For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

The cloud-based SandBlast Mobile application that is used to register new devices and users is  Check Point Gateway . Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

 To ensure that VMAC mode is enabled, the CLI command that should be run on all cluster members is  fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1 . VMAC mode is a feature that allows ClusterXL to use virtual MAC addresses for cluster interfaces, instead of physical MAC addresses. This improves the failover performance and compatibility of ClusterXL with switches and routers. To check if VMAC mode is enabled, the command fw ctl get int fwha_vmac_global_param_enabled can be used, which returns 1 if VMAC mode is enabled, and 0 if VMAC mode is disabled. 

 To enable MTA (Mail Transfer Agent) functionality in the Security Gateway, the  Threat Prevention Software Blade Package  is required. The Threat Prevention Software Blade Package includes the Anti-Virus, Anti-Bot, and Threat Emulation blades, which can scan and hold external email with potentially malicious attachments. The MTA functionality allows the Security Gateway to act as an SMTP relay between the mail server and the Internet, and apply Threat Prevention policies to the email traffic.  The other options are either not related or not sufficient to enable MTA functionality. R

With SecureXL enabled, accelerated packets will pass through the following:  Network Interface Card and the Acceleration Device . SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. Accelerated packets are packets that match certain criteria and can be handled by SecureXL without involving the Firewall kernel. These packets bypass the OSI Network Layer, OS IP Stack, and Check Point Firewall Kernel, and are processed directly by the Network Interface Card and the Acceleration Device.  The other options are either incorrect or describe non-accelerated packets. 

The Access Control policy supports two policy layers. These are the Network layer and the Applic a tion & URL Filtering layer. The Network layer contains rules that control the network traffic based on the source, destination, service, and action.  The Application & URL Filtering layer contains rules that control the application and web access based on the application, site category, and user identity 1 2 .

The Access Control policy can also use inline layers, which are sub-policies that are embedded within a rule.  Inline layers allow more granular control over specific traffic or scenarios, such as VPN, Mobile Access, or different user groups 1 3 .  However, inline layers are not considered as separate policy layers, but rather as extensions of the parent rule 4 .

Therefore, the correct answer is A. The Access Control policy supports two policy layers.

 The deployment of Check Point API does not have the purpose of creating a customized GUI Client for manipulating the objects database. The Check Point API is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The Check Point API can be used to execute an automated script to perform common tasks, create products that use and enhance the Check Point solution, and integrate Check Point products with 3rd party solutions.  However, creating a customized GUI Client for manipulating the objects database is not a supported or intended use case of the Check Point API. 

According to the Check Point website, Capsule Connect and Capsule Workspace both offer secured connection for remote users who are using their mobile devices. However, there are differences between the two. For credential protection, Connect uses One-time Password login support and has no SSO support, whereas Workspace offers both One-Time Password and certain SSO login support. The other statements are either false or partially true. References: Capsule Connect and Capsule Workspace

 The Logs and Monitor tab is used to monitor network and security performance in SmartConsole. The Logs and Monitor tab lets you view and analyze logs, events, reports, and alerts from various sources, such as Security Gateways, Security Management Servers, Endpoint Security Servers, and SmartEvent Servers.  You can also use the Logs and Monitor tab to create custom views, filters, qu e ries, and charts to display the data that is relevant to your needs 1 2 .

According to the Check Point website, SmartUpdate is the application that should be used to install a contract file. A contract file contains information about the licenses and services that are purchased from Check Point. SmartUpdate can also be used to install software packages and patches on Security Gateways and Management Servers. The other applications are either not relevant or not capable of installing a contract file. References: SmartUpdate

  Log Consolidator  is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

The “fw monitor” tool can be best used to troubleshoot  network traffic issues . Fw monitor is a tool that allows administrators to capture packets at different inspection points in the Firewall kernel, and apply filters and flags to analyze the traffic. Fw monitor can help troubleshoot network connectivity problems, packet drops, NAT issues, VPN issues, and more. The other options are either not related or less suitable for fw monitor.

AppWiki is the Check Point feature that enables application scanning and the detection.  AppWiki is an easy to use tool that lets you search and filter Check Point’s Web 2.0 Applications Database to find out information about internet applications, including social network widgets; filter by a categ o ry, tag, or risk level; and search for a keyword or application 1 .  AppWiki helps you to identify and co n trol the applications on your network, and to apply granular policies based on the application type, risk, and characteristics 1 .  AppWiki is integrated with the Check Point Application Control Software Blade, which provides the industry’s strongest application security and identity control to organiz a tions of all sizes 1 .

Once a certificate is revoked from the Security Gateway by the Security Management Server, the ce r tificate information is stored on the Certificate Revocation List (CRL). The CRL is a list of certificates that have been revoked by the Internal Certificate Authority (ICA) and are no longer valid for Secure Internal Communication (SIC).  The CRL is signed by the ICA and issued to all the managed Security Gateways the next time a SIC connection is made 1 2 . The CRL helps to prevent unauthorized access to the Security Management Server by revoked Security Gateways.

 Identity Awareness AD-Query is using the Microsoft  WMI  API to learn users from AD. WMI stands for Windows Management Instrumentation, and it is an API that allows remote management and monitoring of Windows systems. Identity Awareness AD-Query is a feature that enables the Security Gateway to query Active Directory servers for user and computer information, such as login events, group membership, and IP addresses. By using the WMI API, Identity Awareness AD-Query can receive real-time notifications from Active Directory servers without installing any agents or scripts on them.