• Home
  • Articles
  • [May-2024] Verified CheckPoint Exam Dumps with 156-836 Exam Study Guide [Q24-Q46]

[May-2024] Verified CheckPoint Exam Dumps with 156-836 Exam Study Guide [Q24-Q46]

Share

[May-2024] Verified CheckPoint Exam Dumps with 156-836 Exam Study Guide

Best Quality CheckPoint 156-836 Exam Questions Real4dumps Realistic Practice Exams [2024]


The Check Point Certified Maestro Expert - R81 (CCME) exam is a hands-on exam that requires candidates to demonstrate their practical knowledge and skills in managing and administering Maestro solutions. 156-836 exam consists of multiple-choice questions and lab exercises that test the candidate's ability to configure and manage Maestro orchestrator and gateways, troubleshoot issues, and implement security policies.

 

NEW QUESTION # 24
What is the purpose of Management ports located on the Rear Panel of the Orchestrator MHO-140?

  • A. Reserved for internal purposes. Not in use.
  • B. Additional ports used as uplinks
  • C. 1Gbps connectivity for Security Groups
  • D. Out-of-band interfaces for access to Orchestrator itself

Answer: D

Explanation:
Explanation
The Management ports located on the Rear Panel of the Orchestrator MHO-140 are out-of-band interfaces that provide access to the Orchestrator itself for configuration and management purposes. They are not used for traffic distribution or connectivity to the Security Groups or the external networks. They are 1Gbps RJ-45 ports that can be connected to a switch or a router.
References
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2
*Quantum Maestro Getting Started Guide - Check Point CheckMates2, page 4


NEW QUESTION # 25
Splitter cannot be used _______

  • A. To connect single port on orchestrator to multiple port on external switch
  • B. To connect single port on orchestrator to the same Appliance
  • C. To connect single port on Appliance to multiple ports on the orchestrator
  • D. To connect single port on orchestrator to multiple Appliances

Answer: B


NEW QUESTION # 26
What command should be used for collecting diagnostic information about the orchestrator?

  • A. asg perf -v
  • B. orch_info
  • C. cpview
  • D. cpinfo

Answer: D

Explanation:
Explanation
The cpinfo command is a tool that collects diagnostic information about the orchestrator, such as hardware, software, network, configuration, and logs. The cpinfo command generates a file that can be sent to Check Point Support for analysis and troubleshooting. The cpinfo command can be run on the orchestrator's CLI or WebUI.
References =
*Check Point Maestro R81.X Administration Guide, page 68, section "cpinfo" 1
*Check Point Maestro R81.X Getting Started Guide, page 30, section "cpinfo" 2
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software 3
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
3: https://www.checkpoint.com/downloads/products/maestro-hyperscale-orchestrator-datasheet.pdf


NEW QUESTION # 27
While looking at your system's correction statistics, you notice you have a correction rate approaching 100 percent. Is this a problem?

  • A. In some scenarios, a correction rate approaching 100 percent of all connections is not unusual. This is not usually a cause for concern as the correction mechanism is fast and efficient.
  • B. If correction rates are higher than 80 percent, latency is expected.
  • C. A correction rate above 90 percent indicates a need to disable Layer 4 Distribution.
  • D. A correction rate approaching 100 percent of all connections is unusual. This is a cause for concern because the SGMs may fail to process traffic.

Answer: D

Explanation:
Explanation
References =
*Check Point Maestro R81.X Administration Guide, page 64, section "Correction Layer" 1
*Check Point Maestro R81.X Getting Started Guide, page 26, section "Correction Layer" 2
*Check Point Maestro Under the Hood presentation by Lari Luoma, slide 23 3
*Check Point Maestro Frequently Asked Questions (FAQ), question 9 4
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
3:
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20M
4:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=


NEW QUESTION # 28
During an upgrade, Is Multi-Version Clustering (MVC) supported?

  • A. No. Maestro does not support MVC because ClusterXL is disabled during an upgrade.
  • B. No, Maestro does not support MVC.
  • C. Maestro supports MVC or full connectivity upgrade as of R80.40.
  • D. Yes, MVC is supported as of R81 for Maestro.

Answer: D

Explanation:
Explanation
Multi-Version Clustering (MVC) is a feature that allows different versions of Security Gateways to operate in the same cluster and provide seamless failover and load balancing. MVC is supported for Maestro environments as of R81, which means that it is possible to upgrade the Security Groups in a Maestro environment as a Multi-Version Cluster with zero downtime. This requires that the Maestro Orchestrators are upgraded to R81.20 first, and then the Security Groups can be upgraded one by one to R81.20 while maintaining full connectivity and synchronization.
References =
*Check Point R81.20 for Scalable Platforms - Check Point Software
*Maestro Dual Site configuration with a direct connection through L2 switches
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 29
There is a Security group of 10 Appliances and all of them are up and running. How many Appliances within a Security Group keep the same connection in its connection table in case of NAT?

  • A. Between 2 and 4
  • B. 0
  • C. All 10
  • D. 1

Answer: A

Explanation:
Explanation
References =
*Check Point Maestro R81.X Administration Guide, page 64, section "Correction Layer" 1
*Check Point Maestro R81.X Getting Started Guide, page 26, section "Correction Layer" 2
*Check Point Maestro Under the Hood presentation by Lari Luoma, slide 23
*Check Point Maestro Frequently Asked Questions (FAQ), question 9
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
:
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20M
:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=


NEW QUESTION # 30
Multiple SGs can exist in a Dual Site environment. Each SG can be configured in one of three ways. Which is not one of those ways?

  • A. Two MHOs connected to two MHOs via load balancers.
  • B. Direct connectivity between Remote Site MHOs.
  • C. Two MHOs at same site connected to remote site MHOs via single switch.
  • D. Two MHOs at same site connected to remote site MHOs via two different switches.

Answer: A

Explanation:
Explanation
This is not one of the ways to configure a Security Group in a Dual Site environment, because load balancers are not required or supported for the inter-site communication between the Maestro Orchestrators (MHOs).
The MHOs use the Site-Sync port and VLANs to synchronize the resources and connections across the sites.
The three valid scenarios for Dual Site configuration are:
*Direct connectivity between remote site Orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.
*Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.
*Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that support QinQ and MTU increment.
References =
*Maestro Dual Site configuration with a direct connection through L2 switches
*[Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)]
*[Maestro Frequently Asked Questions (FAQ)]


NEW QUESTION # 31
What happens if the SMO Master fails?

  • A. The Backup SMO Master will take over in the event of a failure with the SMO Master.
  • B. The Security Group will no longer pass traffic and the issue must be resolved with the SMO Master.
  • C. A failover will occur on the MHO and traffic will continue to pass.
  • D. The next SGM with the current lowest SGM ID assumes the role of the SMO Master.

Answer: D

Explanation:
Explanation
This aligns with the principle of redundancy in network systems, where the next available device with the lowest ID typically takes over management roles in case of a failure.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 91
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline


NEW QUESTION # 32
There are two 10Gbps dual-port NIC installed on a 6800 appliance. Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?

  • A. Port 1 in Slot 2 and Port 2 in Slot 1
  • B. Port 1 in Slot 1 and Port 1 in Slot 2
  • C. Any pair of available ports
  • D. Port 1 in Slot 1 and Port 2 in Slot 1

Answer: B

Explanation:
Explanation
The correct interfaces to connect to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators are Port 1 in Slot 1 and Port 1 in Slot 2. This is because each slot represents a different NIC, and each port represents a different physical link. By connecting two ports from different slots, the appliance can have redundant connections to the same orchestrator, and avoid a single point of failure in case of a NIC or link failure.
References
*Check Point 156-835 Certification Flashcards | Quizlet1
*Maestro Expert (CCME) Course - Check Point Software, page 182
*Maestro Technical Training, Module 2: Maestro Security Groups and the Single Management Object, slide
163


NEW QUESTION # 33
What command can be run to show which SGM is selected to receive traffic?

  • A. dxl calc
  • B. asg monitor
  • C. g_tcpdump
  • D. asg calc

Answer: D

Explanation:
Explanation
The asg calc command is a tool to show which SGM is selected to receive traffic based on the distribution mode and the packet parameters. It takes the port number, the source IP, the destination IP, and optionally the source port and the destination port as arguments and returns the SGM ID and the hash value. For example, asg calc 1 10.0.0.1 20.0.0.2 1234 80 will show which SGM will receive the traffic from 10.0.0.1:1234 to
20.0.0.2:80 on port 1.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using theCommand Line Interface and WebUI, Lesson 4.1: asg calc, page 4-5
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg calc, page 4-5
*asg calc - Check Point Software


NEW QUESTION # 34
What is the difference between Dual-Site and Dual-Room?

  • A. Dual-Room is a kind of Dual-Site deployment within the same building
  • B. Dual-Room is a Single-Site deployment where all Appliances are connected to both orchestrators
  • C. Dual-Room is Active / Standby and Dual-Site is Active / Active
  • D. They are the same

Answer: A

Explanation:
Explanation
References =
*[Maestro Frequently Asked Questions (FAQ)]
*Maestro Dual Site configuration with a direct connection through L2 switches
*Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 35
What is the throughput penalty of Security Group?

  • A. 1% per member
  • B. 10% per Security Group with no relation to the number of members
  • C. Depends on the type of Appliance
  • D. 5% per member

Answer: A

Explanation:
Explanation
Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=


NEW QUESTION # 36
What cannot be learned from the output of lldpctl?

  • A. Distribution mode
  • B. Appliance model
  • C. Orchestrator's IP
  • D. Serial number of Appliance

Answer: A

Explanation:
Explanation
The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration.
LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator's IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9
*Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security Group Modules, Section:
LLDP, page 3-9
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
*Log and Configuration Files - Check Point Software


NEW QUESTION # 37
What is a security group?

  • A. A set of network interfaces and individual SGMs assigned to a logical group.
  • B. A solution for Security Gateway redundancy and Load Sharing.
  • C. A set of appliances of the same model that are collectively managed by the MHO.
  • D. A set of objects in SmartConsole that are responsible for enforcing an access policy.

Answer: B

Explanation:
Explanation
Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features


NEW QUESTION # 38
Is it possible to define distribution mode per interface?

  • A. No, only for the Security Group
  • B. Yes, only for uplink interfaces
  • C. Yes, for both uplink and downlink interfaces
  • D. Yes, only for downlink interfaces

Answer: C

Explanation:
Explanation
Maestro allows you to define the distribution mode per interface, which determines how traffic is distributed among the Security Group Modules (SGMs) in a Security Group. You can configure the distribution mode for each interface individually, or use the default mode for all interfaces. The distribution mode can be set for both uplink and downlink interfaces.
References =
*Check Point Maestro R81.X Administration Guide, page 62, section "Distribution Mode" 1
*Check Point Maestro R81.X Getting Started Guide, page 25, section "Distribution Mode" 2
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame


NEW QUESTION # 39
What is the Correction Layer mechanism?

  • A. The MHO's distribution algorithm which determines the handling SGM for a given connection.
  • B. Ensures asymmetric traffic is handled properly, especially in the case of NAT or VPNs.
  • C. Enforces the access policy on the SGMs and synchronizes the enforcement verdict to other SGMs in the SG.
  • D. The load-balancing mechanism used by the MHO.

Answer: B

Explanation:
Explanation
The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
*NAT and the Correction Layer on a VSX Gateway - Check Point Software1
*Solved: Maestro queries - Check Point CheckMates


NEW QUESTION # 40
What type of license is required for an MHO?

  • A. The MHO requires a NGTP license.
  • B. The MHO requires a VSX license.
  • C. The MHO does not require a license.
  • D. A license is needed for each attached SGM.

Answer: C

Explanation:
Explanation
The MHO (Maestro Hyperscale Orchestrator) does not require a license by itself, but each SGM (Security Group Module) that is attached to the MHO needs a license. The license type depends on the features and blades that are enabled on the SGM. For example, if the SGM is running VSX, it needs a VSX license.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 71
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline


NEW QUESTION # 41
What kinds of transceivers are supported on Orchestrator MHO-140?

  • A. SFP, SFP+, SFP28
  • B. SFP+, SFP28, QSFP
  • C. SFP, SFP+, QSFP, QSFP28
  • D. SFP, QSFP, QSFP28

Answer: A

Explanation:
Explanation
According to the Maestro Hyperscale Orchestrator Datasheet1, the Orchestrator MHO-140 supports the following transceiver types: SFP, SFP+, SFP28. These transceivers can be used for the management, uplink, and downlink ports of the Orchestrator. The SFP transceivers support 1 GbE, the SFP+ transceivers support 10 GbE, and the SFP28 transceivers support 25 GbE.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 42
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline3
*Maestro Hyperscale Orchestrator Datasheet - Check Point Software, page 2


NEW QUESTION # 42
When security policy is installed

  • A. All SGMs receive the security policy and one by one performs an independent policy verification. Then, all SGMs simultaneously install the policy.
  • B. The policy is installed on the SMO, the SMO Master broadcasts the available package, other members retrieve the new policy from the SMO Master and perform an independent policy verification, then the non-SMO Master SGMs install the policy.
  • C. The SMO Master receives the policy and performs a policy verification the policy is installed on the SMO Master, the SMO Master broadcasts the available package, other membersretrieve the new policy from the SMO Master, then the non-SMO Master SGMs install the policy.
  • D. All SGMs receive the security policy and simultaneous policy installation occurs.

Answer: C

Explanation:
Explanation
This is the correct answer because it describes the security policy installation flow for a Maestro Security Group. The SMO Master is the Security Group Member that acts as the leader and the single point of contact for the Management Server. The SMO Master verifies the policy and installs it first, then notifies the other SGMs that a new policy is available. The other SGMs fetch the policy from the SMO Master and install it in parallel.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.3: Security Policy Installation, page 2-15
*Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Policy Installation, page 2-13
*Policy installation flow - Check Point Software


NEW QUESTION # 43
There are two appliances within the same Security Group. One of them is connected by One downlink only, another one by Two downlinks. Assuming there's no NAT and no VPN, what would be proportion of traffic distribution done by Orchestrator?

  • A. 50%/50%
  • B. 100%/0%
  • C. 33%/66%
  • D. 66%/33%

Answer: A

Explanation:
Explanation
The proportion of traffic distribution done by Orchestrator depends on the traffic distribution mode that is configured for the Security Group. There are three modes: Round Robin, Load Sharing, andActive/Standby1.
*Round Robin mode distributes the traffic equally among all the appliances in the Security Group, regardless of the number of downlinks they have. This mode is suitable for scenarios where all the appliances have similar performance and capacity. In this mode, the proportion of traffic distribution would be 50%/50% for two appliances with one and two downlinks respectively.
*Load Sharing mode distributes the traffic proportionally to the number of downlinks each appliance has. This mode is suitable for scenarios where the appliances have different performance and capacity. In this mode, the proportion of traffic distribution would be 33%/66% for two appliances with one and two downlinks respectively.
*Active/Standby mode distributes the traffic to only one appliance at a time, while the other appliances are in standby mode. This mode is suitable for scenarios where high availability is required. In this mode, the proportion of traffic distribution would be 100%/0% or 0%/100% for two appliances with one and two downlinks respectively, depending on which appliance is active.
Since the question does not specify the traffic distribution mode, the default mode is Round Robin2.
Therefore, the proportion of traffic distribution would be 50%/50% for two appliances with one and two downlinks respectively.


NEW QUESTION # 44
What is the Correction Layer?

  • A. Correction Layer is a daemon which corrects errors on Backplane interfaces
  • B. Correction Layer is a mechanism which handles asymmetric connections in multi-appliance system. For example, in case of NAT
  • C. Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute
  • D. Correction Layer is a mechanism which activated in case of asymmetric routing

Answer: B

Explanation:
Explanation
The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
*NAT and the Correction Layer on a Security Gateway - Check Point Software1
*Solved: Maestro queries - Check Point CheckMates


NEW QUESTION # 45
What happens if you apply a hotfix using gClish?

  • A. Logical groups "A" and "B" are created. Members of group "A" install and reboot first. Then members of group "B" does the same once reboots have finished with group "A."
  • B. If you apply a hotfix using gclish, each SG members installs the hotfix and reboots after waiting it's turn to do so.
  • C. If you apply a hotfix using gclish, the operation will fail because an outage would occur.
  • D. If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at roughly the same time.

Answer: A

Explanation:
Explanation
This is the correct answer because it describes the hotfix installation process using gClish on a Maestro Security Group. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. When a hotfix is applied using gClish, the SG members are divided into two logical groups: "A" and "B". The members of group "A" install the hotfix and reboot first, while the members of group "B" wait for their turn. After all the members of group "A" are back online, the members of group
"B" install the hotfix and reboot.This way, the SG maintains high availability and does not cause an outage.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 46
......

Authentic Best resources for 156-836: https://prep4sure.real4dumps.com/156-836-prep4sure-exam.html

Related Articles

more
CheckPoint 156-836 Certification Practice Exam

We are an official authorized large company offering exam prep, real test dumps and latest dumps which can help you pass exam surely. Your money is guaranteed and will be refunded if you fail the exam.

Latest Exam Questions

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now 

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Copyright © 2026 Real4dumps NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy