one appliance at a time, while the other appliances are in standby mode. This mode is suitable for scenarios where high availability is required. In this mode, the proportion of traffic distribution would be 100%/0% or 0%/100% for two appliances with one and two downlinks respectively, depending on which appliance is active.
Since the question does not specify the traffic distribution mode, the default mode is Round Robin. Therefore, the proportion of traffic distribution would be 50%/50% for two appliances with one and two downlinks respectively.
NEW QUESTION # 48
There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1, 2 and 3 accordingly. Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?
- A. Any pair of available ports
- B. Port 1 in Slot 2 and Port 2 in Slot 1
- C. This configuration is not supported
- D. Port 1 in Slot 1 and Port 2 in Slot 1
Answer: D
Explanation:
This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8
*Check Point 23800 Appliance Datasheet - Check Point Software, page 2
NEW QUESTION # 49
During an upgrade, is Multi-Version Clustering (MVC) supported?
- A. No, Maestro does not support MVC.
- B. Maestro supports MVC or full connectivity upgrade as of R80.40.
- C. No. Maestro does not support MVC because ClusterXL is disabled during an upgrade.
- D. Yes, MVC is supported as of R81 for Maestro.
Answer: D
Explanation:
Multi-Version Clustering (MVC) is a feature that allows different versions of Security Gateways to operate in the same cluster and provide seamless failover and load balancing. MVC is supported for Maestro environments as of R81, which means that it is possible to upgrade the Security Groups in a Maestro environment as a Multi-Version Cluster with zero downtime. This requires that the Maestro Orchestrators are upgraded to R81.20 first, and then the Security Groups can be upgraded one by one to R81.20 while maintaining full connectivity and synchronization.
References =
*Check Point R81.20 for Scalable Platforms - Check Point Software
*Maestro Dual Site configuration with a direct connection through L2 switches
*CHECK POINT MAESTRO EXPERT
NEW QUESTION # 50
Which distribution mode assigns packets to an SGM based solely on the packet destination IP?
- A. Network mode
- B. Manual mode
- C. Auto-topology mode
- D. User mode
Answer: A
Explanation:
Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
NEW QUESTION # 51
What is the Correction Layer?
- A. Correction Layer is a mechanism which is activated in case of asymmetric routing
- B. Correction Layer is a mechanism which handles asymmetric connections in a multi-appliance system, for example, in case of NAT
- C. Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute
- D. Correction Layer is a daemon which corrects errors on Backplane interfaces
Answer: B
Explanation:
The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
*NAT and the Correction Layer on a Security Gateway - Check Point Software
*Solved: Maestro queries - Check Point CheckMates
NEW QUESTION # 52
What cannot be learned from the output of lldpctl?
- A. Distribution mode
- B. Serial number of Appliance
- C. Appliance model
- D. Orchestrator's IP
Answer: A
Explanation:
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator's IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
*Log and Configuration Files - Check Point Software
NEW QUESTION # 53
At a minimum, how many management and Uplink ports does a SG require?
- A. Only one of the two interfaces is needed for the Security Group.
- B. One each.
- C. Two of each.
- D. Neither are required.
Answer: B
Explanation:
A Security Group (SG) requires at least one management port and one uplink port to function properly. The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the customer's management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink port is used to connect the SG to the customer's network infrastructure, such as switches, routers, or firewalls. The uplink port is also used to send and receive traffic from the customer's network to the SG.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 41
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline
NEW QUESTION # 54
Maestro allows running commands globally in Expert mode by using global prefixes, such as:
- A. global
- B. g_all
- C. all
- D. asg all
Answer: B
Explanation:
The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates
NEW QUESTION # 55
There are two 10Gbps dual-port NICs installed on a 6800 appliance. Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?
- A. Port 1 in Slot 1 and Port 2 in Slot 1
- B. Any pair of available ports
- C. Port 1 in Slot 2 and Port 2 in Slot 1
- D. Port 1 in Slot 1 and Port 1 in Slot 2
Answer: D
Explanation:
The correct interfaces to connect to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.
References
*Check Point 156-835 Certification Flashcards | Quizlet
*Maestro Expert (CCME) Course - Check Point Software, page 182
*Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163
NEW QUESTION # 56
What type of license is required for an MHO?
- A. The MHO requires a VSX license.
- B. A license is needed for each attached SGM.
- C. The MHO does not require a license.
- D. The MHO requires a NGTP license.
Answer: C
Explanation:
The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 71
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline
NEW QUESTION # 57
What is a security group?
- A. A solution for Security Gateway redundancy and Load Sharing.
- B. A set of appliances of the same model that are collectively managed by the MHO.
- C. A set of network interfaces and individual SGMs assigned to a logical group.
- D. A set of objects in SmartConsole that are responsible for enforcing an access policy.
Answer: A
Explanation:
Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features.
NEW QUESTION # 58
When security policy is installed
- A. All SGMs receive the security policy and one by one performs an independent policy verification. Then, all SGMs simultaneously install the policy.
- B. The policy is installed on the SMO, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.
- C. All SGMs receive the security policy and simultaneous policy installation occurs.
- D. The SMO Master receives the policy and performs a policy verification, the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.
Answer: D
Explanation:
This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13
*Policy installation flow - Check Point Software
NEW QUESTION # 59
Logs without a dedicated log file can be found in
- A. $FWDIR/log/fw.log
- B. $RTDIR/log/junk.log
- C. /var/log/messages
- D. /var/log/junk.log.dbg
Answer: C
Explanation:
The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clish commands that are not saved in the /var/log/command_logger.log file.
References
*Maestro Audit Logs - Where are they? - Check Point CheckMates
*sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands
*Maestro Expert (CCME) Course - Check Point Software, page 33
NEW QUESTION # 60
The drop_monitor command is useful for
- A. Viewing all interface drops such as RX-ERR, RX-DRP, and RX-OVR
- B. Viewing all drops by Check Point code or the Gaia OS, such as RX-DRP, RX-ERR, and Gaia OS drops.
- C. Monitoring Check Point code drops
- D. Showing the system temperature in real-time for multiple components, such as CPU, fan, and SSDs.
Answer: B
Explanation:
The drop_monitor command is a tool that monitors and displays the packets that are dropped by the Check Point code or the Gaia OS on the orchestrator and the appliances. It can help troubleshoot network issues and optimize performance. The command shows the drop reason, source, destination, protocol, and port of the dropped packets, as well as the interface and the module that dropped them.
References
*R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates
*Support, Support Requests, Training ... - Check Point Software
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge
NEW QUESTION # 61
Where should the sx_api_ports_dump.py command be run?
- A. Orchestrator
- B. Management server
- C. Security Group
- D. SMO Appliance
Answer: A
Explanation:
The sx_api_ports_dump.py command should be run on the Orchestrator, which is the device that manages the communication and the configuration of the Security Groups and the SGMs. The command shows the port mapping and the traffic distribution for each Security Group, as well as the backplane bonds and the Orchestrator ports. The command does not work on the Management server, the Security Group, or the SMO Appliance, as they do not have the same role and functionality as the Orchestrator.
References
*R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
*Maestro Expert (CCME) Course - Check Point Software, page 31
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 3
NEW QUESTION # 62
What will happen in case of NAT of the traffic passing through Management network?
- A. Orchestrator will disable NAT and traffic will pass with no issue
- B. This traffic will pass with no inspection
- C. This traffic will not pass correction, since it will be dropped
- D. Since Management traffic is always going to SMO, it will take care of the Correction Layer and will re-distribute traffic to other Appliances
Answer: A
Explanation:
According to the Check Point MAESTRO R80.20SP Administration Manual, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.
References
*Check Point MAESTRO R80.20SP Administration Manual, page 291
NEW QUESTION # 63
How does HyperSync work in a Dual Site environment?
- A. Each active connection has a local backup (on the local site) and a second backup connection on the second site (remote site.)
- B. Each active connection has a backup connection on the second site (remote site.)
- C. Each active connection has two local backups (on the local site) and a third backup connection on the second site (remote site.)
- D. Each active connection has a local backup (on the local site) and a second backup connection on each of the MHOs.
Answer: A
Explanation:
HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of a failover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.
References =
*Maestro Dual Site configuration with a direct connection through L2 switches
*Maestro Frequently Asked Questions (FAQ)
*CHECK POINT MAESTRO EXPERT
NEW QUESTION # 64
There is a Security group of 10 Appliances and all of them are up and running. How many Appliances within a Security Group keep the same connection in its connection table in case of NAT?
- A. 0
- B. Between 2 and 4
- C. 1
- D. All 10
Answer: B
Explanation:
References =
*Check Point Maestro R81.X Administration Guide, page 64, section "Correction Layer" 1
*Check Point Maestro R81.X Getting Started Guide, page 26, section "Correction Layer" 2
*Check Point Maestro Under the Hood presentation by Lari Luoma, slide 23
*Check Point Maestro Frequently Asked Questions (FAQ), question 9
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20M
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=
NEW QUESTION # 65
What does the lldpctl command do?
- A. Show all devices discovered by LLDP protocol on all ports
- B. Discover orchestrators
- C. Show all devices discovered by LLDP protocol on uplink ports
- D. Show all devices discovered by LLDP protocol on downlink ports
Answer: A
Explanation:
Explanation
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9
NEW QUESTION # 66
......