Free 156-836 Exam Braindumps

Which distribution mode assigns packets to an SGM based solely on the packet destination IP?

  A. User mode
  B. Manual mode
  C. Network mode
  D. Auto-topology mode

Answer(s): C

Explanation:

Network mode is the distribution mode that assigns packets to an SGM based solely on the packet destination IP. In this mode, the Orchestrator uses a hash function to map each destination IP to a specific SGM. This mode ensures that all packets with the same destination IP are processed by the same SGM, regardless of the source IP or port. This mode is suitable for scenarios where the destination IP is the main factor for load balancing, such as NAT or VPN.


Reference:

- Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-19
- Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
- Maestro basic setup documentation - Page 2 - Check Point CheckMates



When a VPN tunnel is formed with a Maestro SGM,

  A. The receiving SGM makes an encryption decision. The SGM then syncs the traffic to two backup SGMs: one for clear traffic and one for encrypted traffic.
  B. SGM 1 analyzes the policy and topology. If encryption is required, it calculates the tunnel owner's IP address. SGM 1 sends a clear packet to the tunnel owner. SGM 2 is now the connection and tunnel owner.
  C. The MHO handles the IKE before distributing the traffic to an SGM to handle all encrypted traffic. This helps to prevent any issues with the correction layer.
  D. The MHO distributes copies of the packets to two different SGMs because SGM 1 will handle the clear traffic IKE exchange packets, while SGM 2 handles encrypted packets.

Answer(s): B



What is the default Distribution mode?

  A. Auto-topology
  B. User
  C. Manual-General
  D. Network

Answer(s): A

Explanation:

Auto-topology is the default distribution mode for Maestro Security Groups. In this mode, the Orchestrator assigns packets to a Security Group Member based on the topology of the port defined in the gateway object. Each port is either in user mode or network mode depending on the topology. User mode means that the port is connected to the internal network and network mode means that the port is connected to the external network. The Orchestrator uses a hash function to map each source IP or destination IP to a specific SGM, depending on the mode of the port. This mode ensures that all packets with the same source IP or destination IP are processed by the same SGM, regardless of the port or protocol.


Reference:

- Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-18
- Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-7
- Lari Luoma | Lead Consultant | Maestro SME | Check Point Evangelist, slide 16



Layer 4 distribution is enabled by default in Maestro.
Which is not a scenario when you would want to leave this enabled?

  A. When there is a large number of source ports in use by protocols such as HTTP, HTTPS, and DNS.
  B. When dynamic routing protocols, such as BGP or OSPF, are used.
  C. When there is a heavy imbalance of traffic between the SGMs that are members of the same SG.
  D. When the SG is NATing a very high percentage of traffic passing through it.

Answer(s): B

Explanation:

This is the correct answer because Layer 4 distribution is not recommended when dynamic routing protocols are used in Maestro. Layer 4 distribution is a feature that adds the source and/or destination ports to the distribution equation, which can improve the load balancing among the SGMs. However, it can also cause issues with the correction layer, which is a mechanism that ensures the packets are processed by the correct SGM. Dynamic routing protocols, such as BGP or OSPF, use specific ports to exchange routing information and establish neighbor relationships. If Layer 4 distribution is enabled, it can interfere with the routing protocol packets and cause routing instability or failures.


Reference:

- Check Point Certified Maestro Expert (CCME) R81.X Courseware, Module 2: Maestro Security Groups, Lesson 2.4: Traffic Flow, page 2-20
- Check Point R81 Maestro Administration Guide, Chapter 2: Maestro Security Groups, Section: Traffic Distribution, page 2-8
- Layer 4 Distribution - Yes or No? - Check Point CheckMates - Support, Support Requests, Training ... - Check Point Software





