156-836 Check Point Certified Maestro Expert (CCME) R81.X Questions and Answers

The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system.This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

A Security Group can be compared to a Load Sharing Active / Active cluster because it consists of multiple Security Group Members that share the traffic load and provide high availability and scalability. Each Security Group Member is an active firewall that processes traffic according to the Security Group policy and synchronizes its state with other members. The Maestro Orchestrator acts as a load balancer that distributes the traffic among the Security Group Members based on their capacity and availability.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.1: Introduction to Security Groups, page 2-4

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Security Group Overview, page 2-3

This command is used to set the number of sites in a Maestro environment, which can be either one or two. The number of sites determines the site-sync configuration and the failover policies for the Security Groups and the Security Group Members. The default value is one, and it can be changed only before the first Security Group is created.

References =

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

•Check Point R81.10 for Scalable Platforms - Check Point Software

•CHECK POINT MAESTRO EXPERT

According to the Installing and Uninstalling a Hotfix on Quantum Maestro Orchestrators, page 1, when you apply a hotfix using gclish, the MHO distributes the hotfix to all SGMs in the SecurityGroup. The SGMs install the hotfix and reboot one by one, in ascending order of their SGM IDs. The SGMs wait for the previous SGM to finish rebooting before starting their own reboot. This ensures that there is no outage for the entire Security Group.

References = Installing and Uninstalling a Hotfix on Quantum Maestro Orchestrators, page 1; Maestro R81.10 Jumbo Hotfix install - Check Point CheckMates, page 1.

An uplink interface in a Check Point Maestro environment is specifically used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s network infrastructure, such as switches, routers, or firewalls. These interfaces facilitate the transmission and reception of management and control traffic between the MHOs and the customer’s network. They are critical for integrating the Maestro system with the external network environment.

Exact Extract:

“Uplink interfaces are used to connect Maestro Hyperscale Orchestrators (MHOs) to the customer’s network infrastructure, such as switches, routers, or firewalls. They are also used to send and receive management and control traffic from the customer’s network to the MHOs.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.3: Maestro Interfaces, page 1-10

—Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section: Interfaces, page 1-8

Explanation of Options:

A. To connect in between appliances: Incorrect, as uplink interfaces are not used to connect appliances (Security Group Members) to each other. This is typically handled by downlink interfaces or internal backplane connections.

B. To connect appliances to customer's infrastructure: Incorrect, as appliances (SGMs) connect to the Orchestrators via downlink interfaces, not directly to the customer’s infrastructure.

C. To connect Orchestrators to customer’s infrastructure: Correct, as uplink interfaces are explicitly designed for this purpose, as stated in the courseware and administration guide.

D. To connect in between Orchestrators: Incorrect, as connections between Orchestrators (e.g., in a Dual-Site setup) are typically handled via site-sync ports, not uplink interfaces.

The Correction Layer is a mechanism that handles asymmetric connections in systems with several cluster members. It allows traffic flow to be handled by a single cluster member, even if the flow is asymmetric1

The Correction Layer works as follows:

•When a packet arrives at a cluster member, it checks if it is the owner of the connection. If yes, it processes the packet normally. If not, it checks the Correction table to find the owner of the connection.

•If the owner is found in the Correction table, the packet is forwarded to the owner with a Correction Layer header. The owner then processes the packet and removes the Correction Layer header before sending it to the destination.

•If the owner is not found in the Correction table, the packet is forwarded to the Maestro Orchestrator (MHO) with a Correction Layer header. The MHO then checks its own Correction table to find the owner of the connection. If the owner is found, the MHO forwards the packet to the owner with a Correction Layer header. If the owner is not found, the MHO drops the packet and sends an ICMP error message to the source.

•The Correction tables are updated by the MHO whenever a new connection is established or an existing connection is terminated. The MHO sends Correction Layer messages to all cluster members to inform them about the owner of each connection2

HealthCheck Point (HCP) is a tool designed to perform a comprehensive system health check for the Maestro environment. It is intended to replace both the CPInfo tool and traditional health check scripts by providing a streamlined way to assess the health of Maestro Orchestrators (MHOs) and Security Group Members (SGMs). HCP evaluates system status, configuration, and potential issues, generating detailed reports for troubleshooting and maintenance.

Exact Extract:

“HealthCheck Point (HCP) performs a system health check and is meant to replace both a CPInfo and the health check script. It assesses the health of the Maestro environment, including MHOs and SGMs, by checking system status, configuration settings, and potential issues. HCP provides detailed reports to aid in troubleshooting and maintenance.”

—Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using theCommand Line Interface and WebUI, Lesson 4.4: System Diagnostics, page 4-15

—Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: HealthCheck Point, page 4-12

Explanation of Options:

A. Is a self-updatable suite of tools for MHOs…: Incorrect, as HCP is not limited to MHOs and does not focus on visualizing topology or event timelines. It is a general health check tool for the entire Maestro environment.

B. Performs a system health check and is meant to replace both a CPInfo and the health check script: Correct, as HCP’s primary function is to perform system health checks, replacing CPInfo and health check scripts, as per the documentation.

C. Can be used to let you visualize the Firewall topology…: Incorrect, as HCP does not provide visualization of firewall topology or live statistics like throughput and CPU utilization.

D. Is a self-updatable suite of tools for SGMs…: Incorrect, as HCP is not exclusive to SGMs and does not include topology visualization or event timeline features.

The Scalable Platform software allows you to easily add or remove security gateways from a security group without affecting the existing configuration. You can also use the command line interface or the web UI to reconfigure the security group on demand.

References = Check Point R81.10 for Scalable Platforms - Check Point Software, Scalable Platforms (Maestro and Chassis) comparison between versions - Check Point Software, [Check Point R81.10 AI & ML Driven Threat Prevention and Security Management - Check Point Blog]

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist1, slide 16

The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 are used for out-of-band management and serial console access. One of them is a 1Gbps RJ-45 port that provides an out-of-band interface for accessing the Orchestrator itself for configuration and management purposes. The other one is a RJ-45 serial console port that provides a command-line interface for initial setup and troubleshooting.

References

•Maestro Hyperscale Orchestrator Datasheet - Check Point Software1, page 2

•Quantum Maestro Getting Started Guide - Check Point CheckMates, page 4

The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.

The lldpctl command is a tool to display information about the devices discovered by the Link Layer Discovery Protocol (LLDP) on all ports of the Maestro Orchestrator and the Security Group Members. LLDP is a protocol that enables devices to exchange information about their identity, capabilities, and configuration. LLDP can help to discover the topology and connectivity of the Maestro environment. The output of lldpctl can show the serial number, appliance model, and orchestrator’s IP of the connected devices, but it cannot show the distribution mode of the Security Group. The distribution mode is the algorithm that determines how the Maestro Orchestrator distributes the traffic among the Security Group Members. To view the distribution mode, other commands such as asg monitor or asg stat can be used.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.2: LLDP, page 4-9

•Check Point R81 Maestro Administration Guide, Chapter 3: Working with Security GroupModules, Section: LLDP, page 3-9

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7

•Maestro basic setup documentation - Page 2 - Check Point CheckMates

•Log and Configuration Files - Check Point Software

The asg_perf_hogs command is a script that displays the processes that are consuming excessive system resources, such as CPU, memory, disk, and network, on the orchestrator and the appliances. It can help identify performance issues and bottlenecks in the Maestro environment.

References

•Software Provision and Performance hogs failed - Check Point CheckMates1

•CHECK POINT MAESTRO EXPERT, page 33

Page 313 from the training manual:

- Restart the service:

orchd restart

- Restart the service without confirmation

service orchd restart

In a Maestro Dual Site environment, there are two sites that can host Security Group Members (SGMs) for each Security Group (SG). The Active Site is the one that is currently processing the traffic for a specific SG, while the Standby Site is the one that is ready to take over in case of a failover. The Active Site and the Standby Site can be different for different SGs, depending on the load balancing and failover policies. The Active Site and the Standby Site are synchronized by the Maestro Orchestrators (MHOs) using the Site-Sync port and VLANs.

References =

•Solved: Maestro dual site failover - Check Point CheckMates

•Maestro Dual Site configuration with a direct connection through L2 switches

This is not one of the ways to configure a Security Group in a Dual Site environment, because load balancers are not required or supported for the inter-site communication between the Maestro Orchestrators (MHOs). The MHOs use the Site-Sync port and VLANs to synchronize the resources and connections across the sites. The three valid scenarios for Dual Site configuration are:

•Direct connectivity between remote site Orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.

•Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.

•Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that support QinQ and MTU increment.

References =

•Maestro Dual Site configuration with a direct connection through L2 switches

•[Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)]

•[Maestro Frequently Asked Questions (FAQ)]

The drop_monitor command is a tool that monitors and displays the packets that are dropped by the Check Point code or the Gaia OS on the orchestrator and the appliances. It can help troubleshoot network issues and optimize performance. The command shows the drop reason, source, destination, protocol, and port of the dropped packets, as well as the interface and the module that dropped them.

References

•R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates1

•Support, Support Requests, Training … - Check Point Software2

•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge

According to the Port Mapping for the Check Point Maestro HyperScale Orchestrator MHO-175 document1, ports 1 - 4 are Management ports that are used to connect the MHO to the customer’s management infrastructure, such as SmartConsole or SmartDomain Manager. Ports 5 - 26 are Uplink ports that are used to connect the MHO to the customer’s network infrastructure, such as switches, routers, or firewalls. Ports 27 - 47 are Downlink ports that are used to connect the MHO to the Security Group Modules (SGMs) in the Security Group. Ports 49 - 55 are Backplane ports that are used to connect the MHO to another MHO in a Dual Orchestrator environment.

The g_update_conf_file command is a global command that allows users to update the specified file on all Security Group Members of the current Security Group. The command takes the file name and the parameter-value pair as arguments and updates the file accordingly. For example, g_update_conf_file fwkern.conf fwha_enable_arp=1 will add or modify the fwha_enable_arp parameter in the fwkern.conf file on all SGMs.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-12

•Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-10

•Maestro Commands for Security Groups - Check Point CheckMates

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.

References

•Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20

•Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8

•Layer 4 Distribution - Yes or No? - Check Point CheckMates

•Support, Support Requests, Training … - Check Point Software