156-836 Check Point Certified Maestro Expert (CCME) R81.X Question and Answers

The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members. It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric1

The Correction Layer works as follows:

•When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.

•If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.

•If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.

•The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all cluster members to inform them about the owner of each connection2

According to the Check Point MAESTRO R80.20SP Administration Manual1, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.

References

•Check Point MAESTRO R80.20SP Administration Manual, page 291

_tcpdump" probably collects traffic dumps from all active appliances within a security group, aligning with the naming convention and function of similar commands in scalable platforms.

References

•Maestro Expert (CCME) Course - Check Point Software, page 331

•What is ‘IN’ and ‘OUT’ of g_tcpdump? - Check Point CheckMates2

•CHECK POINT MAESTRO EXPERT, page 23

Page 313 from the training manual:

- Restart the service:

orchd restart

- Restart the service without confirmation

service orchd restart

This is the correct answer because it follows the upgrade order and procedure specified in the R81.10 and R81.20 Administration Guides for Maestro environments. The MHOs are responsible for managing and synchronizing the SGMs, so they must be upgraded to the target version before the SGMs. However, the SGMs can be upgraded one by one or in batches, as long as they arecompatible with the MHOs. The upgrade process also supports Multi-Version Clustering, which allows different versions of SGMs to operate in the same Security Group with zero downtime.

References =

•Check Point R81.10 for Scalable Platforms - Check Point Software

•Check Point R81.20 for Scalable Platforms - Check Point Software

•CHECK POINT MAESTRO EXPERT

SecureXL is typically used to accelerate trusted traffic, including non-F2F (face-to-face) traffic, through a secure, fast path.

References =

•SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above 1

•SecureXL Fast Accelerator - Need to clarify packet flow 2

1: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk156672 2: https://community.checkpoint.com/t5/Security-Gateways/SecureXL-Fast-Accelerator-Need-to-clarify-packet-flow/td-p/114651

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

•Layer 4 Distribution - Yes or No? - Check Point CheckMates

•Support, Support Requests, Training … - Check Point Software

This configuration likely provides balanced and redundant connectivity for orchestrator redundancy.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 3: Dual Orchestrator Environment, Lesson 3.1: Introduction to Dual Orchestrator Environment, page 3-7

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: Downlinks, page 3-8

•Check Point 23800 Appliance Datasheet - Check Point Software, page 2

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section: LLDP, page 3-9

The Scalable Platform software allows you to easily add or remove security gateways from a security group without affecting the existing configuration. You can also use the command line interface or the web UI to reconfigure the security group on demand.

References = Check Point R81.10 for Scalable Platforms - Check Point Software, Scalable Platforms (Maestro and Chassis) comparison between versions - Check Point Software, [Check Point R81.10 AI & ML Driven Threat Prevention and Security Management - Check Point Blog]

HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of afailover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•Maestro Frequently Asked Questions (FAQ)

•CHECK POINT MAESTRO EXPERT

The sx_api_ports_dump.py command is used to display port mapping and traffic distribution details for Security Groups and Orchestrator ports. This command must be run on the Maestro Hyperscale Orchestrator (MHO), as it is the device responsible for managing communication and configuration of Security Groups and Security Group Members (SGMs). It does not function on the Management server, Security Group, or SMO Appliance, as these components do not have the same role or access to Orchestrator-specific port data.

Exact Extract:

“The sx_api_ports_dump.py command should be run on the Orchestrator, which is the device that manages the communication and the configuration of the Security Groups and the SGMs. The command shows the port mapping and the traffic distribution for each Security Group, as well as the backplane bonds and the Orchestrator ports. The command does not work on the Management server, the Security Group, or the SMO Appliance, as they do not have the same role and functionality as the Orchestrator.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

—Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

Explanation of Options:

A. Management server: Incorrect, as the Management server does not manage Orchestrator port configurations or traffic distribution.

B. Security Group: Incorrect, as Security Groups (SGMs) do not have direct access to Orchestrator port data.

C. Orchestrator: Correct, as the Orchestrator is the device where this command is executed to retrieve port and traffic distribution information.

D. SMO Appliance: Incorrect, as the Single Management Object (SMO) Appliance does not handle Orchestrator-specific port management.

The g_all prefix is used to run commands globally in Expert mode on all Security Group Members of the current Security Group. For example, g_all cpstop will stop the Check Point services on all SGMs. The other prefixes are not valid for global commands in Expert mode.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9

•Global Expert Mode Commands - Check Point CheckMates

The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator’s IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security GroupModules, Section: LLDP, page 3-9

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

•Log and Configuration Files - Check Point Software

The correct way to connect MHO1 and MHO2 to the SGM line cards in a dual MHO environment is to use the even-numbered ports for MHO1 and the odd-numbered ports for MHO2. This is to ensure that each SGM has two downlinks to each MHO, and that the downlinks are balanced across the different NICs and links. This provides redundancy and high availability for the traffic flow between the SGMs and the MHOs.

References

•R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2

•Maestro Expert (CCME) Course - Check Point Software, page 18

•Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide 16

According to the Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175 document1, ports 1 - 4 are Management ports that are used to connect the MHO to the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. Ports 5 - 26 are Uplink ports that are used to connect the MHO to the customer’s network infrastructure, such as switches, routers, or firewalls. Ports 27 - 47 are Downlink ports that are used to connect the MHO to the Security Group Modules (SGMs) in the Security Group. Ports 49 - 55 are Backplane ports that are used to connect the MHO to another MHO in a Dual Orchestrator environment.

MHOs process traffic in Active-Active mode, which means that both MHOs are active and share theload of the traffic that is sent to and from the SGMs. Active-Active mode provides better performance and scalability than Active-Standby mode, which only uses one MHO at a time and keeps the other as a backup. Active-Active mode also allows for faster failover and recovery in case of an MHO failure, as the surviving MHO can take over the traffic without interruption.

References

•Maestro Expert (CCME) Course - Check Point Software, page 25

•CheckPoint Certified Maestro Expert (CCME) - Skillzcafe, page 2

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 2

References

•Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes

•Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations

•Check Point SNMP MIB files, Section: Revision History

The asg perf -v command is used to find bottlenecks in the system that are affecting performance, even functionality in some cases. The asg perf -v command displays the performance statistics of the Security Group Modules (SGMs) in the Security Group, such as throughput, packet rate, CPU utilization, memory usage, and more. The asg perf -v command also shows the distribution mode and the correction rate of each SGM, which can indicate potential issues with asymmetric routing or load balancing. The asg perf -v command can help identify which SGMs are overloaded, underutilized, or misconfigured, and provide insights for troubleshooting and optimization.

References =

•Check Point Maestro R81.X Administration Guide, page 67, section “asg perf” 1

•Check Point Maestro R81.X Getting Started Guide, page 29, section “asg perf” 2

•Check Point Maestro Under the Hood presentation by Lari Luoma, slide 26

1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frameset.htm : https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20Maestro%20under%20the%20hood%202022.pptx