156-835 Checkpoint Practice Test Questions and Exam Dumps
Question No 1:
In a VSX configuration, which of the following statements is incorrect?
A. All Virtual Systems exist on the SMO
B. All Virtual Systems exist on all Appliances
C. VSX configuration is the same on all Appliances within the same Security Group
D. Each Appliance owns different Virtual Systems
Correct Answer: D
Explanation:
VSX (Virtual System Extension) is a feature in security appliances like Check Point, where multiple virtual firewalls (Virtual Systems) can be configured on a single physical appliance. This setup allows for the segregation of traffic, security policies, and resources between different virtual systems while still using the same physical hardware.
Let's go over the options to explain why D is incorrect:
Option A: "All Virtual Systems exist on the SMO" – This is correct. In a VSX configuration, the SMO (Security Management and Operation) is used to manage the configuration of all the virtual systems. The SMO holds the configuration for the virtual systems, and all virtual systems are configured and managed centrally via the SMO.
Option B: "All Virtual Systems exist on all Appliances" – This is correct. In a VSX configuration, the virtual systems are typically replicated across all appliances within the same security group. This allows each appliance to run the same virtual systems for load balancing and redundancy.
Option C: "VSX configuration is the same on all Appliances within the same Security Group" – This is correct. The configuration of virtual systems is consistent across all appliances within a security group, ensuring uniformity in how the virtual systems are configured, including policies, virtual network setups, etc.
Option D: "Each Appliance owns different Virtual Systems" – This is incorrect. In a VSX configuration, virtual systems are generally shared across all appliances within the security group. Each appliance can run the same virtual systems as others in the group, rather than owning unique virtual systems. The goal of VSX is to manage multiple virtual systems on all appliances in the same group.
In summary, Option D is the incorrect statement because, in a VSX setup, virtual systems are typically shared across appliances within the same security group, not owned by individual appliances.
Question No 2:
There are two 10Gbps dual-port NICs installed on a 6800 appliance. Which interfaces should be connected to Orchestrator 1 for downlinks' intra-orchestrator redundancy when using two Orchestrators?
A. Port 1 in Slot 1 and Port 2 in Slot 1
B. Port 1 in Slot 2 and Port 2 in Slot 1
C. Any pair of available ports
D. Port 1 in Slot 1 and Port 1 in Slot 2
Correct answer: D
Explanation:
In the context of configuring network redundancy with two Orchestrators, you want to ensure that there are two independent paths between the appliance and the Orchestrator to maintain intra-orchestrator redundancy. The key to achieving redundancy is to spread the connections across different physical slots to avoid a single point of failure in case one slot or NIC fails.
By connecting Port 1 in Slot 1 and Port 1 in Slot 2, you are leveraging two separate NICs in different physical locations, which increases the fault tolerance of the connection. If one slot or NIC fails, the other slot and NIC will still maintain the connection to Orchestrator 1, ensuring that redundancy is maintained for the downlinks between the appliance and the Orchestrator.
Here’s why the other options are less ideal:
A. Port 1 in Slot 1 and Port 2 in Slot 1: This configuration uses two ports on the same physical NIC in the same slot, so if that NIC or slot fails, both connections are lost. This setup does not provide effective redundancy.
B. Port 1 in Slot 2 and Port 2 in Slot 1: While this option does place the connections in different physical slots, pairing Port 2 in Slot 1 with Port 1 in Slot 2 is a less conventional choice for redundancy. It is more straightforward to use Port 1 on both slots (Slot 1 and Slot 2).
C. Any pair of available ports: While this might work in a general setup, it doesn't explicitly ensure that redundancy is achieved across different physical slots. For optimal redundancy, you must ensure that the ports are spread across multiple physical locations (different slots), rather than potentially being within the same slot.
In conclusion, Port 1 in Slot 1 and Port 1 in Slot 2 provides the best redundancy as it ensures that if one NIC or slot fails, the other NIC in the different slot will still maintain the connection, offering intra-orchestrator redundancy between the appliance and Orchestrator 1.
Question No 3:
What is the purpose of the RJ-45 connectors located at the front panel of the Orchestrator MHO-170?
A. Two Out-of-band interfaces for access to Orchestrator itself
B. Out-of-band interface for access to Orchestrator itself and Serial Console connector
C. 1Gbps connectivity for Security Groups
D. Reserved for internal purposes. Not in use
Correct answer: B
Explanation:
The RJ-45 connectors located at the front panel of the Orchestrator MHO-170 serve specific roles in terms of access and management of the device. The correct purpose is to provide an out-of-band interface for access to Orchestrator itself and a Serial Console connector for administrative and troubleshooting purposes.
Out-of-band interface for access to Orchestrator itself: This interface is used for management access to the Orchestrator system, typically done through a separate network that is isolated from the regular operational network. This ensures that administrators can access the Orchestrator even if there are issues affecting the primary network.
Serial Console connector: The serial console is a critical feature for direct management of the system. It allows technicians or administrators to connect directly to the Orchestrator via a serial cable to troubleshoot, configure, or monitor the system when network access is unavailable.
Let’s examine why the other options are not correct:
A. Two Out-of-band interfaces for access to Orchestrator itself: While there is an out-of-band interface, the Serial Console connector is also part of the functionality, so this option is incomplete because it omits the serial console.
C. 1Gbps connectivity for Security Groups: This is not correct because RJ-45 connectors on the front panel are used for management access (out-of-band access and serial connection), not for data traffic or connectivity related to Security Groups.
D. Reserved for internal purposes. Not in use: This option is incorrect as the connectors are not reserved for internal purposes; they are actively used for access and management of the Orchestrator system.
In conclusion, the purpose of the RJ-45 connectors on the front panel of the Orchestrator MHO-170 is to provide both an out-of-band interface for management access and a Serial Console connector, making B the correct answer.
Question No 4:
Splitter cannot be used __________.
A. To connect a single port on the orchestrator to multiple Appliances
B. To connect a single port on Appliance to multiple ports on the orchestrator
C. To connect a single port on the orchestrator to the same Appliance
D. To connect a single port on the orchestrator to multiple ports on an external switch
Answer: B
Explanation:
A splitter is typically used in network configurations to divide or combine signals, allowing a single port to connect to multiple devices or ports. However, its use in networking is limited by the technical constraints of how data flows and how devices are connected.
Option A (To connect a single port on the orchestrator to multiple Appliances) is a common and valid use for a splitter. By using a splitter, you can direct data from a single orchestrator port to multiple appliances. This configuration is often used in cases where a single output needs to be distributed across several devices.
Option C (To connect a single port on the orchestrator to the same Appliance) is also a reasonable use case for a splitter, as you may want to send the same signal or data stream to different interfaces on the same appliance. This is often done in network environments where redundancy or multiple signal paths are required for an appliance.
Option D (To connect a single port on the orchestrator to multiple ports on an external switch) is another valid use case. The splitter can be used to distribute a single signal from the orchestrator to multiple ports on an external switch, enabling network traffic to be directed to different segments of the network.
Option B (To connect a single port on an Appliance to multiple ports on the orchestrator) is the correct answer because a splitter cannot effectively be used to connect a single port on an appliance to multiple ports on the orchestrator. This configuration would generally require the orchestrator to be equipped with multiple ports to directly communicate with multiple appliances, as opposed to splitting the connection from a single appliance. Splitting the signal in this way could result in signal degradation, reduced performance, or network instability.
Thus, the correct answer is B, as a splitter is not suitable for connecting a single appliance port to multiple orchestrator ports.
Question No 5:
What will happen in case of NAT of the traffic passing through the Management network?
A. This traffic will not pass correction, since it will be dropped
B. This traffic will pass with no inspection
C. Since Management traffic is always going to SMO, it will take care of the Correction Layer and will re-distribute traffic to other Appliances
D. Orchestrator will disable NAT and traffic will pass with no issue
Correct Answer: A
Explanation:
NAT (Network Address Translation) is commonly used in networks to modify the source or destination IP address of packets passing through a router or firewall. In the context of a management network, especially one that involves a centralized system like an orchestrator managing appliances, the handling of NAT is crucial for traffic flow and security.
Option A ("This traffic will not pass correction, since it will be dropped") is the most likely outcome. Management traffic often has specific requirements for routing, inspection, and correction (such as filtering, security, or monitoring tasks) within the management network. If NAT is applied incorrectly or conflicts with the management system’s traffic policies, it can prevent the traffic from being properly inspected or processed by security appliances, resulting in the traffic being dropped. This is especially relevant when management traffic needs to remain intact and unaltered to ensure proper monitoring and control, which NAT can sometimes disrupt.
Option B ("This traffic will pass with no inspection") is incorrect. Most management networks are tightly controlled and involve inspection of traffic for security and operational integrity. Simply passing traffic with no inspection would not be a typical approach in a management network environment where integrity and oversight are key priorities.
Option C ("Since Management traffic is always going to SMO, it will take care of the Correction Layer and will re-distribute traffic to other Appliances") introduces the concept of the SMO (Service Management Orchestrator) and suggests that the system will correct and redistribute the traffic. However, even if the orchestrator is involved, it is unlikely to automatically resolve issues caused by NAT in this context. The use of NAT could still interfere with the proper routing or inspection of management traffic.
Option D ("Orchestrator will disable NAT and traffic will pass with no issue") is unlikely to be correct. In many systems, NAT is used at the network level, and the orchestrator doesn’t always have the ability to disable NAT, particularly if NAT is part of a broader network design. Disabling NAT may not always be feasible or desirable, as NAT serves important roles in traffic management.
In conclusion, Option A is the most accurate because NAT can interfere with the management traffic's ability to pass through correction layers, potentially resulting in the traffic being dropped. This emphasizes the importance of correctly handling management traffic in a network environment where NAT is involved.
Question No 6:
If a single appliance supports 1 million concurrent connections, how many concurrent connections will a security group of 2 appliances support?
A. 2M
B. 500K
C. 4M
D. 1M
Answer: A
Explanation:
When you have multiple appliances in a security group, the total number of concurrent connections supported by the group is simply the sum of the concurrent connections supported by each individual appliance, assuming the appliances work together without any loss of capacity.
In this case, one appliance supports 1 million (1M) concurrent connections. Therefore, if you have a security group of two appliances, the total number of concurrent connections supported by the group would be:
1M connections per appliance × 2 appliances = 2M concurrent connections.
Thus, the security group of 2 appliances would support 2 million concurrent connections, making A. 2M the correct answer.
Let's review why the other options are incorrect:
B. 500K: This is incorrect because a security group of 2 appliances would double the number of connections supported by one appliance, not reduce it.
C. 4M: This is incorrect because 4 million would imply each appliance supports 2 million concurrent connections, which is not the case.
D. 1M: This is incorrect because it represents the capacity of just one appliance, not two.
In conclusion, the correct answer is A. 2M.
Question No 7:
What does the "asg monitor" command do?
A. Monitor health status of entire system
B. This command does not exist
C. Monitor traffic on Appliances in Security Group
D. Show real-time cluster status of Appliances in Security Group
Answer: D
Explanation:
The "asg monitor" command is typically used within the context of security appliances or a security group in networking environments. This command allows administrators to view the real-time cluster status of appliances that are part of a security group. It provides insights into the operational status, health, and performance of appliances within that group, allowing for proactive management and troubleshooting.
Option A is incorrect because the "asg monitor" command does not monitor the health status of the entire system. It focuses specifically on the appliances within a security group, not the entire network system.
Option B is incorrect because the "asg monitor" command does exist and is used to monitor the status of appliances in a security group, as described in Option D.
Option C is also incorrect because "asg monitor" does not monitor traffic directly; it focuses on the cluster status and health of appliances within a security group, not on network traffic per se.
Option D is correct because "asg monitor" is indeed used to show the real-time cluster status of appliances within a security group. This command helps administrators track the current performance and health of those appliances to ensure they are functioning optimally.
Thus, the correct answer is D, as it best describes the function of the "asg monitor" command in monitoring the status of appliances within a security group in real-time.
Question No 8:
There are two appliances within the same Security Group. One of them is connected by one downlink only, and the other one by two downlinks.
Assuming there's no NAT and no VPN, what would be the proportion of traffic distribution done by the Orchestrator?
A. 66%/33%
B. 100%/0%
C. 50%/50%
D. 33%/66%
Answer: D
Explanation:
In this scenario, there are two appliances within the same Security Group. One appliance has one downlink, and the other has two downlinks. The Orchestrator is responsible for distributing the traffic between these appliances, based on the available downlinks.
The appliance with one downlink will handle a smaller proportion of the total traffic, as there is only one pathway available for communication.
The appliance with two downlinks has more available bandwidth or pathways to handle traffic, meaning it can take a larger share of the total traffic.
Given that there are two downlinks on one appliance and one downlink on the other, the distribution of traffic will be proportional to the number of downlinks. Therefore, the appliance with two downlinks will handle two-thirds (or 66%) of the traffic, and the appliance with one downlink will handle one-third (or 33%) of the traffic.
Thus, the correct answer is D (33%/66%), reflecting the proportional distribution based on the number of downlinks.
Question No 9:
Which licenses should be issued for the Orchestrator?
A. No licenses are required for Orchestrator
B. The Orchestrator is considered a Management server, hence it's licensed the same way
C. The Orchestrator requires NGTX license
D. Depends on Software Blades enabled on connected appliances
Answer: D
Explanation:
In the context of network security, particularly with Check Point’s Orchestrator in their security management suite, the licenses required for the Orchestrator depend on the Software Blades enabled on the connected appliances. A Software Blade is essentially a feature or module in Check Point's architecture that provides specific security services, such as Firewall, VPN, or IPS (Intrusion Prevention System). The licenses needed for the Orchestrator will be directly influenced by which of these blades are activated and utilized on the appliances that the Orchestrator manages. For instance, if a customer enables specific blades like VPN or IPS on their appliances, additional licenses may be required to use those blades in conjunction with the Orchestrator.
Option A is incorrect because it is unlikely that the Orchestrator would not require any licenses, especially when it integrates with Check Point’s suite of security products, which generally necessitate specific licenses for functionality.
Option B suggests that the Orchestrator is simply a "Management server," but this oversimplifies the licensing model. While it might be true that management servers typically require licenses, the Orchestrator is specifically designed to manage more than just the general security infrastructure; it needs licenses that depend on the features (blades) enabled on the managed appliances.
Option C is also incorrect. The NGTX license is related to Check Point's Next Generation Threat Prevention (NGTX) products, which are designed to protect against more advanced threats. While NGTX licenses may be necessary for specific security features, this is not the primary licensing model for the Orchestrator itself.
Thus, the correct answer is D. The licenses required for the Orchestrator will depend on the Software Blades enabled on the connected appliances, as each blade requires its own licensing.
Question No 10:
Which of the following cannot be learned from the output of lldpctl?
A. Distribution mode
B. Orchestrator’s IP
C. Serial number of Appliance
D. Appliance model
Correct Answer: B
Explanation:
The lldpctl command is part of the LLDP (Link Layer Discovery Protocol) utilities, typically used to discover information about the devices directly connected to the network. LLDP allows network devices, such as switches, routers, and other appliances, to advertise information about themselves to neighbors on the same network.
Let's analyze each option to see which cannot be obtained from the lldpctl output:
A. Distribution mode:
The distribution mode can often be inferred from LLDP data, especially if the device is configured to advertise it as part of its extended system capabilities. The lldpctl output might include information about how a device is configured in terms of its network role, including whether it's in a distribution or access mode, so this can be determined from the LLDP data.
B. Orchestrator’s IP:
The orchestrator’s IP is typically not something that would be part of the LLDP advertisements. LLDP is focused on physical network discovery (e.g., neighbors, device types, capabilities) but does not provide the IP address of an external orchestrator, which is generally a management system or controller outside the local network discovery scope. Therefore, this information is not available through lldpctl.
C. Serial number of Appliance:
The serial number of an appliance is a standard piece of information that devices often include in their LLDP advertisements. lldpctl can display detailed system information, including serial numbers, as part of the basic device identity information provided by LLDP.
D. Appliance model:
The model of the appliance is typically included in LLDP advertisements, as it’s part of the identity information that devices communicate to their neighbors. This information can be found in the output of lldpctl, as the device usually advertises its model name or identifier in the LLDP data.
Thus, the orchestrator's IP (Option B) cannot be obtained from the lldpctl output, making it the correct answer.