<p>Http://www.passcert.com</p><p>The safer, easier way to help you pass any IT exams.</p><p>Exam : 156-836</p><p>Title : Check Point Certified Maestro Expert - R81 (CCME)</p><p>Version : V10.03</p>
<p>1.What Maestro component is automatically designated the SMO Master?</p><p>A. The SGM with the lowest member ID (the first one added to the security group.)</p><p>B. The MDS that pushes policy to the SMO is considered the SMO Master.</p><p>C. The first MHO configured is considered the SMO Master.</p><p>D. The SGM with the highest member ID (the last one added to the security group.)</p><p>Answer: C</p><p>Explanation:</p><p>In Check Point Maestro's orchestration environment, the Master Orchestrator (MHO) plays a crucial role</p><p>in managing the Security Group's operation. The first MHO that you configure in a Maestro environment</p><p>takes on the role of the SMO Master. This MHO is responsible for controlling and managing the entire</p><p>security environment and ensures all configurations and policies are correctly implemented across the</p><p>security group.</p>
<p>2.What is a downlink interface used for?</p><p>A. To connect appliances to Orchestrators</p><p>B. To connect appliances to customer's infrastructure</p><p>C. To connect in between Orchestrators</p><p>D. To connect Orchestrators to customer's infrastructure</p><p>Answer: B</p>
<p>3.What type of license is required for an MHO?</p><p>A. The MHO requires a NGTP license.</p><p>B. The MHO requires a VSX license.</p><p>C. The MHO does not require a license.</p><p>D. A license is needed for each attached SGM.</p><p>Answer: C</p><p>Explanation:</p><p>The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM</p><p>(Security Group Module) that is attached to the MHO needs a license. The license type depends on</p><p>the features and blades that are enabled on the SGM. 
For example, if the SGM is running VSX, it</p><p>needs a VSX license.</p><p>Reference:</p><p>• Maestro Expert (CCME) Course - Check Point Software, page 71</p><p>• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline</p>
<p>4.What Maestro component acts as a load balancer and network switch?</p><p>A. Security Switching Module (SSM)</p><p>B. Maestro Hyperscale Orchestrator (MHO)</p><p>C. Security Group (SG)</p><p>D. Security Gateway Module (SGM)</p><p>Answer: B</p><p>Explanation:</p><p>• The Quantum Maestro Orchestrator uses the Distribution Mode to assign incoming traffic to Security</p><p>Group Members.</p><p>• Reference: Working with the Distribution Mode</p>
<p>5.What is an uplink interface used for?</p><p>A. To connect in between appliances</p><p>B. To connect appliances to customer's infrastructure</p><p>C. To connect Orchestrators to customer's infrastructure</p><p>D. To connect in between Orchestrators</p><p>Answer: C</p><p>Explanation:</p><p>Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s</p><p>network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive</p><p>management and control traffic from the customer’s network to the MHOs.</p><p>Reference:</p><p>• Maestro Expert (CCME) Course - Check Point Software, page 41</p><p>• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline</p>
<p>6.What is a security group?</p><p>A. A solution for Security Gateway redundancy and Load Sharing.</p><p>B. A set of appliances of the same model that are collectively managed by the MHO.</p><p>C. A set of network interfaces and individual SGMs assigned to a logical group.</p><p>D. 
A set of objects in SmartConsole that are responsible for enforcing an access policy.</p><p>Answer: A</p><p>Explanation:</p><p>Security groups are used to simplify management and policy enforcement across multiple devices or</p><p>network segments, often offering redundancy and load balancing features.</p>
<p>7.What is the Orchestrator?</p><p>A. Network Switch</p><p>B. Manager of compute and network resources, load balancer and network switch</p><p>C. Load balancer</p><p>D. None of above</p><p>Answer: B</p><p>Explanation:</p><p>The Orchestrator is a Maestro component that manages the compute and network resources of the</p><p>Security Group Modules (SGMs) in a Security Group. It also acts as a load balancer and a network</p><p>switch, distributing traffic among the SGMs and connecting them to the customer’s network</p><p>infrastructure.</p><p>Reference:</p><p>• Maestro Expert (CCME) Course - Check Point Software, page 41</p><p>• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline</p>
<p>8.What is the Correction Layer?</p><p>A. Correction Layer is a daemon which corrects errors on Backplane interfaces</p><p>B. Correction Layer is a mechanism which handles asymmetric connections in multi-appliance</p><p>system. For example, in case of NAT</p><p>C. Correction Layer is a mechanism which is activated in case of asymmetric routing</p><p>D. Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to</p><p>execute</p><p>Answer: B</p><p>Explanation:</p><p>The Correction Layer is a Maestro component that ensures that packets from the same connection are</p><p>handled by the same Security Group Module (SGM) in a multi-appliance system. 
This is especially</p><p>important when NAT is involved, as packets sent from the client to the server can be distributed to a</p><p>different SGM than packets from the same session sent from the server to the client. The Correction</p><p>Layer must then forward the packet to the correct SGM.</p><p>Reference:</p><p>• NAT and the Correction Layer on a Security Gateway - Check Point Software</p><p>• Solved: Maestro queries - Check Point CheckMates</p>
<p>9.What is the Correction Layer mechanism?</p><p>A. Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs.</p><p>B. The load-balancing mechanism used by the MHO.</p><p>C. The MHO's distribution algorithm which determines the handling SGM for a given connection.</p><p>D. Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in</p><p>the SG.</p><p>Answer: A</p><p>Explanation:</p><p>The Correction Layer mechanism is a Maestro component that ensures that packets from the same</p><p>connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is</p><p>especially important when NAT or VPNs are involved, as packets sent from the client to the server can</p><p>be distributed to a different SGM than packets from the same session sent from the server to the client.</p><p>The Correction Layer must then forward the packet to the correct SGM.</p><p>Reference:</p><p>• NAT and the Correction Layer on a VSX Gateway - Check Point Software</p><p>• Solved: Maestro queries - Check Point CheckMates</p>
<p>10.What is the maximum number of Appliances within Security group in Dual-Site configuration?</p><p>A. 28</p><p>B. 31</p><p>C. 15</p><p>D. 16</p><p>Answer: B</p>
<p>11.At a minimum, how many management and Uplink ports does a SG require?</p><p>A. Only one of the two interfaces is needed for the Security Group.</p><p>B. Neither are required.</p><p>C. Two of each.</p><p>D. 
One each.</p><p>Answer: D</p><p>Explanation:</p><p>A Security Group (SG) requires at least one management port and one uplink port to function properly.</p><p>The management port is used to connect the SG to the Maestro Hyperscale Orchestrator (MHO) and the</p><p>customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. The uplink</p><p>port is used to connect the SG to the customer’s network infrastructure, such as switches, routers, or</p><p>firewalls. The uplink port is also used to send and receive traffic from the customer’s network to the SG.</p><p>Reference:</p><p>• Maestro Expert (CCME) Course - Check Point Software, page 41</p><p>• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline</p>
<p>12.What is the maximum number of Appliances within the same Security Group?</p><p>A. 31</p><p>B. 8</p><p>C. 52</p><p>D. 16</p><p>Answer: C</p><p>Explanation:</p><p>In a Check Point Maestro environment, the maximum number of appliances that can be managed within</p><p>the same Security Group is 52. This capability highlights</p><p>the extensive scalability offered by Maestro,</p><p>allowing organizations to significantly expand their security infrastructure to handle higher traffic volumes</p><p>and more complex network configurations.</p>
<p>SGMs assigned to a logical group.</p><p>D. A set of objects in SmartConsole that are responsible for enforcing an access policy.</p><p>Answer: A</p><p>Explanation:</p><p>In Check Point's Maestro environment, a Security Group is a configuration that groups multiple Security</p><p>Gateway Modules (SGMs) to operate together for enhanced redundancy and load sharing. This setup</p><p>allows for high availability and scalability by distributing network traffic among several gateways,</p><p>ensuring that the network can handle large volumes of traffic and providing continuity in the event of a</p><p>gateway failure.</p>
<p>82.What is the Correction Layer mechanism?</p><p>A. Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs.</p><p>B. The load-balancing mechanism used by the MHO.</p><p>C. The MHO's distribution algorithm which determines the handling SGM for a given connection.</p><p>D. Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in</p><p>the SG.</p><p>Answer: A</p><p>Explanation:</p><p>The Correction Layer is a mechanism that handles asymmetric connections in systems with several</p><p>cluster members. It adds metadata to the packets to ensure that they are routed correctly and the</p><p>connection is maintained.</p><p>Reference = correction layer statistics - Check Point CheckMates, Lari Luoma | Lead Consultant |</p><p>Maestro SME | Check Point Evangelist, Maestro Frequently Asked Questions (FAQ) - Check Point</p><p>Software.</p>
<p>83.What is an uplink interface used for?</p><p>A. To connect in between appliances</p><p>B. To connect appliances to customer's infrastructure</p><p>C. To connect Orchestrators to customer's infrastructure</p><p>D. To connect in between Orchestrators</p><p>Answer: C</p><p>Explanation:</p><p>An uplink interface is used primarily for linking the orchestrators within a network environment to the</p><p>customer's broader infrastructure. This setup enables the orchestrators to manage traffic effectively,</p><p>providing a pathway for communication between the internal security mechanisms and the external</p><p>network, thereby ensuring seamless integration and data flow across different network segments. This</p><p>connection is critical for the overall functionality and management of network operations, facilitating</p><p>reliable and secure communication between the orchestrated environment and the customer's</p><p>operational network.</p>
<p>84.What is the Orchestrator?</p><p>A. Network Switch</p><p>B. Manager of compute and network resources, load balancer and network switch</p><p>C. Load balancer</p><p>D. None of above</p><p>Answer: B</p><p>Explanation:</p><p>The Orchestrator is a device that connects multiple security gateways into a unified system, called a</p><p>security group. It manages the configuration, policy, software, and routing of the security group, and</p><p>distributes the network traffic among the security gateways using a load-balancing algorithm. It also acts</p><p>as a network switch for the internal and external networks.</p><p>Reference = Maestro Hyperscale Orchestrator Datasheet - Check Point Software, Check Point Maestro</p><p>Hyperscale Network Security, 7 Reasons to Use Check Point Maestro and … - Check Point Software</p>
<p>85.What kinds of transceivers are supported on Orchestrator MHO-170?</p><p>A. SFP, QSFP, QSFP28</p><p>B. SFP+, SFP28, QSFP</p><p>C. SFP, SFP+, SFP28</p><p>D. QSFP, QSFP28</p><p>Answer: D</p>
<p>86.There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1,</p><p>2 and 3 accordingly.</p><p>Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy</p><p>when using two Orchestrators?</p><p>A. Port 1 in Slot 2 and Port 2 in Slot 1</p><p>B. This configuration is not supported</p><p>C. Any pair of available ports</p><p>D. Port 1 in Slot 1 and Port 2 in Slot 1</p><p>Answer: A</p>
<p>87.What is the purpose of interface bonding?</p><p>A. A bond interface can be configured for high availability redundancy.</p><p>B. A bond interface is used for passing synchronization traffic between the SGMs.</p><p>C. For load sharing which increases connection throughput above that which is possible using one</p><p>physical interface.</p><p>D. A bond interface can be configured for high availability redundancy or for load sharing which</p><p>increases connection throughput above that which is possible using one physical interface.</p><p>Answer: D</p>
<p>88.What is the maximum number of Appliances within the same Security Group?</p><p>A. 31</p><p>B. 8</p><p>C. 52</p><p>D. 16</p><p>Answer: C</p>
<p>89.What type of cluster can a Security Group be compared to?</p><p>A. Load Sharing Active / Active</p><p>B. VSLS</p><p>C. Active / Backup</p><p>D. Active / Standby</p><p>Answer: A</p>
<p>90.On the MHO, to view connected ports and their functions, use the following command:</p><p>A. asg_ifconfig</p><p>B. show ports</p><p>C. orch_stat -c</p><p>D. orch_stat -p</p><p>Answer: D</p>
<p>91.What command will be used for updating fwkern.conf file on all Appliances within Security Group?</p><p>A. vi</p><p>B. g_all update_conf_file</p><p>C. g_update_kernel</p><p>D. g_update_conf_file</p><p>Answer: D</p>
<p>92.Each morning at 1:00 am, a series of automatic diagnostics on all the SGMs runs by automatic</p><p>execution of which command?</p><p>A. hcp -r all</p><p>B. asg diag list</p><p>C. asg diag verify</p><p>D. asg perf -v</p><p>Answer: C</p>
<p>93.Common Layer 1 issues include</p><p>A. Routing</p><p>B. Distribution</p><p>C. MAC addresses</p><p>D. Loose or bad cables</p><p>Answer: D</p>
<p>94.The __________command can be used during an upgrade to verify that the upgraded SGMs have</p><p>returned to UP status before upgrading other SGMs.</p><p>A. asg monitor</p><p>B. cpview</p><p>C. asg perf -v</p><p>D. watch asg stat -v</p><p>Answer: D</p>
<p>13.For the MHO-175, which ports are Management ports?</p><p>A. 
Ports 49 - 55 are Management ports.</p><p>B. Ports 1 - 4 are Management ports.</p><p>C. Ports 27 - 47 are Management ports.</p><p>D. Ports 5 - 26 are Management ports.</p><p>Answer: A</p><p>Explanation:</p><p>In the MHO-175 Maestro Orchestrator, ports numbered from 49 to 55 are designated as Management</p><p>ports. These ports are utilized for managing the device itself and for orchestrating the network and</p><p>security tasks across connected appliances within the environment.</p>
<p>14.What kinds of transceivers are supported on Orchestrator MHO-140?</p><p>A. SFP, QSFP, QSFP28</p><p>B. SFP+, SFP28, QSFP</p><p>C. SFP, SFP+, SFP28</p><p>D. SFP, SFP+, QSFP, QSFP28</p><p>Answer: D</p><p>Explanation:</p><p>The Orchestrator MHO-140 supports a wide range of transceiver types, including SFP, SFP+, QSFP, and</p><p>QSFP28. This range of compatibility allows for flexibility in network configurations and ensures that the</p><p>Orchestrator can interface effectively with a variety of network hardware and speeds, accommodating</p><p>different data rate requirements and connectivity options.</p>
<p>15.What happens if the SMO Master fails?</p><p>A. The next SGM with the current lowest SGM ID assumes the role of the SMO Master.</p><p>B. The Backup SMO Master will take over in the event of a failure with the SMO Master.</p><p>C. A failover will occur on the MHO and traffic will continue to pass.</p><p>D. The Security Group will no longer pass traffic and the issue must be resolved with the SMO Master.</p><p>Answer: B</p><p>Explanation:</p><p>The SMO Master is the SGM that is responsible for managing the Security Group and communicating</p><p>with the MHO. 
If the SMO Master fails, the Backup SMO Master, which is the SGM with the next lowest</p><p>SGM ID, will take over the role of the SMO Master and ensure the continuity of the Security Group</p><p>operations.</p><p>Reference = Maestro Expert (CCME) Course - Check Point Software, page 14; Check Point Accredited</p><p>Maestro Expert - New exam a… - Check Point CheckMates, page 1.</p>
<p>16.What does the lldpctl command do?</p><p>A. Show all devices discovered by LLDP protocol on downlink ports</p><p>B. Show all devices discovered by LLDP protocol on all ports</p><p>C. Discover orchestrators</p><p>D. Show all devices discovered by LLDP protocol on uplink ports</p><p>Answer: B</p><p>Explanation:</p><p>The lldpctl command is a tool to display information about the devices discovered by the Link Layer</p><p>Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members.</p><p>LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and</p><p>configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line</p><p>Interface and WebUI, Lesson 4.2: LLDP, page 4-9</p><p>• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules,</p><p>Section: LLDP, page 3-9</p>
<p>17.What type of cluster can a Security Group be compared to?</p><p>A. Load Sharing Active / Active</p><p>B. VSLS</p><p>C. Active / Backup</p><p>D. 
Active / Standby</p><p>Answer: A</p><p>Explanation:</p><p>A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of</p><p>multiple Security Group Members that share the traffic load and provide high availability and scalability.</p><p>Each Security Group Member is an active firewall that processes traffic according to the Security Group</p><p>policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer</p><p>that distributes the traffic among the Security Group Members based on their capacity and availability.</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups,</p><p>Lesson 2.1: Introduction to Security Groups, page 2-4</p><p>• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security</p><p>Group Overview, page 2-3</p>
<p>18.What kinds of transceivers are supported on Orchestrator MHO-170?</p><p>A. SFP, QSFP, QSFP28</p><p>B. SFP+, SFP28, QSFP</p><p>C. SFP, SFP+, SFP28</p><p>D. QSFP, QSFP28</p><p>Answer: D</p><p>Explanation:</p><p>The Orchestrator MHO-170 supports QSFP and QSFP28 transceivers on its 32x 100 GbE ports. QSFP</p><p>stands for Quad Small Form-factor Pluggable and QSFP28 is an enhanced version of QSFP that</p><p>supports up to 28 Gbps per lane. These transceivers can provide high-speed and high-density</p><p>connectivity for the Maestro environment.</p><p>Reference</p><p>• Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2</p><p>• Maestro Transceiver & DAC Inventory - Check Point CheckMates</p>
<p>19.There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1,</p><p>2 and 3 accordingly.</p><p>Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy</p><p>when using two Orchestrators?</p><p>A. 
Port 1 in Slot 2 and Port 2 in Slot 1</p><p>B. This configuration is not supported</p><p>C. Any pair of available ports</p><p>D. Port 1 in Slot 1 and Port 2 in Slot 1</p><p>Answer: A</p><p>Explanation:</p><p>This configuration allows for intra-orchestrator redundancy by utilizing ports from different NICs in</p><p>different slots. This setup provides a failover capability, ensuring that if one NIC or its associated slot</p><p>encounters an issue, the other can take over without loss of connectivity or function. This strategic</p><p>arrangement of connections enhances the resilience and reliability of the network configuration when</p><p>using two Orchestrators.</p>
<p>20.Which licenses should be issued for the Orchestrator?</p><p>A. No licenses are required for Orchestrator</p><p>B. Depends on Software Blades enabled on connected appliances</p><p>C. The Orchestrator is considered a Management server, hence it's licensed the same way</p><p>D. The Orchestrator requires NGTX license</p><p>Answer: A</p><p>Explanation:</p><p>Orchestrators in many network environments do not require separate licenses, as they primarily function</p><p>to manage and distribute network traffic.</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check</p><p>Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8</p><p>• Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro,</p><p>Section: Maestro Licensing, page 1-6</p><p>• Activation of a Quantum Maestro Orchestrator - Check Point Software</p>
<p>21.When security policy is installed</p><p>A. All SGMs receive the security policy and one by one performs an independent policy verification.</p><p>Then, all SGMs simultaneously install the policy.</p><p>B. 
The SMO Master receives the policy and performs a policy verification the policy is installed on the</p><p>SMO Master, the SMO Master broadcasts the available package, other members retrieve the new policy</p><p>from the SMO Master, then the non-SMO Master SGMs install the policy.</p><p>C. All SGMs receive the security policy and simultaneous policy installation occurs.</p><p>D. The policy is installed on the SMO, the SMO Master broadcasts the available package, other</p><p>members retrieve the new policy from the SMO Master and perform an independent policy verification,</p><p>then the non-SMO Master SGMs install the policy.</p><p>Answer: D</p><p>Explanation:</p><p>This process ensures that the security policy is centrally managed and distributed by the SMO Master,</p><p>maintaining consistency across the security group while allowing individual SGMs to verify the policy</p><p>independently before installation. This method helps to ensure that all configurations and security</p><p>policies are correctly applied and functional across the network.</p><p>22.What cannot be learned from the output of asg monitor command?</p><p>A. Uptime</p><p>B. Port status</p><p>C. Security Policy status</p><p>D. Appliances cluster status</p><p>Answer: C</p><p>23.Maestro allows running commands globally in Expert mode by using global prefixes, such as:</p><p>A. asg all</p><p>B. g_all</p><p>C. all</p><p>D. global</p><p>Answer: B</p><p>Explanation:</p><p>The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the</p><p>current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The</p><p>other prefixes are not valid for global commands in Expert mode. 
Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line</p><p>Interface and WebUI, Lesson 4.3: Global Commands, page 4-11</p><p>• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and</p><p>WebUI, Section: Global Commands, page 4-9</p><p>• Global Expert Mode Commands - Check Point CheckMates</p>
<p>24.The ______________ command will allow users to update the specified file on all SGMs.</p><p>A. g_update_conf_file</p><p>B. g_all</p><p>C. sed</p><p>D. g_cat</p><p>Answer: A</p><p>Explanation:</p><p>The g_update_conf_file command is a global command that allows users to update the specified file on</p><p>all Security Group Members of the current Security Group. The command takes the file name and the</p><p>parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file</p><p>fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file</p><p>on all SGMs.</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line</p><p>Interface and WebUI, Lesson 4.3: Global Commands, page 4-12</p><p>• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and</p><p>WebUI, Section: Global Commands, page 4-10</p><p>• Maestro Commands for Security Groups - Check Point CheckMates</p>
<p>25.What happens when you make changes from Clish on the SMO Master?</p><p>A. The changes are synchronized to the SMS/MDS as a backup.</p><p>B. The changes are synchronized to the MHO as a backup.</p><p>C. Changes are only applied on the SMO Master.</p><p>D. 
Changes are applied to all members in the SG.</p><p>Answer: C</p><p>Explanation:</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups,</p><p>Lesson 2.2: Security Group Configuration, page 2-10</p><p>• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security</p><p>Group Configuration, page 2-9</p><p>• Security Group Configuration - Check Point Software</p>
<p>26.When working with Maestro, what is the difference between using Clish and gClish?</p><p>A. Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG</p><p>members, by default.</p><p>B. Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members,</p><p>by default.</p><p>C. Clish commands are run on the SG members. gClish commands are run on the MHO and applied to</p><p>all connected SG members in a specified group.</p><p>D. Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members,</p><p>by default.</p><p>Answer: D</p>
<p>27.What cannot be learned from the output of lldpctl?</p><p>A. Serial number of Appliance</p><p>B. Appliance model</p><p>C. Distribution mode</p><p>D. Orchestrator's IP</p><p>Answer: C</p><p>Explanation:</p><p>The lldpctl command is a tool to display information about the devices discovered by the Link Layer</p><p>Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members.</p><p>LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and</p><p>configuration. 
LLDP can help to discover the topology and connectivity of the Maestro environment.</p><p>The output of lldpctl can show the serial number, appliance model, and orchestrator’s IP of the</p><p>connected devices, but it cannot show the distribution mode of the Security Group. The distribution</p><p>mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among</p><p>the Security Group Members. To view the distribution mode, other commands such as asg monitor</p><p>or asg stat can be used.</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line</p><p>Interface and WebUI, Lesson 4.2: LLDP, page 4-9</p><p>• Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules,</p><p>Section: LLDP, page 3-9</p><p>• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic</p><p>Distribution, page 2-7</p><p>• Maestro basic setup documentation - Page 2 - Check Point CheckMates</p><p>• Log and Configuration Files - Check Point Software</p><p>28.What is the purpose of Management ports located on the Rear Panel of the Orchestrator MHO-140?</p><p>A. 1Gbps connectivity for Security Groups</p><p>B. Reserved for internal purposes. Not in use.</p><p>C. Out-of-band interfaces for access to Orchestrator itself</p><p>D. 
Additional ports used as uplinks</p><p>Answer: C</p><p>Explanation:</p><p>The Management ports located on the Rear Panel of the Orchestrator MHO-140 are out-of-band</p><p>interfaces that provide access to the Orchestrator itself for configuration and management purposes.</p><p>They are not used for traffic distribution or connectivity to the Security Groups or the external networks.</p><p>They are 1Gbps RJ-45 ports that can be connected to a switch or a router.</p><p>Reference</p><p>• Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2</p><p>• Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4</p>
<p>29.What happens if you apply a hotfix using gClish?</p><p>A. If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at</p><p>roughly the same time.</p><p>B. If you apply a hotfix using gclish, each SG member installs the hotfix and reboots after waiting its</p><p>turn to do so.</p><p>C. Logical groups "A" and "B" are created. Members of group "A" install and reboot first. Then members</p><p>of group "B" do the same once reboots have finished with group "A."</p><p>D. If you apply a hotfix using gclish, the operation will fail because an outage would occur.</p><p>Answer: C</p><p>Explanation:</p><p>When applying a hotfix using gClish in a Check Point Maestro environment, the process is managed to</p><p>minimize downtime and ensure continuous protection. The SG members are divided into groups to</p><p>stagger the installation and reboot processes. This careful management ensures that not all devices go</p><p>offline at the same time, maintaining network integrity and security during the update process.</p>
<p>30.What is the purpose of RJ-45 connectors located at the front panel of the Orchestrator MHO-170?</p><p>A. Two Out-of-band interfaces for access to Orchestrator itself</p><p>B. 
1Gbps connectivity for Security Groups</p><p>C. Out-of-band interface for access to Orchestrator itself and Serial Console connector</p><p>D. Reserved for internal purposes. Not in use</p><p>Answer: C</p><p>Explanation:</p><p>The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band</p><p>management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-</p><p>band interface for accessing the Orchestrator itself for configuration and management purposes.</p><p>The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and</p><p>troubleshooting.</p><p>Reference</p><p>• Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2</p><p>• Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4</p><p>31.What does asg monitor command do?</p><p>A. This command does not exist</p><p>B. Monitor health status of entire system</p><p>C. Monitor traffic on Appliances in Security Group</p><p>D. Show real-time cluster status of Appliances in Security Group</p><p>Answer: D</p><p>Explanation:</p><p>The "asg monitor" command generally would show real-time cluster status of appliances in a security</p><p>group, focusing on health and operational status.</p><p>The safer , easier way to help you pass any IT exams.</p><p>12 / 33</p><p>32.What will happen in case of NAT of the traffic passing through Management network?</p><p>A. This traffic will not pass correction, since it will be dropped</p><p>B. Orchestrator will disable NAT and traffic will pass with no issue</p><p>C. Since Management traffic is always going to SMO, it will take a care for Correction Layer and will re-</p><p>distribute traffic to other Appliances</p><p>D. 
This traffic will pass with no inspection</p><p>Answer: A</p><p>Explanation:</p><p>When managing traffic through the Management network in a Check Point environment, especially in</p><p>scenarios involving Network Address Translation (NAT), it is crucial to handle the traffic correctly to</p><p>ensure security and network integrity. If NAT is applied incorrectly or inappropriately within the</p><p>management traffic, it can lead to issues where the traffic is dropped due to mismatches or errors in</p><p>handling, as it does not pass through the normal inspection or correction processes that would typically</p><p>manage and rectify such issues.</p><p>33.Which distribution mode assigns packets to an SGM based solely on the packet destination IP?</p><p>A. User mode</p><p>B. Manual mode</p><p>C. Network mode</p><p>D. Auto-topology mode</p><p>Answer: C</p><p>Explanation:</p><p>Network mode is the distribution mode that assigns packets to an SGM based solely on the packet</p><p>destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a</p><p>specific SGM. This mode ensures that all packets with the same destination IP are processed by the</p><p>same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination</p><p>IP is the main factor for load balancing, such as NAT or VPN.</p><p>Reference</p><p>• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups,</p><p>Lesson 2.4: Traffic Flow, page 2-19</p><p>• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic</p><p>Distribution, page 2-7</p><p>• Maestro basic setup documentation - Page 2 - Check Point CheckMates</p><p>34.When a VPN tunnel is formed with a Maestro SGM,</p><p>A. The receiving SGM makes an encryption decision. The SGM then syncs the traffic to two backup</p><p>SGMs: one for clear traffic and one for encrypted traffic.</p><p>B. 
SGM 1 analyzes the policy and topology. If encryption is required, it calculates the tunnel owner's IP</p><p>address. SGM 1 sends a clear packet to the tunnel owner. SGM 2 is now the connection and tunnel</p><p>owner.</p><p>C. The MHO handles the IKE before distributing the traffic to a SGM to handle all encrypted traffic.</p><p>This helps to prevent any issues with the correction layer.</p><p>D. The MHO distributes copies of the packets to two different SGMs because SGM 1 will handle the</p><p>clear traffic IKE exchange packets, while SGM2 handles encrypted packets.</p><p>The safer , easier way to help you pass any IT exams.</p><p>13 / 33</p><p>Answer: B</p><p>35.What is the default Distribution mode?</p><p>A. Auto-topology</p><p>B. User</p><p>C. Manual-General</p><p>D. Network</p><p>Answer: A</p><p>Explanation:</p><p>Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the</p><p>Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in</p><p>the gateway object. Each port is either in user mode or network mode depending on the topology.</p><p>User mode means that the port is connected to the internal network and network mode means that the</p><p>port is connected to the external network. The Orchestrator uses a hash function to map each source IP</p><p>or destination IP to a specific SGM, depending on the mode of the port. 
This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18
• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
• Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist 1, slide 16

36. Layer 4 distribution is enabled by default in Maestro.
Which is not a scenario when you would want to leave this enabled?
A. When there is a large number of source ports in use by protocols such as HTTP, HTTPS, and DNS.
B. When dynamic routing protocols, such as BGP or OSPF are used.
C. When there is a heavy imbalance of traffic between the SGMs that are members of the same SG.
D. When the SG is NATing a very high percentage of traffic passing through it.
Answer: B
Explanation:
This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships.
If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20
• Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8
• Layer 4 Distribution - Yes or No? - Check Point CheckMates
• Support, Support Requests, Training … - Check Point Software

37. What command can be run to show which SGM is selected to receive traffic?
A. g_tcpdump
B. asg monitor
C. dxl calc
D. asg calc
Answer: D
Explanation:
The asg calc command is a tool to show which SGM is selected to receive traffic based on the distribution mode and the packet parameters. It takes the port number, the source IP, the destination IP, and optionally the source port and the destination port as arguments and returns the SGM ID and the hash value. For example, asg calc 1 10.0.0.1 20.0.0.2 1234 80 will show which SGM will receive the traffic from 10.0.0.1:1234 to 20.0.0.2:80 on port 1.
Reference
• Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.1: asg calc, page 4-5
• Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg calc, page 4-5
• asg calc - Check Point Software

38. Is it possible to define distribution mode per interface?
A. Yes, only for downlink interfaces
B. No, only for the Security Group
C. Yes, only for uplink interfaces
D. Yes, for both uplink and downlink interfaces
Answer: D
Explanation:
Maestro allows you to define the distribution mode per interface, which determines how traffic is distributed among the Security Group Modules (SGMs) in a Security Group. You can configure the distribution mode for each interface individually, or use the default mode for all interfaces. The distribution mode can be set for both uplink and downlink interfaces.
Reference =
• Check Point Maestro R81.X Administration Guide, page 62, section “Distribution Mode” 1
• Check Point Maestro R81.X Getting Started Guide, page 25, section “Distribution Mode” 2
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm

39. There are two appliances within the same Security Group. One of them is connected by one downlink only, the other by two downlinks.
Assuming there's no NAT and no VPN, what would be the proportion of traffic distribution done by the Orchestrator?
A. 100%/0%
B. 33%/66%
C. 50%/50%
D. 66%/33%
Answer: B

40. In case of Correction, where is information about Owner stored?
A. In Correction table of Target Appliance
B. In Connection tables of all Appliances participating in Correction Layer flow
C. In Correction tables of all Appliances participating in Correction Layer flow
D. In Connection table of Target Appliances
Answer: C
Explanation:
The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members.
It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric.
The Correction Layer works as follows:
• When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.
• If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.
• If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.
• The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all cluster members to inform them about the owner of each connection.

41. While looking at your system's correction statistics, you notice you have a correction rate approaching 100 percent. Is this a problem?
A. A correction rate above 90 percent indicates a need to disable Layer 4 Distribution.
B. A correction rate approaching 100 percent of all connections is unusual. This is a cause for concern because the SGMs may fail to process traffic.
C. If correction rates are higher than 80 percent, latency is expected.
D. In some scenarios, a correction rate approaching 100 percent of all connections is not unusual. This is not usually a cause for concern as the correction mechanism is fast and efficient.
Answer: D
Explanation:
The correction rate is the percentage of connections that require correction by the correction layer, which is a mechanism that ensures that the traffic is processed by the correct SGM in the Security Group. The correction rate depends on the distribution mode (Layer 3 or Layer 4) and the traffic pattern. In some scenarios, such as when the traffic is asymmetric or when the distribution mode is Layer 4, the correction rate can approach 100 percent of all connections. This is not a problem, as the correction layer is designed to handle such situations without affecting the performance or availability of the Security Group.
Reference = Maestro Expert (CCME) Course - Check Point Software, page 16.

42. There is a Security group of 10 Appliances and all of them are up and running.
How many Appliances within a Security Group keep the same connection in its connection table in case of NAT?
A. Between 2 and 4
B. All 10
C. 2
D. 3
Answer: C
Explanation:
In a security group configuration where Network Address Translation (NAT) is involved, generally only two appliances within the group—the one that first processes and translates the traffic (the entry point) and the one that last handles the exit traffic—maintain the connection details in their connection tables. This setup is efficient for managing the NAT process across multiple appliances, ensuring that the translation remains consistent and is applied correctly as traffic enters and exits the security infrastructure.

43. Which command do you use to find bottlenecks in the system that are affecting performance, even functionality in some cases?
A. asg stat -v
B. asg diag verify
C. asg perf -v
D. asg monitor
Answer: C
Explanation:
The asg perf -v command is used to find bottlenecks in the system that are affecting performance, even functionality in some cases. The asg perf -v command displays the performance statistics of the Security Group Modules (SGMs) in the Security Group, such as throughput, packet rate, CPU utilization, memory usage, and more. The asg perf -v command also shows the distribution mode and the correction rate of each SGM, which can indicate potential issues with asymmetric routing or load balancing.
The asg perf -v command can help identify which SGMs are overloaded, underutilized, or misconfigured, and provide insights for troubleshooting and optimization.
Reference =
• Check Point Maestro R81.X Administration Guide, page 67, section “asg perf” 1
• Check Point Maestro R81.X Getting Started Guide, page 29, section “asg perf” 2
• Check Point Maestro Under the Hood presentation by Lari Luoma, slide 26
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20Maestro%20under%20the%20hood%202022.pptx

44. What is the command 'asg diag' used for?
A. Asg diag is used for system diagnostics on Chassis only. It does not exist on Maestro
B. Asg diag is used for system backup
C. Asg diag is used for system diagnostics
D. Asg diag is used for creating traffic flow diagrams
Answer: C
Explanation:
The asg diag command is used for system diagnostics on both Maestro and Chassis systems. The asg diag command can perform various tests and checks on the system components, such as hardware, software, network, clock, ARP, and more.
The asg diag command can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.
Reference =
• Check Point Maestro R81.X Administration Guide, page 66, section “asg diag” 1
• Check Point Maestro R81.X Getting Started Guide, page 28, section “asg diag” 2
• Check Point Maestro Under the Hood presentation by Lari Luoma, slide 25
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20Maestro%20under%20the%20hood%202022.pptx

45. HealthCheck Point _____
A. is a self-updatable suite of tools for MHOs with the capability to assess the health of the system and provide a timeline of critical and informative events that might have occurred in a production system.
B. performs a system health check and is meant to replace both a CPInfo and the health check script.
C. can be used to let you visualize the Firewall topology for the SG and view live statistics, which includes throughput, problem notes, and CPU utilization.
D. is a self-updatable suite of tools for SGMs with the capability to assess the health of the system, visualize the Firewall topology, provide a timeline of critical and informative events that might have occurred in a production system.
Answer: D
Explanation:
HealthCheck Point (HCP) is a tool that can perform various tests and checks on the system components of the Security Group Modules (SGMs), such as hardware, software, network, clock, ARP, and more. It can also display the performance statistics of the SGMs, such as throughput, packet rate, CPU utilization, memory usage, and more.
Additionally, HCP can provide a graphical representation of the Firewall topology for the Security Group, showing the connections and statuses of the SGMs and the Orchestrators. Furthermore, HCP can generate a report of the critical and informative events that occurred on the system, such as configuration changes, errors, warnings, and alerts. HCP can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.
Reference =
• HealthCheck Point (HCP) Release Updates - Check Point Software 1
• Professional Services Healthcheck - Check Point Software 2
• HealthCheck Point - Check Point CheckMates 3

46. What command should be used for collecting diagnostic information about the orchestrator?
A. cpinfo
B. asg perf -v
C. cpview
D. orch_info
Answer: A
Explanation:
The cpinfo command is a tool that collects diagnostic information about the orchestrator, such as hardware, software, network, configuration, and logs. The cpinfo command generates a file that can be sent to Check Point Support for analysis and troubleshooting.
The cpinfo command can be run on the orchestrator’s CLI or WebUI.
Reference =
• Check Point Maestro R81.X Administration Guide, page 68, section “cpinfo” 1
• Check Point Maestro R81.X Getting Started Guide, page 30, section “cpinfo” 2
• Maestro Hyperscale Orchestrator Datasheet - Check Point Software 3
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm
3: https://www.checkpoint.com/downloads/products/maestro-hyperscale-orchestrator-datasheet.pdf

47. The core four manual diagnostic tools include: asg diag verify, asg perf -v, orch_stat -all, and
A. asg diag verify
B. cpinfo
C. hcp -r all
D. asg stat -v
Answer: D
Explanation:
"Asg stat -v" could be a part of the core diagnostic tools, providing valuable statistics and information for manual diagnostics.
Reference =
• Maestro Expert (CCME) Course - Check Point Software 3
• Check Point Maestro R81.X Administration Guide 1
• Check Point Maestro R81.X Getting Started Guide 2
3: https://www.checkpoint.com/downloads/training/ccme-maestro-expert-r81.10-course.pdf
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm

48. Which feature is used to force trusted non-F2F traffic into the fully accelerated path for handling by SecureXL?
A. Fast Accelerator
B. hypersync
C. rate limiting
D. SecureXL
Answer: D
Explanation:
SecureXL is typically used to accelerate trusted traffic, including non-F2F (face-to-face) traffic, through a secure, fast path.
Reference =
• SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above 1
• SecureXL Fast Accelerator - Need to clarify packet flow 2
1: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156672
2: https://community.checkpoint.com/t5/Security-Gateways/SecureXL-Fast-Accelerator-Need-to-clarify-packet-flow/td-p/114651

49. Splitter cannot be used _______
A. To connect single port on orchestrator to the same Appliance
B. To connect single port on orchestrator to multiple port on external switch
C. To connect single port on Appliance to multiple ports on the orchestrator
D. To connect single port on orchestrator to multiple Appliances
Answer: A

50. What is the purpose of g_tcpdump command?
A. Collects traffic dump from all Active Appliances within Security Group
B. Collects traffic dump from CIN network
C. Collects traffic dump from Sync network
D. The same as tcpdump, just on Scalable Platform
Answer: A
Explanation:
"g_tcpdump" probably collects traffic dumps from all active appliances within a security group, aligning with the naming convention and function of similar commands in scalable platforms.
Reference
• Maestro Expert (CCME) Course - Check Point Software, page 331
• What is ‘IN’ and ‘OUT’ of g_tcpdump? - Check Point CheckMates 2
• CHECK POINT MAESTRO EXPERT, page 23

51. What is the throughput penalty of Security Group?
A. Depends on the type of Appliance
B. 1% per member
C. 10% per Security Group with no relation to the number of members
D. 5% per member
Answer: C
Explanation:
This represents a general penalty for utilizing a Security Group in a network configuration, impacting throughput by a fixed percentage irrespective of how many members or appliances are part of the group. This penalty is typically due to the overhead required for managing and coordinating the multiple devices within the group, which can affect overall performance.

52. To display processes that are consuming excessive system resources, users should use the _____ command.
A. asg perf -v
B. asg stat -v
C. top
D. asg_perf_hogs
Answer: C
Explanation:
This command is widely used in Unix-like operating systems to provide a dynamic real-time view of a running system. It can display system summary information and a list of tasks currently being managed by the Linux kernel. The other commands listed are specific to Check Point's architecture and do not specifically perform the function of showing resource-consuming processes as directly as the top command does.

53. Logs without a dedicated log file can be found in
A. /var/log/junk.log.dbg
B. /var/log/messages
C. $RTDIR/log/junk.log
D. $FWDIR/log/fw.log
Answer: B
Explanation:
The /var/log/messages file is a general system log file that contains information about various system events, such as booting, shutdown, cron jobs, kernel messages, and other system services. Logs without a dedicated log file can be found in this file, as well as some Maestro Gaia Clish commands that are not saved in the /var/log/command_logger.log file.
Reference
• Maestro Audit Logs - Where are they? - Check Point CheckMates 1
• sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands 2
• Maestro Expert (CCME) Course - Check Point Software, page 33

54. The drop_monitor command is useful for
A. Monitoring Check Point code drops
B. Viewing all interface drops such as RX-ERR, RX-DRP, and RX-OVR
C. Viewing all drops by Check Point code or the Gaia OS, such as RX-DRP, RX-ERR, and Gaia OS drops.
D. Showing the system temperature in real-time for multiple components, such as CPU, fan, and SSDs.
Answer: C
Explanation:
The drop_monitor command is a tool that monitors and displays the packets that are dropped by the Check Point code or the Gaia OS on the orchestrator and the appliances. It can help troubleshoot network issues and optimize performance. The command shows the drop reason, source, destination, protocol, and port of the dropped packets, as well as the interface and the module that dropped them.
Reference
• R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates 1
• Support, Support Requests, Training … - Check Point Software 2
• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge

55. Possibilities for a failure in a single SGM of a Security Group include.
A. A change was made with clish instead of gClish, causing the SGM to handle traffic differently than the other SGMs.
B. SecureXL is not enabled on the SGM.
C. An administrator imported a hotfix into the CPUSE repository of a single SGM.
D. There are too many active SGMs in the SG.
Answer: C
Explanation:
One of the possible causes of a failure in a single SGM of a Security Group is that an administrator imported a hotfix into the CPUSE repository of a single SGM, instead of using the orchestrator to distribute the hotfix to all the SGMs in the Security Group. This can create a mismatch in the software versions and configurations of the SGMs, and lead to unexpected behavior and errors.
Reference
• Maestro Expert (CCME) Course - Check Point Software, page 251
• sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands 2
• sk180418: Security Gateway Member (SGM) is stuck after it is added to a Security Group with image auto cloning enabled on the Single Management Object (SMO)

56. There are two 10Gbps dual-port NIC installed on a 6800 appliance.
Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?
A. Any pair of available ports
B. Port 1 in Slot 1 and Port 1 in Slot 2
C. Port 1 in Slot 1 and Port 2 in Slot 1
D. Port 1 in Slot 2 and Port 2 in Slot 1
Answer: B
Explanation:
The correct interfaces to connect to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link.
By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.
Reference
• Check Point 156-835 Certification Flashcards | Quizlet 1
• Maestro Expert (CCME) Course - Check Point Software, page 182
• Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 163

57. What is one benefit of a Dual MHO environment?
A. Dual MHOs provide redundancy to the Maestro environment by increasing throughput by at least 50 percent.
B. Dual MHOs allow better synchronization to occur between SGMs.
C. Dual MHOs allow additional SGMs to be added to the SG.
D. Dual MHOs can be used to achieve increased scalability and redundancy.
Answer: D
Explanation:
One of the benefits of a Dual MHO environment is that it can provide both scalability and redundancy to the Maestro system. Scalability means that the system can handle more traffic and SGMs as the demand grows, and redundancy means that the system can survive the failure of one or more components without losing functionality or performance. Dual MHOs can achieve these benefits by distributing the load and the management tasks among two orchestrators, and by providing backup and failover mechanisms for each other.
Reference
• Maestro Expert (CCME) Course - Check Point Software, page 251
• CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 22
• Check Point Certified Maestro Expert (CCME) R81.X, page 23

58. What cannot be a reason for the "Failed to get remote orchestrator interfaces" error message when clicking on "Orchestrator" in WebUI?
A. Remote orchestrator has no empty interfaces
B. Single orchestrator environment, but configured Orchestrator amount is 2
C. One orchestrator only, but Orchestrator amount is 2 or no Sync in between orchestrators
D. No Sync between orchestrators
Answer: A
Explanation:
One of the possible reasons for the “Failed to get remote orchestrator interfaces” error message, when clicking on “Orchestrator” in WebUI, is that the remote orchestrator has no empty interfaces that can be assigned to a security group. This can happen if all the interfaces on the remote orchestrator are already part of configured security groups, or if the remote orchestrator has no physical interfaces at all. In this case, the WebUI cannot display the unassigned interfaces of the remote orchestrator, and shows the error message.
Reference
• Not able to see unassigned interfaces on checkpoint Orchestrator
• Maestro 140 not detecting Interfaces
• Maestro Expert (CCME) Course - Check Point Software, page

59. What can be learned from the output of sx_api_ports_dump.py command?
A. Information about backplane bonds
B. Information about Security Groups
C. Orchestrator port status
D. Information about downlink ports only
Answer: A
Explanation:
Reference
• R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
• [Maestro Expert (CCME) Course - Check Point Software], page 31
• [Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge], page 3

60. In a dual MHO environment, MHO1 and MHO2 are connected to the SGM line cards in which way?
A. MHO1 and MHO2 are connected to the SGMs using the Sync cable.
B. MHO1 and MHO2 are connected to the line cards in any order administrators see fit.
C. MHO 1 is connected to the even-numbered ports, while MHO2 is connected to odd-numbered ports.
D. MHO 1 is connected to the odd-numbered ports, while MHO2 is connected to even-numbered ports.
Answer: D
Explanation:
In a dual Maestro Hyperscale Orchestrator (MHO) environment, this configuration is typically used to ensure balanced and redundant connections across the security infrastructure. This structured connectivity helps in maintaining operational efficiency and reliability, providing fail-safe mechanisms by evenly distributing the connectivity load between the two MHOs across the various Security Gateway Modules (SGMs).

61. In what mode do MHOs process traffic?
A. MHOs process traffic in load sharing mode
B. MHOs process traffic in Active-Standby mode
C. MHOs process traffic in Active-Active mode
D. MHOs process traffic in VSLS mode
Answer: C
Explanation:
MHOs process traffic in Active-Active mode, which means that both MHOs are active and share the load of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.
Reference
• Maestro Expert (CCME) Course - Check Point Software, page 25
• CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2
• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

62. Which command should be used to restart Orchestrator service only?
A. orchd restart
B. reboot
C. service orchestrator restart
D. cpstop; cpstart
Answer: A
Explanation:
Page 313 from the training manual:
- Restart the service: orchd restart
- Restart the service without confirmation: service orchd restart

63. Where should the sx_api_ports_dump.py command be run?
A. Management server
B. Security Group
C. Orchestrator
D. SMO Appliance
Answer: C
Explanation:
The sx_api_ports_dump.py command should be run on the Orchestrator, which is the device that manages the communication and the configuration of the Security Groups and the SGMs. The command shows the port mapping and the traffic distribution for each Security Group, as well as the backplane bonds and the Orchestrator ports. The command does not work on the Management server, the Security Group, or the SMO Appliance, as they do not have the same role and functionality as the Orchestrator.
Reference
• R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
• Maestro Expert (CCME) Course - Check Point Software, page 31
• Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 3

64. Complete the sentence: Dual Orchestrators work as ______
A. Load Sharing cluster
B. Active-Active cluster
C. Active - Standby cluster
D. Hot-Swap RAID
Answer: B
Explanation:
Dual Orchestrators work as an Active-Active cluster, which means that both Orchestrators are active and share the load of the traffic that is sent to and from the Security Group Members (SGMs). Active-Active cluster provides better performance and scalability than Active-Standby cluster, which only uses one Orchestrator at a time and keeps the other as a backup.
Active-Active cluster also allows for faster</p><p>failover and recovery in case of an Orchestrator failure,</p><p>aims to maximize availability and</p><p>load balancing by having multiple orchestrators active in separate geographical sites.</p><p>72.After you import the R81.10 software package, what do you use to verify that it is possible to upgrade</p><p>an MHO or SG?</p><p>A. Run HCP. One of the tests will list upgrade eligibility status for the MHO or SG.</p><p>B. Run the Pre-Upgrade Verifier to make sure it is possible to upgrade</p><p>C. Nothing. CPUSE will run a verification during the upgrade process to ensure the package is</p><p>compatible.</p><p>The safer , easier way to help you pass any IT exams.</p><p>28 / 33</p><p>D. The package is verified during the import process and a warning or error will be displayed at that time.</p><p>Answer: B</p><p>Explanation:</p><p>The Pre-Upgrade Verifier is a tool that checks the compatibility and readiness of the Maestro</p><p>environment for the upgrade process. It verifies the current version, the target version, the hardware</p><p>requirements, the configuration settings, and the license validity of the Maestro Orchestrators and the</p><p>Security Groups. It also identifies any potential issues or risks that might affect the upgrade and provides</p><p>recommendations on how to resolve them. The Pre-Upgrade Verifier should be run before importing the</p><p>R81.10 software package and before performing the actual upgrade.</p><p>Reference =</p><p>• Check Point R81.10 for Scalable Platforms - Check Point Software</p><p>• CHECK POINT MAESTRO EXPERT</p><p>73.During an upgrade, Is Multi-Version Clustering (MVC) supported?</p><p>A. No. Maestro does not support MVC because ClusterXL is disabled during an upgrade.</p><p>B. No, Maestro does not support MVC.</p><p>C. Maestro supports MVC or full connectivity upgrade as of R80.40.</p><p>D. 
Yes, MVC is supported as of R81 for Maestro.</p><p>Answer: C</p><p>74.Do all MHOs need to be upgraded before starting the SGM upgrades?</p><p>A. During the upgrade process all SGMs should be upgraded before upgrading all of the MHOs.</p><p>B. A minimum of one of the MHOs should be upgraded before starting the SGM upgrades. However,</p><p>there is no requirement to upgrade all the SGMs during the same maintenance window as the MHO</p><p>C. All MHOs must first be upgraded before starting the SGM upgrades However, there is no requirement</p><p>to upgrade all the SGMs during the same maintenance window as the MHOs.</p><p>D. MHOs do not need to be upgraded at all because Maestro supports the use of different versions</p><p>between the MHOs and SGMs.</p><p>Answer: C</p><p>Explanation:</p><p>This is the correct answer because it follows the upgrade order and procedure specified in the R81.10</p><p>and R81.20 Administration Guides for Maestro environments. The MHOs are responsible for managing</p><p>and synchronizing the SGMs, so they must be upgraded to the target version before the SGMs.</p><p>However, the SGMs can be upgraded one by one or in batches, as long as they are compatible with the</p><p>MHOs. The upgrade process also supports Multi-Version Clustering, which allows different versions of</p><p>SGMs to operate in the same Security Group with zero downtime.</p><p>Reference =</p><p>• Check Point R81.10 for Scalable Platforms - Check Point Software</p><p>• Check Point R81.20 for Scalable Platforms - Check Point Software</p><p>• CHECK POINT MAESTRO EXPERT</p><p>75.Which blade configuration files should be backed up on the SG if upgrading from R80.30SP or</p><p>earlier?</p><p>A. IPS configuration files</p><p>The safer , easier way to help you pass any IT exams.</p><p>29 / 33</p><p>B. fwkern.conf files.</p><p>C. VPN configuration files</p><p>D. 
Mobile Access configuration files.</p><p>Answer: B</p><p>Explanation:</p><p>Reference</p><p>• Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes</p><p>• Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations</p><p>• Check Point SNMP MIB files, Section: Revision History</p><p>76.What is the Correction Layer?</p><p>A. Correction Layer is a daemon which corrects errors on Backplane interfaces</p><p>B. Correction Layer is a mechanism which handles asymmetric connections in multi-appliance system.</p><p>For example, in case of NAT</p><p>C. Correction Layer is a mechanism which activated in case of asymmetric routing</p><p>D. Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to</p><p>execute</p><p>Answer: B</p><p>Explanation:</p><p>The Correction Layer keeps track of all connections which it knows will have return packets that will not</p><p>hit the same gateway in the security group. It adds metadata to the packets to ensure that they are</p><p>routed correctly and the connection is maintained.</p><p>Reference = correction layer statistics - Check Point CheckMates, Check Point MAESTRO R80.20SP</p><p>Administration Manual, Maestro Frequently Asked Questions (FAQ) - Check Point Software</p><p>77.Which is a key driver for Scalable Platform?</p><p>A. On-demand flexibility in reconfiguration.</p><p>B. HyperSync provides scalability by reducing overhead.</p><p>C. Resiliency is achieved through the use of redundant hardware.</p><p>D. Cloud-level security by maximizing capabilities of existing hardware.</p><p>Answer: A</p><p>Explanation:</p><p>The Scalable Platform software allows you to easily add or remove security gateways from a security</p><p>group without affecting the existing configuration. 
You can also use the command line interface or the</p><p>web UI to reconfigure the security group on demand.</p><p>Reference = Check Point R81.10 for Scalable Platforms - Check Point Software, Scalable Platforms</p><p>(Maestro and Chassis) comparison between versions - Check Point Software, [Check Point R81.10 AI &</p><p>ML Driven Threat Prevention and Security Management - Check Point Blog]</p><p>78.What is a downlink interface used for?</p><p>A. To connect appliances to Orchestrators</p><p>B. To connect appliances to customer's infrastructure</p><p>C. To connect in between Orchestrators</p><p>D. To connect Orchestrators to customer's infrastructure</p><p>The safer , easier way to help you pass any IT exams.</p><p>30 / 33</p><p>Answer: B</p><p>Explanation:</p><p>A downlink interface in network architecture, particularly within the context of security appliances like</p><p>those used in Check Point's security infrastructure, is used to connect these appliances to the customer's</p><p>internal network infrastructure. This connection is crucial for ensuring that the traffic flowing from the</p><p>secure network to the customer’s network is handled appropriately, allowing for proper network</p><p>management, security enforcement, and data transmission between the security appliances and the</p><p>customer's network components.</p><p>79.The SGM with the lowest member ID (the first one added to the security group.)</p><p>A. The MDS that pushes policy to the SMO is considered the SMO Master.</p><p>B. The first MHO configured is considered the SMO Master.</p><p>C. The SGM with the highest member ID (the last one added to the security group.)</p><p>D. What Maestro component is automatically designated the SMO Master?</p><p>Answer: B</p><p>Explanation:</p><p>In Check Point's Maestro architecture, the first Maestro Hyperscale Orchestrator (MHO) configured in a</p><p>security group automatically takes on the role of the SMO Master. 
This setup ensures centralized control</p><p>and management over the security functions and traffic handling within the group, providing consistency</p><p>and reliability in network security operations.</p><p>80.What type of license is required for an MHO?</p><p>A. The MHO requires a NGTP license.</p><p>B. The MHO requires a VSX license.</p><p>C. The MHO does not require a license.</p><p>D. A license is needed for each attached SGM.</p><p>Answer: C</p><p>Explanation:</p><p>In Check Point's Maestro configuration, the Maestro Hyperscale Orchestrator (MHO) operates without</p><p>the need for a dedicated license. The licensing requirements are typically focused on the Security</p><p>Gateway Modules (SGMs) and specific software features rather than the orchestrator itself. This</p><p>approach allows for the orchestration and management functionalities provided by the MHO to be</p><p>utilized without additional licensing costs, streamlining the setup and maintenance of the security</p><p>infrastructure.</p><p>81.What is a security group?</p><p>A. A solution for Security Gateway redundancy and Load Sharing.</p><p>B. A set of appliances of the same model that are collectively managed by the MHO.</p><p>C. A set of network interfaces and individual</p>SGMs assigned to a logical group. 
D. A set of objects in SmartConsole that are responsible for enforcing an access policy. 
Answer: A 
Explanation: 
In Check Point's Maestro environment, a Security Group is a configuration that groups multiple Security 
Gateway Modules (SGMs) to operate together for enhanced redundancy and load sharing. This setup 
allows for high availability and scalability by distributing network traffic among several gateways, 
ensuring that the network can handle large volumes of traffic and providing continuity in the event of a 
gateway failure. 
 
82.What is the Correction Layer mechanism? 
A. Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs. 
B. The load-balancing mechanism used by the MHO. 
C. The MHO's distribution algorithm which determines the handling SGM for a given connection. 
D. Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in 
the SG. 
Answer: A 
Explanation: 
The Correction Layer is a mechanism that handles asymmetric connections in systems with several 
cluster members. It adds metadata to the packets to ensure that they are routed correctly and the 
connection is maintained. 
Reference = correction layer statistics - Check Point CheckMates, Lari Luoma | Lead Consultant | 
Maestro SME | Check Point Evangelist, Maestro Frequently Asked Questions (FAQ) - Check Point 
Software. 
 
83.What is an uplink interface used for? 
A. To connect in between appliances 
B. To connect appliances to customer's infrastructure 
C. To connect Orchestrators to customer's infrastructure 
D. To connect in between Orchestrators 
Answer: C 
Explanation: 
An uplink interface is used primarily for linking the orchestrators within a network environment to the 
customer's broader infrastructure. This setup enables the orchestrators to manage traffic effectively, 
providing a pathway for communication between the internal security mechanisms and the external 
network, thereby ensuring seamless integration and data flow across different network segments. This 
connection is critical for the overall functionality and management of network operations, facilitating 
reliable and secure communication between the orchestrated environment and the customer's 
operational network. 
 
84.What is the Orchestrator? 
A. Network Switch 
B. Manager of compute and network resources, load balancer and network switch 
C. Load balancer 
D. None of the above
Answer: B 
Explanation: 
The Orchestrator is a device that connects multiple security gateways into a unified system, called a 
security group. It manages the configuration, policy, software, and routing of the security group, and 
distributes the network traffic among the security gateways using a load-balancing algorithm. It also acts 
as a network switch for the internal and external networks. 
Reference = Maestro Hyperscale Orchestrator Datasheet - Check Point Software, Check Point Maestro 
Hyperscale Network Security, 7 Reasons to Use Check Point Maestro and … - Check Point Software 
 
85.What kinds of transceivers are supported on Orchestrator MHO-170? 
A. SFP, QSFP, QSFP28 
B. SFP+, SFP28, QSFP 
C. SFP, SFP+, SFP28 
D. QSFP, QSFP28 
Answer: D 
 
86.There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1, 
2 and 3 accordingly. 
Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy 
when using two Orchestrators? 
A. Port 1 in Slot 2 and Port 2 in Slot 1 
B. This configuration is not supported 
C. Any pair of available ports 
D. Port 1 in Slot 1 and Port 2 in Slot 1 
Answer: A 
 
87.What is the purpose of interface bonding? 
A. A bond interface can be configured for high availability redundancy. 
B. A bond interface is used for passing synchronization traffic between the SGMs. 
C. For load sharing which increases connection throughput above that which is possible using one 
physical interface. 
D. A bond interface can be configured for high availability redundancy or for load sharing which 
increases connection throughput above that which is possible using one physical interface. 
Answer: D 
 
88.What is the maximum number of Appliances within the same Security Group? 
A. 31 
B. 8 
C. 52 
D. 16 
Answer: C 
 
89.What type of cluster can a Security Group be compared to?
A. Load Sharing Active / Active 
B. VSLS 
C. Active / Backup 
D. Active / Standby 
Answer: A 
 
90.On the MHO, to view connected ports and their functions, use the following command: 
A. asg_ifconfig 
B. show ports 
C. orch_stat -c 
D. orch_stat -p 
Answer: D 
 
91.What command will be used for updating fwkern.conf file on all Appliances within Security Group? 
A. vi 
B. g_all update_conf_file 
C. g_update_kernel 
D. g_update_conf_file 
Answer: D 
 
92.Each morning at 1:00 am, a series of automatic diagnostics runs on all the SGMs through the automatic
execution of which command?
A. hcp -r all 
B. asg diag list 
C. asg diag verify 
D. asg perf -v 
Answer: C 
 
93.Common Layer 1 issues include 
A. Routing 
B. Distribution 
C. MAC addresses 
D. Loose or bad cables 
Answer: D 
 
94.The __________ command can be used during an upgrade to verify that the upgraded SGMs have
returned to UP status before upgrading other SGMs. 
A. asg monitor 
B. cpview 
C. asg perf -v 
D. watch asg stat -v 
Answer: D
