Checkpoint 156-315.81 Dumps

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

According to the Check Point website, GAiA Software update packages can be imported and installed offline in situation where the Security Gateway with GAiA does not have access to Internet. This allows you to manually download the packages from another device and transfer them to the Security Gateway using a USB drive or other media. The other situations are either not relevant or not possible. References: Offline Software Updates

One of the major features in R81 SmartConsole is concurrent administration. This feature allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent administration improves the efficiency and productivity of security management operations1.

However, not all of the options given are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. The correct answer is B. AdminA and AdminB are editing the same rule at the same time. This is not possible because concurrent administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Therefore, the other options are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. Option A is possible because a lock icon shows that a rule or an object is locked and will be available when the administrator who locked it finishes working on it or logs out of SmartConsole12. Option C is possible because a lock icon next to a rule informs that any administrator is working on this particular rule, and hovering over the lock icon will show the name of that administrator12. Option D is possible because AdminA, AdminB and AdminC are editing three different rules at the same time, which does not create any conflicts or blockages12.

 UserCheck is a communication tool used to inform a user about a website or application they are trying to access. UserCheck allows administrators to interact with users in real time, informing them of the security policy and the actions they need to take. UserCheck can also enable users to self-remediate incidents or request exceptions from the administrator. References: Training & Certification | Check Point Software, Check Point Resource Library

 To ensure that VMAC mode is enabled, the CLI command that should be run on all cluster members is fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1. VMAC mode is a feature that allows ClusterXL to use virtual MAC addresses for cluster interfaces, instead of physical MAC addresses. This improves the failover performance and compatibility of ClusterXL with switches and routers. To check if VMAC mode is enabled, the command fw ctl get int fwha_vmac_global_param_enabled can be used, which returns 1 if VMAC mode is enabled, and 0 if VMAC mode is disabled. 

 The Logs and Monitor tab is used to monitor network and security performance in SmartConsole. The Logs and Monitor tab lets you view and analyze logs, events, reports, and alerts from various sources, such as Security Gateways, Security Management Servers, Endpoint Security Servers, and SmartEvent Servers. You can also use the Logs and Monitor tab to create custom views, filters, queries, and charts to display the data that is relevant to your needs12.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 23 2: Check Point R81 SmartConsole User Guide - Check Point Software, page 9

 According to the Check Point R81 release notes, you can access the ThreatCloud Repository from R81.20 SmartConsole and Threat Prevention. The ThreatCloud Repository is a cloud-based service that provides real-time threat intelligence and updates to Check Point products. The other options are either outdated or nonexistent. References: Check Point R81

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work.

This is because SmartConsole has a feature called Concurrent Administration, which allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent Administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Concurrent Administration also has a feature called Session Persistence, which preserves the changes made by an administrator in case of a network failure or a SmartConsole crash. When an administrator reconnects to the Management Server after a network failure or a SmartConsole crash, they can resume their work from where they left off, without losing any changes. The changes are stored locally on the administrator’s machine until they are published to the Management Server13.

Therefore, if Tom has connected to the R81 Management Server remotely using SmartConsole and is in the process of making some Rule Base changes, when he suddenly loses connectivity, his changes will not be lost. They will be stored locally on his machine and he can resume his work when he reconnects to the Management Server.

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. The option that can be added to each Log, Detailed Log and Extended Log is Accounting/Suppression. Accounting/Suppression is a feature that allows administrators to control how often logs are generated for certain rules or connections. Accounting means that logs are generated periodically based on a specified interval or volume. Suppression means that logs are generated only for the first and last packet of a connection or session. Accounting/Suppression can be added to any tracking option to reduce the number of logs and save disk space.

The path to monitor the compliance status of the Check Point R81.20 based management is Logs & Monitor > New Tab > Open compliance View. Compliance View is a feature that allows administrators to monitor and assess the compliance level of their Check Point products and security policies based on best practices and industry standards. Compliance View provides a dashboard that shows the overall compliance status, compliance score, compliance trends, compliance issues, compliance reports, and compliance blades for different security aspects, such as data protection, threat prevention, identity awareness, etc. To access Compliance View in R81.20 SmartConsole, administrators need to go to Logs & Monitor > New Tab > Open compliance View. The other options are either incorrect or not available in R81.20.

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red exclamation mark indicates that one or more blades on the gateway have an issue that needs attention. The issue could be related to configuration, license, policy, or other factors. Deyra can hover over the icon to see more details about the problem. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

 For best practices, the recommended time for automatic unlocking of locked admin accounts is 30 minutes at least. Admin accounts can be locked due to failed login attempts, password expiration, or manual locking by another admin. To prevent unauthorized access or brute force attacks, locked admin accounts should not be unlocked automatically too soon. The recommended minimum time for automatic unlocking is 30 minutes, which can be configured from the SmartConsole under Manage > Permissions and Administrators > Advanced > Unlock locked administrators after. 

 To enable MTA (Mail Transfer Agent) functionality in the Security Gateway, the Threat Prevention Software Blade Package is required. The Threat Prevention Software Blade Package includes the Anti-Virus, Anti-Bot, and Threat Emulation blades, which can scan and hold external email with potentially malicious attachments. The MTA functionality allows the Security Gateway to act as an SMTP relay between the mail server and the Internet, and apply Threat Prevention policies to the email traffic. The other options are either not related or not sufficient to enable MTA functionality. R

Gateway API is NOT an example of a Check Point API. Check Point API is a general term that refers to various application programming interfaces (APIs) that allow external applications to interact with Check Point products and services using standard methods such as HTTP(S) requests and JSON objects. There are several types of Check Point APIs, such as Management API, Threat Prevention API, OPSEC SDK, etc. Management API is an API that allows external applications to configure, manage, and monitor Check Point management server using web services. Threat Prevention API is an API that allows external applications to send files or URLs to Check Point Threat Prevention products for scanning and analysis using web services. OPSEC SDK is an API that allows external applications to integrate with Check Point OPSEC products using C/C++ libraries and protocols. Gateway API is not a valid or existing type of Check Point API.

The methods of SandBlast Threat Emulation deployment are Cloud, Appliance, and Private. SandBlast Threat Emulation is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior for malicious indicators. SandBlast Threat Emulation can be deployed in three different methods: Cloud, Appliance, and Private. Cloud method is when the files are sent to the Check Point cloud service for emulation and analysis. This method does not require any additional hardware or software on the customer’s side, and provides the fastest updates and feeds from ThreatCloud. Appliance method is when the files are sent to a dedicated appliance on the customer’s network for emulation and analysis. This method provides more control and privacy for the customer, and supports more file types and sizes. Private method is when the files are sent to a private cloud service on the customer’s network for emulation and analysis. This method provides the highest level of control and privacy for the customer, and supports customizing the emulation environment and scenarios.

The default commands that appear when right-clicking the IP address, source or destination, in an event in SmartEvent are ping, whois, nslookup, and Telnet. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent has a feature that allows administrators to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands that can be executed on the IP address of the active cell. The default commands are ping, whois, nslookup, and Telnet. Ping is a command that tests the connectivity and latency between two hosts by sending packets and measuring the response time. Whois is a command that queries a database for information about the owner and registrar of a domain name or an IP address. Nslookup is a command that queries a DNS server for information about a domain name or an IP address, such as its IP address, name server, mail server, etc. Telnet is a command that establishes a remote connection to another host using the Telnet protocol. 

According to the Check Point website, INSPECT Engine is the technology that extracts detailed information from packets and stores that information in state tables. INSPECT Engine is the core of Check Point’s Stateful Inspection technology, which enables Security Gateways to inspect traffic at multiple layers and enforce security policies. The other technologies are either not related or not specific enough. References: INSPECT Engine

 To set the IP address and default gateway of the Management interface on a Check Point appliance, you can use the following commands:

• set interface Mgmt ipv4-address 192.168.80.200 mask-length 24 - This command sets the IPv4 address of the Management interface to 192.168.80.200 and the subnet mask to 255.255.255.0 (24 bits).
• set static-route default nexthop gateway address 192.168.80.1 on - This command sets the default gateway to 192.168.80.1 and enables the static route.
• save config - This command saves the configuration changes to the appliance.

These commands are documented in the Check Point appliance initial installation guide, which you can find in the web search results.

The other options are incorrect because they use invalid syntax or parameters for the commands. For example, option B uses add static-route instead of set static-route, option C uses 0.0.0.0. instead of 0.0.0.0, and option D uses add static-route default instead of set static-route default.

The kind of information that you would expect to see using the sim affinity command is network interfaces and core distribution used for CoreXL. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The sim affinity command can show which network interfaces and SecureXL instances are bound to which CPU cores, and allow administrators to change the affinity settings.

 Identity Awareness AD-Query is using the Microsoft WMI API to learn users from AD. WMI stands for Windows Management Instrumentation, and it is an API that allows remote management and monitoring of Windows systems. Identity Awareness AD-Query is a feature that enables the Security Gateway to query Active Directory servers for user and computer information, such as login events, group membership, and IP addresses. By using the WMI API, Identity Awareness AD-Query can receive real-time notifications from Active Directory servers without installing any agents or scripts on them. 

The cloud-based SandBlast Mobile application that is used to register new devices and users is Check Point Gateway. Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

The way SSL VPN and IPSec VPN are different is that IPSec VPN uses an additional virtual adapter; SSL VPN uses the client network adapter only. SSL VPN and IPSec VPN are two types of VPN technologies that provide secure remote access to network resources over the internet. SSL VPN uses SSL/TLS protocol to establish an encrypted tunnel between the client and the server, and does not require any additional software or hardware on the client side. IPSec VPN uses IPSec protocol to establish an encrypted tunnel between the client and the server, and requires a dedicated virtual adapter on the client side to handle the IPSec traffic. The other options are either incorrect or not relevant to SSL VPN and IPSec VPN.

 Log Consolidator is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

 When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions: CIFS packets. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, some packets cannot be accelerated by SecureXL due to various reasons, such as unsupported features, security policy settings, or protocol limitations. One example of packets that cannot be accelerated by SecureXL are CIFS packets, which are used for file sharing and access over SMB protocol. CIFS packets are not accelerated by SecureXL because they require stateful inspection by the Firewall kernel. 

 Application Control is the software blade that provides Application Security and identity control. It allows administrators to define granular policies based on users or groups to identify, block or limit the usage of web applications and widgets. Application Control also integrates with Identity Awareness to provide user-level visibility and control. References: Training & Certification | Check Point Software, Check Point Resource Library

 The order of NAT priorities is determined by the type of NAT rule that is applied to the traffic. There are three types of NAT rules in Check Point: static NAT, IP pool NAT, and hide NAT12.

• Static NAT: This type of NAT rule maps a single IP address to another single IP address. It is usually used to allow external hosts to access internal servers or devices. Static NAT has the highest priority among the NAT rules, and it is applied before the security policy is enforced12.
• IP pool NAT: This type of NAT rule maps a range of IP addresses to another range of IP addresses. It is usually used to balance the load among multiple servers or devices. IP pool NAT has the second highest priority among the NAT rules, and it is applied after the security policy is enforced12.
• Hide NAT: This type of NAT rule hides a group of IP addresses behind a single IP address or an interface. It is usually used to allow internal hosts to access external resources. Hide NAT has the lowest priority among the NAT rules, and it is applied after the security policy is enforced12.

Therefore, the order of NAT priorities is: static NAT, IP pool NAT, hide NAT.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 209 2: Check Point R81 Security Engineering Guide - Check Point Software, page 163

 SmartEvent automatically defines events based on IPS (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent. 

 The number of cores that can be used in a Cluster for Firewall-kernel on the new device with 4 cores is 4. Cluster is a feature that allows two or more Security Gateways to provide high availability and load balancing for network traffic. Firewall-kernel is a component of the Security Gateway that performs packet inspection according to security policies. The number of cores that can be used for Firewall-kernel in a Cluster depends on the number of cores available on each device in the Cluster. The Cluster will use the lowest common denominator of cores among all devices in the Cluster for Firewall-kernel. Therefore, if one device has 2 cores and another device has 4 cores, the Cluster will use 2 cores for Firewall-kernel on each device. However, if both devices have 4 cores, the Cluster will use 4 cores for Firewall-kernel on each device.

According to the Check Point website, you can use the pre_upgrade_verifier tool to verify if your management server is ready to upgrade to R81.20. This tool checks the compatibility of your current configuration and database with the target version, and provides a detailed report of any issues or warnings. The other tools are either used for exporting or importing databases, or not valid tools. References: Upgrade Verification Service

 One of the requirements for Joey’s success in upgrading from R75.40 to R81 version of Security management using Advanced Upgrade with Database Migration method is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. Advanced Upgrade with Database Migration method is a procedure that allows administrators to upgrade their Security Management Server to a newer version by migrating their database from an older version to a new machine with a fresh installation of the newer version. One of the steps in this procedure is to copy the /var/log folder from the source machine to the target machine, which contains important log files and configuration files. To ensure that there is enough disk space on the target machine for this operation, it is required that the size of the /var/log folder on the target machine must be at least 25% of the size of the /var/log folder on the source machine. 

With SecureXL enabled, accelerated packets will pass through the following: Network Interface Card and the Acceleration Device. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. Accelerated packets are packets that match certain criteria and can be handled by SecureXL without involving the Firewall kernel. These packets bypass the OSI Network Layer, OS IP Stack, and Check Point Firewall Kernel, and are processed directly by the Network Interface Card and the Acceleration Device. The other options are either incorrect or describe non-accelerated packets. 

Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user’s Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

References:

• 1, Training & Certification | Check Point Software, section “Security Expert R81.20 (CCSE) Core Training”
• 2, Certified Security Expert (CCSE) R81.20 Course Overview, page 1
• 3, Check Point Certified Security Expert R81, page 5
• 5, Identity Awareness Administration Guide R81, section “How Identity Awareness Collects Identities”

Ken can use either of the two commands lock database override or unlock database to obtain a configuration lock from another administrator on R81 Security Management Server via CLI. These commands allow him to override the existing lock and gain exclusive access to the database. He can also use the WebUI to perform the same action. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address. Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

ThreatCloud is a collaboration platform for all the Check Point customers to share information about malicious and benign files that all of the customers can benefit from as it makes emulation of known files unnecessary. ThreatCloud is a cloud-based service that collects and analyzes threat intelligence from multiple sources, such as Check Point products, third-party vendors, open sources, and customers. ThreatCloud provides real-time updates and feeds to Check Point products, such as SandBlast, which is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment. By integrating with ThreatCloud, a Threat Emulation appliance can benefit from the shared information about malicious and benign files, and avoid emulating files that are already known to be safe or harmful. This can improve the performance and efficiency of the Threat Emulation appliance. The other options are either incorrect or not relevant to ThreatCloud or Threat Emulation. 

The file that gives you a list of all security servers in use, including port number, is $FWDIR/conf/fwauthd.conf. Security servers are processes that handle application-level protocols such as HTTP, FTP, SMTP, etc., and perform security checks on them. Fwauthd.conf is a configuration file that defines which security servers are enabled, which ports they listen on, and which inspection points they are attached to. 

According to the Check Point R81 release notes, acceleration is not supported for connections that require a Security server, such as HTTPS Inspection, Content Awareness, or Anti-Virus. The Security server performs deep inspection and modification of the traffic, which prevents acceleration. The other options are either false or not the most likely reason. References: Check Point R81

The essential means by which state synchronization works to provide failover in the event an active member goes down, ccp is used specifically for clustered environments to allow gateways to report their own state and learn about the states of other members in the cluster. Ccp stands for Cluster Control Protocol, and it is a proprietary protocol that runs on UDP port 8116. Ccp is responsible for exchanging state information, health checks, load balancing decisions, and synchronization network configuration between cluster members. The other options are either commands or daemons that are related to cluster operations, but not the protocol itself. 

 The TCP/IP model is a four-layer model that describes how data is transmitted over a network. The four layers are: Application, Transport, Internet, and Network Access. The Application layer provides services and protocols for applications to communicate with each other. The Transport layer provides reliable or unreliable data delivery between hosts. The Internet layer provides routing and addressing of packets across networks. The Network Access layer provides physical and logical access to the network media. References: Training & Certification | Check Point Software, Check Point Resource Library

 According to the Check Point website, SmartEvent Maps is a feature that was supported in previous versions of SmartEvent, but is not supported in R81. SmartEvent Maps displayed a graphical representation of security events on a world map. The other options are either supported or not valid features in R81. References: SmartEvent Maps

 The first thing that must be done if “fwm sic_reset” could not be completed is to change internal CA via cpconfig. Fwm sic_reset is a command that allows administrators to reset Secure Internal Communication (SIC) between Security Management Server and Security Gateways or other Check Point modules. SIC is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). If fwm sic_reset fails, it means that there is a problem with the ICA or the certificates that prevents SIC from being reset. To resolve this problem, administrators need to change internal CA via cpconfig, which is a command that allows administrators to configure various settings on Security Gateways or Management Servers, including the ICA. Changing internal CA via cpconfig will create a new ICA with a new certificate, and allow SIC to be reset with the new certificate.

The option that is NOT an option to calculate the traffic direction is Outgoing. Traffic direction is a parameter that determines how traffic is classified as internal or external based on its source and destination. Traffic direction can be calculated using three options: Incoming, Internal, or External. Incoming means that traffic is classified as internal if its destination is one of the Security Gateway’s interfaces, and external otherwise. Internal means that traffic is classified as internal if its source or destination belongs to one of the internal networks defined in the topology, and external otherwise. External means that traffic is classified as internal if both its source and destination belong to one of the internal networks defined in the topology, and external otherwise. Outgoing is not a valid option to calculate traffic direction. 

 According to the Check Point website, Vanessa needs to fill in the following details in the System Restore window before she can click OK button and test the backup: Server, Protocol, Username, Password, Path, Comment, All Members. These details specify the source and destination of the backup file, as well as the scope of the restore operation. The other options are either missing or incorrect details. References: System Restore

The command that would show the API server status is api status. API stands for Application Programming Interface, and it is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. API status is a command that shows the current status of the API server, such as whether it is enabled or disabled, running or stopped, listening on which port, using which certificate, etc. The other commands are either invalid or perform different functions. 

The “fw monitor” tool can be best used to troubleshoot network traffic issues. Fw monitor is a tool that allows administrators to capture packets at different inspection points in the Firewall kernel, and apply filters and flags to analyze the traffic. Fw monitor can help troubleshoot network connectivity problems, packet drops, NAT issues, VPN issues, and more. The other options are either not related or less suitable for fw monitor.

In R81.20, dbedit scripts are being replaced by the mgmt_cli utility for managing and configuring security policies and objects. Here's an explanation of each option:

A. dbedit is not supported in R81.20: This is not entirely accurate. While dbedit is still available and functional in R81.20, it is being phased out in favor of mgmt_cli for policy and object management.

B. dbedit is fully supported in R81.20: This statement is not accurate because although dbedit can still be used, it is not the primary recommended tool for policy management in R81.20.

C. You can use dbedit to modify threat prevention or access policies, but not create or modify layers: This statement is partially true, but it does not provide the complete picture. You can use dbedit for some policy-related tasks, but it's not the primary tool for policy management in R81.20.

D. dbedit scripts are being replaced by mgmt_cli in R81.20: This is the correct and recommended approach. mgmt_cli is the primary tool for managing security policies and objects in R81.20, and it is gradually replacing dbedit for these tasks.

Therefore, option D is the most accurate and recommended answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Check Point Capsule is a suite of solutions designed to provide comprehensive mobile security and secure access. The components of Check Point Capsule include:

Capsule Docs (Option A): A component that secures document sharing and protects sensitive data.

Capsule Cloud (Option B): A component that provides cloud-based security services.

Capsule Workspace (Option D): A component that provides secure workspace on mobile devices.

Option C, "Capsule Enterprise," is not a recognized component of Check Point Capsule based on the available information. Therefore, it is the correct answer as the component that is NOT part of Check Point Capsule.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

Firewall Management (fwm) is available on any management product, including Multi-Domain and on products that requite direct GUI access, such as SmartEvent, It provides the following:

– GUI Client communication

– Database manipulation

– Policy Compilation

– Management HA sync

To determine the cause of a cluster gateway showing "Down" despite running "clusterXL_admin up" on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

References: Check Point documentation or training materials related to High Availability and ClusterXL.

The Correlation Unit in Check Point Security Management performs several actions, but it does not assign a severity level to the event. The Correlation Unit is responsible for identifying patterns in logs, marking logs that are part of larger patterns, generating events based on the Event policy, and adding new log entries to ongoing events. However, assigning a severity level to an event is typically done through the Event policy configuration, not by the Correlation Unit.

References: Check Point Certified Security Expert R81 Study Guide

The Sticky Decision Function in ClusterXL is primarily used in Load Sharing implementations. In Load Sharing, the pivot member is responsible for determining the destination of new connections and ensures that traffic from the same source IP address is directed to the same cluster member. This ensures session stickiness for the same source IP, improving load sharing efficiency.

References: Check Point Certified Security Expert R81 documentation and learning resources.

 SecureXL is a technology that accelerates the performance of the Check Point Security Gateway by offloading CPU-intensive operations from the Firewall kernel to the SecureXL device. SecureXL can handle various types of traffic, such as TCP, UDP, ICMP, non-IP, VPN, NAT, etc. SecureXL can also work with various features, such as CoreXL, ClusterXL, QoS, etc.

One way to indicate that SecureXL is enabled is to use the fwaccel commands in clish. Clish is a command-line shell that provides a user-friendly interface for configuring and managing Check Point products. The fwaccel commands are used to control and monitor SecureXL operations, such as enabling or disabling SecureXL, viewing SecureXL statistics, managing SecureXL templates, etc. For example, the command fwaccel stat shows the status of SecureXL, such as whether it is on or off, how many packets are accelerated or not accelerated, etc.

The other options are not valid indicators of SecureXL being enabled:

• A. Dynamic objects are available in the Object Explorer: Dynamic objects are objects that represent IP addresses that change over time, such as VPN clients, DHCP clients, etc. Dynamic objects are available in the Object Explorer regardless of whether SecureXL is enabled or not.
• B. SecureXL can be disabled in cpconfig: Cpconfig is a command-line tool that allows you to configure various settings of Check Point products, such as administrator password, GUI clients, SNMP extension, etc. SecureXL can be disabled in cpconfig only if it was enabled before. Therefore, this option does not indicate that SecureXL is enabled.
• D. Only one packet in a stream is seen in a fw monitor packet capture: Fw monitor is a command-line tool that allows you to capture and analyze network traffic passing through the Security Gateway. Fw monitor shows the traffic at different inspection points in the Firewall kernel. If SecureXL is enabled, some packets may be accelerated by SecureXL and bypass the Firewall kernel inspection. Therefore, fw monitor may not see all packets in a stream. However, this does not mean that only one packet in a stream will be seen by fw monitor. Some packets may still go through the Firewall kernel inspection and be seen by fw monitor. Therefore, this option does not indicate that SecureXL is enabled.

Therefore, the correct answer is C.

References: How to enable/disable Check Point SecureXL via CLI, Part 3 - SecureXL, What is SecureXL?, Clish - Command Line Interface Shell, sk30583: What is FW Monitor?

The FWD daemon uses TCP port 256 to do a Full Synchronization between gateway cluster members. This port is also used for other synchronization types, such as Delta Synchronization and Accelerated Synchronization. The FWD daemon is responsible for synchronizing the connections table, NAT table, and VPN keys between cluster members. References: ClusterXL Administration Guide, SK25977 - Ports Used by Check Point Software

The secure application for Mail/Calendar for mobile devices in Check Point is called "Capsule Workspace." Capsule Workspace provides secure access to email and calendar data on mobile devices while maintaining security policies and controls.

References: Check Point Certified Security Expert R81 documentation and learning resources.

ClusterXL supports Dynamic Routing for both Unicast and Multicast traffic. Dynamic Routing protocols, such as OSPF, BGP, or PIM, can be configured on cluster members to exchange routing information with other routers. ClusterXL supports two modes of operation for Dynamic Routing: New Mode and Legacy Mode. References: ClusterXL Administration Guide, SK98226 - ClusterXL New Mode Overview

The Correlation Unit in SmartEvent architecture has the function of analyzing each log entry as it arrives at the log server according to the Event Policy. When it identifies a threat pattern, it forwards an event to the SmartEvent Server. This is an essential function in threat detection and analysis, as it helps in identifying and alerting about security threats based on the configured policies.

Option A correctly describes the function of the Correlation Unit, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

To enable VMAC mode on a cluster member, you need to set the value of the global kernel parameter fwha_vmac_global_param_enabled to 1. This can be done on-the-fly using the command fw ctl set int fwha_vmac_global_param_enabled 1 on all cluster members. This command does not require a reboot or a policy installation. VMAC mode allows the cluster to use a virtual MAC address for its virtual IP addresses, which reduces the number of gratuitous ARP packets sent upon failover and avoids ARP cache issues on some routers and switches. References: How to enable ClusterXL Virtual MAC (VMAC) mode

The correct command to store the GAIA configuration in a file is save configuration 1. This will create a file with the current system level configuration in the home directory of the current user1. The other commands are incorrect because they either do not exist or do not save the configuration to a file. References: 1: Backing up Gaia system level &solutionid=sk102234)

Multiple administrators can connect to a Security Management Server at the same time. Each administrator has their own username and works in a session that is independent of other administrators. This allows for collaboration and simultaneous management tasks by different administrators.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Capsule Connect and Capsule Workspace are both components of Check Point's remote access solution, but they serve different purposes and have distinct features:

A. Capsule Connect provides a Layer 3 VPN, which allows remote users to connect securely to their corporate network. It typically provides network-level access, allowing users to access resources on the corporate network. On the other hand, Capsule Workspace provides a secure workspace environment, including a virtual desktop with usable applications. It is more focused on providing application-level access to users in a secure manner.

B. This statement is partially true. Capsule Workspace is designed to provide secure access to a wide range of applications and resources, not limited to specific applications.

C. Capsule Connect does provide business data isolation by creating a secure VPN tunnel for remote users, ensuring that their network traffic is isolated from the public internet.

D. Capsule Connect usually requires an installed application or VPN client on the client device to establish a secure connection to the corporate network. This statement is not entirely accurate because an installed application or client is typically required.

Therefore, option A is the correct answer as it accurately distinguishes between Capsule Connect and Capsule Workspace based on their primary functionalities.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The correct command to verify the CPUSE (Check Point Update Service Engine) version is:

Option B is incorrect because it uses the "[Expert@HostName:0]#" prompt, which is typically used for expert mode commands, but the CPUSE version can be checked using the "show installer status build" command in standard mode.

Option C is incorrect because it uses the "[Expert@HostName:0]#" prompt, and while it includes the "build" parameter, it's not the standard command to check the CPUSE version.

Option D is incorrect because it uses the "HostName:0>" prompt, but it lacks the "show" command and uses "build" instead of "status build."

References: Check Point Certified Security Expert R81 documentation

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

CPM stands for Check Point Management, which is a process that runs on the Security Management server and controls the management operations, such as policy installation, object creation, configuration backup, etc. CPM also controls other processes that are related to the management functions, such as:

• web_services: This process is responsible for providing web services for the communication between SmartConsole and the Security Management server. It handles requests from SmartConsole clients and forwards them to CPM or other processes.
• dle_server: This process is responsible for managing the log files and indexes. It handles queries from SmartLog and SmartEvent and provides log data to CPM or other processes.
• object_Store: This process is responsible for storing and retrieving objects from the database. It handles requests from CPM or other processes and provides object data.

Therefore, the correct answer is D.

The other options are incorrect because:

• A. Object-Store, Database changes, CPM Process and web-services: This option includes some processes that are controlled by CPM, such as Object-Store, CPM Process, and web-services, but it also includes Database changes, which is not a process but an action performed by CPM or other processes.
• B. web-services, CPMI process, DLEserver, CPM process: This option includes some processes that are controlled by CPM, such as web-services, DLEserver, and CPM process, but it also includes CPMI process, which is not a process but a protocol used by CPM or other processes to communicate with each other.
• C. DLEServer, Object-Store, CP Process and database changes: This option includes some processes that are controlled by CPM, such as DLEServer and Object-Store, but it also includes CP Process and database changes, which are not processes but a generic term for any Check Point process and an action performed by CPM or other processes respectively.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

Implicit MEP (Multicast Ethernet Point) options refer to the way multicast traffic is handled within a network. In this case, the question is asking about an implicit MEP option, and the correct answer is:

A. Primary-backup: This is an implicit MEP option where one switch (primary) forwards multicast traffic while the other switch (backup) does not forward the traffic. It is used to ensure redundancy in case the primary switch fails.

B. Source address-based, C. Round-robin, and D. Load Sharing are not implicit MEP options; they are different methods of handling multicast traffic and do not describe the concept of primary-backup.

Therefore, option A is the correct answer as it represents an implicit MEP option.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

NAT (Network Address Translation) is one item that will not be configured on the R81 Security Management Server when setting up an externally managed log server. NAT is a technique that allows devices with private IP addresses to communicate with devices with public IP addresses by translating the private addresses to public ones. NAT is not relevant for configuring an externally managed log server, which requires only the IP address, SIC (Secure Internal Communication), and FQDN (Fully Qualified Domain Name) of the log server. References: Check Point Security Expert R81 Course, Logging and Monitoring Administration Guide

When Dynamic Dispatcher is enabled, it dynamically assigns connections, but there are exceptions. The exception mentioned in the question is:

VoIP (Option D): VoIP connections are an exception when Dynamic Dispatcher is enabled. They are not assigned dynamically but follow a different rule set to ensure quality and reliability for VoIP traffic.

The other options, Threat Emulation (Option A), HTTPS (Option B), and QoS (Option C), are dynamically assigned when Dynamic Dispatcher is enabled.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

To deploy a TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway, you can utilize Check Point Cloud Services. In this scenario, you can leverage cloud-based email security services provided by Check Point without the need for an on-premises Security Gateway.

Option C correctly states that you can use only Check Point Cloud Services for this scenario, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 User-mode processes are processes that run in the user space of the operating system, as opposed to kernel-mode processes that run in the kernel space. User-mode processes are usually less privileged and have less access to system resources than kernel-mode processes. Check Point products use both user-mode and kernel-mode processes to provide various functionalities and services.

The following are some of the user-mode processes that can be seen on the management server and gateway:

• fwd: This process is responsible for policy installation, logging, and communication with other Check Point components. It runs on both the management server and gateway.
• cpd: This process is responsible for licensing, certificate management, and communication with SmartConsole. It runs on both the management server and gateway.
• cpwd: This process is responsible for monitoring and restarting other processes. It runs on both the management server and gateway.

The following is a user-mode process that can only be seen on the management server:

• fwm: This process is responsible for managing the security policy database, compiling the security policy, and generating reports. It runs only on the management server.

Therefore, the correct answer is B.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

• A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.
• B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.
• D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

References: ClusterXL R81.20 Administration Guide, ClusterXL Administration Guide R80.40, sk25977 - Ports used by Check Point software

 Security Checkup Summary can be easily conducted within Views. Views is a feature in SmartConsole that allows you to create customized dashboards and reports based on various security data sources, such as logs, events, audit trails, and more. You can use Views to perform a Security Checkup Summary, which is a comprehensive analysis of your network security posture and potential risks. You can use predefined templates or create your own views to generate the summary. References: Check Point Security Expert R81 Course, Views Administration Guide

 The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. It runs on the Log Server machine or on a dedicated machine1. To check the status of the SmartEvent Correlation Unit, you can use the command cpstat cpsead on the machine where it is installed. This command will show you information such as the number of logs processed, the number of events generated, the CPU and memory usage, and the status of the connection to the SmartEvent Server23.

References: SmartEvent Administration Guide R76, SmartEvent Administration Guide R75, SmartEvent Performance Tuning Guide

 For ClusterXL to work properly, one of the mandatory requirements is that the Magic MAC number must be unique per cluster node. The Magic MAC number is a MAC address that is used by ClusterXL to hide the physical MAC addresses of the cluster members from the network. This way, the cluster can present a single virtual MAC address to the network, and avoid ARP issues when a failover occurs. The Magic MAC number is derived from the Cluster Virtual IP address, which must also be unique per cluster. 

The Check Point daemon that monitors the other daemons is cpwd (Check Point Watchdog). It is responsible for monitoring the health and status of various Check Point daemons and processes running on the Security Gateway. If any daemon or process stops responding or encounters an issue, cpwd can restart it to ensure the continued operation of the Security Gateway.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Dynamic Dispatch is a feature that enhances CoreXL performance by dynamically assigning new connections to CoreXL FW instances based on their CPU utilization1. To enable Dynamic Dispatch on Security Gateway without enabling Firewall Priority Queues (FPQ), you need to run the command fw ctl multik set_mode 4 in Expert mode and reboot2. This command will set the CoreXL mode to Dynamic Dispatcher without FPQ. The other options are not correct because:

• A. fw ctl Dyn_Dispatch on: This command does not exist and will return an error message.
• B. fw ctl Dyn_Dispatch enable: This command does not exist and will return an error message.
• D. fw ctl multik set_mode 1: This command will set the CoreXL mode to Static Dispatcher without FPQ, which is the default mode2. This mode will use a static hash function to assign new connections to CoreXL FW instances based on their IP addresses and protocol.

References: CoreXL Dynamic Dispatcher, To fully enable Dynamic Dispatcher on a Security Gateway, Running Dynamic Dispatch / Dynamic Split / Dynamic Balancing on VSEC/IaaS in Vmware, Dynamic Balancing for CoreXL

 The Threat Prevention profile in Check Point R81.20 SmartConsole application allows you to enforce the following software blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. These software blades provide comprehensive protection against various types of threats, such as network attacks, malware, ransomware, phishing, and zero-day exploits. You can configure the profile settings for each software blade, such as the action to take, the protection scope, and the exceptions. References: Check Point Security Expert R81 Course, Threat Prevention Administration Guide

 The fwaccel stat command on the gateway shows the status of SecureXL acceleration, including the number of accelerated and non-accelerated connections, and the reason for non-acceleration. The reason for non-acceleration can be either a rule that disables templating, or a feature that is not supported by SecureXL. To determine which rule disables templating, the administrator can use the -s option to show the rule numbers and names. For example:

 The cpinfo command is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The cpinfo output can be used for troubleshooting or sent to Check Point support for analysis. The -x parameter is used to get information about the specified Virtual System on a VSX gateway. A Virtual System is a virtualized firewall instance that runs on a VSX gateway and has its own security policy and objects. References: Check Point Security Expert R81 Course, cpinfo Utility, VSX Administration Guide

Check Point's SecureXL technology, which is responsible for acceleration, has certain limitations and conditions under which acceleration may not occur. In this context, the question is asking about factors that will NOT affect acceleration.

Option B, "A 5-tuple match," will not affect acceleration. A 5-tuple match refers to the matching of source IP, source port, destination IP, destination port, and protocol. SecureXL can accelerate traffic that matches these criteria, but it's not a factor that hinders acceleration.

Options A, C, and D can all affect acceleration:

Option A mentions "Connections destined to or originated from the Security gateway," which implies that SecureXL acceleration can apply to these connections.

Option C mentions "Multicast packets," and SecureXL may have limitations in handling multicast traffic efficiently.

Option D mentions "Connections that have a Handler (ICMP, FTP, H.323, etc.)," and certain protocols (such as FTP) may require special handling and might not be fully accelerated by SecureXL.

References: Check Point Certified Security Expert R81 Study Guide

To use SmartConsole R81 for managing SmartEvent R81, you need to have the following ports open:

• Port 19009 for communication over HTTPS (443)
• Port 19009 for communication over HTTP (80)

These ports are necessary for the SmartConsole to communicate with SmartEvent for management and monitoring purposes.

References: Check Point Certified Security Expert R81 documentation and learning resources.

The command used to display status information for various components is show sysenv all. This command provides comprehensive status information about the system's environment and various components, including hardware and software components. It can be useful for troubleshooting and monitoring the system's health.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.:

 A best practice before starting to troubleshoot using the fw monitor tool is to disable SecureXL. SecureXL is a performance acceleration solution that optimizes the packet flow through the Security Gateway. However, SecureXL can also bypass some inspection points and cause some packets to be invisible to fw monitor. Therefore, disabling SecureXL can ensure that fw monitor captures all the relevant packets for troubleshooting purposes. References: Check Point Security Expert R81 Course, fw monitor, SecureXL

In SmartEvent, the administrator can configure different types of automatic reactions, which include:

• Mail notifications
• Blocking the source of the event
• Blocking the event activity
• Running an external script
• Sending an SNMP trap

So, the correct answer is "Mail, Block Source, Block Event Activity, External Script, SNMP Trap."

References: Check Point documentation or training materials related to SmartEvent configuration and automatic reactions.

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

The main difference between SSL VPN (Secure Sockets Layer Virtual Private Network) and IPSec VPN (Internet Protocol Security Virtual Private Network) is in the way they operate:

SSL VPN typically does not require the installation of a resident VPN client. It often relies on a web browser to establish the VPN connection, making it more convenient for remote users who may not want to install dedicated VPN software.

IPSec VPN, on the other hand, often requires the installation of a resident VPN client on the user's device to establish the VPN connection. This client software is necessary for configuring and managing the VPN connection.

Option C, stating that SSL VPN and IPSec VPN are the same, is incorrect because they have distinct characteristics as described above.

Option A is incorrect because it inaccurately suggests that IPSec VPN does not require a resident VPN client, which is not true in most cases.

Option B is incorrect because it wrongly claims that SSL VPN requires the installation of a resident VPN client.

References: Check Point Certified Security Expert R81 Study Guide

 The port used for SmartConsole to connect to the Security Management Server is CPMI port 18191/TCP. CPMI stands for Check Point Management Interface, which is a proprietary protocol that enables secure communication between the SmartConsole and the Security Management Server. CPMI uses SSL encryption and authentication to protect the data exchange. References: Check Point Security Expert R81 Course, SK52421 - Ports used by Check Point software

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library1, the following are the types of Check Point API available in R81.x:

• Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.
• OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.
• Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

References: What is an API Gateway?, How to use Check Point API with Postman quick guide, Home - Check Point Developers, Introduction to RESTful APIs and JSON format, Checkpoint API tutorial, part 1 - getting started

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

 DES (Data Encryption Standard) is a symmetric block cipher that uses a 56-bit key to encrypt and decrypt 64-bit blocks of data. It was developed by IBM in 1975 and adopted by the US government as a standard for encryption. However, DES has been proven to be insecure and vulnerable to various attacks, such as brute force, differential cryptanalysis, and linear cryptanalysis. A brute force attack can break DES in a matter of hours using modern hardware. Differential cryptanalysis can reduce the number of keys to be searched by a factor of four, and linear cryptanalysis can reduce it by a factor of two. Therefore, DES is the least secure encryption algorithm among the options given.

References: Types of Encryption, Secure Organization’s Data With These Encryption Algorithms, Comparative study of symmetric cryptographic algorithms

At least 20GB is the recommended size of the root partition when installing a dedicated R81 SmartEvent server. The root partition is the primary partition that contains the operating system files and other essential files for booting and running the system. The SmartEvent server requires at least 20GB of free space on the root partition to install and operate properly. If the root partition size is less than 20GB, you may encounter errors or performance issues with SmartEvent. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

The API command to create a new host with the name "New Host" and IP address "192.168.0.10" is:

This command adds a host object with the specified name and IP address to the Check Point configuration.

References: Check Point documentation or training materials related to API commands.

Sticky Decision Function (SDF) is a feature that ensures that VPN traffic is handled by the same core on a Security Gateway with multiple CPU cores. This improves the performance and stability of VPN tunnels by avoiding out-of-order packets and reducing encryption overhead. However, the limitation of employing SDF is that acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF. This means that SDF may reduce the overall throughput and scalability of the Security Gateway. Therefore, SDF should be used only when necessary and only on gateways that are dedicated to VPN traffic. References: R81 Performance Tuning Administration Guide

Check Point Protect is a lightweight app that can be used to gather and analyze threats to your mobile device. It provides real-time threat intelligence, device posture assessment, and secure browsing protection3. The other applications are either not designed for mobile devices, or do not offer threat analysis features. References: R81 CCSA & CCSE exams released featuring Promo for… - Check Point …, Check Point Protect - Apps on Google Play

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

 TACACS+ is not an authentication method that is used for Mobile Access. Mobile Access supports the following authentication methods: username and password (internal, LDAP, or RADIUS), certificate, SecurID, DynamicID, and SMS2. TACACS+ is a protocol that provides access control for routers, network access servers, and other network devices, but it is not supported by Mobile Access3. References: Check Point R81 Mobile Access Administration Guide, TACACS+ - Wikipedia

The Management API supports three methods of communication: mgmt_cli command, SmartConsole GUI dialog box, and Gaia CLI. Sending API commands over an http connection using web-services is not a supported method. References: Check Point Management APIs

The statement that is correct about the Sticky Decision Function is It is not supported with either the Performance pack of a hardware based accelerator card. The Sticky Decision Function (SDF) is a feature that ensures that packets from the same connection are handled by the same cluster member in a Load Sharing configuration. However, SDF is not compatible with SecureXL acceleration, which is enabled by default or by using a Performance pack or a hardware based accelerator card4. The other statements are either incorrect or outdated about SDF. References: Check Point R81 ClusterXL Administration Guide, Sticky Decision Function - Check Point CheckMates

 In R81, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy is a unified policy that allows you to configure and enforce IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction settings in one place. References: Threat Prevention Administration Guide

Threat Simulator is not a component of Check Point SandBlast. Check Point SandBlast is a solution that provides advanced protection against zero-day threats using four components: Threat Emulation, Threat Extraction, Threat Cloud, and Threat Prevention. References: Check Point SandBlast Network

 Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits. To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features. References: R81 Performance Tuning Administration Guide

The API server is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. You can verify that the API server is responding by using the following command in Expert mode:

This command will display the current status of the API server, such as running, stopped, or initializing. It will also show the API version, port number, and SSL certificate information. References: Check Point R81 REST API Reference Guide

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member. References: [ClusterXL Administration Guide]

The CPM process is the core process of the Security Management Server that handles all management operations. It listens to TCP-port 19009 by default. References: CPM process

To simplify security administration when working with multiple Security Gateways enforcing an extensive number of rules, you would choose to create a separate Security Policy package for each remote Security Gateway. A Security Policy package is a set of rules and objects that can be assigned to one or more Security Gateways. This allows you to manage different policies for different gateways from the same Management Server1. The other options are either not effective or not feasible for simplifying security administration. References: Check Point R81 Security Management Administration Guide

To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. There are four options available to calculate the traffic direction: Incoming, Outgoing, Internal, and Other. Incoming means the source is external and the destination is internal. Outgoing means the source is internal and the destination is external. Internal means both the source and the destination are internal. Other means both the source and the destination are external. References: SmartEvent R81 Administration Guide

Advanced Security Checkups can be easily conducted within the Reports tab in the Logs & Monitor view in SmartConsole. The Reports tab allows you to generate and view various reports that provide insights into the security status and performance of your network. You can use predefined reports or create custom reports based on your needs. You can also schedule reports to run automatically and send them by email. Some of the predefined reports that can help you conduct advanced security checkups are:

• Security Overview: This report provides a summary of the security posture of your network, including the number and severity of incidents, the top attacked hosts and services, the top attackers and attack methods, the top detected threats and vulnerabilities, etc.
• Security Best Practices: This report evaluates your security configuration and policy against the Check Point best practices and provides recommendations for improvement. It covers areas such as firewall policy, NAT policy, VPN policy, identity awareness, threat prevention, etc.
• Compliance Status: This report assesses your compliance level with various regulations and standards, such as PCI DSS, ISO 27001, NIST 800-53, etc. It shows the compliance score, the compliance status of each requirement, the compliance status of each gateway and blade, etc.
• Network Activity: This report shows the network activity and traffic patterns on your network, including the top sources and destinations of traffic, the top protocols and applications used, the top bandwidth consumers, etc.
• System Health: This report monitors the health and performance of your management server and gateways, including the CPU utilization, memory usage, disk space, network interfaces, etc. References: R81 Logging and Monitoring Administration Guide

 Connections to the Check Point R81 Web API use the HTTPS protocol. The Web API is a RESTful web service that allows you to perform management tasks on the Security Management Server using HTTP requests. References: Check Point Management APIs

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information. References: Check Point R81 Installation and Upgrade Guide

 You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types. The Inspect action means that the file will be sent to the Threat Emulation engine for analysis, and the Bypass action means that the file will not be sent and will be allowed or blocked based on other Threat Prevention blades1. The other options are not valid actions for file types in Threat Prevention profiles. References: Check Point R81 Threat Prevention Administration Guide

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

The cpmq set command enables or disables multi-queue per interface. Multi-queue is a feature that allows distributing the network traffic among several CPU cores, improving the throughput and performance of the Security Gateway. References: Multi-Queue

 Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default. References: CPM process

The Check Point ThreatCloud is a worldwide collaborative security network that collects and analyzes threat data from millions of sensors, security gateways, and other sources, and delivers real-time threat intelligence and protection to Check Point products. References: Check Point ThreatCloud

The Check Point TE appliance in Recommended Mode includes 2(OS) images. One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version. References: [Check Point R81 Threat Emulation Administration Guide]

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network. References: Security Gateway R81 Administration Guide:

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts. References: Anti-Bot Software Blade

There are four ways to use the Management API for creating host object with R81 Management API: Using Web Services, Using mgmt_cli tool, Using CLISH, and Using SmartConsole GUI console. Events are collected with SmartWorkflow from Trouble Ticket systems is not a correct option. References: Check Point Management APIs

 Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances. References: SecureXL Mechanism

CoreXL is supported when one of the following features is enabled: IPS. CoreXL does not support Check Point Suite with these features: Route-based VPN, IPv6, Overlapping NAT, QoS, Content Awareness, Application Control, URL Filtering, Identity Awareness, HTTPS Inspection, DLP, Anti-Bot, Anti-Virus, Threat Emulation. References: CoreXL

 Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions . References: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References: R81 Mobile Access Administration Guide

 Check Point Central Deployment Tool (CDT) communicates with the Security Gateway / Cluster Members over Check Point SIC using TCP port 18191 by default. CDT is a tool that allows you to perform simultaneous configuration changes on multiple gateways or clusters using predefined commands or scripts. References: Check Point Central Deployment Tool (CDT)

PDP is not a valid CPVIEW view. CPVIEW is a command-line tool that shows the status of different system parameters, such as CPU, memory, disk, network, and firewall. The valid views are IDA, RAD, VPN, FW, QoS, and others. PDP is a process that handles identity awareness and authentication. References: Check Point R81 Gaia Administration Guide, Check Point Identity Awareness Administration Guide R81

The correct command to observe the Sync traffic in a VRRP environment is fw monitor –e “accept dst=224.0.0.18;”. This command captures the packets that have the destination IP address of 224.0.0.18, which is the multicast address used by VRRP for synchronization. The other commands are either not valid or not specific to VRRP Sync traffic. References: [Check Point R81 ClusterXL Administration Guide], Check Point R81 Performance Tuning Administration Guide

Check Point currently supports four types of APIs: R81 Management API, Identity Awareness Web Services API, OPSEC SDK, and Gaia REST API. The Open REST API is not a valid option. References: Check Point APIs

 The cphaprob -a if command displays the interface status of all cluster members, including the interface name, IP address, state, monitor mode, and sync status. References: cphaprob - Check Point Support Center

Session unique identifiers are passed to the web API using the X-chkp-sid HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations. References: Check Point R81 REST API Reference Guide

 R81.20 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81. 

 Tom will need two machines to install Check Point R81 in a distributed deployment, if he does not include a SmartConsole machine in his calculations. A distributed deployment consists of a Security Management Server that manages one or more Security Gateways. Therefore, Tom will need one machine for the Security Management Server and another machine for the Security Gateway. The other options are either too few or too many machines for a distributed deployment. References: Check Point R81 Installation and Upgrade Guide

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation. References: CPD process

The correct command to show actual allowed connections in the state table is option B: fw tab –t connections. This command displays the contents of the "connections" table, which contains information about the active connections being tracked by the firewall.

Option A (fw tab –t StateTable) is incorrect as there is no "StateTable" table; it should be "connections."

Option C (fw tab –t connection) is also incorrect, as it should be "connections."

Option D (fw tab connections) is not the correct syntax for the command.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The command cphaprob igmp can be used to display the Multicast MAC address of a cluster. This command shows the IGMP (Internet Group Management Protocol) information for each cluster interface, including the VRID (Virtual Router ID), the Multicast IP address, and the Multicast MAC address3. The other commands do not show the Multicast MAC address information. References: Check Point R81 ClusterXL Administration Guide

The SmartEvent component that creates events is the Correlation Unit, which is responsible for correlating and analyzing security events to identify patterns and potential threats.

Option A, "Consolidation Policy," does not create events but is used to configure policies for event consolidation.

Option C, "SmartEvent Policy," is not responsible for creating events but is used to configure policies related to SmartEvent.

Option D, "SmartEvent GUI," is the graphical user interface for managing SmartEvent but does not create events itself.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

References: VPN Administration Guide

Browser-Based Authentication is an identity awareness method that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Browser-Based Authentication redirects users to a web page where they can enter their credentials and be authenticated by an external server, such as LDAP or RADIUS. After authentication, users can access the Internet and corporate resources according to the security policy rules that apply to their identity.

Browser-Based Authentication is suitable for scenarios where users can use company issued or personal laptops, since it does not require any installation or configuration on the user’s device. It also supports various operating systems and browsers, and can be customized to match the company’s branding.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 9
• Configuring Browser-Based Authentication in SmartConsole
• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 13

The Check Point software blade that provides protection from zero-day and undiscovered threats is Threat Emulation. Threat Emulation is a sandboxing technology that inspects files for malicious behavior in a virtual environment before they reach the end user. Threat Emulation can detect and block malware that tries to evade traditional signature-based solutions by using unknown or obfuscated techniques. Threat Emulation can also generate forensic reports and provide actionable intelligence on the malware origin and behavior. 

 Return-oriented programming (ROP) exploits are detected by Check Point Anti-Virus / Threat Emulation blade. ROP exploits are a type of code reuse attack that bypasses common exploit mitigation techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Check Point Anti-Virus / Threat Emulation blade can detect and prevent ROP exploits using its behavioral analysis engine that monitors the execution flow of processes and identifies malicious patterns. References: [Check Point Security Expert R81 Threat Prevention Administration Guide], page 17.

The "Network Access VPN Domain" feature allows remote-access VPN users to access resources across a site-to-site VPN tunnel. This feature allows remote users to securely access internal network resources as if they were physically connected to the network. This is achieved by adding the remote-access VPN users to a "VPN Domain" that has access to the internal network resources via a site-to-site VPN tunnel. This VPN Domain is also referred to as a "Network Access VPN Domain".

 The Anti-Virus feature of the Threat Prevention policy blocks traffic from infected websites by matching logs against ThreatCloud information about the reputation of the website. ThreatCloud is a collaborative network that collects and analyzes threat data from millions of sources worldwide. It assigns a reputation score to each website based on its malicious activity and behavior. If a website has a low reputation score, it is considered infected and blocked by the Anti-Virus blade. References: Training & Certification | Check Point Software, CCSE section

 How many interfaces can you configure to use the Multi-Queue feature? You can configure up to 5 interfaces to use the Multi-Queue feature. Multi-Queue is a performance enhancement feature that allows distributing the network traffic among multiple CPU cores, instead of using a single core for all traffic. Multi-Queue can be enabled on interfaces that have high traffic load and support multiple receive/transmit queues. Multi-Queue can be configured via SmartConsole or via CLI with the command sim affinity -m. References: R81 Performance Tuning Administration Guide, page 18.

The cpprod_util command is a utility that provides information about the installed Check Point products and their versions. The cpprod_util MgmtIsPrimary option checks if the Security Management Server is installed as a primary or a secondary server in a High Availability cluster2. If the server is primary, the command returns “yes”. If the server is secondary, the command returns “no”. Therefore, Bob can use this command to verify the provisioning of the secondary Security Management Server.

References: 2: cpprod_util

R81 cpconfig - > Enter the number of the Check Point CoreXL option. ( Enter 1 to select Change the number of firewall instances. OR Enter 2 for the option Change the number of IPv6 firewall instances.) -> Enter the total number of IPv4 (IPv6) CoreXL Firewall instances you wish the Security Gateway to run. Follow the instructions on the screen. -> Exit from the cpconfig menu. - Reboot the Security Gateway.

The WebUI offers three methods for downloading hotfixes via CPUSE: Automatic, Manually, and Scheduled. Force override is not a valid method for downloading hotfixes. Force override is an option that can be used when installing a hotfix to override the compatibility check and force the installation of the hotfix. References: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)

 The benefit of Manual NAT over Automatic NAT is that you have full control over the priority of the NAT rules. Manual NAT allows you to create NAT rules that are independent of the security policy and specify the order in which they are applied. Automatic NAT creates NAT rules based on the objects’ NAT properties and places them according to predefined criteria. The other options are not benefits of Manual NAT over Automatic NAT. References: : Check Point Software, Getting Started, NAT Rule Base.

The WebUI can be used to manage user accounts and assign privileges to users. It can also add users to your Gaia system and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server1. References: Check Point Resource Library, page 3.

 Windows Management Instrumentation (WMI) is a protocol that allows remote management and monitoring of Windows systems. It is used by AD Query to connect to the Active Directory Domain Controllers and query them for user and computer information. AD Query uses WMI to get real-time updates on user logon events, group membership changes, and computer status changes. WMI is not the same as LDAP, which is a protocol for accessing and modifying directory services. HTTPS and RDP are also different protocols that are not used by AD Query. References: Check Point R81 Identity Awareness Administration Guide, page 17

 On R81.20 the IPS Blade is managed by the Threat Prevention policy. The Threat Prevention policy is a unified policy that includes Anti-virus, IPS, Anti-bot, and Threat Emulation software blades. The IPS blade provides protection against network attacks and exploits by inspecting the traffic and blocking malicious packets. The IPS blade can be configured with different profiles and exceptions to suit different security needs. References: R81 Threat Prevention Administration Guide, page 15.

CoreXL is a technology that improves the performance of the Security Gateway by utilizing multiple CPU cores for processing traffic. CoreXL creates multiple instances of the firewall kernel (fwk) that run in parallel on different CPU cores. The number of kernel instances can be configured using the cpconfig command on the Security Gateway3. The minimum number of CPU cores required to enable CoreXL is 2, as one core is reserved for SND (Secure Network Distributor) and one core is used for running a kernel instance4. If the Security Gateway has only one CPU core, CoreXL cannot be enabled. Therefore, the correct answer is C.

References: 3: CoreXL Administration Guide 4: [CoreXL Frequently Asked Questions (FAQ)]

 Secure Configuration Verification (SCV) is a feature that allows the Mobile Access Gateway to check the compliance of remote access clients with the enterprise security policy before granting them access to internal resources. SCV checks can be defined in a file named local.scv, which is located in the $FWDIR/conf directory on the Mobile Access Gateway1. The file can be edited manually or using the SCV Editor tool2. Therefore, the correct answer is D.

References: 1: Secure Configuration Verification 2: SCV Editor

 The command to add users to or from existing roles is add rba user roles . This command allows you to assign one or more roles to a user in the Gaia database. Roles are collections of permissions that define what actions a user can perform on the system. You can use predefined roles or create your own custom roles. To remove a role from a user, you can use the command delete rba user roles . 

The command that lists firewall chain is fw ctl chain1. This command displays the list of chain modules that are registered on the Security Gateway2. Chain modules are components of the Firewall kernel that inspect and process packets according to the security policy and other features3. The order of the chain modules determines the order of the packet inspection and processing3. The fw ctl chain command can help you troubleshoot connectivity or performance issues, or to verify that a feature is enabled or disabled on the Security Gateway2. To run this command, you need to access the Security Gateway in expert mode and run fw ctl chain1.

References: How to use fw ctl chain - Check Point Software, fw ctl chain - Check Point Software, R81.x Security Gateway Architecture (Logical Packet Flow) - Check Point CheckMates

Identity Awareness maps users and computer identities, enabling enforcement of Access Control policy rules and auditing data based on identity. It is an easy-to-deploy and scalable solution that works for both Active Directory and non-Active Directory based networks, including employees and guest users1. By considering network location, user identity, and machine identity, organizations can control access between different segments in the network using an identity-based policy2.

References:

• Check Point Troubleshooting Expert - R81 (CCTE) Reference Materials
• Check Point Certified Troubleshooting Expert R81.20 - CCTE
• Check Point CCTE Certification Sample Questions and Practice Exam

 SmartEvent Security Checkups can be run from the Reports activity in Logs and Monitor. A Security Checkup is a report that analyzes network traffic and security events and provides recommendations for improving security posture. To run a Security Checkup, go to Logs & Monitor > Reports > New Report > Security Checkup. The other activities in Logs and Monitor do not have the option to run a Security Checkup. References: : Check Point Software, Getting Started, Running a Security Checkup Report.

 The correct upgrade method for upgrading from R80.40 to R81.20 without any downtime is the Multi-Version Cluster Upgrade (MVC). MVC is a new feature in R80.40 that replaces the deprecated Connectivity Upgrade (CU). MVC allows you to upgrade cluster members to a newer version without losing connectivity and test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members. MVC synchronizes connections between cluster members that run different versions and ensures that the cluster remains operational during the upgrade process. MVC is intended only to test the current configuration in the newer version and not to change the security policy and install it on cluster members with different software versions. MVC is disabled by default and can be enabled on each cluster member individually. MVC has some limitations, such as not supporting VSX clusters, IPS blade, or SecureXL acceleration.

References:

• Multi-Version Cluster (MVC) replaces Connectivity Upgrade (CU) in R80.40
• Multi-Version Cluster (MVC) Upgrade
• Configuring the Multi-Version Cluster Mechanism

Implied rules are predefined rules that are automatically added to the Access Control rulebase by the Security Management Server. Implied rules allow the control connections that are essential for the functionality and security of the Check Point products, such as communication between the Security Gateway and the Security Management Server, synchronization between cluster members, logging, VPN, and ICMP. Implied rules are not visible in the SmartConsole, but they can be viewed and modified using the Global Properties window.

The references are:

• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 12
• Check Point R81 Quantum Security Gateway Guide, page 141
• Check Point R81 Firewall Administration Guide, page 21

 The correct syntax to add a new host named “emailserver1” with IP address 10.50.23.90 using GAiA Management CLI is mgmt_cli add host name "emailserver1" ip-address 10.50.23.90. The name and ip-address parameters are required and must be enclosed in double quotes. The other options are missing the double quotes or have incorrect parameter names1. References: 1: Check Point Software, Getting Started, Adding a Host.

Starting R81, the Access Control Policy installation process is accelerated thereby reducing the duration of the process significantly. According to the Check Point R81 Security Management Administration Guide1, Accelerated Install Policy is a new feature in R81 that optimizes common use-cases and drastically speeds up the installation with up to 90% improvement. Policy installation is accelerated depending on the changes that were made to the Access Control policy since the last installation. When the policy installation is accelerated, the icon will appear under the “Install Policy Acceleration” column in the Install Policy window.

References:

• Accelerated Install Policy - Check Point Software, section “Accelerated Install Policy”

The FWD process provides logging services, such as forwarding logs from Gateway to Log Server, providing Log Export API (LEA) and Event Logging API (EL-A) services. The FWD process is responsible for sending logs from the Security Gateway to the Security Management Server or Log Server, and for fetching logs from the Security Management Server or Log Server to SmartConsole. The FWD process also handles the communication with external logging applications that use the LEA or EL-A protocols.

References:

• FWD process does not work after reboot - Check Point CheckMates, section “FWD process does not work after reboot”
• Check Point R81, section “Logging and Monitoring”
• CoreXL Dynamic Dispatcher - Check Point Software, section “Example of output”

 The statement that is not true about site-to-site VPN domain-based is that a VPN domain is a service or user that can send or receive VPN traffic through a VPN gateway. A VPN domain is a host or network that can send or receive VPN traffic through a VPN gateway, not a service or user. A service or user can be part of a VPN community, which defines the encryption and authentication methods for the VPN traffic. References: [Check Point Security Expert R81 Administration Guide], page 146.

 Check Point Support in many cases asks you for a configuration summary of your Check Point system. This is also called cpinfo. Cpinfo is a utility that collects diagnostic data on a Check Point gateway, management server, or log server. It generates a file that contains information such as product version, license details, OS details, network configuration, installed hotfixes, status of Check Point processes, firewall tables, etc. This file can be used by Check Point Support to troubleshoot issues or analyze performance. References: [Cpinfo Utility]

From SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path. Firewall Path is the path that handles packets that are not processed by SecureXL and are sent to the Firewall kernel for inspection. Accelerated Path is the path that handles packets that are processed by SecureXL and bypass the Firewall kernel. Medium Path is the path that handles packets that are partially processed by SecureXL and partially by the Firewall kernel1. References: Check Point R81 Performance Tuning Administration Guide

When using the Mail Transfer Agent, the debug logs are stored in /var/log/mail.mta.elg. This file contains information about the email messages that are processed by the Mail Transfer Agent, such as sender, recipient, subject, size, action, etc. You can use the command mailq to view the current mail queue and the command maild -d to enable debug mode for the Mail Transfer Agent. References: [Mail Transfer Agent]

 The type of SecureXL template that is not valid among the options is Deny template. SecureXL templates are pre-allocated data structures that store information about connections that match certain criteria. They are used to accelerate the processing of packets that belong to those connections. The valid types of SecureXL templates are Accept, Drop, NAT, and Crypt. The Accept template is used for connections that are allowed by the Firewall policy. The Drop template is used for connections that are blocked by the Firewall policy. The NAT template is used for connections that require Network Address Translation. The Crypt template is used for connections that require encryption or decryption. References: [SecureXL Templates]

 To optimize Rule Base efficiency, the most hit rules should be towards the top of the Rule Base. This is because the Rule Base is processed from top to bottom, and the first rule that matches the traffic is applied. Therefore, placing the most hit rules at the top reduces the number of rules that need to be checked and improves the performance of the firewall. References: R81 Security Management Administration Guide, page 97.

The command that should be used to remove the policy from the gateway by logging in through console access is “fw unloadlocal”. This command will unload all security policies from a gateway or cluster member and allow all traffic to pass through it. This command can be useful for troubleshooting purposes or for emergency access to a gateway. References: [Check Point R81 CLI Reference Guide]

 In the Check Point Security Management Architecture, both the Security Management Server and Security Gateway can store logs. The Security Management Server stores logs related to management activities, while the Security Gateway stores logs related to network traffic1. References: Check Point Resource Library, page 3.

The pre-defined Permission Profile that should be assigned to an administrator that requires full access to audit all configurations without modifying them is Read Only All. This profile grants read-only access to all features and blades in SmartConsole, including logs and reports. This profile is suitable for auditors who need to review the security policy and settings, but not change them. References: R81 Security Management Administration Guide, page 57.

The correct Check Point command to check if the API services are running for the GAIA operating system is gala_api status. The gala_api command is used to manage the API services in the GAIA operating system, and the status option is used to check the status of the API services.

You will find the config.txt file in the home directory of your user account (e.g. /home/admin/)1. The save configuration config.txt command is a Clish command that saves the current Gaia configuration to a text file2. The file is stored in the home directory of the user who executed the command, and it can be accessed by using the cat or less commands in expert mode1. The file can also be transferred to another machine by using the scp or sftp commands1. The config.txt file contains the Clish commands that are needed to restore the Gaia configuration to the same state as when the file was saved2. The file can be used for backup, migration, or troubleshooting purposes2.

References: How to backup and restore Gaia configuration - Check Point Software, Gaia R81.20 Administration Guide - Check Point Software

The verified answer is C. Identity Awareness.

Identity Awareness is the Check Point software blade that provides detailed visibility of users, groups, and machines, while also providing application and access control through the creation of accurate, identity-based policies1. Identity Awareness allows you to easily configure network access and auditing based on three items: network location, the identity of a user and the identity of a machine1. Identity Awareness integrates with multiple identity sources, such as Microsoft Active Directory, Cisco Identity Services Engine, and RADIUS Accounting23.

Application Control is the Check Point software blade that enables network administrators to identify and control thousands of applications and widgets, and millions of websites, based on categories, risk, and characteristics.

Firewall is the Check Point software blade that provides stateful inspection and enforcement of network traffic, and protects against network and application-level attacks.

URL Filtering is the Check Point software blade that enables secure web access by blocking access to malicious and inappropriate websites, and enforcing compliance with corporate policies.

References:

• Identity Awareness - Check Point Software1
• Check Point Integrated Security Architecture - Check Point Software2
• Cisco Identity Services Engine and Check Point Integration3
• Application Control - Check Point Software
• Firewall - Check Point Software
• URL Filtering - Check Point Software

 SecureXL uses templates to accelerate the connection rate by creating a connection entry in the SecureXL Connections Table without notifying the Firewall kernel for a predefined period of time1. This reduces the load on the Firewall kernel and improves the performance of new connections1. SecureXL uses five attributes to identify a connection and create a template: source address, destination address, source port, destination port, and protocol2. These attributes form a unique 5-tuple that defines a connection2.

References: : ATRG: SecureXL for R80.20 and higher : Performance Tuning Administration Guide R80

 Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. Permanent VPN tunnels are always active and prevent VPN tunnel negotiation failures due to idle time or traffic volume. You can configure permanent VPN tunnels in SmartConsole by selecting the Permanent Tunnel option in the VPN Community Properties window.

 The base level encryption key used by Capsule Docs is RSA 2048. This means that Capsule Docs uses a 2048-bit RSA public key encryption algorithm to encrypt and decrypt documents. RSA is an asymmetric encryption algorithm that uses two keys: a public key that can be shared with anyone, and a private key that must be kept secret. AES, SHA-256, and RSA 1024 are not the base level encryption keys used by Capsule Docs. References: : Check Point Software, Getting Started, Capsule Docs Encryption.

 Gaia has two default user accounts that cannot be deleted: Admin and Monitor. Admin is a superuser account that has full access to all Gaia features and commands. Monitor is a read-only account that can view Gaia configuration and status but cannot make any changes. Both accounts have predefined passwords that can be changed by the Admin user. References: [Check Point R81 Gaia Administration Guide], page 29

SRC: GAIA R81.20 Administration Guide User Management -> Users These users are created by default and cannot be deleted: admin and monitor

Vanessa is expecting a very important Security Report. The Document should be sent as an attachment via e-mail. An e-mail with Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only few lines of text are in it. The report is missing some graphs, tables and links.

The component of SandBlast protection that her company is using on a Gateway is SandBlast Threat Extraction. SandBlast Threat Extraction is a software blade that provides protection against malicious files by removing potentially risky elements, such as macros, embedded objects, scripts, etc. The sanitized files are delivered to the users with a notification about the removed elements. SandBlast Threat Extraction can also reconstruct the original files after they are scanned by SandBlast Threat Emulation, which is another software blade that provides protection against malicious files by emulating them in a virtual sandbox and analyzing their behavior. References: R81 Threat Prevention Administration Guide, page 37.

According to the Check Point R81.20 documentation, the central deployment feature allows you to install up to 10 packages simultaneously on multiple gateways1.

References1: Check Point R81.20 Administration Guide, page 35.

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. Packet tagging is a feature that allows the Endpoint Identity Agent to add a tag to the packets sent by the user’s device, which contains the user’s identity information. This way, the Security Gateway can identify the user without requiring additional authentication methods. Computer authentication is a feature that allows the Endpoint Identity Agent to authenticate the user’s device using a certificate, which ensures that only authorized devices can access the network resources. The Full Endpoint Identity Agent supports both packet tagging and computer authentication, as well as other features such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and VPN.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 15
• Endpoint Identity Agent - Check Point CheckMates
• Check Point Identity Agent - All flavors for Windows OS in a single package (Full, Light, v1 and v2 for Terminal Server)

 The Priority Queue is a feature that allows the firewall to prioritize certain types of traffic over others, such as control and routing traffic, when the CPU load is high. The Priority Queue has four levels of priority: Control, Routing, High Priority and Heavy Data Queue1. The Control level has the highest priority and is reserved for firewall control traffic, such as policy installation and synchronization. The Routing level has the second highest priority and is used for routing protocols, such as OSPF and BGP. The High Priority level has the third highest priority and is used for user-defined traffic that needs to be prioritized, such as VoIP or video conferencing. The Heavy Data Queue level has the lowest priority and is used for bulk data transfer, such as FTP or HTTP2. Therefore, the correct answer is C.

References: 1: Firewall Priority Queues 2: Firewall Priority Queues setting

 ClusterXL and VRRP are the two cluster solutions that are available under R81.20. According to the ClusterXL R81.20 Administration Guide1, ClusterXL is a Check Point software-based clustering solution that provides high availability and load sharing for Check Point Security Gateways and Cluster Members. ClusterXL supports two modes: High Availability and Load Sharing. In High Availability mode, all Cluster Members are connected to the same network segment and share a virtual IP address. One member is active and handles all traffic, while the others are in standby mode and ready to take over in case of a failure. In Load Sharing mode, all Cluster Members are active and share the traffic load according to a predefined algorithm. ClusterXL supports both unicast and multicast modes for Load Sharing1.

VRRP (Virtual Router Redundancy Protocol) is an industry standard protocol that provides high availability for routers or firewalls by creating a virtual router with a virtual IP address that is shared by a group of routers or firewalls. One router or firewall is elected as the master and handles all traffic directed to the virtual IP address, while the others are backups that monitor the master and take over if it fails. VRRP can be used with Check Point Security Gateways to provide redundancy and failover for external interfaces1.

NSRP (NetScreen Redundancy Protocol) is a proprietary protocol developed by Juniper Networks that provides high availability and load balancing for NetScreen firewalls. NSRP is not supported by Check Point products2.

HSRP (Hot Standby Router Protocol) is a Cisco proprietary protocol that provides high availability for routers by creating a virtual router with a virtual IP address that is shared by a group of routers. One router is elected as the active router and handles all traffic directed to the virtual IP address, while another router is elected as the standby router and monitors the active router and takes over if it fails. HSRP is not supported by Check Point products.

IP Clustering is a feature of Linux Virtual Server (LVS) that provides high availability and load balancing for IP-based services by creating a cluster of real servers that are accessed through a virtual IP address. The cluster is managed by a director that routes requests to the real servers according to a scheduling algorithm. IP Clustering is not supported by Check Point products.

References: : ClusterXL R81.20 Administration Guide : Check Point R81.20 : Solved: R81.20 - Check Point CheckMates : [Hot Standby Router Protocol - Wikipedia] : [Linux Virtual Server - Wikipedia]

The Check Point Compliance Blade is a security management tool that monitors the compliance status of the Security Gateways and Security Management Servers with various regulatory standards1. The Compliance Blade supports the following regulatory standards2:

• GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, is a US federal law that requires financial institutions to protect the privacy and security of their customers’ personal information.
• CJIS: The Criminal Justice Information Services Division, also known as CJIS, is a division of the US Federal Bureau of Investigation that provides criminal justice information services to law enforcement, national security, and intelligence agencies. CJIS has a set of security policies and requirements that govern the access, use, and protection of the CJIS data.
• NCIPA: The National Counterintelligence and Security Center Insider Threat Program Maturity Framework, also known as NCIPA, is a US government framework that provides guidance and best practices for establishing and enhancing insider threat programs within federal agencies. NCIPA defines five levels of maturity for insider threat programs, from initial to optimized.
• SOCI: This is not a valid option for a configurable Compliance Regulation. There is no such regulatory standard with this acronym. However, there is a similar acronym, SOC 2, which stands for Service Organization Control 2, which is a set of standards and criteria for auditing the security, availability, processing integrity, confidentiality, and privacy of service providers that store, process, or transmit customer data3.

Therefore, the correct answer is C, as SOCI is not a configurable Compliance Regulation.

References: 1: ATRG: Compliance Blade (R80.10 and higher) - Check Point Software 3 2: Check Point R81 - Check Point Software 1 3: SOC 2 Compliance Checklist: What You Need to Know - Varonis