156-315.81 Practice Exam Questions with Answers Check Point Certified Security Expert R81.20 Certification

The kind of information that you would expect to see using the sim affinity command is network interfaces and core distribution used for CoreXL. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The sim affinity command can show which network interfaces and SecureXL instances are bound to which CPU cores, and allow administrators to change the affinity settings.

 The most ideal Synchronization Status for Security Management Server High Availability deployment is Synchronized. Security Management Server High Availability deployment is a feature that allows two or more Security Management Servers to provide redundancy and load balancing for managing security policies and logs. Synchronization Status is a parameter that indicates how up-to-date the databases of the Security Management Servers are with each other. Synchronization Status can have one of the following values: Synchronized, Lagging, Never been synchronized, or Collision. Synchronized means that the databases of all Security Management Servers are identical and have no conflicts. This is the most ideal status as it ensures consistency and reliability of security management. Lagging means that one or more Security Management Servers have not received all the updates from other Security Management Servers, and their databases are outdated. Never been synchronized means that one or more Security Management Servers have never synchronized their databases with other Security Management Servers, and their databases are independent. Collision means that one or more Security Management Servers have received conflicting updates from other Security Management Servers, and their databases have discrepancies. 

The command to show SecureXL status is fwaccel stat. This command displays information about SecureXL acceleration, such as the number of accelerated and non-accelerated connections, the reason for non-acceleration, and the SecureXL device name and mode. The other commands are either invalid or show different statistics.

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. The option that can be added to each Log, Detailed Log and Extended Log is Accounting/Suppression. Accounting/Suppression is a feature that allows administrators to control how often logs are generated for certain rules or connections. Accounting means that logs are generated periodically based on a specified interval or volume. Suppression means that logs are generated only for the first and last packet of a connection or session. Accounting/Suppression can be added to any tracking option to reduce the number of logs and save disk space.

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is three. One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members. This configuration provides optimal performance and security for Mobile Access traffic. 

 In ClusterXL Load Sharing Multicast Mode, every member of the cluster receives all of the packets sent to the cluster IP address. This mode uses multicast MAC addresses to distribute packets to all cluster members. Each member decides whether to accept or reject the packet based on a load balancing algorithm. This mode provides better performance and scalability than Unicast mode, but requires a switch that supports multicast MAC addresses. 

 According to the Check Point R81 training course, the medium path is available only when CoreXL is enabled. CoreXL is a performance-enhancing technology that allows multiple CPU cores to process traffic simultaneously. The medium path handles packets that require deeper inspection or content awareness, such as IPS, Anti-Virus, or URL Filtering. The other paths are either available regardless of CoreXL or not valid terms. References: Certified Security Expert (CCSE) R81.20 Course Overview

 Identity Awareness AD-Query is using the Microsoft WMI API to learn users from AD. WMI stands for Windows Management Instrumentation, and it is an API that allows remote management and monitoring of Windows systems. Identity Awareness AD-Query is a feature that enables the Security Gateway to query Active Directory servers for user and computer information, such as login events, group membership, and IP addresses. By using the WMI API, Identity Awareness AD-Query can receive real-time notifications from Active Directory servers without installing any agents or scripts on them. 

 The cpinfo command is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The cpinfo output can be used for troubleshooting or sent to Check Point support for analysis. The -x parameter is used to get information about the specified Virtual System on a VSX gateway. A Virtual System is a virtualized firewall instance that runs on a VSX gateway and has its own security policy and objects. References: Check Point Security Expert R81 Course, cpinfo Utility, VSX Administration Guide

The correct command to verify the CPUSE (Check Point Update Service Engine) version is:

Option B is incorrect because it uses the "[Expert@HostName:0]#" prompt, which is typically used for expert mode commands, but the CPUSE version can be checked using the "show installer status build" command in standard mode.

Option C is incorrect because it uses the "[Expert@HostName:0]#" prompt, and while it includes the "build" parameter, it's not the standard command to check the CPUSE version.

Option D is incorrect because it uses the "HostName:0>" prompt, but it lacks the "show" command and uses "build" instead of "status build."

References: Check Point Certified Security Expert R81 documentation

 The statement that is most correct regarding about “CoreXL Dynamic Dispatcher” is: The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores. CoreXL Dynamic Dispatcher is a feature that allows the Security Gateway to dynamically assign connections to the most available CoreXL FW instance, based on the CPU core utilization. This improves the performance and load balancing of the Security Gateway, especially when handling connections with different processing requirements. The other statements are either incorrect or describe the CoreXL Static Dispatcher mechanism, which assigns connections based on a hash function of the Source IP, Destination IP, and IP Protocol type.

Threat Extraction is a software blade that delivers PDF versions of original files with active content removed. Active content, such as macros, scripts, or embedded objects, can be used by attackers to deliver malware or exploit vulnerabilities. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

 The TCP/IP model is a four-layer model that describes how data is transmitted over a network. The four layers are: Application, Transport, Internet, and Network Access. The Application layer provides services and protocols for applications to communicate with each other. The Transport layer provides reliable or unreliable data delivery between hosts. The Internet layer provides routing and addressing of packets across networks. The Network Access layer provides physical and logical access to the network media. References: Training & Certification | Check Point Software, Check Point Resource Library

CoreXL is a performance-enhancing technology that enables the processing CPU cores to concurrently perform multiple tasks on Security Gateways with multiple CPU cores. CoreXL replicates the Firewall kernel multiple times, creating multiple Firewall instances that run on different CPU cores. These Firewall instances handle traffic concurrently, and each Firewall instance is a complete and independent Firewall inspection kernel. To show the current connections distributed by CoreXL FW instances, you can use the command fw ctl multik stat on the Security Gateway. This command will display information such as the number of connections, packets, bytes, drops, and errors handled by each CoreXL FW instance, as well as the CPU utilization and affinity of each instance. The other options are not correct because:

• B. fw ctl affinity -l: This command will show the CPU affinity of all processes and IRQs on the Security Gateway. It will not show the current connections distributed by CoreXL FW instances.
• C. fw ctl instances -v: This command will show the details of all CoreXL FW instances on the Security Gateway, such as their ID, type, state, priority, and interfaces. It will not show the current connections distributed by CoreXL FW instances.
• D. fw ctl iflist: This command will show the list of all interfaces on the Security Gateway, along with their names

References: Part 3 - SecureXL, What is CoreXL & SecureXL, SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above

The purpose of a SmartEvent Correlation Unit is to evaluate logs from the log server component to identify patterns/threats and convert them to events. The SmartEvent Correlation Unit is a software module that runs on the SmartEvent server or on a dedicated server. It applies correlation rules and logic to the logs received from various sources, such as security gateways, endpoints, or third-party devices. It then generates events that represent security incidents or trends that require attention or action. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

The port that the CPM process runs on is TCP 19009. CPM stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. CPM is responsible for managing policies, objects, logs, tasks, and other management functions. CPM listens on TCP port 19009 for incoming connections from SmartConsole clients. The other ports are either used by other processes or not related to CPM. 

According to the Check Point website, you can use the pre_upgrade_verifier tool to verify if your management server is ready to upgrade to R81.20. This tool checks the compatibility of your current configuration and database with the target version, and provides a detailed report of any issues or warnings. The other tools are either used for exporting or importing databases, or not valid tools. References: Upgrade Verification Service

 For Stateful Mode configuration, chain modules marked with 2 will not apply. Stateful Mode configuration is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. Chain modules are firewall kernel modules that perform various security functions, such as VPN, IPS, QoS, etc. Each chain module is associated with a key, which specifies the type of traffic applicable to the chain module. The key can be one of the following values: 0 for all packets, 1 for stateful packets, 2 for stateless packets, and 3 for no match packets. For Stateful Mode configuration, only chain modules with key 0 or 1 will apply, as they handle all packets or stateful packets. Chain modules with key 2 will not apply, as they handle stateless packets, which are not relevant for Stateful Mode configuration.

 According to the Check Point website, Whitelist Files is the tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. Whitelist Files can be configured in SmartConsole under Threat Prevention > Policy > Whitelist Files. The other tools are either not related or not valid tools. References: Whitelist Files

Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user’s Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

References:

• 1, Training & Certification | Check Point Software, section “Security Expert R81.20 (CCSE) Core Training”
• 2, Certified Security Expert (CCSE) R81.20 Course Overview, page 1
• 3, Check Point Certified Security Expert R81, page 5
• 5, Identity Awareness Administration Guide R81, section “How Identity Awareness Collects Identities”

The true statement about the API server on R81.20 is: By default, the API server is active on management servers with 4 GB of RAM (or more) and on stand-alone servers with 8GB of RAM (or more). The API server is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The API server is enabled by default on R81.20 management servers that have at least 4 GB of RAM, and on stand-alone servers that have at least 8 GB of RAM. The API server can also be manually enabled or disabled from the WebUI or the CLI. 

The option that is NOT an option to calculate the traffic direction is Outgoing. Traffic direction is a parameter that determines how traffic is classified as internal or external based on its source and destination. Traffic direction can be calculated using three options: Incoming, Internal, or External. Incoming means that traffic is classified as internal if its destination is one of the Security Gateway’s interfaces, and external otherwise. Internal means that traffic is classified as internal if its source or destination belongs to one of the internal networks defined in the topology, and external otherwise. External means that traffic is classified as internal if both its source and destination belong to one of the internal networks defined in the topology, and external otherwise. Outgoing is not a valid option to calculate traffic direction. 

One of the major features in R81 SmartConsole is concurrent administration. This feature allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent administration improves the efficiency and productivity of security management operations1.

However, not all of the options given are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. The correct answer is B. AdminA and AdminB are editing the same rule at the same time. This is not possible because concurrent administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Therefore, the other options are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. Option A is possible because a lock icon shows that a rule or an object is locked and will be available when the administrator who locked it finishes working on it or logs out of SmartConsole12. Option C is possible because a lock icon next to a rule informs that any administrator is working on this particular rule, and hovering over the lock icon will show the name of that administrator12. Option D is possible because AdminA, AdminB and AdminC are editing three different rules at the same time, which does not create any conflicts or blockages12.

In a Cpinfo (Checkpoint information) command, various information is collected from a Security Gateway. However, firewall logs are NOT collected from a Security Gateway in a Cpinfo.

A. Firewall logs

The Cpinfo command typically collects information such as configuration and database files, system message logs, OS and network statistics, but it does not include firewall logs. Firewall logs are usually obtained separately using other methods or tools.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on Cpinfo.

After trust has been established between the Check Point components, the Security Gateway IP address cannot be changed without re-establishing the trust. This is because the trust is based on the Secure Internal Communication (SIC) mechanism, which uses certificates to authenticate and encrypt the communication. The certificates are issued by the Internal Certificate Authority (ICA) of the Security Management Server / Domain Management Server, and contain the name and IP address of the component. Therefore, if the IP address of a component is changed, the certificate will become invalid and the trust will be lost. To restore the trust, the certificate must be renewed or reissued by the ICA12.

However, there are some exceptions to this rule. The Security Gateway name can be changed in command line without re-establishing trust, as long as the IP address remains the same. This is because the SIC mechanism does not rely on the hostname, but on the IP address and the SIC name (which is usually derived from the hostname, but can be manually changed). The Security Management Server name can be changed in SmartConsole without re-establishing trust, as long as the IP address remains the same. This is because SmartConsole uses a different mechanism to connect to the Security Management Server, which does not depend on the SIC certificate. The Security Management Server IP address can be changed without re-establishing trust, as long as some steps are followed to update the Check Point Registry file on the managed Security Gateways / Cluster Members / VSX Virtual Devices. This is because the Registry file contains the IP address of the ICA, which is used for certificate renewal. If the Registry file is not updated, then the certificate renewal will fail and the trust will be lost3.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 162 2: Check Point R81 Security Engineering Guide - Check Point Software, page 162 3: How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk103356

The error “no proposal chosen” indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error “no proposal chosen” 1.

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

• The same pre-shared secret or certificate
• The same encryption algorithm (e.g., AES-256)
• The same hash algorithm (e.g., SHA-256)
• The same Diffie-Hellman group (e.g., Group 14)
• The same lifetime (e.g., 86400 seconds)

One can use the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer. Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings 2.

References: 1: Troubleshooting the “no proposal chosen” error - Check Point Software 2: Support, Support Requests, Training … - Check Point Software

The command that lists all interfaces using Multi-Queue is cpmq get. Multi-Queue is a feature that allows network interfaces to use multiple transmit and receive queues, which improves the performance and scalability of the Security Gateway by distributing the network load among several CPU cores. Cpmq is a command that allows administrators to configure and manage Multi-Queue settings on network interfaces. Cpmq get lists all interfaces using Multi-Queue and shows their queue count and core distribution. 

 The number of cores that can be used in a Cluster for Firewall-kernel on the new device with 4 cores is 4. Cluster is a feature that allows two or more Security Gateways to provide high availability and load balancing for network traffic. Firewall-kernel is a component of the Security Gateway that performs packet inspection according to security policies. The number of cores that can be used for Firewall-kernel in a Cluster depends on the number of cores available on each device in the Cluster. The Cluster will use the lowest common denominator of cores among all devices in the Cluster for Firewall-kernel. Therefore, if one device has 2 cores and another device has 4 cores, the Cluster will use 2 cores for Firewall-kernel on each device. However, if both devices have 4 cores, the Cluster will use 4 cores for Firewall-kernel on each device.

 To set the IP address and default gateway of the Management interface on a Check Point appliance, you can use the following commands:

• set interface Mgmt ipv4-address 192.168.80.200 mask-length 24 - This command sets the IPv4 address of the Management interface to 192.168.80.200 and the subnet mask to 255.255.255.0 (24 bits).
• set static-route default nexthop gateway address 192.168.80.1 on - This command sets the default gateway to 192.168.80.1 and enables the static route.
• save config - This command saves the configuration changes to the appliance.

These commands are documented in the Check Point appliance initial installation guide, which you can find in the web search results.

The other options are incorrect because they use invalid syntax or parameters for the commands. For example, option B uses add static-route instead of set static-route, option C uses 0.0.0.0. instead of 0.0.0.0, and option D uses add static-route default instead of set static-route default.

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

The command used to display status information for various components is show sysenv all. This command provides comprehensive status information about the system's environment and various components, including hardware and software components. It can be useful for troubleshooting and monitoring the system's health.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.:

 For ClusterXL to work properly, one of the mandatory requirements is that the Magic MAC number must be unique per cluster node. The Magic MAC number is a MAC address that is used by ClusterXL to hide the physical MAC addresses of the cluster members from the network. This way, the cluster can present a single virtual MAC address to the network, and avoid ARP issues when a failover occurs. The Magic MAC number is derived from the Cluster Virtual IP address, which must also be unique per cluster. 

 The correct command to add an “emailserver1” host with IP address 10.50.23.90 using GAiA management CLI is mgmt: add host name emailserver1 ip-address 10.50.23.90. This command will create a new host object in the Security Management Server database, with the specified name and IP address. The mgmt: prefix indicates that the command is executed on the Security Management Server, and not on the local GAiA machine. The other commands are either missing the mgmt: prefix, or have incorrect syntax or parameters. 

The most recommended way to install patches and hotfixes is CPUSE (Check Point Update Service Engine). CPUSE is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the target device using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: https:// /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

 Security Checkup Summary can be easily conducted within Views. Views is a feature in SmartConsole that allows you to create customized dashboards and reports based on various security data sources, such as logs, events, audit trails, and more. You can use Views to perform a Security Checkup Summary, which is a comprehensive analysis of your network security posture and potential risks. You can use predefined templates or create your own views to generate the summary. References: Check Point Security Expert R81 Course, Views Administration Guide

 The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. It runs on the Log Server machine or on a dedicated machine1. To check the status of the SmartEvent Correlation Unit, you can use the command cpstat cpsead on the machine where it is installed. This command will show you information such as the number of logs processed, the number of events generated, the CPU and memory usage, and the status of the connection to the SmartEvent Server23.

References: SmartEvent Administration Guide R76, SmartEvent Administration Guide R75, SmartEvent Performance Tuning Guide

The secure application for Mail/Calendar for mobile devices in Check Point is called "Capsule Workspace." Capsule Workspace provides secure access to email and calendar data on mobile devices while maintaining security policies and controls.

References: Check Point Certified Security Expert R81 documentation and learning resources.

 The Check Point R81 Identity Awareness Web API uses the REST web services protocol to communicate with external identity sources. REST stands for Representational State Transfer, and it is an architectural style for designing web services that use HTTP methods to access and manipulate resources. The Identity Awareness Web API allows external identity sources to send identity and session information to the Security Gateway, which can then use this information for policy enforcement. 

SmartEvent does not use matching a log against local exclusions to identify events. Local exclusions are filters that are applied to logs before they are sent to the SmartEvent server. They are used to reduce the amount of logs that are forwarded by the Security Gateways or Log Servers, and to avoid sending irrelevant or sensitive logs. Local exclusions do not affect the event detection process, which is performed by the SmartEvent Correlation Unit on the SmartEvent server. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide, SK120193 - How to configure Local Log Filtering on Security Gateway / Cluster / VSX

Check Point Capsule is a suite of solutions designed to provide comprehensive mobile security and secure access. The components of Check Point Capsule include:

Capsule Docs (Option A): A component that secures document sharing and protects sensitive data.

Capsule Cloud (Option B): A component that provides cloud-based security services.

Capsule Workspace (Option D): A component that provides secure workspace on mobile devices.

Option C, "Capsule Enterprise," is not a recognized component of Check Point Capsule based on the available information. Therefore, it is the correct answer as the component that is NOT part of Check Point Capsule.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

Threat Extraction (Answer B): Threat Extraction always delivers a file, but it removes potentially malicious content from the file before delivering it to the user. It is designed to provide a safe version of the file quickly, taking less than a second to complete.

Threat Emulation (Option A): Threat Emulation does not deliver the original file to the user until it has been thoroughly analyzed for threats. It may take more than 3 minutes to complete the analysis. The emphasis here is on safety and thorough inspection, which may result in a longer processing time.

Therefore, Option B correctly describes the main difference between Threat Extraction and Threat Emulation.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

ClusterXL supports Dynamic Routing for both Unicast and Multicast traffic. Dynamic Routing protocols, such as OSPF, BGP, or PIM, can be configured on cluster members to exchange routing information with other routers. ClusterXL supports two modes of operation for Dynamic Routing: New Mode and Legacy Mode. References: ClusterXL Administration Guide, SK98226 - ClusterXL New Mode Overview

To determine the cause of a cluster gateway showing "Down" despite running "clusterXL_admin up" on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

References: Check Point documentation or training materials related to High Availability and ClusterXL.

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

The Sticky Decision Function in ClusterXL is primarily used in Load Sharing implementations. In Load Sharing, the pivot member is responsible for determining the destination of new connections and ensures that traffic from the same source IP address is directed to the same cluster member. This ensures session stickiness for the same source IP, improving load sharing efficiency.

References: Check Point Certified Security Expert R81 documentation and learning resources.

The command cphaprob all show stat is not related to redundancy and functions. This command does not exist in ClusterXL or VRRP. The other commands are valid commands for checking the status of cluster members, interfaces, and synchronization. ClusterXL and VRRP are both high availability solutions that provide redundancy and load balancing for Check Point gateways. References: Check Point Security Expert R81 Course, ClusterXL Administration Guide, VRRP Administration Guide

 SecureXL templates are a mechanism to accelerate the rate of connection establishment by grouping connections that match a particular service and whose sole differentiating element is the source port. SecureXL templates enable even the very first packets of a TCP handshake to be accelerated, without waiting for the Firewall kernel to create a connection entry. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. The template will contain all the relevant information for the connection, such as source and destination IP addresses, destination port, NAT information, policy decision, etc. The template will be used by SecureXL to handle subsequent connections on the same service, without involving the Firewall kernel. This reduces the CPU load and increases the throughput.

There are three types of SecureXL templates: Accept, Drop, and NAT. Accept templates are used for connections that are allowed by the Firewall policy. Drop templates are used for connections that are blocked by the Firewall policy. NAT templates are used for connections that require NAT translation. Deny templates are not a valid type of SecureXL template.

References: SecureXL NAT Templates in R80.20 and lower, Part 3 - SecureXL, Security Gateway Performance Optimization - Part 5 - SecureXL

Automation and Orchestration differ in that automation relates to codifying tasks, whereas orchestration relates to codifying processes. Automation is the process of converting manual tasks into executable scripts or programs that can be run by machines or software agents. Orchestration is the process of coordinating multiple automated tasks into a coherent workflow that achieves a desired outcome or goal. Orchestration can also involve integrating different systems, tools, and services through web service interactions such as XML and JSON. References: Check Point Security Expert R81 Course, Automation & Orchestration Administration Guide

To enable VMAC mode on a cluster member, you need to set the value of the global kernel parameter fwha_vmac_global_param_enabled to 1. This can be done on-the-fly using the command fw ctl set int fwha_vmac_global_param_enabled 1 on all cluster members. This command does not require a reboot or a policy installation. VMAC mode allows the cluster to use a virtual MAC address for its virtual IP addresses, which reduces the number of gratuitous ARP packets sent upon failover and avoids ARP cache issues on some routers and switches. References: How to enable ClusterXL Virtual MAC (VMAC) mode

 The best way to block .exe and .bat file types using Threat Emulation technologies is to enable DLP and select .exe and .bat file type. DLP stands for Data Loss Prevention, and it is a feature that allows administrators to define rules and actions to protect sensitive data from unauthorized access or transfer. One of the DLP rule conditions is File Type, which can be used to block or alert on specific file types, such as .exe and .bat, that may contain malicious code or scripts. The other options are either not related to Threat Emulation technologies, or not effective in blocking .exe and .bat file types. 

The blades of Threat Prevention in Check Point include:

Intrusion Prevention System (IPS)

AntiVirus

AntiBot

SandBlast Threat Emulation/Extraction

So, the correct answer is D, which includes all the mentioned blades.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

In SmartEvent, the administrator can configure different types of automatic reactions, which include:

• Mail notifications
• Blocking the source of the event
• Blocking the event activity
• Running an external script
• Sending an SNMP trap

So, the correct answer is "Mail, Block Source, Block Event Activity, External Script, SNMP Trap."

References: Check Point documentation or training materials related to SmartEvent configuration and automatic reactions.

 The port used for SmartConsole to connect to the Security Management Server is CPMI port 18191/TCP. CPMI stands for Check Point Management Interface, which is a proprietary protocol that enables secure communication between the SmartConsole and the Security Management Server. CPMI uses SSL encryption and authentication to protect the data exchange. References: Check Point Security Expert R81 Course, SK52421 - Ports used by Check Point software

Capsule Connect and Capsule Workspace are both components of Check Point's remote access solution, but they serve different purposes and have distinct features:

A. Capsule Connect provides a Layer 3 VPN, which allows remote users to connect securely to their corporate network. It typically provides network-level access, allowing users to access resources on the corporate network. On the other hand, Capsule Workspace provides a secure workspace environment, including a virtual desktop with usable applications. It is more focused on providing application-level access to users in a secure manner.

B. This statement is partially true. Capsule Workspace is designed to provide secure access to a wide range of applications and resources, not limited to specific applications.

C. Capsule Connect does provide business data isolation by creating a secure VPN tunnel for remote users, ensuring that their network traffic is isolated from the public internet.

D. Capsule Connect usually requires an installed application or VPN client on the client device to establish a secure connection to the corporate network. This statement is not entirely accurate because an installed application or client is typically required.

Therefore, option A is the correct answer as it accurately distinguishes between Capsule Connect and Capsule Workspace based on their primary functionalities.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

To use SmartConsole R81 for managing SmartEvent R81, you need to have the following ports open:

• Port 19009 for communication over HTTPS (443)
• Port 19009 for communication over HTTP (80)

These ports are necessary for the SmartConsole to communicate with SmartEvent for management and monitoring purposes.

References: Check Point Certified Security Expert R81 documentation and learning resources.

NAT (Network Address Translation) is one item that will not be configured on the R81 Security Management Server when setting up an externally managed log server. NAT is a technique that allows devices with private IP addresses to communicate with devices with public IP addresses by translating the private addresses to public ones. NAT is not relevant for configuring an externally managed log server, which requires only the IP address, SIC (Secure Internal Communication), and FQDN (Fully Qualified Domain Name) of the log server. References: Check Point Security Expert R81 Course, Logging and Monitoring Administration Guide

When John detects a high load on the sync interface, the recommended solution is to implement a delay in the sync process for short-lived connections like HTTP. Here's an explanation of each option:

A. Delaying the sync for 2 seconds for short connections like HTTP services is a common practice to reduce the load on the sync interface. This allows the interface to handle the incoming connections more effectively.

B. Adding a second interface to handle sync traffic might be a viable solution, but it can be more complex and costly compared to implementing a delay for short connections.

C. Not syncing short connections like HTTP services is not a recommended approach because it may lead to synchronization issues and potential data inconsistencies between cluster members.

D. Delaying the sync for ICMP (ping) services is not a common practice and may not effectively address the high load issue on the sync interface.

Therefore, option A is the most recommended solution as it addresses the issue by introducing a delay for short-lived connections, optimizing the sync process without causing synchronization problems.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

• A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.
• B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.
• D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

References: ClusterXL R81.20 Administration Guide, ClusterXL Administration Guide R80.40, sk25977 - Ports used by Check Point software

When an encrypted packet is received by a Check Point Security Gateway, it is decrypted according to the security policy. The security policy defines the rules and settings for encryption and decryption of traffic, such as the encryption algorithm, the encryption domain, the pre-shared secret or certificate, etc. The security policy is enforced by the Firewall kernel, which is responsible for decrypting the packets before passing them to the inbound chain for further inspection. The inbound chain consists of various inspection modules that apply security checks and actions on the decrypted packets. The outbound chain is the reverse process, where the packets are inspected and then encrypted according to the security policy before being sent out.

References: Check Point Firewall Security Solution, Check Point R81 Cyber Security Platform, Check Point VPN Administration Guide R81

The directory /opt/CPsuite-R81/fw1/log contains the log files for the Security Gateway, such as firewall, VPN, IPS, and anti-virus logs1. These log files can be viewed and analyzed using SmartConsole or SmartView2. The other directories are not correct because:

• A. The directory /opt/CPSmartlog-R81/log contains the log files for the SmartLog server, which is a separate component that indexes and searches the logs from multiple Security Gateways3.
• B. The directory /opt/CPshrd-R81/log contains the log files for the shared components of the Check Point suite, such as cpwd, cpca, cpd, and cpwatchdog4.
• D. The directory /opt/CPsuite-R81/log does not exist by default and is not used for logging purposes.

References: Logging and Monitoring R81 Administration Guide, SmartConsole R81 Help, SmartLog R81 Help, Check Point Processes and Daemons

 Mobile Access is not part of the SandBlast component. Mobile Access is a software blade that provides secure remote access to corporate resources from various devices, such as smartphones, tablets, and laptops. Mobile Access supports different connectivity methods, such as SSL VPN, IPsec VPN, and Mobile Enterprise Application Store (MEAS). Mobile Access also integrates with Mobile Threat Prevention (MTP) to protect mobile devices from malware and network attacks. References: Check Point Security Expert R81 Course, Mobile Access Administration Guide, SandBlast Mobile Datasheet

To deploy a TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway, you can utilize Check Point Cloud Services. In this scenario, you can leverage cloud-based email security services provided by Check Point without the need for an on-premises Security Gateway.

Option C correctly states that you can use only Check Point Cloud Services for this scenario, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 User-mode processes are processes that run in the user space of the operating system, as opposed to kernel-mode processes that run in the kernel space. User-mode processes are usually less privileged and have less access to system resources than kernel-mode processes. Check Point products use both user-mode and kernel-mode processes to provide various functionalities and services.

The following are some of the user-mode processes that can be seen on the management server and gateway:

• fwd: This process is responsible for policy installation, logging, and communication with other Check Point components. It runs on both the management server and gateway.
• cpd: This process is responsible for licensing, certificate management, and communication with SmartConsole. It runs on both the management server and gateway.
• cpwd: This process is responsible for monitoring and restarting other processes. It runs on both the management server and gateway.

The following is a user-mode process that can only be seen on the management server:

• fwm: This process is responsible for managing the security policy database, compiling the security policy, and generating reports. It runs only on the management server.

Therefore, the correct answer is B.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

In R81, the Mobile Access policy is created and modified in SmartConsole. SmartConsole is the management interface for configuring and managing various security policies, including Mobile Access policies.

References: Check Point Certified Security Expert R81 documentation and learning resources.

Capsule Connect is a full layer 3 VPN client that provides secure and seamless remote access to corporate networks from iOS and Android devices. It supports all VPN authentication methods, such as certificates, passwords, tokens, and challenge-response. It also supports split tunneling and seamless roaming. References: Capsule Connect Datasheet, Capsule Connect Administration Guide

When traffic from source 192.168.1.1 is going to www.google.com, and the Application Control Blade on the gateway is inspecting the traffic with acceleration enabled, it is handled by the Slow Path.

A. Slow Path

The Slow Path is responsible for handling traffic that requires full inspection by various security blades, including the Application Control Blade. Acceleration may offload some processing to the Medium Path or Fast Path, but the Slow Path is still involved in deeper inspection.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on traffic acceleration and processing paths.

 In the Firewall chain mode FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. FFF is one of the predefined chain modes that applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources. 

The command vpn tu tlist shows detailed information about VPN tunnels, such as the peer IP address, encryption domain, IKE phase 1 and phase 2 status, encryption algorithm, and tunnel uptime. The command vpn tu is an interactive tool that allows users to list, delete, or reconnect VPN tunnels. The command cpview is a real-time performance monitoring tool that shows various statistics about the system and network. References: VPN Administration Guide, SK97638 - What is cpview Utility and How to Use it

To see the cluster status in CLI expert mode, you can use the command cphaprob stat. This command displays the status of the Check Point High Availability cluster. It provides information about the state of the cluster members, such as "Active," "Standby," or "Collision."

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Multiple administrators can connect to a Security Management Server at the same time. Each administrator has their own username and works in a session that is independent of other administrators. This allows for collaboration and simultaneous management tasks by different administrators.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

SecureXL is a performance-enhancing technology used in Check Point firewalls. It improves the throughput of both non-encrypted firewall traffic and encrypted VPN traffic. The statement in option C is true because SecureXL does improve both types of traffic by offloading processing to dedicated hardware acceleration, optimizing firewall and VPN operations.

Option C correctly states that SecureXL improves this traffic, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address. Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

The cloud-based SandBlast Mobile application that is used to register new devices and users is Check Point Gateway. Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions. Security Gateway is the device that inspects and filters network traffic according to the security policies. 

 According to the Check Point website, SmartEvent Maps is a feature that was supported in previous versions of SmartEvent, but is not supported in R81. SmartEvent Maps displayed a graphical representation of security events on a world map. The other options are either supported or not valid features in R81. References: SmartEvent Maps

The essential means by which state synchronization works to provide failover in the event an active member goes down, ccp is used specifically for clustered environments to allow gateways to report their own state and learn about the states of other members in the cluster. Ccp stands for Cluster Control Protocol, and it is a proprietary protocol that runs on UDP port 8116. Ccp is responsible for exchanging state information, health checks, load balancing decisions, and synchronization network configuration between cluster members. The other options are either commands or daemons that are related to cluster operations, but not the protocol itself. 

 For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work.

This is because SmartConsole has a feature called Concurrent Administration, which allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent Administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Concurrent Administration also has a feature called Session Persistence, which preserves the changes made by an administrator in case of a network failure or a SmartConsole crash. When an administrator reconnects to the Management Server after a network failure or a SmartConsole crash, they can resume their work from where they left off, without losing any changes. The changes are stored locally on the administrator’s machine until they are published to the Management Server13.

Therefore, if Tom has connected to the R81 Management Server remotely using SmartConsole and is in the process of making some Rule Base changes, when he suddenly loses connectivity, his changes will not be lost. They will be stored locally on his machine and he can resume his work when he reconnects to the Management Server.

 According to the Check Point R81 release notes, you can access the ThreatCloud Repository from R81.20 SmartConsole and Threat Prevention. The ThreatCloud Repository is a cloud-based service that provides real-time threat intelligence and updates to Check Point products. The other options are either outdated or nonexistent. References: Check Point R81

 Application Control is the software blade that provides Application Security and identity control. It allows administrators to define granular policies based on users or groups to identify, block or limit the usage of web applications and widgets. Application Control also integrates with Identity Awareness to provide user-level visibility and control. References: Training & Certification | Check Point Software, Check Point Resource Library

According to the Check Point website, Capsule Connect and Capsule Workspace both offer secured connection for remote users who are using their mobile devices. However, there are differences between the two. For credential protection, Connect uses One-time Password login support and has no SSO support, whereas Workspace offers both One-Time Password and certain SSO login support. The other statements are either false or partially true. References: Capsule Connect and Capsule Workspace

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL). The CRL is a list of certificates that have been revoked by the Internal Certificate Authority (ICA) and are no longer valid for Secure Internal Communication (SIC). The CRL is signed by the ICA and issued to all the managed Security Gateways the next time a SIC connection is made12. The CRL helps to prevent unauthorized access to the Security Management Server by revoked Security Gateways.

References: 1: How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk43784 2: Check Point R81 Security Engineering Guide - Check Point Software, page 162

A star community is a VPN topology where one or more satellites connect to a center gateway. The center gateway can be a Security Gateway or a Security Management Server. The VPN routing option determines how the traffic is routed between the satellites and the center, and between the satellites themselves. There are three VPN routing options available in a star community12:

• To center only: The satellites can only communicate with the center gateway, and not with each other or with any other VPN targets. This option is useful for remote access clients that only need to access resources on the center gateway.
• To center, or through the center to other satellites, to Internet and other VPN targets: The satellites can communicate with the center gateway, and also with other satellites, Internet hosts, and other VPN targets through the center gateway. This option is useful for branch offices that need to access resources on the center gateway, as well as on other branch offices, Internet hosts, and other VPN targets.
• To center and to other satellites through center: The satellites can communicate with the center gateway, and also with other satellites through the center gateway. However, they cannot communicate with Internet hosts or other VPN targets. This option is useful for branch offices that need to access resources on the center gateway and on other branch offices, but not on Internet hosts or other VPN targets.

Therefore, the options A (To satellites through center only) and D (To center only) are not valid VPN routing options in a star community.

References: 1: Remote Access VPN R81.20 Administration Guide - Check Point Software, page 13 2: Gaia R81.20 Administration Guide - Check Point Software, page 1030

The R81 SmartConsole, SmartEvent GUI client, and SmartView Web Application consolidate billions of logs and show them as prioritized security events. The SmartView Web Application is a web-based interface that allows you to access the SmartEvent Server from any browser. You can use the SmartView Web Application to view and analyze security events, generate reports, and configure SmartEvent settings12.

References: 1: Check Point R81 SmartConsole User Guide - Check Point Software, page 10 2: Check Point R81 SmartEvent Administration Guide - Check Point Software, page 9

The command that would show the API server status is api status. API stands for Application Programming Interface, and it is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. API status is a command that shows the current status of the API server, such as whether it is enabled or disabled, running or stopped, listening on which port, using which certificate, etc. The other commands are either invalid or perform different functions. 

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

The path to monitor the compliance status of the Check Point R81.20 based management is Logs & Monitor > New Tab > Open compliance View. Compliance View is a feature that allows administrators to monitor and assess the compliance level of their Check Point products and security policies based on best practices and industry standards. Compliance View provides a dashboard that shows the overall compliance status, compliance score, compliance trends, compliance issues, compliance reports, and compliance blades for different security aspects, such as data protection, threat prevention, identity awareness, etc. To access Compliance View in R81.20 SmartConsole, administrators need to go to Logs & Monitor > New Tab > Open compliance View. The other options are either incorrect or not available in R81.20.

PDP is not a valid CPVIEW view. CPVIEW is a command-line tool that shows the status of different system parameters, such as CPU, memory, disk, network, and firewall. The valid views are IDA, RAD, VPN, FW, QoS, and others. PDP is a process that handles identity awareness and authentication. References: Check Point R81 Gaia Administration Guide, Check Point Identity Awareness Administration Guide R81

 The cphaprob -a if command displays the interface status of all cluster members, including the interface name, IP address, state, monitor mode, and sync status. References: cphaprob - Check Point Support Center

The features that are only supported with R81.20 Gateways and not with R77.x are described in option C:

"C. The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence."

This feature, known as Rule Base Layers, allows for greater flexibility and control in organizing and prioritizing security rules within the rule base.

Options A, B, and D do not specifically pertain to features introduced in R81.20 and are available in earlier versions as well.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The fw ctl affinity -l -a -r -v command is the most accurate CLI command to get info about assignment (FW, SND) of all CPUs in your SGW. This command displays the affinity settings of all interfaces and processes in a verbose mode, including the Firewall (FW) and Secure Network Distributor (SND) instances. References: CoreXL Administration Guide

 The inspection point Big l is the first point immediately following the tables and rule base check of a packet coming from outside of the network. It is also the last point before the packet leaves the Security Gateway to the internal network1. The other inspection points are either before or after the rule base check, or in a different direction of traffic flow2. References: Check Point R81 Security Gateway Architecture and Packet Flow, 156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

References:

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, "SecurID."

Options A, C, and D are not standard authentication methods for mobile devices in this context.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via the cpm process. The cpm process is the main management process that handles database operations, policy installation, and communication with GUI clients via TCP port 190093. The other options are either incorrect or irrelevant to the log flow. References: Certified Security Expert (CCSE) R81.20 Course Overview, Check Point Ports Used for Communication by Various Check Point Modules

The Check Point TE appliance in Recommended Mode includes 2(OS) images. One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version. References: [Check Point R81 Threat Emulation Administration Guide]

The statement that is correct about the Sticky Decision Function is It is not supported with either the Performance pack of a hardware based accelerator card. The Sticky Decision Function (SDF) is a feature that ensures that packets from the same connection are handled by the same cluster member in a Load Sharing configuration. However, SDF is not compatible with SecureXL acceleration, which is enabled by default or by using a Performance pack or a hardware based accelerator card4. The other statements are either incorrect or outdated about SDF. References: Check Point R81 ClusterXL Administration Guide, Sticky Decision Function - Check Point CheckMates

 The attributes that SecureXL will check after the connection is allowed by Security Policy are Source address, Destination address, Source port, Destination port, Protocol. These are the five tuple parameters that define a connection and are used by SecureXL to accelerate the traffic. The other options are either missing some of the parameters or include irrelevant ones, such as MAC addresses1. References: Check Point R81 SecureXL Administration Guide

SecureXL Templating is a feature that accelerates the processing of packets that belong to the same connection or session by creating a template for the first packet and applying it to the subsequent packets. SecureXL Templating is precluded by factors that prevent the creation of a template, such as source port ranges, encrypted connections, NAT, QoS, etc. References: SecureXL Mechanism

 Detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature associated with the Check Point URL Filtering and Application Control Blade. This feature is part of the Check Point SandBlast Network solution, which uses Threat Emulation and Threat Extraction technologies to prevent zero-day attacks. The other features are part of the URL Filtering and Application Control Blade, which allows you to control access to web applications and sites based on various criteria. References: URL Filtering and Application Control Administration Guide

 Session Rate Acceleration is a SecureXL feature that accelerates the establishment of new connections by bypassing the inspection of the first packet of each session. Session Rate Acceleration ignores the source port information of the packet, as well as the destination port ranges, protocol type, and VPN information. The other packet info is used by Packet Acceleration, which is another SecureXL feature that accelerates the forwarding of subsequent packets of an established connection. References: SecureXL Mechanism

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

 A management plug-in is a software component that interacts with a Security Management Server to provide new features and support for new products. A management plug-in can extend the functionality of SmartConsole, SmartDashboard, SmartView Monitor, SmartView Tracker, SmartEvent, SmartReporter, SmartProvisioning, SmartUpdate, and other management tools. A management plug-in can also add new objects, policies, rules, actions, reports, views, and wizards to the management system. Some examples of management plug-ins are CloudGuard Controller, SandBlast Agent, Endpoint Security Server, Threat Extraction for Web, etc. 

 The host having a Critical event found by Anti-Bot should be remediated first, as it indicates that the host is infected by a botnet malware that is communicating with a Command and Control server. This poses a serious threat to the network security and data integrity. The other events may indicate potential malware infection or attack attempts, but not necessarily successful ones. References: Threat Prevention Administration Guide

The API server is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. You can verify that the API server is responding by using the following command in Expert mode:

This command will display the current status of the API server, such as running, stopped, or initializing. It will also show the API version, port number, and SSL certificate information. References: Check Point R81 REST API Reference Guide

 When doing a Stand-Alone Installation, you would install the Security Management Server with the Security Gateway as the other Check Point architecture component. A Stand-Alone Installation is where the Security Management Server and the Security Gateway are installed on the same machine2. The other options are either not Check Point architecture components, or not suitable for a Stand-Alone Installation. References: Check Point R81 Installation and Upgrade Guide

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts. References: Anti-Bot Software Blade

 Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default. References: CPM process

The least ideal Synchronization Status for Security Management Server High Availability deployment is Collision. This status indicates that both members have modified the same object independently, resulting in a conflict that needs to be resolved manually. The other statuses are either normal or indicate a temporary delay in synchronization. References: High Availability Administration Guide

 Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances. References: SecureXL Mechanism

 The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345. 

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

 R81.20 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81. 

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

The Check Point ThreatCloud is a worldwide collaborative security network that collects and analyzes threat data from millions of sensors, security gateways, and other sources, and delivers real-time threat intelligence and protection to Check Point products. References: Check Point ThreatCloud

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution. References: SandBlast Mobile Architecture

To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. There are four options available to calculate the traffic direction: Incoming, Outgoing, Internal, and Other. Incoming means the source is external and the destination is internal. Outgoing means the source is internal and the destination is external. Internal means both the source and the destination are internal. Other means both the source and the destination are external. References: SmartEvent R81 Administration Guide

 Sticky Decision Function (SDF) is required to prevent asymmetric routing in an Active-Active cluster. Asymmetric routing occurs when packets from a source to a destination follow a different path than packets from the destination to the source. This can cause problems with stateful inspection and NAT. SDF ensures that packets from the same connection are handled by the same cluster member1. References: Check Point R81 ClusterXL Administration Guide

The fw tab -s command lists all tables in Gaia. The fw tab command displays information about the firewall tables, such as connections, NAT translations, SAM rules, etc. The -s option shows a summary of all tables. References: fw tab - Check Point Support Center

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network. References: Security Gateway R81 Administration Guide:

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud. Capsule Workspace is a secure container app that allows users to access corporate data and applications from their mobile devices. Capsule Docs is a solution that protects documents with encryption and granular access control. Capsule Cloud is a cloud-based security service that enforces security policies on devices that are outside the corporate network. References: Check Point Capsule

 In R81, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy is a unified policy that allows you to configure and enforce IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction settings in one place. References: Threat Prevention Administration Guide

The command cphaprob igmp can be used to display the Multicast MAC address of a cluster. This command shows the IGMP (Internet Group Management Protocol) information for each cluster interface, including the VRID (Virtual Router ID), the Multicast IP address, and the Multicast MAC address3. The other commands do not show the Multicast MAC address information. References: Check Point R81 ClusterXL Administration Guide

The fwd process within the Security Management Server is responsible for the receiving of log records from Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 2571. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks2. References: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet – LazyAdmins

When configuring Management HA, you have to take into consideration that the Database revisions will not be synchronized between the management servers. Database revisions are snapshots of the database that are created manually or automatically when installing a policy or saving changes. They are stored locally on each management server and are not replicated by Management HA. The other options are either not true or not relevant to Management HA. References: Check Point R81 Installation and Upgrade Guide

 Connections to the Check Point R81 Web API use the HTTPS protocol. The Web API is a RESTful web service that allows you to perform management tasks on the Security Management Server using HTTP requests. References: Check Point Management APIs

The fwaccel stat command displays the status of SecureXL, and its enabled templates and features. The other commands are either incorrect or incomplete. References: [SecureXL Commands]

The clusterXL_admin down -p command disables a Cluster Member permanently, meaning that it will not rejoin the cluster even after a reboot. The other commands either disable a Cluster Member temporarily or are invalid. References: [ClusterXL Administration Guide]

 fwssd is a child process of fwd, which is the firewall daemon that handles policy installation, logging, and state synchronization. cpwd is the watchdog process that monitors and restarts other processes. fwm is the management server process that handles communication with GUI clients. cpd is the infrastructure daemon that handles SIC, licensing, and policy code generation. References: Check Point Processes Cheat Sheet – LazyAdmins, Check Point R81 Gaia Administration Guide, Certified Security Expert (CCSE) R81.20 Course Overview

To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. You can enable them by using the command fw ctl multik set_mode 9. This command sets the SecureXL mode to 9, which means that Priority Queues are enabled and Dynamic Dispatcher is fully enabled. References: SecureXL Mechanism

The correct command to observe the Sync traffic in a VRRP environment is fw monitor –e “accept dst=224.0.0.18;”. This command captures the packets that have the destination IP address of 224.0.0.18, which is the multicast address used by VRRP for synchronization. The other commands are either not valid or not specific to VRRP Sync traffic. References: [Check Point R81 ClusterXL Administration Guide], Check Point R81 Performance Tuning Administration Guide

 CPM process stores objects, policies, users, administrators, licenses and management data in a Postgres SQL database. This database is located in $FWDIR/conf and can be accessed using the pg_client command2. The other options are not the correct database type for CPM. References: Check Point R81 Security Management Administration Guide

 The correct command for checking the Deployment Agent status over the GAIA CLISH is “show installer status”. This command displays information about the Deployment Agent such as its version, status, last update time, and last operation result. The other commands are either invalid or irrelevant for this purpose. References: [Check Point Security Expert R81 Installation and Upgrade Guide], page 23.

You can locate the file via SmartConsole > Command Line. According to the CLISH documentation1, when you save the configuration with the “save configuration config.txt” command, the file is stored in a temporary location on the management server. To access the file, you need to use SmartConsole and go to Command Line > View File > config.txt2. Alternatively, you can also use the “show configuration” command in CLISH to view the current configuration2.

References: : CLISH - SourceForge : Summary of Gaia Clish Commands - Check Point Software

 SmartEvent Security Checkups can be run from the Reports activity in Logs and Monitor. A Security Checkup is a report that analyzes network traffic and security events and provides recommendations for improving security posture. To run a Security Checkup, go to Logs & Monitor > Reports > New Report > Security Checkup. The other activities in Logs and Monitor do not have the option to run a Security Checkup. References: : Check Point Software, Getting Started, Running a Security Checkup Report.

 Harmony Endpoint is a solution that provides comprehensive protection for endpoint devices against cyber threats. Harmony Endpoint includes a personal firewall that controls the network traffic to and from the endpoint device, based on predefined rules and policies. Harmony Endpoint also integrates with Check Point’s VPN solutions to provide secure remote access to corporate resources1. Therefore, the customer will need Harmony Endpoint because of the personal firewall requirement.

References: 1: Harmony Endpoint Administration Guide

The three types of tracking available for Threat Prevention Policy are Alert, SNMP trap, and Mail. These tracking options can be configured in the Threat Prevention tab of the SmartConsole, under the Policy section. The tracking options determine how the system notifies the administrator of events that match the policy rules. References: Configuring Threat Prevention Policy

 Gaia has two default user accounts that cannot be deleted: Admin and Monitor. Admin is a superuser account that has full access to all Gaia features and commands. Monitor is a read-only account that can view Gaia configuration and status but cannot make any changes. Both accounts have predefined passwords that can be changed by the Admin user. References: [Check Point R81 Gaia Administration Guide], page 29

SRC: GAIA R81.20 Administration Guide User Management -> Users These users are created by default and cannot be deleted: admin and monitor

The recommended way to have a redundant Sync connection between the cluster nodes is to use a group of bonded interfaces connected to different switches. In the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management, you should define a dedicated sync interface, only one interface per node.

Captive Portal is a feature of Identity Awareness Software Blade that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Captive Portal redirects users to a web page where they can enter their credentials and be authenticated by an external server, such as LDAP or RADIUS. After authentication, users can access the Internet and corporate resources according to the security policy rules that apply to their identity.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 9
• Configuring Browser-Based Authentication in SmartConsole

 The two high availability modes are New and Legacy. High availability (HA) is a feature that allows you to create a cluster of two or more Security Gateways that act as a single entity to provide redundancy and reliability for your network traffic. HA ensures that if one Security Gateway fails or becomes unavailable, another Security Gateway in the cluster takes over its role seamlessly and continues to process the traffic. HA also provides load balancing and synchronization of the cluster members. The New mode is the recommended mode for HA clusters, as it provides better performance, scalability, and stability than the Legacy mode. The New mode uses the ClusterXL mechanism to manage the cluster members and the state synchronization. The Legacy mode uses the High Availability Security Extension (HASE) mechanism to manage the cluster members and the state synchronization. The Legacy mode is supported for backward compatibility with older versions of Check Point products, but it has some limitations and disadvantages compared to the New mode. 

 The multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for VRRP is 224.0.0.18. This is a reserved multicast address that is used by VRRP routers to communicate with each other and announce their priority and state. Firewall policies must be configured to accept VRRP packets on the Gaia platform if it runs Firewall software. Otherwise, VRRP packets will be dropped by default. References: [Configuring VRRP on Gaia]

 It is false that it is not necessary to establish SIC between the primary and secondary management server, since the latter gets the exact same copy of the management database from the prior. In fact, SIC is required between the primary and secondary management server for Management HA to work properly. SIC ensures secure communication between the management servers and allows the standby server to receive updates from the active server. Without SIC, the standby server will not be able to synchronize with the active server and will not be ready to take over in case of a failover.

References:

• Solved: Management HA - Check Point CheckMates, section “Synchronizing Active and Standby Servers”
• CheckPoint Management Server R81 HA Configuration | Udemy, section “How to set it up in the PNET lab environment”
• Check Point R81, section “Management High Availability”

What two ordered layers make up the Access Control Policy Layer? Network and Application Control are the two ordered layers that make up the Access Control Policy Layer. The Network layer controls network access based on source, destination, service, time, etc. The Application Control layer controls application access based on users, groups, applications, content categories, etc. The Network layer is always processed before the Application Control layer. References: R81 Security Management Administration Guide, page 29.

 When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom, and enforces the first rule that matches the packet. The order of rule enforcement depends on the action of the matching rule. If the action is Accept, the gateway allows the packet to pass through the gateway, but also continues to check rules in the next Policy Layer down. If the action is Drop, Reject, or Encrypt, the gateway applies that action to the packet and stops checking rules in that Policy Layer and any subsequent Policy Layers. If there is no matching rule in a Policy Layer, the gateway applies the Implicit Clean-up Rule for that Policy Layer, which is usually Drop. 

 You can use the cphaprob -a if command to check the status of the virtual cluster interface1. This command displays the state, virtual IP address, and physical IP address of each cluster interface2. It also shows the load balancing method, the load on each interface, and the active member for each interface2. This command can help you verify that Alice configured the virtual cluster interface correctly and that it is working properly. To run this command, you need to access the cluster member in Clish and run cphaprob -a if1.

References: How to configure ClusterXL in Load Sharing Unicast mode - Check Point Software, cphaprob -a if - Check Point Software

 The base level encryption key used by Capsule Docs is RSA 2048. This means that Capsule Docs uses a 2048-bit RSA public key encryption algorithm to encrypt and decrypt documents. RSA is an asymmetric encryption algorithm that uses two keys: a public key that can be shared with anyone, and a private key that must be kept secret. AES, SHA-256, and RSA 1024 are not the base level encryption keys used by Capsule Docs. References: : Check Point Software, Getting Started, Capsule Docs Encryption.

 SecureXL does not use the TCP acknowledgment number as an attribute for identifying connections. SecureXL is a technology that accelerates the performance of the firewall by offloading some of the traffic processing from the firewall kernel to a more efficient path. SecureXL identifies connections by five attributes: source address, destination address, source port, destination port, and protocol1. These attributes are also known as the 5-tuple or the connection key. SecureXL uses these attributes to match packets to existing connections and apply the appropriate security policy and actions. SecureXL does not need to inspect the TCP sequence or acknowledgment numbers, as they are irrelevant for the connection identification and security enforcement2. The TCP sequence and acknowledgment numbers are used by the TCP protocol to ensure reliable and ordered delivery of data between endpoints

VLAN Tag is not an attribute of packet acceleration. Packet acceleration is a feature of SecureXL that allows certain packets to bypass the Firewall kernel and be processed by a more efficient mechanism. Packet acceleration is based on templates that match packets based on four attributes: Source IP address, Destination IP address, Protocol, and Destination port. If a packet matches an existing template, it is accelerated; otherwise, it is sent to the Firewall path for inspection. References: [SecureXL Mechanism]

The most recommended solution for high load on sync interface is to exclude FTP connections from synchronization. This is because FTP connections are usually long-lived and consume a lot of bandwidth and resources on the sync interface. By excluding FTP connections from synchronization, the load on the sync interface can be reduced and the performance of the cluster can be improved. References: Synchronization Optimization

 The statement that is not true about site-to-site VPN domain-based is that a VPN domain is a service or user that can send or receive VPN traffic through a VPN gateway. A VPN domain is a host or network that can send or receive VPN traffic through a VPN gateway, not a service or user. A service or user can be part of a VPN community, which defines the encryption and authentication methods for the VPN traffic. References: [Check Point Security Expert R81 Administration Guide], page 146.

The valid authentication methods for mutual authenticating the VPN gateways are Pre-shared Secret and PKI Certificates. Pre-shared Secret is a method that uses a secret key that is known only to the two VPN gateways. PKI Certificates is a method that uses digital certificates that are issued by a trusted Certificate Authority (CA) and contain the public key of each VPN gateway. Both methods ensure that the VPN gateways can verify each other’s identity before establishing a secure VPN tunnel. References: [Check Point R81 VPN Administration Guide]

 SecureXL uses templates to accelerate the connection rate by creating a connection entry in the SecureXL Connections Table without notifying the Firewall kernel for a predefined period of time1. This reduces the load on the Firewall kernel and improves the performance of new connections1. SecureXL uses five attributes to identify a connection and create a template: source address, destination address, source port, destination port, and protocol2. These attributes form a unique 5-tuple that defines a connection2.

References: : ATRG: SecureXL for R80.20 and higher : Performance Tuning Administration Guide R80

 The purpose of the CPCA process is to generate and modify certificates for Check Point products and features. CPCA stands for Check Point Certificate Authority and it is responsible for creating and managing certificates for internal communication between Check Point components, such as Security Gateways, Security Management Servers, SmartConsole clients, and OPSEC applications. CPCA also supports external certificate authorities and can import and export certificates from other sources. 

Based on the image provided by the user, we can infer that rule 1 and object webserver are locked by another administrator. This is because they have red lock icons next to them, which indicate that they are being edited by another administrator in another session. The lock icons prevent other administrators from modifying these objects until the changes are published or discarded by the original administrator. The lock icons also show the name of the administrator who locked the objects when hovered over with the mouse cursor.

The other options are incorrect because:

• Rule 7 was not created by the ‘admin’ administrator in the current session, but by another administrator in another session. This is because it has a blue lock icon next to it, which indicates that it was added by another administrator in another session. The blue lock icon prevents other administrators from deleting this rule until the changes are published or discarded by the original administrator.
• 8 changes have not been made by administrators since the last policy installation, but in the current session by the ‘admin’ administrator. This is because there is a yellow number 8 next to the Install Policy button, which indicates that there are 8 unpublished changes in the current session by the ‘admin’ administrator. These changes will be published or discarded when the ‘admin’ administrator clicks on Publish or Discard buttons.
• The rules 1, 5 and 6 can be edited by the ‘admin’ administrator, but only after unlocking them from another administrator who locked them in another session. This is because they have red lock icons next to them, which indicate that they are being edited by another administrator in another session. The ‘admin’ administrator can unlock these rules by right-clicking on them and selecting Unlock from the menu. However, this will discard the changes made by the original administrator who locked them.

The command fw tab is used to display the contents of the kernel tables1. The command has several options that can modify the output. The option -s shows only the table names and the number of entries in each table1. For example:

The option -t shows the contents of a specific table, given by its name or ID1. For example:

The option -n shows the numeric values of the fields in the tables, instead of resolving them to names1. For example:

The option -k shows the kernel references for each entry in the table1. For example:

Therefore, the correct answer is B, as it shows only the table names of all kernel tables.

References: 1: CLI R81.20 Reference Guide - Check Point Software

High Availability (HA) is a deployment scenario where two or more Security Management Servers are configured to work together as a cluster. One server acts as the Primary server and handles all management operations, while another server acts as the Secondary server and serves as a backup. If the Primary server fails, the Secondary server takes over and becomes active. The cluster members communicate using a Virtual IP (VIP) address, which is used by SmartConsole to connect to the active server. If the Primary server is temporarily down, the administrator does not need to do anything, as SmartConsole will automatically connect to the VIP address and reach the Secondary server that has become active. Therefore, the correct answer is A.

References: 6: High Availability Administration Guide

The back end database for Check Point R81 Management uses PostgreSQL, which is an open source relational database management system2. MongoDB, MySQL, and DBMS are not used by Check Point R81 Management. References: 2: Check Point Software, Getting Started, Database.

 If the action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet. This is because the Drop action is a final action that terminates the rule matching process and discards the packet. The gateway does not continue to check rules in the next Policy Layer down or in other enabled policies. References: [Policy Layers and Sub-Policies]

https://s c1.checkpoint.com/documents/R81/CP_R81_SecMGMT/html_frameset.htm?topic=documents/R81/CP_R81_SecMGMT/126197

 The main objective when using Application Control is to ensure security and privacy of information. Application Control is a blade that enables administrators to control access to web applications and web sites based on categories, users, groups, machines, and time. Application Control can also block or limit usage of applications that pose security risks or consume excessive bandwidth2. References: Check Point R81 Application Control Administration Guide

The best way to test if the policy from two weeks ago have the same issue is to install the specific version of the policy from the installation history view of the gateway. This way, you can keep the changes from the last weeks in the management server and revert back to them later if needed. You do not need to take a backup or a snapshot of the gateway or the management server for this purpose. References: [Check Point Security Expert R81 Administration Guide], page 34.

The statement that only cluster members running on the same OS platform can be synchronized is false. Cluster members can be synchronized even if they run on different OS platforms, as long as they have the same Check Point version and hotfixes installed. The other statements are true. The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization. Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails. References: R81 ClusterXL Administration Guide, page 9-10; [R81 Security Gateway Architecture], page 23

 What is the default shell for the command line interface? The default shell for the command line interface is Clish. Clish is a shell that provides a menu-based interface for configuring various system settings, such as network interfaces, routing, DNS, NTP, SNMP, SSH, etc. Clish also provides help and completion features for easier navigation. To switch from Clish to Expert mode, which allows running Linux commands, use the command expert. References: Gaia Administration Guide R81, page 29.

 A certificate-based VPN tunnel between two gateways with separate management systems requires mutually trusted certificate authorities. This means that each gateway must have a certificate issued by a certificate authority (CA) that the other gateway trusts. The CA can be either an internal CA or an external CA. The CA issues certificates that contain the public key and identity information of the gateway. The gateway uses its private key to sign and encrypt the VPN traffic. The other gateway can verify the signature and decrypt the traffic using the public key in the certificate. This ensures the authenticity, integrity, and confidentiality of the VPN tunnel.

References:

• Remote Access VPN R81.20 Administration Guide, page 12
• DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud, slide 9

You can establish a VPN before the user login to the Endpoint Client by enabling Machine Authentication in the Gateway object of the Smart Console1. Machine Authentication is a feature that allows you to authenticate with a machine certificate and establish a VPN tunnel before the Windows Logon2. This feature provides the following benefits2:

• It enhances the security of the VPN connection by verifying the identity of the machine before allowing access to the network.
• It simplifies the user experience by eliminating the need to enter credentials twice (once for the VPN and once for the Windows Logon).
• It enables seamless connectivity to the network resources and domain services, such as Group Policy, login scripts, and mapped drives. Machine Authentication is supported on Check Point Endpoint Security Client for Windows with E80.71 and higher versions2. It requires a hotfix on top of R77.30 jumbo 286 on the Security Gateway2. To configure Machine Authentication, you need to do the following steps2:
• Generate and distribute machine certificates to the Endpoint machines using a trusted Certificate Authority (CA).
• Enable Machine Authentication in the Gateway object of the Smart Console and select the CA that issued the machine certificates.
• Install policy on the Security Gateway and reboot it.
• Enable Machine Authentication in the Endpoint Security Client and select the machine certificate to use.

 Backward Compatibility means that the Management Server is able to manage older Gateways. The lowest supported version is documented in the Release Notes of each version. The Installation and Upgrade Guide only provides information about how to install or upgrade the Management Server and the Gateways, not about the compatibility between them. References: Check Point R81 Release Notes, page 6.

When configuring SmartEvent Initial settings, you must specify a basic topology for SmartEvent to help it calculate traffic direction for events. This setting is called Internal network(s) and you are defining your networks. You can specify one or more networks or IP addresses that are considered internal for SmartEvent. This helps SmartEvent to determine the direction of the traffic (inbound, outbound, or internal) and generate events accordingly. References: [SmartEvent Administration Guide]

 A pre-shared secret is a secret key that is shared between the two VPN peers before establishing a secure connection. It is used to authenticate the VPN peers and encrypt the VPN traffic. A pre-shared secret is required for a site-to-site VPN tunnel that does not use certificates, because certificates are another way of authenticating the VPN peers using public key cryptography. Without certificates, the VPN peers need to have a common secret key that only they know. References: Check Point R81 VPN Administration Guide, page 13

 The default port for the Gaia WebUI Portal is HTTPS 443. This is the standard port for secure web communication over SSL/TLS. Changing the port may cause inconsistency with the settings on the SmartConsole and is not recommended unless necessary. To change the port, you can use the CLISH command set web ssl-port  and save the configuration. References: 13

Multi-Version Cluster Upgrade (MVCLU) is a feature that allows you to upgrade a cluster of Security Gateways from one major version to another, without downtime1. MVCLU supports upgrading a cluster that runs on different versions, as long as the versions are compatible with the destination version1. The number of versions, besides the destination version, that are supported in a MVCLU depends on the destination version. For example, if the destination version is R81, then MVCLU supports up to three versions besides R81, which are R80.40, R80.30, and R80.202. Therefore, the correct answer is B, as three versions are supported in a MVCLU besides the destination version.

References: 1: ClusterXL upgrade methods and paths - Check Point Software 2: Check Point R81 - Check Point Software

The correct answer is A. Network location, the identity of a user and the identity of a machine.

Identity Awareness allows you to easily configure network access and auditing based on three items: network location, the identity of a user and the identity of a machine1. This enables you to create granular and accurate identity-based policies that control who can access what, when and how. You can also monitor and log user and machine activities for compliance and auditing purposes.

Geographical location, the telephone number of a user and the UID of a machine are not the items that Identity Awareness uses to identify and authorize users and machines.

References:

• Identity Awareness - Check Point Software1

 The command that may impact performance briefly and should not be used during heavy traffic times of day is fw tab -t connections. This command displays all the entries in the connections table, which can be very large and consume a lot of CPU resources. The other commands are less intensive and can be used safely. The command fw tab -t connections -s displays only the statistics of the connections table, such as number of entries, peak size, etc. The command fw tab -t connections -c clears all the entries in the connections table. The command fw tab -t connections -f displays only the entries that match a filter expression. References: [fw tab Command]

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server, where it is forwarded to fwm via cpd. The fwm process is responsible for managing the log files and the cpd process is responsible for communication between processes. The other options are incorrect because they involve processes that are not related to logging or communication. References: Check Point Certified Security Expert R81.20 Course Overview, sk163413: Support, Support Requests, Training … - Check Point Software, Check Point Certified Security Expert R81.20

 The IPS policy for pre-R81 gateways is installed during the Anti-bot policy install. The Anti-bot policy install includes both Anti-bot and IPS protections for pre-R81 gateways, since they share the same inspection engine. For R81 and above gateways, the IPS policy is installed separately as part of the Threat Prevention policy install, which also includes Anti-virus and Threat Emulation protections. References: R81 Threat Prevention Administration Guide, page 15.

 The reason why the web session is being disconnected after 10 minutes is that the idle timeout for the web session is specified with the “set web session-timeout” command, not the “set inactivity-timeout” command. The “set inactivity-timeout” command only affects the CLI session, not the web session. To prevent the web session from being disconnected after 10 minutes of inactivity, you need to use the “set web session-timeout” command with a higher value than 10 minutes. References: [Check Point Security Expert R81 Administration Guide], page 77.

The command fw unloadlocal removes the current security policy from the local gateway and returns it to its initial state2. This command can be used as a last resort to restore traffic flow through the gateway if the policy is causing problems. The command fw unloadpolicy is not valid, and the commands fwm unload local and fwm unload policy are used to remove policies from remote gateways3. References: 2: Check Point Software, Getting Started, Unloading Security Policies; 3: Check Point Software, Getting Started, Unloading Security Policies from Remote Gateways.