Checkpoint 156-836 Practice Test - Questions Answers, Page 6

Reference

* R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

* [Maestro Expert (CCME) Course - Check Point Software], page 31

* [Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge], page 3

The correct way to connect MHO1 and MHO2 to the SGM line cards in a dual MHO environment is to use the even-numbered ports for MHO1 and the odd-numbered ports for MHO2. This is to ensure that each SGM has two downlinks to each MHO, and that the downlinks are balanced across the different NICs and links. This provides redundancy and high availability for the traffic flow between the SGMs and the MHOs.

Reference

* R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

* Maestro Expert (CCME) Course - Check Point Software, page 18

* Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 16

MHOs process traffic in Active-Active mode, which means that both MHOs are active and share the load of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.

Reference

* Maestro Expert (CCME) Course - Check Point Software, page 25

* CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2

* Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

Page 313 from the training manual:

- Restart the service:

orchd restart

- Restart the service without confirmation

service orchd restart

The sx_api_ports_dump.py command should be run on the Orchestrator, which is the device that manages the communication and the configuration of the Security Groups and the SGMs. The command shows the port mapping and the traffic distribution for each Security Group, as well as the backplane bonds and the Orchestrator ports. The command does not work on the Management server, the Security Group, or the SMO Appliance, as they do not have the same role and functionality as the Orchestrator.

Reference

* R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

* Maestro Expert (CCME) Course - Check Point Software, page 31

* Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 3

Dual Orchestrators work as an Active-Active cluster, which means that both Orchestrators are active and share the load of the traffic that is sent to and from the Security Group Members (SGMs). Active-Active cluster provides better performance and scalability than Active-Standby cluster, which only uses one Orchestrator at a time and keeps the other as a backup. Active-Active cluster also allows for faster failover and recovery in case of an Orchestrator failure, as the surviving Orchestrator can take over the traffic without interruption.

Reference

* Maestro Expert (CCME) Course - Check Point Software, page 25

* CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2

* Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.

Reference =

* Solved: Maestro dual site failover - Check Point CheckMates

* Maestro Dual Site configuration with a direct connection through L2 switches

A Dual Site environment can include either two or four orchestrators, depending on the scenario. There are three primary scenarios for Dual Site configuration:

* Direct connectivity between remote site orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

* Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

* Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that supports QinQ and MTU increment.

Reference =

* Maestro Dual Site configuration with a direct connection through L2 switches

* Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)

* Maestro Frequently Asked Questions (FAQ)

This is not one of the ways to configure a Security Group in a Dual Site environment, because load balancers are not required or supported for the inter-site communication between the Maestro Orchestrators (MHOs). The MHOs use the Site-Sync port and VLANs to synchronize the resources and connections across the sites. The three valid scenarios for Dual Site configuration are:

* Direct connectivity between remote site Orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

* Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

* Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that support QinQ and MTU increment.

Reference =

* Maestro Dual Site configuration with a direct connection through L2 switches

* [Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)]

* [Maestro Frequently Asked Questions (FAQ)]