• Home
  • Articles
  • [May-2024] CheckPoint 156-836 Actual Questions and Braindumps [Q32-Q53]

[May-2024] CheckPoint 156-836 Actual Questions and Braindumps [Q32-Q53]

Share

[May-2024] CheckPoint 156-836 Actual Questions and Braindumps

Pass 156-836 Exam with Updated 156-836 Exam Dumps PDF 2024


The Check Point Certified Maestro Expert - R81 (CCME) certification exam is a vendor-specific certification exam that measures the candidate's knowledge and skills in deploying and managing Check Point Maestro. 156-836 exam covers a wide range of topics such as Maestro deployment, network virtualization, security management, troubleshooting, and more.

 

NEW QUESTION # 32
Which feature is used to force trusted non-F2F traffic into the fully accelerated path for handling by SecureXL.

  • A. hypersync
  • B. SecureXL
  • C. Fast Accelerator
  • D. rate limiting

Answer: B

Explanation:
Explanation
SecureXL is typically used to accelerate trusted traffic, including non-F2F (face-to-face) traffic, through a secure, fast path.
References =
*SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above 1
*SecureXL Fast Accelerator - Need to clarify packet flow 2
1:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=
2:
https://community.checkpoint.com/t5/Security-Gateways/SecureXL-Fast-Accelerator-Need-to-clarify-packet-flo


NEW QUESTION # 33
Which licenses should be issued for the Orchestrator?

  • A. Depends on Software Blades enabled on connected appliances
  • B. The Orchestrator is considered a Management server, hence it's licensed the same way
  • C. The Orchestrator requires NGTX license
  • D. No licenses are required for Orchestrator

Answer: D

Explanation:
Explanation
Orchestrators in many network environments do not require separate licenses, as they primarily function to manage and distribute network traffic.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 1: Introduction to Check Point Maestro, Lesson 1.2: Maestro Licensing, page 1-8
*Check Point R81 Maestro Administration Guide, Chapter 1: Introduction to Check Point Maestro, Section:
Maestro Licensing, page 1-6
*Activation of a Quantum Maestro Orchestrator - Check Point Software


NEW QUESTION # 34
What is the Orchestrator?

  • A. Network Switch
  • B. Manager of compute and network resources, load balancer and network switch
  • C. Load balancer
  • D. None of above

Answer: B

Explanation:
Explanation
The Orchestrator is a Maestro component that manages the compute and network resources of the Security Group Modules (SGMs) in a Security Group. It also acts as a load balancer and a network switch, distributing traffic among the SGMs and connecting them to the customer's network infrastructure.
References:
*Maestro Expert (CCME) Course - Check Point Software, page 41
*Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, course outline


NEW QUESTION # 35
Which command should be used to restart Orchestrator service only?

  • A. cpstop; cpstart
  • B. service orchestrator restart
  • C. orchd restart
  • D. reboot

Answer: C

Explanation:
Explanation
Page 313 from the training manual:
- Restart the service:
orchd restart
- Restart the service without confirmation
service orchd restart


NEW QUESTION # 36
What happens if you apply a hotfix using gClish?

  • A. If you apply a hotfix using gclish, each SG members installs the hotfix and reboots after waiting it's turn to do so.
  • B. If you apply a hotfix using gclish, it causes an outage for the entire SG as all members reboot at roughly the same time.
  • C. Logical groups "A" and "B" are created. Members of group "A" install and reboot first. Then members of group "B" does the same once reboots have finished with group "A."
  • D. If you apply a hotfix using gclish, the operation will fail because an outage would occur.

Answer: C

Explanation:
Explanation
This is the correct answer because it describes the hotfix installation process using gClish on a Maestro Security Group. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. When a hotfix is applied using gClish, the SG members are divided into two logical groups: "A" and "B". The members of group "A" install the hotfix and reboot first, while the members of group "B" wait for their turn. After all the members of group "A" are back online, the members of group
"B" install the hotfix and reboot.This way, the SG maintains high availability and does not cause an outage.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 37
What is the purpose of g_tcpdump command?

  • A. Collects traffic dump from all Active Appliances within Security Group
  • B. The same as tcpdump, just on Scalable Platform
  • C. Collects traffic dump from Sync network
  • D. Collects traffic dump from CIN network

Answer: A

Explanation:
Explanation
_tcpdump" probably collects traffic dumps from all active appliances within a security group, aligning with the naming convention and function of similar commands in scalable platforms.
References
*Maestro Expert (CCME) Course - Check Point Software, page 331
*What is 'IN' and 'OUT' of g_tcpdump? - Check Point CheckMates2
*CHECK POINT MAESTRO EXPERT, page 23


NEW QUESTION # 38
What will happen in case of NAT of the traffic passing through Management network?

  • A. This traffic will not pass correction, since it will be dropped
  • B. Orchestrator will disable NAT and traffic will pass with no issue
  • C. Since Management traffic is always going to SMO, it will take a care for Correction Layer and will re-distribute traffic to other Appliances
  • D. This traffic will pass with no inspection

Answer: B

Explanation:
Explanation
According to the Check Point MAESTRO R80.20SP Administration Manual1, NAT is not supported on the management network. If you configure NAT on the management network, the Orchestrator will disable NAT and allow the traffic to pass without translation. This is to ensure that the management traffic can reach the Security Group members and the SmartConsole without any issues.
References
*Check Point MAESTRO R80.20SP Administration Manual, page 291


NEW QUESTION # 39
What command can be run to show which SGM is selected to receive traffic?

  • A. asg monitor
  • B. dxl calc
  • C. asg calc
  • D. g_tcpdump

Answer: C

Explanation:
Explanation
The asg calc command is a tool to show which SGM is selected to receive traffic based on the distribution mode and the packet parameters. It takes the port number, the source IP, the destination IP, and optionally the source port and the destination port as arguments and returns the SGM ID and the hash value. For example, asg calc 1 10.0.0.1 20.0.0.2 1234 80 will show which SGM will receive the traffic from 10.0.0.1:1234 to
20.0.0.2:80 on port 1.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using theCommand Line Interface and WebUI, Lesson 4.1: asg calc, page 4-5
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: asg calc, page 4-5
*asg calc - Check Point Software


NEW QUESTION # 40
What Maestro component is automatically designated the SMO Master?

  • A. The first MHO configured is considered the SMO Master.
  • B. The MDS that pushes policy to the SMO is considered the SMO Master.
  • C. The SGM with the highest member ID (the last one added to the security group.)
  • D. The SGM with the lowest member ID (the first one added to the security group.)

Answer: D

Explanation:
Explanation
The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.
References:
*Maestro Frequently Asked Questions (FAQ), under "What is a Single Management Object (SMO)?"
*Check Point Jump Start Course: Maestro, under "Maestro Security Groups"


NEW QUESTION # 41
What is the throughput penalty of Security Group?

  • A. 1% per member
  • B. 5% per member
  • C. Depends on the type of Appliance
  • D. 10% per Security Group with no relation to the number of members

Answer: A

Explanation:
Explanation
Check Point reduced throughput degradation to 1% per added SGMs. For example, the overall throughput degradation is 10% for 10 SGMs in a Security Group. Check Point aims to reduce this even further in the future.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=


NEW QUESTION # 42
How does HyperSync work in a Dual Site environment?

  • A. Each active connection has a local backup (on the local site) and a second backup connection on the second site (remote site.)
  • B. Each active connection has a local backup (on the local site) and a second backup connection on each of the MHOs.
  • C. Each active connection has two local backups (on the local site) and a third backup connection on the second site (remote site.)
  • D. Each active connection has a backup connection on the second site (remote site.)

Answer: A


NEW QUESTION # 43
Which command is used to set the number of sites in a Maestro environment?

  • A. set maestro orchestrator-site-amount
  • B. set maestro configuration orchestrator-site-amount
  • C. set maestro configuration orchestrator-site-id
  • D. set maestro configuration orchestrator-site-number

Answer: B

Explanation:
Explanation
This command is used to set the number of sites in a Maestro environment, which can be either one or two.
The number of sites determines the site-sync configuration and the failover policies for the Security Groups and the Security Group Members. The default value is one, and it can be changed only before the first Security Group is created.
References =
*Maestro basic setup documentation - Page 2 - Check Point CheckMates
*Check Point R81.10 for Scalable Platforms - Check Point Software
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 44
Which command do you use to find bottlenecks in the system that are affecting performance, even functionality in some cases?

  • A. asg monitor
  • B. asg diag verify
  • C. asg stat -v
  • D. asg perf -v

Answer: D

Explanation:
Explanation
The asg perf -v command is used to find bottlenecks in the system that are affecting performance, even functionality in some cases. The asg perf -v command displays the performance statistics of the Security Group Modules (SGMs) in the Security Group, such as throughput, packet rate, CPU utilization, memory usage, and more. The asg perf -v command also shows the distribution mode and the correction rate of each SGM, which can indicate potential issues with asymmetric routing or load balancing. The asg perf -v command can help identify which SGMs are overloaded, underutilized, or misconfigured, and provide insights for troubleshooting and optimization.
References =
*Check Point Maestro R81.X Administration Guide, page 67, section "asg perf" 1
*Check Point Maestro R81.X Getting Started Guide, page 29, section "asg perf" 2
*Check Point Maestro Under the Hood presentation by Lari Luoma, slide 26
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
:
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20M


NEW QUESTION # 45
Which blade configuration files should be backed up on the SG if upgrading from R80.30SP or earlier?

  • A. Mobile Access configuration files.
  • B. VPN configuration files
  • C. fwkern.conf files.
  • D. IPS configuration files

Answer: D

Explanation:
Explanation
References
*Maestro R80.30SP Jumbo Hotfix Accumulator, Section: Important Notes
*Check Point Maestro R80.30SP with Gaia 3.10, Section: Known Limitations
*Check Point SNMP MIB files, Section: Revision History


NEW QUESTION # 46
What Maestro component acts as a load balancer and network switch?

  • A. Security Switching Module (SSM)
  • B. Security Gateway Module (SGM)
  • C. Security Group (SG)
  • D. Maestro Hyperscale Orchestrator (MHO)

Answer: D

Explanation:
Explanation
*The Quantum Maestro Orchestrator uses the Distribution Mode to assign incoming traffic to Security Group Members.
*Reference: Working with the Distribution Mode


NEW QUESTION # 47
How does HyperSync work in a Dual Site environment?

  • A. Each active connection has a local backup (on the local site) and a second backup connection on the second site (remote site.)
  • B. Each active connection has a local backup (on the local site) and a second backup connection on each of the MHOs.
  • C. Each active connection has two local backups (on the local site) and a third backup connection on the second site (remote site.)
  • D. Each active connection has a backup connection on the second site (remote site.)

Answer: A

Explanation:
Explanation
HyperSync is a feature of Maestro that enables stateful synchronization of connections and resources across different sites in a Dual Site environment. HyperSync works by creating two backup connections for each active connection: one on the same site as the active connection, and another on the remote site. This ensures that the connection can be seamlessly resumed in case of a failover event, either within the same site or across the sites. HyperSync uses the Site-Sync port and VLANs to transmit the synchronization packets between the Security Group Members and the Maestro Orchestrators.
References =
*Maestro Dual Site configuration with a direct connection through L2 switches
*Maestro Frequently Asked Questions (FAQ)
*CHECK POINT MAESTRO EXPERT


NEW QUESTION # 48
While looking at your system's correction statistics, you notice you have a correction rate approaching 100 percent. Is this a problem?

  • A. In some scenarios, a correction rate approaching 100 percent of all connections is not unusual. This is not usually a cause for concern as the correction mechanism is fast and efficient.
  • B. A correction rate approaching 100 percent of all connections is unusual. This is a cause for concern because the SGMs may fail to process traffic.
  • C. A correction rate above 90 percent indicates a need to disable Layer 4 Distribution.
  • D. If correction rates are higher than 80 percent, latency is expected.

Answer: B

Explanation:
Explanation
References =
*Check Point Maestro R81.X Administration Guide, page 64, section "Correction Layer" 1
*Check Point Maestro R81.X Getting Started Guide, page 26, section "Correction Layer" 2
*Check Point Maestro Under the Hood presentation by Lari Luoma, slide 23 3
*Check Point Maestro Frequently Asked Questions (FAQ), question 9 4
1: https://www.manualslib.com/manual/2031661/Check-Point-Maestro-R80-20sp.html 2:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Maestro_GettingStarted/html_frame
3:
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/maestro/1191/1/Check%20Mates%20M
4:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=


NEW QUESTION # 49
When working with Maestro, what is the difference between using Clish and gClish?

  • A. Clish commands are run on the SG members. gClish commands are run on the MHO and applied to all connected SG members in a specified group.
  • B. Clish commands apply only to a specific SG member. gClish commands apply to all UP SG members, by default.
  • C. Clish commands are for testing purposes only and cannot be saved, gClish commands apply to all SG members, by default.
  • D. Clish commands apply to all UP SG members, by default. gClish commands apply to all SG members, by default.

Answer: B

Explanation:
Explanation
This is the correct answer because it describes the difference between using Clish and gClish when working with Maestro. Clish is the Check Point command line shell that allows users to configure and manage the SG members individually. gClish is the global Clish that allows users to run commands on all UP SG members of the current Security Group at once. UP SG members are theones that are in the UP state and have the same policy installed as the SMO Master.
References
*Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 4: Using the Command Line Interface and WebUI, Lesson 4.3: Global Commands, page 4-11
*Check Point R81 Maestro Administration Guide, Chapter 4: Using the Command Line Interface and WebUI, Section: Global Commands, page 4-9
*Global Expert Mode Commands - Check Point CheckMates


NEW QUESTION # 50
HealthCheck Point _____

  • A. is a self-updatable suite of tools for SGMs with the capability to assess the health of the system, visualize the Firewall topology, provide a timeline of critical and informative events that might have occurred in a production system.
  • B. can be used to let you visualize the Firewall topology for the SG and view live statistics, which includes throughput, problem notes, and CPU utilization.
  • C. performs a system health check and is meant to replace both a CPInfo and the health check script.
  • D. is a self-updatable suite of tools for MHOs with the capability to assess the health of the system and provide a timeline of critical and informative events that might have occurred in a production system.

Answer: A

Explanation:
Explanation
HealthCheck Point (HCP) is a tool that can perform various tests and checks on the system components of the Security Group Modules (SGMs), such as hardware, software, network, clock,ARP, and more. It can also display the performance statistics of the SGMs, such as throughput, packet rate, CPU utilization, memory usage, and more. Additionally, HCP can provide a graphical representation of the Firewall topology for the Security Group, showing the connections and statuses of the SGMs and the Orchestrators. Furthermore, HCP can generate a report of the critical and informative events that occurred on the system, such as configuration changes, errors, warnings, and alerts. HCP can help identify and troubleshoot any issues or errors that may affect the system functionality or performance.
References =
*HealthCheck Point (HCP) Release Updates - Check Point Software 1
*Professional Services Healthcheck - Check Point Software 2
*HealthCheck Point - Check Point CheckMates 3


NEW QUESTION # 51
Possibilities for a failure in a single SGM of a Security Group include.

  • A. There are too many active SGMs in the SG.
  • B. A change was made with clish instead of gClish, causing the SGM to handle traffic differently than the other SGMs.
  • C. An administrator imported a hotfix into the CPUSE repository of a single SGM.
  • D. SecureXL is not enabled on the SGM.

Answer: C

Explanation:
Explanation
One of the possible causes of a failure in a single SGM of a Security Group is that an administrator imported a hotfix into the CPUSE repository of a single SGM, instead of using the orchestrator to distribute the hotfix to all the SGMs in the Security Group. This can create a mismatch in the software versions and configurations of the SGMs, and lead to unexpected behavior and errors.
References
*Maestro Expert (CCME) Course - Check Point Software, page 251
*sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands2
*sk180418: Security Gateway Member (SGM) is stuck after it is added to a Security Group with image auto cloning enabled on the Single Management Object (SMO)


NEW QUESTION # 52
Multiple SGs can exist in a Dual Site environment. Each SG can be configured in one of three ways. Which is not one of those ways?

  • A. Two MHOs at same site connected to remote site MHOs via single switch.
  • B. Two MHOs at same site connected to remote site MHOs via two different switches.
  • C. Direct connectivity between Remote Site MHOs.
  • D. Two MHOs connected to two MHOs via load balancers.

Answer: D

Explanation:
Explanation
This is not one of the ways to configure a Security Group in a Dual Site environment, because load balancers are not required or supported for the inter-site communication between the Maestro Orchestrators (MHOs).
The MHOs use the Site-Sync port and VLANs to synchronize the resources and connections across the sites.
The three valid scenarios for Dual Site configuration are:
*Direct connectivity between remote site Orchestrators: This scenario requires two orchestrators, one for each site, and a direct connection between them using the site-sync port.
*Two orchestrators on the same site are connected to the remote site orchestrators through two different switches: This scenario requires four orchestrators, two for each site, and a connection between them using the site-sync port and two external switches that support QinQ and MTU increment.
*Two orchestrators on the same site are connected to the remote site orchestrators through one switch: This scenario also requires four orchestrators, two for each site, and a connection between them using the site-sync port and one external switch that support QinQ and MTU increment.
References =
*Maestro Dual Site configuration with a direct connection through L2 switches
*[Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)]
*[Maestro Frequently Asked Questions (FAQ)]


NEW QUESTION # 53
......


To prepare for the exam, Check Point offers several training options, including an online self-study course, instructor-led courses, and hands-on lab sessions. Additionally, candidates can access a wealth of study materials, including practice exams, study guides, and documentation on the Check Point website. It is recommended that candidates have at least six months of experience working with Check Point Maestro before taking the exam.

 

Latest 156-836 Pass Guaranteed Exam Dumps with Accurate & Updated Questions: https://www.actual4dumps.com/156-836-study-material.html

156-836 Exam Brain Dumps - Study Notes and Theory: https://drive.google.com/open?id=1aFFsp8nwPvaFvJaAQudxgoajDhBxXsx-

Related Articles

more
CheckPoint 156-836 Certification Practice Exam

Copyright © 2026 Actual4Dumps NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy

Disclaimer:
Actual4Dumps doesn't offer Real SAP Exam Questions.
Oracle and Java are registered trademarks of Oracle and/or its affiliates
Actual4Dumps material do not contain actual actual Oracle Exam Questions or material.
Microsoft®, Azure®, Windows®, Windows Vista®, and the Windows logo are registered trademarks of Microsoft Corporation
Actual4Dumps Materials do not contain actual questions and answers from Cisco's Certification Exams. The brand Cisco is a registered trademark of CISCO, Inc
CFA Institute does not endorse, promote or warrant the accuracy or quality of these questions. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Actual4Dumps does not offer exam dumps or questions from actual exams. We offer learning material and practice tests created by subject matter experts to assist and help learners prepare for those exams. All certification brands used on the website are owned by the respective brand owners. Actual4Dumps does not own or claim any ownership on any of the brands.