Identity Awareness is the Check Point software blade that provides visibility of users, groups and machines while also providing access control through identity-based policies. Identity Awareness enables administrators to define granular access rules based on user or machine identity, rather than just IP addresses. Identity Awareness also allows administrators to monitor user activity and generate reports based on user or machine identity.

Application Control is a blade that enables administrators to control access to applications and web sites by users, groups, machines, and time. Application Control can eliminate unknown and unwanted applications in your network to reduce IT complexity and application risk, identify and control which applications are in your IT environment and which to add to the IT environment, and automatically identify trusted software that has authorization to run1. However, Application Control cannot scan the content of files being downloaded by users in order to make policy decisions. That is the function of another blade called Content Awareness, which can inspect files based on their type, size, name, and data2. References: Check Point R81 Application Control Administration Guide, Check Point R81 Content Awareness Administration Guide

The Secure Network Distributor (SND) is a feature of the Security Gateway that is used to distribute packets among Firewall instances . It improves the performance and scalability of the Firewall by utilizing multiple CPU cores. The other options are not related to SND. References: [Check Point Security Gateway Architecture and Packet Flow], [Free Check Point CCSA Sample Questions and Study Guide]

The BEST method to deploy Identity Awareness for roaming users is to use identity agents, which are software components installed on endpoints that provide user and machine identity information to the Security Gateway45. Identity agents are more secure and reliable than other methods, as they do not require network changes or user interaction4. Office Mode, sharing user identities between gateways, and using captive portal are not methods to deploy Identity Awareness, but rather features or options that can be used with Identity Awareness46.

References: Identity Awareness Reference Architecture and Best Practices, Identity Awareness PDP Broker, Identity Awareness Datasheet

The Online Activation method is available for Check Point manufactured appliances. The administrator uses the Online Activation method by using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts. This method requires internet access and a valid User Center account. References: [Check Point Licensing and Contract Operations User Guide], [Check Point R81 Gaia Installation and Upgrade Guide]

The option that allows all encrypted and non-VPN traffic that matches the rule is Accept all encrypted traffic. This option enables you to allow traffic to any destination that is encrypted, regardless of whether it is part of a VPN community or not2. Therefore, the correct answer is B. Accept all encrypted traffic. 

 The procedure that SmartEvent does not use to identify events is matching a log against local exclusions. Local exclusions are used to filter out logs that are not relevant for SmartLog, not SmartEvent12. SmartEvent uses the other procedures to identify events based on event definitions, event candidates, and global exclusions3 . References: SmartLog R81 Administration Guide, Check Point CCSA - R81: Practice Test & Explanation, SmartEvent R81 Administration Guide, [Free Check Point CCSA Sample Questions and Study Guide]

The correct answer is D because from SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path3. The Firewall Path is used when SecureXL is disabled or traffic is not eligible for acceleration3. The Accelerated Path is used when SecureXL handles the entire connection and bypasses the Firewall kernel3. The Medium Path is used when SecureXL handles part of the connection and forwards packets to the Firewall kernel for further inspection3. The other options are not valid paths of traffic flow from SecureXL perspective3. References: Check Point R81 Performance Tuning Administration Guide

SmartView is the web application for real-time event monitoring in SmartEvent R80 and above. It provides a unified view of security events across the network and allows for quick investigation and response34. References: SmartEvent R80.40 Administration Guide, SmartView

The back up solution that should be used to ensure your database can be restored on that device is snapshot . A snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point products, configuration, and operating system. A snapshot can be used to restore a Security Gateway or Security Management Server to its previous state at any time . Therefore, the correct answer is D. snapshot. 

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. The Full Identity Agent is a client-side software that provides full identity awareness features, such as user authentication, computer authentication, packet tagging, identity caching, and identity sharing. The other types of Endpoint Identity Agents are Custom, Complete, and Light, which have different features and capabilities. 

According to the Hewlett Packard Enterprise Support Center3, the snapshot command uses the command line to create an image of the OS. A snapshot is a point-in-time copy of a disk partition that can be used to restore the system in case of a failure or corruption. References: Hewlett Packard Enterprise Support Center

The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”. cap”number of captures”2. References: Free Check Point CCSA Sample Questions and Study Guide

If there is an Accept Implied Policy set to “First”, Jorge cannot see any logs because Log Implied Rule was not selected on Global Properties. The Log Implied Rule option enables logging for all implied rules, such as DHCP, anti-spoofing, and cleanup rules.

References: : Check Point R81 Security Management Administration Guide, page 103.

 Alerts can be viewed in SmartView Monitor, which is a graphical tool that provides real-time information about the network and security activities, such as traffic, VPN tunnels, threats, and performance4.

References: 4: Check Point R81 Security Management Administration Guide, page 25.

This answer is correct because a standalone deployment is a valid option for installing a Check Point Security Gateway and a Security Management Server on the same machine1. This option is suitable for small or medium-sized networks that do not require high availability or load balancing1.

The other answers are not correct because they are either invalid or irrelevant options for deployment. CloudSec deployment is not a valid option, but it might be confused with CloudGuard, which is a Check Point solution for securing cloud environments2. Disliked deployment is not a valid option, but it might be a typo for Distributed deployment, which is a valid option for installing a Check Point Security Gateway and a Security Management Server on separate machines1. Router only deployment is not a valid option, but it might be confused with Router mode, which is a configuration option for a Check Point Security Gateway that enables it to act as a router and forward packets between interfaces3.

• Gaia R81.20 Administration Guide
• CloudGuard Network Security
• Configuring Router Mode in Gaia Clish

 The product that correlates logs and detects security threats, providing a centralized display of potential attack patterns from all network devices is SmartEvent. SmartEvent is a software blade that analyzes logs from various sources such as Security Gateways, Endpoint Security Servers, Identity Awareness Servers, etc. and generates security events based on predefined or custom rules. SmartEvent provides a graphical interface for viewing and managing security events in real-time or historical mode. References: [Check Point R81 SmartEvent Administration Guide]

Most Check Point deployments use Gaia, which is a unified operating system for all Check Point appliances, open servers, and virtualized gateways. However, some product deployments utilize special Check Point code, such as Scalable Platforms (formerly known as Maestro), which are high-performance security gateways that can scale up to 1.5 Tbps of firewall throughput. Scalable Platforms use a special version of Gaia OS called Gaia Embedded, which is planned to be unified with Gaia OS in R81.102. References: Check Point R81 Release Notes

There are three types of software containers: security management, Security Gateway, and endpoint security. A software container is a set of software blades that provide specific functionality. A security management container manages the security policy and configuration for one or more Security Gateways. A Security Gateway container enforces the security policy on the network traffic. An endpoint security container protects the data and network access of an endpoint device2. The other options are not valid types of software containers. References: Software Containers

The options to calculate the traffic direction are Incoming, Internal, and External3. Outgoing is not an option. Incoming traffic is traffic that enters the Security Gateway from an external network. Internal traffic is traffic that originates and terminates in networks that are directly connected to the Security Gateway. External traffic is traffic that originates or terminates in networks that are not directly connected to the Security Gateway. References: Check Point R81 Security Management Administration Guide

The steps you will need to do in SmartConsole in order to get the connection working behind the Internet Security Gateway are:

• Define an accept rule in Security Policy. This rule allows the traffic from your internal networks to pass through the Security Gateway.
• Define automatic NAT for each network to NAT the networks behind a public IP. This option translates the private IP addresses of your internal networks to a public IP address assigned by your ISP router. This way, your internal networks can communicate with the Internet using a valid IP address.
• Publish and install the policy. This step applies the changes you made to the Security Gateway and activates the security and NAT rules.

References: Check Point R81 Quantum Security Gateway Guide

 The best upgrade method when the management server is not connected to the Internet is CPUSE offline upgrade . This method allows you to download the upgrade package from another source and install it manually on the management server. The other methods require Internet connection or are not supported for R80.10. References: [R80.10 Upgrade Verification and FAQ], [Check Point CCSA - R81: Practice Test & Explanation]

The Advanced Networking Blade is NOT subscription-based and therefore does not have to be renewed on a regular basis1011. The Advanced Networking Blade provides advanced routing capabilities such as BGP, OSPF, VRRP, and multicast routing10. The other blades are subscription-based and require annual renewal to receive updates and support from Check Point1012.

References: Check Point License Guide, IPS Software Blade contracts, Product Catalog

A main component of the Check Point security management architecture is SmartConsole2. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References: Check Point R81 Security Management Administration Guide

The statement that is TRUE of anti-spoofing is that it is BEST Practice to have anti-spoofing groups in sync with the routing table. Anti-spoofing prevents attackers from sending packets with a false source IP address. Anti-spoofing groups define which IP addresses are expected on each interface of the Security Gateway. If the routing table changes, the anti-spoofing groups should be updated accordingly34. References: Check Point R81 ClusterXL Administration Guide, Network Defined by Routes: Anti-Spoofing

The Check Point software blade that monitors Check Point devices and provides a picture of network and security performance is Monitoring. The Monitoring Software Blade presents a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. It centrally monitors Check Point devices and alerts security administrators to changes to gateways, endpoints, tunnels, remote users and security activities234. References: Monitoring Software Blade, Check Point Integrated Security Architecture, Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

In order for changes made to policy to be enforced by a Security Gateway, an administrator must perform Install Policy3. This action transfers the policy package from the Security Management Server to the Security Gateway and activates it. References: Check Point R81 Security Management Administration Guide

The file that stores the proxy arp configuration is $FWDIR/conf/local.arp on the gateway3 . The other files are not related to proxy arp configuration. References: How to configure Proxy ARP for Manual NAT on Security Gateway, [Check Point CCSA - R81: Practice Test & Explanation]

The order of NAT priorities is Static NAT, IP pool NAT, and hide NAT. Static NAT has the highest priority because it is a one-to-one mapping of a private IP address to a public IP address. IP pool NAT has the second highest priority because it is a one-to-many mapping of a private IP address to a pool of public IP addresses. Hide NAT has the lowest priority because it is a many-to-one mapping of multiple private IP addresses to a single public IP address1.

References: 1: Check Point R81 Security Gateway Administration Guide, page 23.

The following is considered a “Subscription Blade”, requiring renewal every 1-3 years: IPS blade4. The IPS blade is a software blade that provides protection against network attacks and exploits by inspecting traffic and blocking malicious packets. The IPS blade requires a subscription license that includes updates for the IPS signatures and Geo Protection database. Other subscription blades include Anti-Bot, Anti-Virus, URL Filtering, Application Control, Threat Emulation, and Threat Extraction. References: Check Point Licensing and Contract Operations User Guide

When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is saved to the SmartConsole cache and is available for future Security Management Server authentications. The fingerprint is a unique identifier of the Security Management Server that is used to verify its identity and prevent man-in-the-middle attacks. The SmartConsole cache is a local folder on the client machine that stores temporary files and settings.

References: Check Point Security Management Administration Guide R81, p. 25-26

 The Security Gateways collect logs and send them to the log server. The Security Gateways are the components that enforce the security policy on network traffic and generate logs for each connection that matches a rule with a tracking option. The log server is the component that receives and stores the logs from the Security Gateways and provides a centralized interface for viewing and analyzing them. The log server can be either a dedicated server or integrated with the Security Management Server. References: [Check Point R81 Security Management Administration Guide]

 Central License is the preferred and recommended method of licensing because it ties to the IP address of the management server and is not dependent on the IP of any gateway in the event it changes. Central License allows administrators to manage licenses for all Security Gateways from one central location. If the IP address of a gateway changes, the license remains valid as long as it is connected to the same management server. Central Licensing is supported with Gaia and is not the only option when deploying Gaia. Central Licensing does not tie to the IP address of a gateway and can not be changed to any gateway if needed.

References: 1: Rugged Appliances 2: SmartUpdate 3: Check Point Software Deployment Options : [Anti-Virus] : [Check Point Software Blades] : [Central License]

Sub Policies are a new feature in R80.10 Gateway that allow creating and attaching sets of rules to specific rules in the main policy4. Sub Policies are useful for delegating permissions, managing large rule bases, and applying different inspection profiles4. The other options are not new features in R80.10 Gateway. References: Check Point R80.10 Security Management Administration Guide

The Shared policies feature allows administrators to share a policy with other policy packages3. This can save time and effort when managing multiple gateways with similar security requirements. Shared policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers4. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartConsole R81 Resolved Issues

 Check Point licenses are divided into two types: central and local. Central licenses are managed by a Security Management Server and can be attached to any Security Gateway managed by that server. Local licenses are tied to the IP address of a specific Security Gateway and cannot be transferred to a gateway that has a different IP address. Formal and corporate are not types of Check Point licenses. References: [Check Point R81 Licensing and Contract Administration Guide]

Sub Policies are a new feature in R80.10 Gateway that allow creating and attaching sets of rules to specific rules in the main policy4. Sub Policies are useful for delegating permissions, managing large rule bases, and applying different inspection profiles4. The other options are not new features in R80.10 Gateway. References: Check Point R80.10 Security Management Administration Guide

By default, the WebUI listens on port 80. The WebUI is a web-based interface that allows administrators to configure and monitor Gaia OS settings and features from a web browser. The WebUI uses the HTTP protocol to communicate with the Gaia machine, which by default uses port 80 as the standard port number. The other port numbers are not used by the WebUI by default, but they can be changed by modifying the Gaia configuration file or using CLISH commands. 

A Check Point software license consists of a Software blade and a Software container. A Software blade is a modular security feature that delivers security functionality to the gateway or management server. A Software container is a set of Software blades that can be purchased as a bundle.

References: : Check Point R81 Security Management Administration Guide, page 14.

This answer is correct because the vpn tu command is used for VPN tunnel management and shows detailed information about VPN tunnels, such as the tunnel ID, peer IP, encryption domain, and status1. This command will bring up a menu for you to choose from, such as list all IPsec SAs, delete all IPsec SAs, or delete IPsec SA for given peer1.

The other answers are not correct because they either show different information or do not exist as commands. The cat $FWDlR/conf/vpn.conf command shows the VPN configuration file, which contains the VPN domains, communities, and encryption settings2. The vpn tu tlist command does not exist, but it might be confused with the vpn tunnelutil tlist command, which shows the tunnel utilization statistics3. The cpview command shows the Check Point real-time performance monitoring tool, which displays various system and network parameters, such as CPU, memory, disk, interfaces, and VPN4.

• How to use the “vpn tu” command for VPN tunnel management
• New VPN daemons in R81.10 / R81.20 - Check Point CheckMates
• Remote Access VPN R81.20 Administration Guide - Check Point Software
• Remote Access VPN R81 Administration Guide - Check Point Software

 The BEST command to view configuration details of all interfaces in Gaia CLISH is show configuration interface3. This command displays the interface name, IP address, netmask, state, MTU, and other parameters for each interface. ifconfig -a, show interfaces, and show interfaces detail are not valid commands in Gaia CLISH. References: How to configure static routes in CLISH on Gaia OS and IPSO OS, GAIA CLISH Commands - Fir3net, Gaia Administration Guide R80 - Check Point Software, Gaia Clish commands including User Defined (Extended) commands

 To enforce the Security Policy correctly, a Security Gateway requires awareness of the network topology. This means that the gateway knows which networks and interfaces are internal and external, and how to route packets between them . References: [Check Point R81 Security Gateway Technical Administration Guide], Check Point CCSA - R81: Practice Test & Explanation

 The answer is B because querying logs now is very fast because the Indexing Engine indexes logs for faster search results. The Indexing Engine is a component of the Smart-1 appliance that creates indexes for log fields and values, such as source, destination, action, and time. The indexes enable quick and efficient searches of large amounts of log data.References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point R81 Indexing Engine]

The SOLR database is used for full text search and enables powerful matching capabilities3 . SOLR is an open source enterprise search platform that provides fast and scalable indexing and searching of data. It supports advanced features such as faceting, highlighting, spell checking, synonyms, etc. The SOLR database is used by Check Point products such as SmartLog and SmartEvent to store and query logs and events3 . The other options are incorrect. Option B is false, as SOLR does not write data to the database, but only reads data from it. Option C is false, as SOLR does not serve GUI, but only provides a RESTful API for queries. Option D is false, as SOLR does not enable powerful matching capabilities and write data to the database, but only enables powerful matching capabilities. References: SOLR - Check Point Software, [Apache Solr]

The correct answer is D because the command save configuration  stores the Gaia configuration in a file for later reference1. The other commands are not valid in Gaia Clish1. References: Gaia R81.10 Administration Guide

Automatic Hide NAT enables Source Port Address Translation by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

Manual NAT can offer more flexibility than Automatic NAT because it allows the administrator to define the NAT rules in any order and position1. Automatic NAT creates the NAT rules automatically and places them at the top or bottom of the NAT Rule Base2. References: Check Point R81 Firewall Administration Guide, Check Point R81 Security Management Administration Guide

 To ensure that VMAC mode is enabled, you should run the command fw ctl get int fwha_vmac_global_param_enabled on all cluster members and check that the result of the command returns the value 11. This command shows the current value of the global kernel parameter fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled or disabled. VMAC mode is a feature that associates a Virtual MAC address with each Virtual IP address of the cluster, which reduces the need for Gratuitous ARP packets and improves failover performance1. The other options are incorrect. Option A is not a valid command. Option C is a command to show the status of cluster interfaces, not VMAC mode2. Option D is a command to show the value of a different global kernel parameter, fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled for all interfaces or only for non-VLAN interfaces1. References: How to enable ClusterXL Virtual MAC (VMAC) mode, cphaprob

Smart Cloud Services is an option for deployment of Check Point SandBlast Zero-Day Protection. It is a cloud-based service that provides advanced threat prevention for files and URLs, without requiring any on-premise infrastructure or appliances . References: [Check Point SandBlast Zero-Day Protection], [Smart Cloud Services]

A security zone is a group of one or more network interfaces from different centrally managed gateways that have the same security requirements. The zone is based on the network topology and determined according to where the interface leads to. For example, a zone can be defined as internal, external, DMZ, VPN, etc. Security zones are supported by Check Point firewalls and can be used to simplify security policies and network segmentation. The firewall rule can be configured to include one or more zones as source or destination objects. The local directly connected subnet defined by the subnet IP and subnet mask is not considered part of the zone, but rather a property of the interface.References: [Security Zones], [Security Zones Best Practices]

Using AD Query, the security gateway connections to the Active Directory Domain Controllers using LDAP (Lightweight Directory Access Protocol). The other protocols are not used for this purpose.

References: : [Check Point R81 Identity Awareness Administration Guide], page 14.

Identity Sharing is a feature that allows Security Gateways to acquire and share identities with other Security Gateways, enabling identity-based access control across different network segments or domains13. Management servers, users, and administrators do not share identities with Security Gateways.

References: Identity Awareness R81.10 Administration Guide, Check Point R81.10

The command api status shows the API server status, including whether it is enabled or not, the port number, and the API version1. References: Check Point R81 API Reference Guide

The tool that is used to enable ClusterXL is cpconfig. ClusterXL is a software-based Load Sharing and High Availability solution that distributes network traffic between clusters of redundant Security Gateways1. To enable ClusterXL, you need to run the cpconfig command on each cluster member and select Enable Cluster membership for this gateway2. Therefore, the correct answer is B. cpconfig. 

 To use Application objects in a rule, the “Applications & URL Filtering” blade should be enabled on the policy layer where the rule is being created. Enabling the “Application Control” blade on a gateway is not enough3.

References: 3: Check Point R81 Security Management Administration Guide, page 102.

The Sticky Decision Function (SDF) is required to prevent failovers in an Active-Active cluster. The SDF ensures that the same cluster member handles all connections that belong to a certain session. If the SDF is not enabled, different cluster members may handle different connections of the same session, which may cause a failover or a drop12. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

The VPN Domains configuration element determines which traffic should be encrypted into a VPN tunnel vs. sent in the clear. The VPN Domain is the set of hosts and networks that are allowed to communicate securely with the gateway12. The firewall topologies, NAT rules, and the rule base do not directly affect the VPN encryption decision. References: Check Point R81 Security Gateway Technical Administration Guide, CCSA/CCSE Exam Tips & Content - R80.X vs. R81.X - Check Point CheckMates

 A clean-up rule is a rule that is placed at the end of the security policy to drop any traffic that is not explicitly allowed by the previous rules. It is a best practice to have a clean-up rule to prevent unauthorized access and log the dropped packets for analysis12. The other options are not the purpose of a clean-up rule. References: Clean-up Rule, Check Point CCSA - R81: Practice Test & Explanation

 When LDAP is integrated with Check Point Security Management, it is then referred to as User Directory. User Directory is a feature that allows you to import users and groups from an external LDAP server and use them in your security policies. User Center, User Administration, and UserCheck are different features that are not related to LDAP integration.References: [User Directory], [LDAP Integration]

The protocol that is specifically used for clustered environments is Cluster Control Protocol (CCP). CCP is a proprietary Check Point protocol that is used for communication between cluster members and for cluster administration. CCP enables cluster members to exchange state information, synchronize connections, monitor interfaces, and perform failover operations. The other options are incorrect. Clustered Protocol, Synchronized Cluster Protocol, and Control Cluster Protocol are not valid terms in Check Point terminology. References: [Cluster Control Protocol (CCP) - Check Point Software]

If a network administrator has identified a malicious host on the network and instructed you to block it, but you cannot make any firewall policy changes at this time, you can use Suspicious Activity Monitoring (SAM) rules to block this traffic. SAM rules are temporary rules that allow you to block or limit traffic from specific sources or destinations without modifying the security policy. SAM rules are created and managed by SmartView Monitor and are enforced by the security gateway for a specified duration. Anti-Bot protection, Anti-Malware protection, and Policy-based routing are not tools that can be used to block traffic without changing the firewall policy. References: [Check Point R81 SmartView Monitor Administration Guide]

Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. This option allows the administrator to select which tunnels should be permanent and which should be established on demand. The other options are not valid, as they do not match the available choices in the VPN community settings.

References: [VPN Administration Guide], [Check Point R81.10]

Stateful Inspection compiles and registers connections in the State Table. The State Table is a database that stores information about active connections and sessions on the Security Gateway. The other options are not valid names for the database that stores connection information.

References: 1: Policy Types 2: CPUSE 3: SIC : [Software Containers] : [Stateful Inspection]

To increase security, the administrator has modified the Core protection ‘Host Port Scan’ from ‘Medium’ to ‘High’ Predefined Sensitivity. The administrator should install the Threat Prevention Policy after Publishing the changes3. The Threat Prevention Policy defines how the Security Gateway inspects and protects against threats such as port scans, bot attacks, and zero-day exploits4. References: Check Point R81 Firewall Administration Guide, Check Point R81 Threat Prevention Administration Guide

 A stateful inspection firewall works by registering connection data and compiling this information in state tables. State tables are data structures that store information about the state and context of each connection, such as source, destination, service, protocol, sequence number, flags, etc. State tables enable the firewall to inspect both the header and the payload of each packet and apply security policies accordingly.References: [Stateful Inspection], [State Tables]

 DLP and Geo Policy are examples of Shared Policies. Shared Policies are policies that can be shared with other policy packages to save time and effort when managing multiple gateways with similar security requirements. Shared Policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers. Other types of policies include Inspection Policies, Unified Policies, and Standard Policies. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

R80 is supported by Gaia only, which is Check Point’s unified security operating system for all Check Point appliances, open servers, and virtualized gateways1, p. 14. Windows and SecurePlatform are not supported by R80. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Learning and Training Frequently Asked Questions (FAQs)]

The port used for full synchronization between cluster members is TCP port 2654. This port is used by the Firewall Kernel to send and receive synchronization data, such as connection tables, NAT tables, and VPN keys4. UDP port 8116 is used by the Cluster Control Protocol (CCP) for internal communications between cluster members4. References: How does the Cluster Control Protocol function in working and failure scenarios for gateway clusters?

 When you upload a package or license to the appropriate repository in SmartUpdate, the package or license is stored on the Security Management Server. SmartUpdate is a tool that allows you to centrally manage software updates and licenses for all Check Point products on your network.

References: : Check Point R81 Security Management Administration Guide, page 16.

Bridge Mode is a deployment option for Check Point Security Gateway that allows it to act as a transparent bridge between two network segments, without changing the IP addressing scheme. Bridge Mode supports most of the security features, such as Data Loss Prevention, Antivirus, Application Control, etc. However, Bridge Mode does not support NAT, because NAT requires modifying the IP addresses or ports of the packets, which contradicts the transparent nature of Bridge Mode1. References: Check Point R81 Security Gateway Technical Administration Guide

 Only one user can have read/write access in Gaia Operating System at one time2. This is to prevent conflicts and errors when multiple users try to modify the same configuration settings. References: Check Point Gaia Administration Guide

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

 The answer is A because Identity Awareness commands are used to support identity sharing between Security Gateways. Policy Decision Point (PDP) is the Security Gateway that collects identities from various sources and shares them with other gateways. Policy Enforcement Point (PEP) is the Security Gateway that enforces the policy based on the identities received from the PDP12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Security Management Administration Guide

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s3. The Management API’s support HTTPS protocol only, not HTTP3. The other methods are valid ways to communicate using the Management API’s3. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

The correct answer is B because Threat Extraction always delivers a file and takes less than a second to complete2. Threat Extraction removes exploitable content from files and delivers a clean and safe file to the user2. Threat Emulation analyzes files in a sandbox environment and delivers a verdict of malicious or benign2. Threat Emulation can take more than 3 minutes to complete depending on the file size and complexity2. References: Check Point R81 Threat Prevention Administration Guide

 The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway. Installing the Security Policy is not necessary because it does not affect the CoreXL configuration1. References: Check Point R81 Security Management Administration Guide

The three deployment considerations for a secure network are Remote, Standalone, and Distributed3. Remote deployment means that the Security Management Server and Security Gateway are installed on different machines. Standalone deployment means that the Security Management Server and Security Gateway are installed on the same machine. Distributed deployment means that there are multiple Security Gateways managed by one or more Security Management Servers3. Therefore, the correct answer is C. Remote, Standalone, and Distributed.

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own. In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties34 References: Part 4 - Installing Security Gateway, Deployment Options

The CDT utility supports all upgrades, including major version upgrades, Jumbo HFA’s, and hotfixes3. References: Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent

 The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway. Installing the Security Policy is not necessary because it does not affect the CoreXL configuration1. References: Check Point R81 Security Management Administration Guide

When tunnel test packets no longer invoke a response, SmartView Monitor displays Down for the given VPN tunnel1. This means that the VPN tunnel is not operational and there is no IKE or IPsec traffic passing through it. No Response, Inactive, and Failed are not valid statuses for VPN tunnels in SmartView Monitor. References: Smart View Monitor displays status for all S2S VPN tunnels - Phase1 UP

When a SAM rule is required on Security Gateway to quickly block suspicious connections which are not restricted by the Security Policy, the administrator needs to take the following action: SmartView Monitor should be opened and then the SAM rule/s can be applied immediately. Installing policy is not required. SAM stands for Suspicious Activity Monitoring and is a feature that allows administrators to block or limit connections from specific sources or destinations without modifying the security policy. SAM rules can be created from SmartView Monitor or SmartEvent based on real-time network activity or security events. References: [Check Point R81 SmartView Monitor Administration Guide]

Upgrading the Security Gateway does not require a new license to be generated and installed. The license is tied to the IP address or hostname of the Security Gateway, not the software version. However, if the IP address or hostname changes, the existing license expires, or the license is upgraded, a new license must be generated and installed12 References: Check Point R81, Managing and Installing license via SmartUpdate

To optimize drops, you can use Priority Queues and fully enable Dynamic Dispatcher on the Security Gateway23. Priority Queues are a mechanism that prioritizes part of the traffic when the Security Gateway is stressed and needs to drop packets. Dynamic Dispatcher is a feature that dynamically assigns new connections to a CoreXL FW instance based on the utilization of CPU cores. To enable both features, you need to run the command fw ctl multik set_mode 9 on the Security Gateway4. Therefore, the correct answer is C. fw ctl multik set_mode 9. References: CoreXL Dynamic Dispatcher - Check Point Software, Firewall Priority Queues in R80.x / R81.x - Check Point Software, Separate Config for Dynamic Dispatcher and Priority Queues

To view the policy installation history for each gateway, an administrator would use the Installation history tool1, p. 22. The Installation history tool shows the date and time of each policy installation, the name of the administrator who installed it, and the status of the installation3. Revisions, Gateway installations, and Gateway history are not valid tools in SmartConsole. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point SmartConsole R81 Help

Quick Mode Complete is the message that indicates IKE Phase 2 has completed successfully2. IKE Phase 2 is also known as Quick Mode or Child SA in IKEv1 and IKEv2 respectively. Aggressive Mode and Main Mode are part of IKE Phase 1, which establishes the IKE SA. IKE Mode is not a valid term for IKE negotiation. References: How to Analyze IKE Phase 2 VPN Status Messages, IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges, Understand IPsec IKEv1 Protocol

The correct answer is D because the command save configuration  stores the Gaia configuration in a file for later reference1. The other commands are not valid in Gaia Clish1. References: Gaia R81.10 Administration Guide

 A firewall can NOT prevent a network bandwidth saturation attack, which is a type of denial-of-service (DoS) attack that aims to consume all the available bandwidth of a target network or device1, p. 9. A firewall can prevent other types of attacks, such as buffer overflow, SYN flood, and SQL injection, by inspecting packets and applying security rules2, p. 11-12. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

 A SAM (Suspicious Activity Monitoring) rule is implemented to provide the function or benefit of blocking suspicious activity. A SAM rule is a rule that defines an action to be taken by the firewall when it detects a suspicious activity, such as an attack, a scan, or a policy violation. The action can be blocking, dropping, rejecting, or logging the traffic that triggered the suspicious activity. A SAM rule can be created manually or automatically by other security features, such as IPS, Anti-Bot, or SmartEvent.References: [SAM Rules], [Suspicious Activity Rules]

When using Automatic Hide NAT, Source Port Address Translation (PAT) is enabled by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

 Bridge Mode Check Point Security Gateway does not support NAT. Bridge Mode is a deployment option that allows the Security Gateway to inspect traffic without being a routing hop. In Bridge Mode, the Security Gateway does not have an IP address and cannot perform NAT1. Therefore, the correct answer is C. NAT. 

The default layers that are included when creating a new policy layer are Access Control, Threat Prevention, and HTTPS Inspection. Access Control is the layer that defines the basic firewall rules. Threat Prevention is the layer that enables the protection against various types of attacks, such as IPS, Anti-Virus, Anti-Bot, etc. HTTPS Inspection is the layer that allows the inspection of encrypted traffic1. The other options are not the default layers that are included when creating a new policy layer.

 The correct answer is A because a pencil icon in a rule means that you have changed this rule3. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when3. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

Back up and restores can be accomplished through SmartConsole, WebUI, or CLI12. These are the methods to perform system backup and restore, which save and restore the Gaia OS configuration and the Security Management Server database1. WebUI, CLI, or SmartUpdate are not valid methods, as SmartUpdate is used to install software packages and patches, not to back up or restore the system3. CLI, SmartUpdate, or SmartBackup are not valid methods, as SmartBackup is a feature of SmartProvisioning that allows backing up and restoring the configuration of Security Gateways and VSX clusters4. SmartUpdate, SmartBackup, or SmartConsole are not valid methods, as SmartConsole is used to configure and manage the Security Policy, not to back up or restore the system5.

References: System Backup and Restore feature in Gaia, Check Point R81.10, INSTALLATION AND UPGRADE GUIDE R81.10, SmartProvisioning R81.10 Administration Guide, QUANTUM SECURITY MANAGEMENT R81

The tracking actions that can be selected when configuring Spoof Tracking are Log, alert, none. Spoof Tracking is a feature that detects packets with spoofed source IP addresses and logs them in SmartView Tracker. The administrator can choose to log only, log and alert, or do nothing when spoofed packets are detected. The other options are not valid tracking actions for Spoof Tracking, as they are either not available or not relevant for this feature.

References: [Spoof Tracking], [Firewall Administration Guide]

 Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication. Captive Portal is a web page that prompts users to enter their credentials. Transparent Kerberos Authentication is a method that automatically authenticates users who have a valid Kerberos ticket from the Active Directory domain controller2. UserCheck is a feature that allows users to interact with the security policy, not a method of authentication. User Directory is a component that integrates with external user databases, not a web page for authentication. Captive Portal alone is not enough to fill in the blank, as it is only one of the methods used by Browser-based Authentication.

The correct answer is D because from SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path3. The Firewall Path is used when SecureXL is disabled or traffic is not eligible for acceleration3. The Accelerated Path is used when SecureXL handles the entire connection and bypasses the Firewall kernel3. The Medium Path is used when SecureXL handles part of the connection and forwards packets to the Firewall kernel for further inspection3. The other options are not valid paths of traffic flow from SecureXL perspective3. References: Check Point R81 Performance Tuning Administration Guide

The components of Check Point Capsule are Capsule Docs, Capsule Cloud, and Capsule Workspace123. There is no Capsule Enterprise component. Capsule Docs protects business documents everywhere they go. Capsule Cloud protects mobile users outside the enterprise security perimeter. Capsule Workspace creates a secure business environment on mobile devices. References: Check Point Capsule Datasheet, Check Point Capsule Workspace Datasheet, Mobile Secure Workspace with Capsule

The INSPECT Engine is a technology that extracts detailed information from packets and stores that information in state tables. It enables stateful inspection and application layer filtering12 References: INSPECT Engine, Stateful Inspection

 The statement that information on a user is hidden, yet distributed across several servers is not an advantage to using multiple LDAP servers. LDAP (Lightweight Directory Access Protocol) is a protocol that allows access to a centralized directory service that stores information about users, groups, devices, etc. Using multiple LDAP servers can provide advantages such as faster access time, compartmentalization, and high availability, but not hiding information. Information on a user is not hidden by using multiple LDAP servers, but rather replicated or partitioned across them. Replication means that the same information is copied to all LDAP servers, while partitioning means that different information is stored on different LDAP servers. Both methods aim to improve performance and reliability, not security or privacy.References: [LDAP Integration], [LDAP]

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References: Check Point Security Management Administration Guide R81, p. 9

The Application Layer Firewalls inspect traffic through the Lower layer(s) of the TCP/IP model and up to and including the Application layer. The lower layers are the Physical, Data Link, and Network layers, which deal with the transmission and routing of packets. The Application layer is the highest layer of the TCP/IP model, which provides services and protocols for specific applications such as HTTP, FTP, SMTP, etc. The Application Layer Firewalls can inspect the content and context of the traffic and enforce granular security policies based on various criteria such as user identity, application identity, content type, etc. References: [Check Point R81 Firewall Administration Guide]

 ThreatWiki is a web-based tool that provides statistics on detected threats, such as attack types, sources, destinations, and severity. It also allows the administrator to search for specific threats and view their details and mitigation methods. The other options are not tools for viewing statistics on detected threats. References: [ThreatWiki], [ThreatWiki - Threat Emulation]

The answer is B because Geo policy shared policy is used to create policy for traffic to or from a particular location based on the source or destination country. DLP shared policy is used to prevent data loss by inspecting files and data for sensitive information. Mobile Access software blade is used to provide secure remote access to corporate resources from various devices. HTTPS inspection is used to inspect encrypted web traffic for threats and compliance4References: Check Point R81 Geo Policy Administration Guide, [Check Point R81 Data Loss Prevention Administration Guide], [Check Point R81 Mobile Access Administration Guide], [Check Point R81 HTTPS Inspection Administration Guide]

 Log query results can be exported to Comma Separated Value (csv) file format. CSV is a file format that stores tabular data in plain text. It is compatible with various applications, such as Excel, Google Sheets, etc. The other options are not valid file formats for exporting log query results.

References: 1: Gaia Roles 2: Gaia Default Users 3: Anti-Virus : [Exporting Logs]

Application information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option4. The “Extended Log” option provides additional information about the application, such as name, category, risk, and technology4. References: LOGGINGAND MONITORING R80

 Address translation is not a role of the SmartCenter, as it is performed by the Security Gateway based on the NAT policy configured in the SmartConsole5. The other options are roles of the SmartCenter, as it is responsible for status monitoring, policy configuration, and certificate authority for the Security Gateways5.

References: Gaia R81.10 Administration Guide, QUANTUM SECURITY MANAGEMENT R81, Remote Access VPN R81 Administration Guide

The most likely reason for Vanessa’s authentication failure is that she is using the wrong details for SmartConsole. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. She needs to use the credentials that were defined during the initial configuration of the Security Management Server, or the ones that were assigned to her by the administrator12. The other options are not valid reasons for this error. References: SmartConsole Login, Check Point CCSA - R81: Practice Test & Explanation

 Snapshot is the backup utility that captures the most information and tends to create the largest archives. Snapshot creates an image of the entire system, including operating system files, configuration files, databases, and logs. It can be used to restore the system in case of a failure or corruption. Backup creates a compressed file that contains configuration files and databases, but not operating system files or logs. It can be used to restore configuration settings and policies. Database Revision creates a backup of only the database files that store policies and objects. It can be used to revert to a previous revision of the database. Migrate export creates a compressed file that contains configuration files, databases, and logs, but not operating system files. It can be used to migrate data from one machine to another with different hardware or software versions.References: [Backup and Restore], [Database Revision Control], [Migrate Tools], [Hewlett Packard Enterprise Support Center]

The Sticky Decision Function (SDF) can only be changed for Load Sharing implementations, not for High Availability implementations4. References: Check Point ClusterXL R81 Administration Guide

The technologies that are used to deny or permit network traffic are Stateful Inspection, Firewall Blade, and URL/Application Blade. Stateful Inspection is a technology that inspects network traffic at the packet level and maintains the state and context of each connection. Firewall Blade is a software blade that enforces security policy and prevents unauthorized access to protected resources. URL/Application Blade is a software blade that enables administrators to control access to millions of websites and applications based on users, groups, and machines.

References: : Check Point R81 Security Gateway Administration Guide, page 9. : Check Point R81 Security Gateway Administration Guide, page 10. : Check Point R81 Security Gateway Administration Guide, page 12.

The Check Point software blade that provides Application Security and identity control is Application Control3 . Application Control enables network administrators to identify, allow, block, or limit usage of thousands of applications and millions of websites3 . Therefore, the correct answer is D. Application Control

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given. DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1. DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES. 3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

• What is DES encryption, and why was it replaced?
• Data Encryption Standard - Wikipedia
• What is 3DES encryption?
• [What is AES encryption and how does it work?]

The fwm process is responsible for managing the communication between the SmartConsole and the Security Management Server. It can only be seen on a Management Server12. References: Check Point Processes and Daemons, Check Point CCSA - R81: Practice Test & Explanation