156-215.81 Sample Questions Answers

The answer is B because bridge mode deployment adds a Security Gateway to an existing environment without changing IP routing. Bridge mode is a transparent mode that does not require assigning IP addresses to the Security Gateway interfaces. Distributed deployment is a deployment where the Security Management Server and the Security Gateway are installed on separate machines. Remote deployment is a deployment where the Security Gateway is installed on a remote site and connects to the Security Management Server over a VPN tunnel. Standalone deployment is a deployment where the Security Management Server and the Security Gateway are installed on the same machine.References: [Check Point R81 Bridge Mode], [Check Point R81 Deployment Scenarios]

 Only one user can have read/write access in Gaia Operating System at one time2. This is to prevent conflicts and errors when multiple users try to modify the same configuration settings. References: Check Point Gaia Administration Guide

According to the Check Point R81.10 SmartConsole for Windows1, to restore a backup, you need to supply the following data: Server, Protocol, Username, Password, and Path. The Server is the IP address or hostname of the Security Management Server. The Protocol is either SCP or SFTP. The Username and Password are the credentials for the Security Management Server. The Path is the location of the backup file on the Security Management Server. References: Check Point R81.10 SmartConsole for Windows

When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is saved to the SmartConsole cache and is available for future Security Management Server authentications. The fingerprint is a unique identifier of the Security Management Server that is used to verify its identity and prevent man-in-the-middle attacks. The SmartConsole cache is a local folder on the client machine that stores temporary files and settings.

References: Check Point Security Management Administration Guide R81, p. 25-26

Security Zones are a feature of Application Control and Identity Awareness that allow you to define groups of network objects based on their level of trust. Security Zones do not work with Manual NAT rules, because Manual NAT rules are applied before the Application Control and Identity Awareness policy is enforced1. References: Check Point R81 Security Management Administration Guide

 Log, Alert, and None are the tracking options that an Administrator can select when configuring Anti-Spoofing. Log means that the packet will be logged in SmartView Tracker. Alert means that the packet will trigger an alert in SmartView Monitor. None means that no action will be taken2. The other options are not valid tracking options.

There are three types of software containers: security management, Security Gateway, and endpoint security. A software container is a set of software blades that provide specific functionality. A security management container manages the security policy and configuration for one or more Security Gateways. A Security Gateway container enforces the security policy on the network traffic. An endpoint security container protects the data and network access of an endpoint device2. The other options are not valid types of software containers. References: Software Containers

 In order to modify Security Policies, the administrator can use SmartConsole or mgmt_cli (API) on any computer where SmartConsole is installed. SmartConsole is a graphical tool that allows the administrator to create, edit, and manage security policies using a web browser. mgmt_cli (API) is a command-line tool that allows the administrator to perform the same tasks using commands and scripts. Both tools can connect to the Security Management Server remotely from any computer that has SmartConsole installed.References: [SmartConsole Overview], [mgmt_cli (API)]

The difference between the Install Policy button on the SmartConsole’s tab and the Install Policy within a specific policy is that the former installs all the policies that are selected in the Install Policy window, while the latter pre-selects the installation for only the current policy and for the applicable gateways5 . The other options are not accurate differences. References: Installing Policies, [Check Point CCSA - R81: Practice Test & Explanation]

Resource is NOT an objects category in SmartConsole1, p. 18. The objects categories in SmartConsole are Network Object, Host, Network, Group, Gateway, Cluster, VPN Community, Service, Time Object, Access Role, Custom Application / Site, Data Center Object, Limit. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point SmartConsole R81 Help]

 If AdminB sees a lock icon on a rule, it means that the rule is locked by AdminA and will be made available if the session is published. A session is a set of changes made by an administrator in SmartConsole. A session can be published to save and share the changes with other administrators, or discarded to cancel the changes and unlock the objects1.

References: 1: Check Point R81 Security Management Administration Guide, page 18.

 The answer is A because changing the Security Gateway IP-address requires re-establishing the trust with the Security Management Server by initializing the Secure Internal Communication (SIC). Changing the Security Gateway name in command line or changing the Security Management Server name or IP-address in SmartConsole does not require re-establishing the trust, but it may require updating the topology and pushing the policy.References: [Check Point R81 Security Management Administration Guide], [Check Point R81 Security Gateway Administration Guide]

 A security gateway is a device that enforces the security policy on the traffic that passes through it. There are three deployment options available for a security gateway: Standalone, Distributed, and Bridge Mode. Standalone means that the security gateway and the security management server are installed on the same machine. Distributed means that the security gateway and the security management server are installed on separate machines. Bridge Mode means that the security gateway acts as a transparent bridge between two network segments, without changing the IP addressing scheme1. References: Check Point R81 Security Gateway Technical Administration Guide

The file that stores the proxy arp configuration is $FWDIR/conf/local.arp on the gateway3 . The other files are not related to proxy arp configuration. References: How to configure Proxy ARP for Manual NAT on Security Gateway, [Check Point CCSA - R81: Practice Test & Explanation]

The tool used to enable cluster membership on a Gateway is cpconfig2. This tool allows you to configure basic settings of Check Point products, such as cluster membership, administrator name and password, GUI clients, and Secure Internal Communication (SIC)2. References: Next Generation Security Gateway Guide R80

The position of an implied rule is manipulated in the Global Properties window. Implied rules are predefined rules that are not displayed in the rule base. They allow or block traffic for essential services such as communication with Check Point servers, logging, and VPN traffic. The position of an implied rule can be changed in the Global Properties > Firewall > Implied Rules section56. References: How to view Implied Rules in R80.x / R81.x SmartConsole, Implied Rules

 The GUI tool that can be used to view and apply Check Point licenses is SmartUpdate. SmartUpdate is a centralized tool that allows you to manage licenses, software packages, and hotfixes for multiple gateways and clusters12. cpconfig, Management Command Line, and SmartConsole are not tools for license management. References: Check Point R81 SmartUpdate Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

References: Threat Emulation is not a policy type available for each policy package. Threat Emulation is a software blade that is part of the Threat Prevention policy type. The other options are valid policy types that can be configured for each policy package. References: [Threat Prevention Administration Guide R80.40], [Security Policies Administration Guide R80.40]

Upgrading the Security Gateway does not require a new license to be generated and installed. The license is tied to the IP address or hostname of the Security Gateway, not the software version. However, if the IP address or hostname changes, the existing license expires, or the license is upgraded, a new license must be generated and installed12 References: Check Point R81, Managing and Installing license via SmartUpdate

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given. DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1. DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES. 3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

• What is DES encryption, and why was it replaced?
• Data Encryption Standard - Wikipedia
• What is 3DES encryption?
• [What is AES encryption and how does it work?]

Active Directory Query is an identity acquisition method that allows a Security Gateway to identify Active Directory users and computers. Active Directory Query enables the Security Gateway to query the Active Directory Domain Controllers for user and computer information, such as IP addresses, group memberships, and login events.

References: : Check Point R81 Identity Awareness Administration Guide, page 14.

R80 is supported by Gaia only, which is Check Point’s unified security operating system for all Check Point appliances, open servers, and virtualized gateways1, p. 14. Windows and SecurePlatform are not supported by R80. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Learning and Training Frequently Asked Questions (FAQs)]

Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. This option allows the administrator to select which tunnels should be permanent and which should be established on demand. The other options are not valid, as they do not match the available choices in the VPN community settings.

References: [VPN Administration Guide], [Check Point R81.10]

SecurID is a Check Point supported authentication scheme that typically requires a user to possess a token. A token is a physical device that generates a one-time password that changes periodically. The user must enter the password along with their username to authenticate. References: Remote Access VPN R81.20 Administration Guide, page 30.

The statement that a Sectional Title can be used to disable multiple rules by disabling only the sectional title is false. A Sectional Title is a visual divider that helps organize and navigate large rule bases. It does not affect the rule enforcement order or the rule functionality. Disabling a Sectional Title does not disable the rules under it. To disable multiple rules, you need to select them individually or use Shift+Click or Ctrl+Click to select them in bulk, and then right-click and choose Disable Rule(s). The other statements are true. Section titles are not sent to the gateway side, they are only displayed in SmartConsole. These sections are simple visual divisions of the Rule Base and do not hinder the order of rule enforcement. Sectional Titles do not need to be created in SmartConsole, they can also be created using SmartConsole CLI or API commands.References: [Sectional Titles], [SmartConsole CLI Guide], [SmartConsole API Reference Guide]

The default port numbers for an LDAP server are 389 for standard connections and 636 for SSL connections. LDAP (Lightweight Directory Access Protocol) is a protocol that allows access to directory services over TCP/IP. Therefore, the correct answer is B. 389, 636. 

Domain-based— VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

This statement is not true because a VPN domain is not a service or user, but a host or network that can send or receive VPN traffic through a VPN Gateway1. This is the definition given in the Site to Site VPN R81 Administration Guide1. The other statements are true according to the same guide1.

• Remote Access VPN R81.20 Administration Guide
• Site to Site VPN R81 Administration Guide
• DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 811612. The other statements are true about Delta synchronization. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

The answer is C because inline layer can be defined as a rule action in a policy layer. Inline layer is a sub-policy that contains additional rules that are applied only if the parent rule matches. Ordered layer is a policy layer that contains rules that are applied in order, from top to bottom. One policy can be either inline or ordered, but not both. Pre-R80 Gateways do support ordered layers, but not inline layers5 References: Check Point R81 Policy Layers and Sub-Policies, [Check Point R81 Security Gateway Administration Guide]

 Threat Prevention is a comprehensive solution that protects networks from malicious attacks by using multiple security blades, such as Anti-Bot, Anti-Virus, IPS, Threat Emulation, and Threat Extraction. A Threat Prevention profile defines the actions and settings for each blade and can be applied to different network segments or scenarios. The Perimeter profile is one of the predefined profiles that uses sanitization technology to protect users from malicious files and links. Sanitization technology includes Threat Emulation and Threat Extraction blades, which can detect and remove malware from files and web content. References: [Check Point R81 Threat Prevention Administration Guide]

 The answer is B because AES-CBC-256 is not a supported encryption algorithm for IPsec Security Associations (Phase 2) in R81. The supported encryption algorithms are AES-GCM-128, AES-GCM-256, AES-CBC-128, 3DES, and NULL3 References: Check Point R81 VPN Administration Guide

 A Security Policy is created in SmartConsole, stored in the Security Management Server, and distributed to the various Security Gateways. SmartConsole is a graphical user interface that allows administrators to create and edit security policies. The Security Management Server is a central server that stores and manages the security policies. The Security Gateways are devices that enforce the security policies on the network traffic.

References: : Check Point R81 Security Gateway Administration Guide, page 9.

 The Security Gateways collect logs and send them to the log server. The Security Gateways are the components that enforce the security policy on network traffic and generate logs for each connection that matches a rule with a tracking option. The log server is the component that receives and stores the logs from the Security Gateways and provides a centralized interface for viewing and analyzing them. The log server can be either a dedicated server or integrated with the Security Management Server. References: [Check Point R81 Security Management Administration Guide]

The types of VPN communities are Meshed, Star, and Combination. A Meshed community is a group of Security Gateways that have VPN connections between every pair of members. A Star community has one Security Gateway as the center and other Security Gateways or hosts as satellites. A Combination community is a group of Meshed and Star communities. References: [Check Point R81 Site-to-Site VPN Administration Guide]

A shared policy is a set of rules that can be used in multiple policy packages. It allows the administrator to create a common security policy for different gateways or domains, and avoid duplication and inconsistency. The other options are not advantages of a shared policy. References: [Shared Policies Overview], [Shared Policies Best Practices]

SmartView is the web application for real-time event monitoring in SmartEvent R80 and above. It provides a unified view of security events across the network and allows for quick investigation and response34. References: SmartEvent R80.40 Administration Guide, SmartView

 The BEST immediate action to take when you have discovered suspicious activity in your network is to create a suspicious action rule to block that traffic. A suspicious action rule is a special type of rule that is triggered when a predefined condition is met, such as a malicious file download, a ransomware attack, or a data exfiltration attempt13. A suspicious action rule can block the traffic, quarantine the source, or send an alert to the administrator. Creating a policy rule to block the traffic may not be effective if the traffic does not match the rule criteria or if the policy installation is delayed. Waiting until traffic has been identified before making any changes may allow the threat to spread or cause more damage. Contacting ISP to block the traffic may not be feasible or timely, and may also affect legitimate traffic. References: Check Point R81 Security Gateway Technical Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

The licensing feature that is used to verify licenses and activate new licenses added to the License and Contracts repository is Automatic licensing and Verification tool1, p. 8. Automatic licensing is a feature that allows the Security Management Server to automatically attach licenses to Security Gateways. Verification tool is a feature that allows the Security Management Server to verify the validity of licenses and contracts2. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Licensing and Contract Administration Guide R81

This log filter will show only the logs that have the action of “Key Install”, which means that the Security Gateway installed a new encryption key for the VPN tunnel1. It will also show only the logs that have the IP address of 1.1.1.1, which is the remote gateway that has some issues. Finally, it will show only the logs that have the Quick Mode, which is the IKE Phase 2 negotiation that establishes the agreed networks for both gateways2.

The other log filters are not correct because they either include the Main Mode, which is the IKE Phase 1 negotiation that establishes the secure channel between the gateways2, or they do not specify the IP address of the remote gateway.

• Logging and Monitoring R81.20 Administration Guide
• Remote Access VPN R81.20 Administration Guide
• Remote Access VPN R81 Administration Guide

 Core Protections are installed as part of the Threat Prevention Policy. Core Protections are a set of IPS protections that are essential for securing your network against malicious traffic4. The other policies do not include Core Protections.

References: 1: Check Point CLI Reference Card 2: Anti-Spoofing 3: SmartView Tracker 4: Core Protections

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate1. A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2. A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3. The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication. PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4. Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4. PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

• What is mutual authentication? | Two-way authentication
• Mutual authentication - AWS Client VPN
• VPN authentication options - Windows Security
• Mutual Authentication | Top 3 Methods of Mutual Authentication
• Authentication methods and features - Microsoft Entra

A Check Point Software license consists of two components, the Software Blade and the Software Container. There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security1. A Software Blade is a specific security function that can be enabled or disabled on a Software Container. A Software Container is a platform that runs one or more Software Blades. Security Management is a container that manages the security policy and configuration of Security Gateways. Security Gateway is a container that enforces the security policy on network traffic. Endpoint Security is a container that protects endpoints from threats and data loss. References: Check Point Licensing and Contract Operations User Guide

One of the major features in R80.x SmartConsole is concurrent administration, which allows multiple administrators to work on the same Security Policy at the same time12. However, only one administrator can edit a rule at a time. If AdminA and AdminB are editing the same rule at the same time, it will cause a conflict and prevent them from saving their changes12. Therefore, the correct answer is B. AdminA and AdminB are editing the same rule at the same time.

The scenario where it is a valid option to transfer a license from one hardware device to another is from a 4400 Appliance to a 2200 Appliance. This is because both appliances are Check Point products and have the same license type (Central License). You can transfer a license from one hardware device to another if they have the same license type and vendor3. Therefore, the correct answer is A. From a 4400 Appliance to a 2200 Appliance. 

 Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication. Captive Portal is a web page that prompts users to enter their credentials. Transparent Kerberos Authentication is a method that automatically authenticates users who have a valid Kerberos ticket from the Active Directory domain controller2. UserCheck is a feature that allows users to interact with the security policy, not a method of authentication. User Directory is a component that integrates with external user databases, not a web page for authentication. Captive Portal alone is not enough to fill in the blank, as it is only one of the methods used by Browser-based Authentication.

The Object Explorer is the part of SmartConsole that allows administrators to add, edit, delete, and clone objects. Objects are entities that represent network elements, such as hosts, networks, gateways, services, users, etc. The Object Explorer provides a tree view of all the objects in the database and allows searching, filtering, and grouping them2. References: Check Point R81 SmartConsole R81 User Guide

The WebUI can be used to manage Operating System user accounts and add users to your Gaia system, assign privileges to users, and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server. This is done by the SmartConsole1.

References: 1: Check Point R81 Security Management Administration Guide, page 11.

The best way to restrict access to a network resource only allowing certain users to access it, and only when they are on a specific network, is to create an Access Role object, with specific users or user groups specified, and specific networks defined. Then, use this access role as the “Source” of an Access Control rule. This allows for granular control over network traffic based on user identity and location3.

References: 3: Check Point R81 Security Gateway Administration Guide, page 13.

 The answer is A because Identity Awareness commands are used to support identity sharing between Security Gateways. Policy Decision Point (PDP) is the Security Gateway that collects identities from various sources and shares them with other gateways. Policy Enforcement Point (PEP) is the Security Gateway that enforces the policy based on the identities received from the PDP12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Security Management Administration Guide

 Stateful Inspection and Proxies are two different technologies for implementing firewall security. Stateful Inspection is a technique that inspects packets at the network layer and maintains a state table that tracks the status of each connection. Proxies are applications that act as intermediaries between clients and servers, and inspect packets at the application layer. The competition between stateful inspection and proxies was based on performance, protocol support, and security. When it comes to performance, stateful inspection was significantly faster than proxies, because it did not have to process the payload of each packet and could handle more concurrent connections1. References: Check Point R81 Security Gateway Technical Administration Guide

The BEST way to tune the profile in order to lower the CPU load still maintaining security at good level is to set the Performance Impact to Medium or lower. This will reduce the number of packets that are inspected by the Threat Prevention blades, while still providing a high level of protection . Setting High Confidence to Low and Low Confidence to Inactive will lower the security level, as it will allow more traffic that may be malicious. The problem is likely with the Threat Prevention Profile, as it can have a significant impact on the CPU utilization of the Security Gateway. Adding more memory to the appliance will not solve the problem, as memory is not the bottleneck in this case. Setting the Performance Impact to Very Low Confidence to Prevent will increase the CPU load, as it will inspect more packets and block more traffic that may be false positives.

References: Threat Prevention Administration Guide, Check Point R81.10

The Accounting tracking option is used to monitor the amount of data that passes through a connection. When this option is enabled on a traffic rule, the involved traffic logs are updated every 10 minutes to show how much data has passed on the connection. This information can be used for billing or auditing purposes3. References: Check Point R81 Logging and Monitoring Administration Guide

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red “X” in the status column indicates that one or more blades on the Security Gateway have a problem that requires attention. The other options are not correct, as they do not match the status shown in the image. If the SmartCenter Server cannot reach this Security Gateway, the status column would show a yellow triangle with an exclamation mark. If the VPN software blade is reporting a malfunction, the blades column would show a red “X” on the VPN icon. If the Security Gateway’s MGNT NIC card is disconnected, the IP column would show “N/A” instead of the IP address.

References: Remote Access VPN R81 Administration Guide, Check Point R81.10

 To use Application objects in a rule, the “Applications & URL Filtering” blade should be enabled on the policy layer where the rule is being created. Enabling the “Application Control” blade on a gateway is not enough3.

References: 3: Check Point R81 Security Management Administration Guide, page 102.

 Identity Awareness is a software blade that lets an administrator easily configure network access and auditing based on three items: network location, the identity of a user, and the identity of a machine. These items are used to identify and authenticate users and machines, and to enforce identity-based policies. Network location refers to the IP address or subnet of the source or destination of the traffic. The identity of a user can be obtained from various sources, such as Active Directory, LDAP, or Captive Portal. The identity of a machine can be verified by using Secure Domain Logon or Identity Agent. 

 Identity Captive Portal is a Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication2. To enable Identity Captive Portal for a specific rule, you need to right click Accept in the rule, select “More”, and then check “Enable Identity Captive Portal”3. References: Identity Awareness Administration Guide R80, Identity awareness with captive portal in Checkpoint R80

When doing a Stand-Alone Installation, you would install the Security Management Server with none of the other Check Point architecture components. A Stand-Alone Installation is a type of installation that combines the Security Management Server and the Security Gateway on one computer or appliance3, p. 14. SmartConsole, SecureClient, and SmartEvent are not Check Point architecture components, but software applications that can be installed separately. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Installation and Upgrade Guide R81]

The administrator can edit a list of trusted SmartConsole clients in three ways: in cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server, and in SmartConsole: Manage and Settings > Permissions and Administrators > Advanced > Trusted Clients

 Security questions are not an authentication scheme used for accounts created through SmartConsole4. The available authentication schemes are Check Point password, RADIUS, TACACS, SecurID, LDAP, and Certificate. References: Check Point R81 Security Management Administration Guide

The command cplic print is used to verify license installation. It displays the installed licenses and their expiration dates . References: [Check Point R81 Command Line Interface Reference Guide], Check Point :: Pearson VUE

The INSPECT Engine is the core component of Check Point’s Stateful Inspection technology. It is used to extract state related information from packets and store that information in state tables. The INSPECT Engine also evaluates the security policy and enforces it on the packets1. References: Check Point R81 Security Gateway Technical Administration Guide

The two Check Point Protocols that are used by are FWD and LEA567. FWD is the Firewall Daemon that handles communication between different Check Point components, such as Security Management Server, Security Gateway, SmartConsole, etc. LEA is the Log Export API that allows external applications to retrieve logs from the Security Gateway or Security Management Server. Therefore, the correct answer is B. FWD and LEA. References: Border Gateway Protocol - Check Point Software, Check Point IPS Datasheet, List of valid protocols for services? - Check Point CheckMates

The User Directory is used to obtain identification and security information about network users. It can be integrated with external user databases such as LDAP, RADIUS, or TACACS+. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 9.

 Once a license is activated, a Service Contract file should be installed. This file contains information about the license expiration date, support level, and other details3. The other options are not valid file names.

References: 3: Check Point R81 Security Management Administration Guide, page 15.

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. You can add Accounting and/or Suppression to each of these options1. Accounting enables you to track the amount of data that is sent or received by a specific rule. Suppression enables you to reduce the number of logs that are generated by a specific rule. Therefore, the correct answer is C. Accounting/Suppression. References: Logging and Monitoring Administration Guide R80 - Check Point Software

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud123. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications2. Capsule Docs protects business documents everywhere they go with encryption and access control1. Capsule Cloud provides cloud-based security services to protect mobile users from threats3. References: Check Point Capsule, Check Point Capsule Workspace, Mobile Secure Workspace with Capsule

The fwm process is responsible for managing the communication between the SmartConsole and the Security Management Server. It can only be seen on a Management Server12. References: Check Point Processes and Daemons, Check Point CCSA - R81: Practice Test & Explanation

The Access Role object type is used to grant network access to an LDAP user group. It defines a set of users and machines that can access a specific network resource34 References: Access Role, LDAP User Group

Most Check Point deployments use Gaia, which is a unified operating system for all Check Point appliances, open servers, and virtualized gateways. However, some product deployments utilize special Check Point code, such as Scalable Platforms (formerly known as Maestro), which are high-performance security gateways that can scale up to 1.5 Tbps of firewall throughput. Scalable Platforms use a special version of Gaia OS called Gaia Embedded, which is planned to be unified with Gaia OS in R81.102. References: Check Point R81 Release Notes

SmartConsole, SmartEvent GUI client, and SmartView Web Application allow viewing of billions of consolidated logs and shows them as prioritized security events1. SmartView Web Application is a web-based interface that provides access to SmartEvent reports and dashboards2. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartEvent Administration Guide

Captive Portal is an authentication method used for Identity Awareness4. Captive Portal is a web-based authentication method that redirects users to a browser-based login page when they try to access the network. Users must provide their credentials to access the network resources. Captive Portal can be used for guest users or users who are not identified by other methods4. SSL, PKI, and RSA are not authentication methods used for Identity Awareness, but rather encryption or certificate technologies. References: Identity Awareness Reference Architecture and Best Practices

Quick Mode Complete is the message that indicates IKE Phase 2 has completed successfully2. IKE Phase 2 is also known as Quick Mode or Child SA in IKEv1 and IKEv2 respectively. Aggressive Mode and Main Mode are part of IKE Phase 1, which establishes the IKE SA. IKE Mode is not a valid term for IKE negotiation. References: How to Analyze IKE Phase 2 VPN Status Messages, IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges, Understand IPsec IKEv1 Protocol

A main component of the Check Point security management architecture is SmartConsole2. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References: Check Point R81 Security Management Administration Guide

 Snapshot is the backup utility that captures the most information and tends to create the largest archives. Snapshot creates an image of the entire system, including operating system files, configuration files, databases, and logs. It can be used to restore the system in case of a failure or corruption. Backup creates a compressed file that contains configuration files and databases, but not operating system files or logs. It can be used to restore configuration settings and policies. Database Revision creates a backup of only the database files that store policies and objects. It can be used to revert to a previous revision of the database. Migrate export creates a compressed file that contains configuration files, databases, and logs, but not operating system files. It can be used to migrate data from one machine to another with different hardware or software versions.References: [Backup and Restore], [Database Revision Control], [Migrate Tools], [Hewlett Packard Enterprise Support Center]

The command that shows the installed licenses in Expert mode is cplic print. This command displays information about the licenses that are installed on the local machine or a remote machine1. The other commands are not valid for showing licenses in Expert mode. 

The BEST method to deploy Identity Awareness for roaming users is to use identity agents, which are software components installed on endpoints that provide user and machine identity information to the Security Gateway45. Identity agents are more secure and reliable than other methods, as they do not require network changes or user interaction4. Office Mode, sharing user identities between gateways, and using captive portal are not methods to deploy Identity Awareness, but rather features or options that can be used with Identity Awareness46.

References: Identity Awareness Reference Architecture and Best Practices, Identity Awareness PDP Broker, Identity Awareness Datasheet

The options to calculate the traffic direction are Incoming, Internal, and External3. Outgoing is not an option. Incoming traffic is traffic that enters the Security Gateway from an external network. Internal traffic is traffic that originates and terminates in networks that are directly connected to the Security Gateway. External traffic is traffic that originates or terminates in networks that are not directly connected to the Security Gateway. References: Check Point R81 Security Management Administration Guide

The command that is used to monitor cluster members is cphaprob state. This command shows the state of each cluster member (Active, Standby, Down, etc.) and the reason for the state (OK, HA Failure, CCP Failure, etc.). It also shows the state synchronization status (Synchronized or Not Synchronized) and the uptime of each cluster member. The other options are incorrect. Option B is a command to show the status of cluster services, not cluster members. Option C is not a valid command by itself, as it requires an argument such as state, status, list, etc. Option D is not a valid command at all. References: [cphaprob]

There are three types of Endpoint Identity Agents: Full, Light, and Terminal. Custom is not a valid type2.

References: 2: Check Point R81 Endpoint Security Administration Guide, page 18.

 Phase 1 of the two-phase negotiation process conducted by IKE operates in Main mode or Aggressive mode12. Main mode is more secure than Aggressive mode, as it protects the identities of the peers and uses six messages to establish the IKE SA13. Authentication, Quick, and High Alert are not valid modes for IKE phase 1.

References: Understand IPsec IKEv1 Protocol, Internet Key Exchange for IPsec VPNs Configuration Guide, Internet Key Exchange

When tunnel test packets no longer invoke a response, SmartView Monitor displays Down for the given VPN tunnel1. This means that the VPN tunnel is not operational and there is no IKE or IPsec traffic passing through it. No Response, Inactive, and Failed are not valid statuses for VPN tunnels in SmartView Monitor. References: Smart View Monitor displays status for all S2S VPN tunnels - Phase1 UP

When dealing with rule base layers, two layer types can be utilized: Ordered Layers and Inline Layers5. Ordered Layers are executed sequentially according to their order in the policy. Inline Layers are embedded in a parent layer and are executed only if the parent rule matches. References: Check Point R81 Firewall Administration Guide, [Check Point R81 Security Management Administration Guide]

Since Bob and Joe both have Administrator Roles on their Gaia Platform and they both are logged in on different interfaces, they will both be able to make changes. Gaia allows multiple administrators to log in simultaneously and perform different tasks without locking the database or logging out each other. References: Gaia R81.20 Administration Guide, page 18.

In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway using the CPLIC command1. This command allows you to install a license from a file or from the User Center1. Therefore, the correct answer is D. True, Central License can be installed with CPLIC command on a Security Gateway. 

 Identity Awareness is the Check Point software blade that provides visibility of users, groups and machines while also providing access control through identity-based policies. Identity Awareness enables administrators to define granular access rules based on user or machine identity, rather than just IP addresses. Identity Awareness also allows administrators to monitor user activity and generate reports based on user or machine identity.

The default tracking option of a rule is Log3. This means that the Security Gateway will generate a log entry for every connection that matches the rule. The log entry will contain information such as source, destination, service, action, and time. Other tracking options include None, Alert, Mail, SNMP Trap, User Alert, and Accounting. References: Check Point R81 Firewall Administration Guide

 In hide NAT, the source IP address is translated. Hide NAT is also known as many-to-one NAT or PAT (Port Address Translation). It maps multiple private IP addresses to one public IP address by using different port numbers. Hide NAT allows outbound connections from the private network to the public network, but not inbound connections from the public network to the private network. In static NAT, the source or destination IP address is translated depending on the direction of the traffic. Static NAT is also known as one-to-one NAT or bi-directional NAT. It maps one private IP address to one public IP address and allows both outbound and inbound connections. In simple NAT, there is no translation of IP addresses. Simple NAT is also known as routing mode or transparent mode. It allows traffic to pass through the NAT device without any modification. There is no hide NAT for destination IP address translation5678 References: What Is Network Address Translation (NAT)?, Network address translation, Network Address Translation Definition, Network Address Translation (NAT)

Automatic Hide NAT rules are created by the administrator when they configure NAT for network objects or groups in the object properties. Automatic Hide NAT rules allow multiple private IP addresses to share a single public IP address when accessing external networks. Source Port Address Translation (PAT) is enabled by default for Automatic Hide NAT rules, which means that the Security Gateway assigns a unique source port number for each connection from the same source IP address. This allows the Security Gateway to keep track of the connections and translate the reply packets correctly. 

The ports to which the Client Authentication daemon listens on by default are 259 and 900. Client Authentication is a method that allows users to authenticate with the Security Gateway before they are allowed access to protected resources. The Client Authentication daemon (fwauthd) runs on the Security Gateway and listens for authentication requests on TCP ports 259 and 900 . References: [Check Point R81 Remote Access VPN Administration Guide], [Check Point R81 Quantum Security Gateway Guide]

Manage and Command Line is not a valid application navigation tab in the R80 SmartConsole, as it does not exist in the interface. The image shows the navigation toolbar of the R80 SmartConsole, which has four tabs: Security Policies, Logs & Monitor, Gateways & Servers, and Manage & Settings1. The Command Line Interface button is located in the system information area, not in the navigation toolbar1.

References: Application Control and URL Filtering - Check Point Software

 Authentication rules are defined for user groups rather than individual users1. To define authentication rules, you must first define users and groups. You can define users with the Check Point user database, or with an external server, such as LDAP1. UserCheck is a feature that enables user interaction with security events2. Individual users and all users in the database are not valid options for defining authentication rules. References: How to Configure Client Authentication, UserCheck

The Publish operation sends the modifications made via SmartConsole in the private session and makes them public is the correct answer. This is because publishing is the process of saving your changes to the database and making them available to other administrators. Publishing also allows you to install policies on Security Gateways. References: [Publishing Changes]

In order for changes made to policy to be enforced by a Security Gateway, an administrator must perform Install Policy3. This action transfers the policy package from the Security Management Server to the Security Gateway and activates it. References: Check Point R81 Security Management Administration Guide

The command to restore a backup of Check Point configurations without the OS information is restore_backup4. This command restores the Gaia OS configuration and the firewall database from a compressed file. The other commands are not valid for this purpose. import backup is not a valid command. cp_merge is a command to merge policies or objects from different databases. migrate import is a command to import a previously exported database using migrate export. References: System Backup and Restore feature in Gaia, [cp_merge], [migrate import]

The correct answer is A because the traffic from source 192.168.1.1 to www.google.com is handled by the Slow Path if the Application Control Blade on the gateway is inspecting the traffic 2. The Slow Path is used when traffic requires inspection by one or more Software Blades2. The other paths are used for different scenarios2. References: Check Point R81 Performance Tuning Administration Guide

The Status Attention means that at least one Software Blade has a minor issue, but the gateway works1. For example, this could indicate a license expiration warning, a policy installation failure, or a blade activation problem2. References: Check Point R81 SmartConsole Guide, Check Point R81 Security Management Administration Guide

Central licensing is the preferred licensing model because it ties the package license to the IP-address of the Security Management Server and has no dependency on the gateway. This allows for easier management and distribution of licenses across multiple gateways1.

References: 1: Check Point R81 Security Management Administration Guide, page 14.

Stateful Inspection is a firewall technology that inspects both the header and the payload of each packet and keeps track of the state and context of each connection. Packet Filtering is a firewall technology that inspects only the header of each packet and does not keep track of the state or context of each connection. A benefit that Stateful Inspection offers over Packet Filtering is that only one rule is required for each connection, whereas Packet Filtering requires two rules for each connection (one for each direction). Stateful Inspection also offers other benefits over Packet Filtering, such as enhanced security, performance, and flexibility. Stateful Inspection does not offer unlimited connections because of virtual memory usage, nor does it avoid using memory to record the protocol used by the connection.References: [Stateful Inspection], [Packet Filtering], [Firewall Technologies]

The three deployment considerations for a secure network are Remote, Standalone, and Distributed3. Remote deployment means that the Security Management Server and Security Gateway are installed on different machines. Standalone deployment means that the Security Management Server and Security Gateway are installed on the same machine. Distributed deployment means that there are multiple Security Gateways managed by one or more Security Management Servers3. Therefore, the correct answer is C. Remote, Standalone, and Distributed.

Service blades must be attached to a Security Gateway. A Security Gateway is a device that enforces security policies on traffic that passes through it. A service blade is a software module that provides a specific security function, such as firewall, VPN, IPS, etc. A Security Gateway can have one or more service blades attached to it, depending on the license and hardware capabilities. The other options are incorrect. A management container is a virtualized environment that hosts a Security Management Server or a Log Server. A management server is a device that manages security policies and distributes them to Security Gateways. A Security Gateway container is not a valid term in Check Point terminology. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 CloudGuard Administration Guide]

The correct syntax for adding a host using GAiA management CLI is mgmt add host name ip-address 2. References: Check Point GAiA R81 Command Line Interface Reference Guide

 It is Best Practice to have an Explicit CleanUp rule at the end of each policy layer. This rule will log and drop any traffic that does not match any of the preceding rules in the layer1, p. 23. References: Check Point CCSA - R81: Practice Test & Explanation

Multiple administrators can connect to a Security Management Server at the same time, and each administrator has their own username and works in a session that is independent of other administrators1. This allows concurrent administration and prevents conflicts between different administrators. The other options are incorrect. Only one administrator can be connected is false. All administrators can modify a network object at the same time is false, as only one administrator can lock and edit an object at a time. Only one has the right to write is false, as all administrators have write permissions unless they are restricted by roles or permissions. References: Security Management Server - Check Point Software

The command show cluster state is used to monitor cluster members in CLI. It displays information such as the cluster mode, the cluster members, their status, their priority, and their interfaces.References: [ClusterXL Administration Guide], [Check Point CLI Reference Card]

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own. In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties34 References: Part 4 - Installing Security Gateway, Deployment Options

To achieve the requirement of giving the Network Operations Center administrator access to Check Point Security devices mostly for troubleshooting purposes, but not to the expert mode, and still allowing her to run tcpdump, you need to:

• Add tcpdump to CLISH using add command. This command adds a new command to the Command Line Interface Shell (CLISH) that allows running tcpdump without entering the expert mode .
• Create a new access role. This option defines a set of permissions and commands that can be assigned to a user or a group of users.
• Add tcpdump to the role. This option grants the permission to run tcpdump to the role.
• Create new user with any UID and assign role to the user. This option creates a new user account with any User ID (UID) and assigns the role that has tcpdump permission to the user.

References: [How to add a new command to CLISH], [Check Point R81 Gaia Administration Guide], [Check Point R81 Identity Awareness Administration Guide]

 Bridge Mode Check Point Security Gateway does not support NAT. Bridge Mode is a deployment option that allows the Security Gateway to inspect traffic without being a routing hop. In Bridge Mode, the Security Gateway does not have an IP address and cannot perform NAT1. Therefore, the correct answer is C. NAT. 

Endpoint Identity Agent and Browser-Based Authentication are the identity sources that provide the highest level of security for sensitive servers, as they require user authentication and can enforce granular access rules based on user identity. AD Query, Terminal Servers Endpoint Identity Agent, and RADIUS and Account Logon are less secure, as they rely on passive methods of identity acquisition or do not support identity-based access control12.

References: Identity Awareness R81.10 Administration Guide, Identity Awareness AD Query

An LDAP server holds one or more Account Units. An Account Unit is a logical representation of an LDAP server in the Check Point database. It defines the connection parameters, authentication methods, and user and group information that are retrieved from the LDAP server. An Account Unit allows the Security Gateway to use the LDAP server for user authentication and identity awareness. The other options are incorrect. A Server Unit is a logical representation of a Check Point server in the Check Point database. An Administrator Unit is a logical representation of an administrator or an administrator group in the Check Point database. An Account Server is not a valid term in Check Point terminology. References: [Check Point R81 Identity Awareness Administration Guide], [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

The statement that is true regarding Gaia command line is that all configuration changes should be made in CLISH and expert-mode should be used for OS-level tasks. CLISH is the default shell of Gaia CLI that provides a limited set of commands for basic configuration and troubleshooting. Expert mode is an advanced shell that allows running Linux commands and accessing the file system. Configuration changes should not be done in expert-mode, as they may cause inconsistencies or errors in the system. The other statements are false regarding Gaia command line. 

The Windows Security Event that will NOT map a username to an IP address in Identity Awareness is Kerberos Ticket Timed Out. This event occurs when a Kerberos ticket expires and is not renewed, which means that the user is no longer active on the network. Identity Awareness does not use this event to map a username to an IP address, as it does not indicate a valid user session. The other events are used by Identity Awareness to map a username to an IP address, as they indicate a successful user authentication or activity on the network.

References: [Kerberos Ticket Expiration and Renewal], [Identity Awareness AD Query]

LDAP (Lightweight Directory Access Protocol) is a protocol that allows accessing and maintaining distributed directory information services over a network. User Directory integration is a feature of Identity Awareness that allows Check Point products to use LDAP servers as identity sources. When configuring LDAP with User Directory integration, changes applied to a User Directory template are reflected immediately for all users who are using that template. A User Directory template defines the settings for connecting to an LDAP server and retrieving user information3. References: Check Point R81 Identity Awareness Administration Guide

The SOLR database is used for full text search and enables powerful matching capabilities3 . SOLR is an open source enterprise search platform that provides fast and scalable indexing and searching of data. It supports advanced features such as faceting, highlighting, spell checking, synonyms, etc. The SOLR database is used by Check Point products such as SmartLog and SmartEvent to store and query logs and events3 . The other options are incorrect. Option B is false, as SOLR does not write data to the database, but only reads data from it. Option C is false, as SOLR does not serve GUI, but only provides a RESTful API for queries. Option D is false, as SOLR does not enable powerful matching capabilities and write data to the database, but only enables powerful matching capabilities. References: SOLR - Check Point Software, [Apache Solr]

Multi-domain management server is a valid deployment option for R81, not R80. R80 supports multi-domain security management, which is a centralized management solution for large-scale, distributed environments with many different domain networks1. References: Multi-Domain Security Management Administration Guide R80

The statement that is TRUE of anti-spoofing is that it is BEST Practice to have anti-spoofing groups in sync with the routing table. Anti-spoofing prevents attackers from sending packets with a false source IP address. Anti-spoofing groups define which IP addresses are expected on each interface of the Security Gateway. If the routing table changes, the anti-spoofing groups should be updated accordingly34. References: Check Point R81 ClusterXL Administration Guide, Network Defined by Routes: Anti-Spoofing

To provide updated malicious data signatures to all Threat Prevention blades, the Threat Prevention gateway does share the data to the ThreatCloud for use by other Threat Prevention blades. The ThreatCloud is a collaborative network and cloud-driven knowledge base that delivers real-time dynamic security intelligence to security gateways. The Threat Prevention gateway can send and receive updates from the ThreatCloud about new threats and malicious data signatures. References: [Check Point R81 Threat Prevention Administration Guide]

The policy type that is used to enforce bandwidth and traffic control rules is QoS. QoS stands for Quality of Service and is a software blade that allows administrators to prioritize network traffic according to various criteria such as source, destination, service, application, user, etc. QoS can also limit the bandwidth consumption of certain traffic types or guarantee a minimum bandwidth for critical applications. References: [Check Point R81 QoS Administration Guide]