
Checkpoint 156-836 Practice Test - Questions Answers, Page 5

What is the default Distribution mode?

A. Auto-topology
B. User
C. Manual-General
D. Network
Suggested answer: A

Explanation:

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.

Reference

* Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18

* Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

* Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist, slide 16

Layer 4 distribution is enabled by default in Maestro. Which is not a scenario when you would want to leave this enabled?

A. When there is a large number of source ports in use by protocols such as HTTP, HTTPS, and DNS.
B. When dynamic routing protocols, such as BGP or OSPF are used.
C. When there is a heavy imbalance of traffic between the SGMs that are members of the same SG.
D. When the SG is NATing a very high percentage of traffic passing through it.
Suggested answer: B

Explanation:

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.

Reference

* Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

* Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

* Layer 4 Distribution - Yes or No? - Check Point CheckMates

* Support, Support Requests, Training ... - Check Point Software

What command can be run to show which SGM is selected to receive traffic?

A. g_tcpdump
B. asg monitor
C. dxl calc
D. asg calc
Suggested answer: D

Explanation:

The asg calc command is a tool to show which SGM is selected to receive traffic based on the distribution mode and the packet parameters. It takes the port number, the source IP, the destination IP, and optionally the source port and the destination port as arguments and returns the SGM ID and the hash value. For example, asg calc 1 10.0.0.1 20.0.0.2 1234 80 will show which SGM will receive the traffic from 10.0.0.1:1234 to 20.0.0.2:80 on port 1.

Reference

* Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.1: asg calc, page 4-5

* Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg calc, page 4-5

* asg calc - Check Point Software

Is it possible to define distribution mode per interface?

A. Yes, only for downlink interfaces
B. No, only for the Security Group
C. Yes, only for uplink interfaces
D. Yes, for both uplink and downlink interfaces
Suggested answer: D

Explanation:

Maestro allows you to define the distribution mode per interface, which determines how traffic is distributed among the Security Group Modules (SGMs) in a Security Group. You can configure the distribution mode for each interface individually, or use the default mode for all interfaces. The distribution mode can be set for both uplink and downlink interfaces.

Reference

* Check Point Maestro R81.X Administration Guide, page 62, section "Distribution Mode" [1]

* Check Point Maestro R81.X Getting Started Guide, page 25, section "Distribution Mode" [2]

1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm

There are two appliances within the same Security Group. One of them is connected by one downlink only, the other by two downlinks. Assuming there is no NAT and no VPN, what would be the proportion of traffic distribution done by the Orchestrator?

A. 100%/0%
B. 33%/66%
C. 50%/50%
D. 66%/33%
Suggested answer: B

The core four manual diagnostic tools include:

asg diag verify, asg perf -v, orch_stat -all, and

A. asg diag verify
B. cpinfo
C. hcp -r all
D. asg stat -v
Suggested answer: D

Explanation:

'asg stat -v' could be part of the core diagnostic tools, providing valuable statistics and information for manual diagnostics.

Reference

* Maestro Expert (CCME) Course - Check Point Software [3]

* Check Point Maestro R81.X Administration Guide [1]

* Check Point Maestro R81.X Getting Started Guide [2]

3: https://www.checkpoint.com/downloads/training/ccme-maestro-expert-r81.10-course.pdf
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html
2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm

Which feature is used to force trusted non-F2F traffic into the fully accelerated path for handling by SecureXL?

A. Fast Accelerator
B. hypersync
C. rate limiting
D. SecureXL
Suggested answer: D

Explanation:

SecureXL is typically used to accelerate trusted traffic, including non-F2F (face-to-face) traffic, through a secure, fast path.

Reference

* SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above [1]

* SecureXL Fast Accelerator - Need to clarify packet flow [2]

1: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156672
2: https://community.checkpoint.com/t5/Security-Gateways/SecureXL-Fast-Accelerator-Need-to-clarify-packet-flow/td-p/114651

Splitter cannot be used _______

A. To connect single port on orchestrator to the same Appliance
B. To connect single port on orchestrator to multiple ports on external switch
C. To connect single port on Appliance to multiple ports on the orchestrator
D. To connect single port on orchestrator to multiple Appliances
Suggested answer: A

What is the purpose of g_tcpdump command?

A. Collects traffic dump from all Active Appliances within Security Group
B. Collects traffic dump from CIN network
C. Collects traffic dump from Sync network
D. The same as tcpdump, just on Scalable Platform
Suggested answer: A

Explanation:

'g_tcpdump' probably collects traffic dumps from all active appliances within a security group, aligning with the naming convention and function of similar commands in scalable platforms.

Reference

* Maestro Expert (CCME) Course - Check Point Software, page 331

* What is 'IN' and 'OUT' of g_tcpdump? - Check Point CheckMates

* CHECK POINT MAESTRO EXPERT, page 23

What is the throughput penalty of Security Group?

A. Depends on the type of Appliance
B. 1% per member
C. 10% per Security Group with no relation to the number of members
D. 5% per member
Suggested answer: B

Explanation:

Check Point reduced throughput degradation to 1% per added SGM. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147853

Total 94 questions