A Dual Site setup can have either two or four orchestrators, depending on the scenario. However, the maximum number of orchestrators per Security Group is four, regardless of the number of sites. This is because each Security Group can have up to two orchestrators on each site, and each site can have up to two orchestrators. Therefore, the maximum number of orchestrators in a Dual Site setup is four per Security Group.
References =
•Maestro Frequently Asked Questions (FAQ)
•Maestro Dual Site configuration with a direct connection through L2 switches
•Dual Site Single Maestro Hyperscale Orchestrator Cluster (Dual Site Single MHO Redundancy)
Question # 10
Which command should be used to restart Orchestrator service only?
The Correction Layer mechanism is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT or VPNs are involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
•NAT and the Correction Layer on a VSX Gateway - Check Point Software1
•Solved: Maestro queries - Check Point CheckMates
Question # 12
What is a security group?
A.
A solution for Security Gateway redundancy and Load Sharing.
B.
A set of appliances of the same model that are collectively managed by the MHO.
C.
A set of network interfaces and individual SGMs assigned to a logical group.
D.
A set of objects in SmartConsole that are responsible for enforcing an access policy.
Security groups are used to simplify management and policy enforcement across multiple devices or network segments, often offering redundancy and load balancing features
The sx_api_ports_dump.py command should be run on the Orchestrator, which is the device that manages the communication and the configuration of the Security Groups and the SGMs. The command shows the port mapping and the traffic distribution for each Security Group, as well as the backplane bonds and the Orchestrator ports. The command does not work on the Management server, the Security Group, or the SMO Appliance, as they do not have the same role and functionality as the Orchestrator.
References
•R81.20 Maestro Cheat Sheet version 7 - Check Point CheckMates, page 2
•Maestro Expert (CCME) Course - Check Point Software, page 31
•Check Point Certified Maestro Expert (CCME) R81.X - Global Knowledge, page 3
Question # 14
What is the Correction Layer?
A.
Correction Layer is a daemon which corrects errors on Backplane interfaces
B.
Correction Layer is a mechanism which handles asymmetric connections in multi-appliance system. For example, in case of NAT
C.
Correction Layer is a mechanism which activated in case of asymmetric routing
D.
Correction Layer is a Layer of GAIA OS which corrects misspelled commands and allows them to execute
The Correction Layer is a Maestro component that ensures that packets from the same connection are handled by the same Security Group Module (SGM) in a multi-appliance system. This is especially important when NAT is involved, as packets sent from the client to the server can be distributed to a different SGM than packets from the same session sent from the server to the client. The Correction Layer must then forward the packet to the correct SGM.
References:
•NAT and the Correction Layer on a Security Gateway - Check Point Software1
•Solved: Maestro queries - Check Point CheckMates
Question # 15
What Maestro component acts as a load balancer and network switch?
The SMO Master is the SGM that is responsible for synchronizing the configuration and policy with the other SGMs in the security group. The SMO Master is automatically designated as the SGM with the lowest member ID, which is usually the first one added to the security group. The SMO Master can be changed manually if needed.
References:
•Maestro Frequently Asked Questions (FAQ), under “What is a Single Management Object (SMO)?â€
•Check Point Jump Start Course: Maestro, under “Maestro Security Groupsâ€
