156-835: Check Point Certified Maestro Expert Part 1
Question #: 1
Topic #: 1
For a VSX configuration – Which statement is wrong?
A. All Virtual Systems exist on the SMO
B. All Virtual Systems exist on all Appliances
C. VSX configuration is the same on all Appliances within the same Security Group
D. Each Appliance owns different Virtual Systems
Selected Answer: D
———————————————————————-
Question #: 2
Topic #: 1
There are two 10Gbps dual-port NICs installed on a 6800 appliance. Which interfaces should be connected to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators?
A. Port 1 in Slot 1 and Port 2 in Slot 1
B. Port 1 in Slot 2 and Port 2 in Slot 1
C. Any pair of available ports
D. Port 1 in Slot 1 and Port 1 in Slot 2
Selected Answer: D
———————————————————————-
Question #: 3
Topic #: 1
What is the purpose of the RJ-45 connectors located on the front panel of the Orchestrator MHO-170?
A. Two Out-of-band interfaces for access to Orchestrator itself
B. Out-of-band interface for access to Orchestrator itself and Serial Console connector
C. 1Gbps connectivity for Security Groups
D. Reserved for internal purposes. Not in use
Selected Answer: B
———————————————————————-
Question #: 4
Topic #: 1
Splitter cannot be used __________.
A. To connect single port on orchestrator to multiple Appliances
B. To connect single port on Appliance to multiple ports on the orchestrator
C. To connect single port on orchestrator to the same Appliance
D. To connect single port on orchestrator to multiple ports on external switch
Selected Answer: C
———————————————————————-
Question #: 5
Topic #: 1
What will happen if NAT is applied to traffic passing through the Management network?
A. This traffic will not pass correction, since it will be dropped
B. This traffic will pass with no inspection
C. Since Management traffic always goes to the SMO, it will take care of the Correction Layer and re-distribute traffic to other Appliances
D. Orchestrator will disable NAT and traffic will pass with no issue
Selected Answer: A
———————————————————————-
Question #: 6
Topic #: 1
One single Appliance supports 1M concurrent connections. How many concurrent connections will a Security Group of 2 Appliances support?
A. 2M
B. 500K
C. 4M
D. 1M
Selected Answer: D
———————————————————————-
Question #: 7
Topic #: 1
What does the asg monitor command do?
A. Monitor health status of entire system
B. This command does not exist
C. Monitor traffic on Appliances in Security Group
D. Show real-time cluster status of Appliances in Security Group
Selected Answer: D
———————————————————————-
Question #: 8
Topic #: 1
There are two appliances within the same Security Group. One of them is connected by one downlink only, the other by two downlinks. Assuming there’s no NAT and no VPN, what would be the proportion of traffic distribution done by the Orchestrator?
A. 66%/33%
B. 100%/0%
C. 50%/50%
D. 33%/66%
Selected Answer: C
———————————————————————-
Question #: 9
Topic #: 1
Which licenses should be issued for the Orchestrator?
A. No licenses are required for Orchestrator
B. The Orchestrator is considered a Management server, hence it’s licensed the same way
C. The Orchestrator requires NGTX license
D. Depends on Software Blades enabled on connected appliances
Selected Answer: A
———————————————————————-
Question #: 10
Topic #: 1
What cannot be learned from the output of lldpctl?
A. Distribution mode
B. Orchestrator’s IP
C. Serial number of Appliance
D. Appliance model
Selected Answer: A
———————————————————————-
Question #: 11
Topic #: 1
What is the default Distribution mode?
A. User
B. Auto-topology
C. Manual-General
D. Network
Selected Answer: B
———————————————————————-
Question #: 12
Topic #: 1
What is the purpose of Management ports located on the Rear Panel of the Orchestrator MHO-140?
A. Reserved for internal purposes. Not in use.
B. Out-of-band interfaces for access to Orchestrator itself.
C. 1Gbps connectivity for Security Groups.
D. Additional ports used as uplinks.
Selected Answer: B
———————————————————————-
Question #: 13
Topic #: 1
What kind of cluster can Dual-Site be compared to?
A. Active-Standby or VSLS
B. VSLS only
C. Active-Active
D. Active-Standby only
Selected Answer: A
———————————————————————-
Question #: 14
Topic #: 1
There’s a 23800 appliance with quad NIC in slot 5. What would be the name of port 3 on this NIC?
A. ethBP3-05
B. ethsBP5-03
C. ethsBP3-05
D. ethsBP-05
Selected Answer: B
———————————————————————-
Question #: 15
Topic #: 1
What is the basic installation sequence of the Orchestrator in the case of a single Orchestrator?
1. Create a Security Group
2. Configure Default Gateway
3. Connect with Serial Console cable to the Orchestrator
4. Configure IP for one of its Management interfaces
5. Connect an appliance to a downlink port
6. Change Orchestrator amount to 1
7. Browse to the Orchestrator’s WebUI
A. 3-4-2-6-5-7-1
B. 3-1-7-2-4-6-5
C. 1-4-2-5-7-3-6
D. 7-4-2-5-3-1-6
Selected Answer: A
———————————————————————-
Question #: 16
Topic #: 1
Which command will be used in order to restart Orchestrator service only?
A. orchd restart
B. cpstop; cpstart
C. reboot
D. service orchestrator restart
Selected Answer: A
———————————————————————-
Question #: 17
Topic #: 1
Orchestrator should be defined in SmartConsole as:
A. Orchestrator is not defined in SmartConsole
B. Check Point host
C. Security Gateway
D. Host
Selected Answer: A
———————————————————————-
Question #: 18
Topic #: 1
How many power supplies are present on the MHO-140?
A. 2
B. 4
C. 1
D. 1 with option for 2
Selected Answer: A
———————————————————————-
Question #: 19
Topic #: 1
What is the maximum number of Appliances within a Security Group in a Dual-Site configuration?
A. 16
B. 15
C. 28
D. 31
Selected Answer: C
———————————————————————-
Question #: 20
Topic #: 1
What is the default range of physical ports for downlinks on Orchestrator MHO-140?
A. 25 – 47
B. 27 – 47
C. 1 – 48
D. 1 – 25
Selected Answer: B
———————————————————————-
Question #: 21
Topic #: 1
What kinds of transceivers are supported on Orchestrator MHO-140?
A. SFP, QSFP, QSFP28
B. SFP, SFP+, QSFP, QSFP28
C. SFP, SFP+, SFP28
D. SFP+, SFP28, QSFP
Selected Answer: A
———————————————————————-
Question #: 22
Topic #: 1
What is the Orchestrator?
A. Load balancer
B. Network Switch
C. Manager of compute and network resources, load balancer and network switch
D. None of above
Selected Answer: C
———————————————————————-
Question #: 23
Topic #: 1
What is the Iterator process?
A. Iterator is the process that simulates distribution in case of Appliance failure
B. Iterator is the process that follows Appliance recovery and simulates what was a distribution if recovered Appliance was alive
C. Iterator is the process that runs on the Orchestrator and calculates a distribution in case of Appliance failure
D. Iterator is the process that runs on the Orchestrator and calculates a distribution in case of Appliance recovery
Selected Answer: B
———————————————————————-
Question #: 24
Topic #: 1
What is the throughput penalty of Security Group?
A. 5% per member
B. Depends on the type of Appliance
C. 10% per Security Group with no relation to amount of members
D. 1% per member
Selected Answer: D
———————————————————————-
Question #: 25
Topic #: 1
Which is a valid requirement for a supported Maestro appliance?
A. 10GBps and 40Gbps or 100Gbps card with double-VLAN and LLDP support
B. At least one 10GBps line card
C. Nothing special as Maestro supports any Check Point appliance
D. Line card with double-VLAN and LLDP support
Selected Answer: D
———————————————————————-
Question #: 26
Topic #: 1
Which setting is required in order to connect an appliance with 40Gbps downlink interface and DAC to the Orchestrator MHO-140?
A. On Orchestrator: Change QSFP mode from 100Gbps to 40Gbps
B. On Orchestrator: Change port type from uplink to downlink
C. On Appliance: Change a port speed to 10Gbps
D. No change required
Selected Answer: C
———————————————————————-
Question #: 27
Topic #: 1
In case of VSX: What is the right command to see overall performance details of all Appliances within the Security Group and all Virtual Systems?
A. asg perf -v -p
B. asg perf -vs all -v -vv
C. asg perf -v
D. asg perf -vs enabled -p
Selected Answer: B
———————————————————————-
Question #: 28
Topic #: 1
When running asg perf -v in a Dual-Site environment, we can see only Appliances from one of the sites. That means we’re working in:
A. VSLS mode
B. Active / Active
C. Active / Standby HA mode
D. This is not Dual-Site, in Dual-Site we always see Appliances from both sites
Selected Answer: C
———————————————————————-
Question #: 29
Topic #: 1
On MHO-170 – In default configuration, what are the GAIA names of the Security Group Management ports?
A. eth1-Mgmt1 and eth1-Mgmt2
B. eth1-Mgmt1 and eth2-Mgmt1
C. eth1-Mgmt1 and eth1-Mgmt3
D. eth1-Mgmt3 and eth1-Mgmt4
Selected Answer: C
———————————————————————-
Question #: 30
Topic #: 1
What is a Security Group?
A. Logical group of computer and network resources
B. Group of security administrators
C. Group of security gateways
D. Group of appliances with enabled NGTX software blades
Selected Answer: A
———————————————————————-
Question #: 31
Topic #: 1
What command will be used for updating the fwkern.conf file on all Appliances within a Security Group?
A. g_update_conf_file
B. g_update_kernel
C. vi
D. g_all update_conf_file
Selected Answer: A
———————————————————————-
Question #: 32
Topic #: 1
What is the default range of physical ports for downlinks on Orchestrator MHO-170?
A. 3 – 16
B. 17 – 31
C. 25 – 32
D. 1 – 16
Selected Answer: B
———————————————————————-
Question #: 33
Topic #: 1
What is the default IP range of Sync network (with no increment)?
A. The same as Management network
B. 198.51.100.0
C. 192.0.2.0
D. 192.168.1.0
Selected Answer: C
———————————————————————-
Question #: 34
Topic #: 1
What is the maximum number of Appliances within the same Security Group?
A. 16
B. 31
C. 52
D. 8
Selected Answer: B
———————————————————————-
Question #: 35
Topic #: 1
What cannot be learned from the output of asg perf -v -p command?
A. Average CPU usage on Appliances
B. Real-time throughput
C. Average CPU usage on Orchestrators
D. Per-path distribution
Selected Answer: C
———————————————————————-
Question #: 36
Topic #: 1
What type of cluster can a Security Group be compared to?
A. VSLS
B. Load Sharing Active / Active
C. Active / Backup
D. Active / Standby
Selected Answer: B
———————————————————————-
Question #: 37
Topic #: 1
What is the distribution mode?
A. Distribution mode is the same as QSFP mode
B. Distribution mode is how the Orchestrator distributes traffic in between Security Groups
C. Distribution mode means selected algorithm for traffic distribution in between Orchestrators
D. Distribution mode means selected algorithm for traffic distribution in between Appliances
Selected Answer: D
———————————————————————-
Question #: 38
Topic #: 1
How many orchestrators may Dual-Site include?
A. 2 or 4
B. 2
C. Only 4
D. 1
Selected Answer: A
———————————————————————-
Question #: 39
Topic #: 1
What does the command ‘g_all’ do?
A. It’s followed by another command and executes it on all active Appliances within the Security Group
B. It’s followed by another command and executes it on all Appliances connected to the Orchestrator
C. Switches all Appliances to Global mode
D. Bring up all Appliances
Selected Answer: A
———————————————————————-
Question #: 40
Topic #: 1
Which file on Appliance includes information about Security Group?
A. /etc/chassisdb.json
B. /etc/sgdb.json
C. /etc/smodb.json
D. /etc/distutil.json
Selected Answer: B
———————————————————————-
Question #: 41
Topic #: 1
Complete the sentence: Orchestrators work as…
A. Active-Active cluster
B. Hot-Swap RAID
C. Active-Standby cluster
D. Load Sharing cluster
Selected Answer: A
———————————————————————-
Question #: 42
Topic #: 1
What is the default IP range of CIN network (with no increment)?
A. 192.168.1.0
B. 198.51.100.0
C. The same as Management network
D. 192.0.2.0
Selected Answer: B
———————————————————————-
Question #: 43
Topic #: 1
There is a Security group of 10 Appliances and all of them are up and running. How many Appliances within a Security Group keep the same connection in its connection table in case of NAT?
A. Between 2 and 4
B. 3
C. All 10
D. 2
Selected Answer: D
———————————————————————-
Question #: 44
Topic #: 1
In order to set Site (chassis) priority per VS, the following command should be used:
A. From given VS context: set chassis high-availability vs chassis_priority
B. From given VS0 context: set chassis high-availability vs chassis_priority
C. From any VS context: set chassis high-availability vs chassis_priority
D. From VS0 context: set chassis high-availability vs chassis_priority
Selected Answer: A
———————————————————————-
Question #: 45
Topic #: 1
What kinds of transceivers are supported on Orchestrator MHO-170?
A. QSFP, QSFP28
B. SFP, SFP+, SFP28
C. SFP+, SFP28, QSFP
D. SFP, QSFP, QSFP28
Selected Answer: A
———————————————————————-
Question #: 46
Topic #: 1
Complete the sentence: When using a Break-out cable…
A. All tails of the break-out cable must represent the same type of ports
B. All tails of the break-out cable must represent uplinks
C. Each tail of the break-out cable represents an independent port
D. All tails of the break-out cable must represent downlinks
Selected Answer: B
———————————————————————-
Question #: 47
Topic #: 1
What cannot be a reason for “Failed to get remote orchestrator interfaces” error message, when clicking on “Orchestrator” in WebUI?
A. Remote orchestrator has no empty interfaces
B. One orchestrator only, but Orchestrator amount is 2 or no Sync in between orchestrators
C. No Sync between orchestrators
D. Single orchestrator environment, but configured Orchestrator amount is 2
Selected Answer: D
———————————————————————-
Question #: 48
Topic #: 1
What is an uplink interface used for?
A. To connect in between Orchestrators
B. To connect appliances to customer’s infrastructure
C. To connect Orchestrators to customer’s infrastructure
D. To connect in between appliances
Selected Answer: C
———————————————————————-
Question #: 49
Topic #: 1
What cannot be learned from the output of asg monitor command?
A. Appliances cluster status
B. Port status
C. Uptime
D. Security Policy status
Selected Answer: D
———————————————————————-
Question #: 50
Topic #: 1
There are two 10Gbps dual-port NICs and one 40Gbps NIC installed on a 23800 Appliance in slots 1, 2 and 3 accordingly. Which interfaces should be connected to Orchestrator 1 for downlinks’ intra-orchestrator redundancy when using two Orchestrators?
A. Any pair of available ports
B. Port 1 in Slot 2 and Port 2 in Slot 1
C. Port 1 in Slot 1 and Port 2 in Slot 1
D. This configuration is not supported
Selected Answer: D
———————————————————————-
Question #: 51
Topic #: 1
What cannot be a reason for DETACHED status of Appliance when running asg monitor command?
A. Appliance reboots
B. Appliance is a member of Security Group, but currently disconnected
C. Appliance installed with R80.20
D. There’s an issue with Downlink cable
Selected Answer: D
———————————————————————-
Question #: 52
Topic #: 1
What is the difference between Dual-Site and Multi-Room?
A. Multi-Room is a Single-Site deployment where all Appliances are connected to both orchestrators
B. Multi-Room is a kind of Dual-Site deployment within the same building
C. Multi-Room is Active / Standby and Dual-Site is Active / Active
D. This is the same
Selected Answer: A
———————————————————————-
Question #: 53
Topic #: 1
What is the minimal requirement for a Security Group?
A. 1 Appliance and 1 management port
B. 2 Appliances and 2 ports
C. 1 Appliance and 1 administrator with Multi-Domain admin permissions
D. None, it may be empty.
Selected Answer: A
———————————————————————-
Question #: 54
Topic #: 1
What happens if you apply a hotfix using gClish?
A. If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at roughly the same time.
B. If you apply a hotfix using gclish, each SG member installs the hotfix and reboots after waiting its turn to do so.
C. Logical groups “A” and “B” are created. Members of group “A” install and reboot first. Then members of group “B” do the same once reboots have finished with group “A.”
D. If you apply a hotfix using gclish, the operation will fail because an outage would occur.
Selected Answer: A
———————————————————————-
Question #: 55
Topic #: 1
When security policy is installed:
A. All SGMs receive the security policy and, one by one, perform an independent policy verification. Then, all SGMs simultaneously install the policy.
B. The SMO Master receives the policy and performs a policy verification, the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.
C. All SGMs receive the security policy and simultaneous policy installation occurs.
D. The policy is installed on the SMO. The SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.
Selected Answer: D
———————————————————————-
Question #: 56
Topic #: 1
What happens when you make changes from Clish on the SMO Master?
A. The changes are synchronized to the SMS/MDS as a backup.
B. The changes are synchronized to the MHO as a backup.
C. Changes are only applied on the SMO Master.
D. Changes are applied to all members in the SG.
Selected Answer: C
———————————————————————-
Question #: 57
Topic #: 1
While looking at your system’s correction statistics, you notice you have a correction rate approaching 100 percent. Is this a problem?
A. A correction rate above 90 percent indicates a need to disable Layer 4 Distribution.
B. A correction rate approaching 100 percent of all connections is unusual. This is a cause for concern because the SGMs may fail to process traffic.
C. If correction rates are higher than 80 percent, latency is expected.
D. In some scenarios, a correction rate approaching 100 percent of all connections is not unusual. This is not usually a cause for concern as the correction mechanism is fast and efficient.
Selected Answer: D
———————————————————————-
Question #: 58
Topic #: 1
What command can be run to show which SGM is selected to receive traffic?
A. g_tcpdump
B. asg monitor
C. dxl calc
D. asg calc
Selected Answer: C
———————————————————————-
Question #: 59
Topic #: 1
When a VPN tunnel is formed with a Maestro SGM,
A. The receiving SGM makes an encryption decision. The SGM then syncs the traffic to two backup SGMs: one for clear traffic and one for encrypted traffic.
B. SGM 1 analyzes the policy and topology. If encryption is required, it calculates the tunnel owner’s IP address. SGM 1 sends a clear packet to the tunnel owner. SGM 2 is now the connection and tunnel owner.
C. The MHO handles the IKE before distributing the traffic to a SGM to handle all encrypted traffic. This helps to prevent any issues with the correction layer.
D. The MHO distributes copies of the packets to two different SGMs because SGM 1 will handle the clear traffic IKE exchange packets, while SGM 2 handles encrypted packets.
Selected Answer: A
———————————————————————-
Question #: 60
Topic #: 1
Which distribution mode assigns packets to an SGM based solely on the packet destination IP?
A. User mode
B. Manual mode
C. Network mode
D. Auto-topology mode
Selected Answer: A
———————————————————————-
Question #: 61
Topic #: 1
HealthCheck Point ____________.
B. performs a system health check and is meant to replace both a CPInfo and the health check script.
C. can be used to let you visualize the Firewall topology for the SG and view live statistics, which includes throughput, problem notes, and CPU utilization.
D. is a self-updatable suite of tools for SGMs with the capability to assess the health of the system, visualize the Firewall topology, provide a timeline of critical and informative events that might have occurred in a production system.
Selected Answer: D
———————————————————————-
Question #: 62
Topic #: 1
Is it possible to define distribution mode per interface?
A. Yes, only for downlink interfaces
B. No, only for the Security Group
C. Yes, only for uplink interfaces
D. Yes, for both uplink and downlink interfaces
Selected Answer: A
