156-215.81 Check Point Certified Security Administrator R81.20 CCSA (156-215.81.20) Questions and Answers

 RADIUS Accounting gets identity data from requests generated by the accounting client. RADIUS Accounting is a feature that allows tracking and measuring resource usage of network services by users. The accounting client, which is usually a network access server (NAS), sends accounting requests to a RADIUS server with information about user sessions, such as start and stop times, bytes transmitted and received, IP addresses, etc. The RADIUS server records this information in a database for billing, auditing, or reporting purposes. One of the mandatory attributes that the accounting client must include in every accounting request is the User-Name attribute, which identifies the user who is accessing the network service.

The INSPECT Engine is the core component of Check Point’s Stateful Inspection technology. It is used to extract state related information from packets and store that information in state tables. The INSPECT Engine also evaluates the security policy and enforces it on the packets1. References: Check Point R81 Security Gateway Technical Administration Guide

Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. This option allows the administrator to select which tunnels should be permanent and which should be established on demand. The other options are not valid, as they do not match the available choices in the VPN community settings.

References: [VPN Administration Guide], [Check Point R81.10]

The GAiA Portal is the WebUI for Check Point security appliances. By default, it uses the HTTPS protocol for secure communication. The default port for HTTPS-based web access is port 443.

Port 4434 (A) is not the default port for GAiA Portal.

Port 80 (B) is the default for standard HTTP, but GAiA Portal requires HTTPS.

Port 8080 (C) is sometimes used for alternative web services, but not for GAiA Portal.

Port 443 (D) is the correct default port for GAiA Portal access.

Thus, the correct answer is D. 443.

 Log, Alert, and None are the tracking options that an Administrator can select when configuring Anti-Spoofing. Log means that the packet will be logged in SmartView Tracker. Alert means that the packet will trigger an alert in SmartView Monitor. None means that no action will be taken2. The other options are not valid tracking options.

The selected option “Accept Domain Name over UDP (Queries)” means that UDP Queries will be accepted by the traffic allowed only through interfaces with external anti-spoofing topology and this will be done before first explicit rule written by Administrator in a Security Policy. This option enables the Security Gateway to accept DNS queries from external hosts and forward them to internal DNS servers. The queries are accepted by an implied rule that is applied before the explicit rules in the Security Policy. The implied rule only allows queries from interfaces that have external anti-spoofing groups defined . References: Check Point R81 Quantum Security Gateway Guide, Implied Rules

Application information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option4. The “Extended Log” option provides additional information about the application, such as name, category, risk, and technology4. References: LOGGINGAND MONITORING R80

When a policy package is installed, user and objects databases are also distributed to the target installation Security Gateways14. The user and objects databases contain information about network objects, users, groups, services, VPN domains, and more14. Therefore, the correct answer is A. User and objects databases.

The answer is D because in R80 and above, the first administrator to connect to the Management Server using SmartConsole gets a lock on only the objects being modified in his session of the Management Database. Other administrators can connect to make changes using different sessions, but they cannot modify the same objects as the first administrator until he publishes his changes. This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously12 References: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

The types of VPN communities are Meshed, Star, and Combination. A Meshed community is a group of Security Gateways that have VPN connections between every pair of members. A Star community has one Security Gateway as the center and other Security Gateways or hosts as satellites. A Combination community is a group of Meshed and Star communities. References: [Check Point R81 Site-to-Site VPN Administration Guide]

 A clean-up rule is a rule that is placed at the end of the security policy to drop any traffic that is not explicitly allowed by the previous rules. It is a best practice to have a clean-up rule to prevent unauthorized access and log the dropped packets for analysis12. The other options are not the purpose of a clean-up rule. References: Clean-up Rule, Check Point CCSA - R81: Practice Test & Explanation

One limitation of using Security Zones in the network is that Security Zones will not work in Manual NAT rules. Manual NAT rules are rules that explicitly define how to translate the source and destination IP addresses and ports of each connection. Manual NAT rules do not support using Security Zones as objects, only network objects or groups. Automatic NAT rules are rules that automatically define how to translate the source and destination IP addresses and ports of each connection based on the network objects or groups properties. Automatic NAT rules support using Security Zones as objects. Security Zones can also work in firewall policy layer and network topology.References: [Security Zones Best Practices], [NAT Methods]

Browser-Based Authentication is the best method for enabling Identity Awareness on the Check Point firewalls for users who use company issued or personal laptops. Browser-Based Authentication redirects users to a web page where they enter their credentials to access the network resources. This method does not require any installation or configuration on the user’s device and supports any operating system and browser. AD Query is a method that queries Active Directory servers for user login events and maps them to IP addresses. This method does not work for personal laptops that are not joined to the domain. Identity Agents are software agents that run on Windows or macOS devices and provide user and machine identity information to the firewall. This method requires installation and management of the agents on each device, which may not be feasible for personal laptops. Terminal Servers Agent is a method that identifies users who connect to Windows Terminal Servers or Citrix servers via RDP or ICA protocols. This method does not apply to laptops that connect directly to the network910 References: Identity Awareness Reference Architecture and Best Practices, Part 10 - Identity

The command show config-state can be used to verify if there are unsaved changes in GAiA that will be lost with a reboot . The other commands are not valid in GAiA. References: [Check Point GAiA Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation]

In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway using the CPLIC command1. This command allows you to install a license from a file or from the User Center1. Therefore, the correct answer is D. True, Central License can be installed with CPLIC command on a Security Gateway. 

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. You can add Accounting and/or Suppression to each of these options1. Accounting enables you to track the amount of data that is sent or received by a specific rule. Suppression enables you to reduce the number of logs that are generated by a specific rule. Therefore, the correct answer is C. Accounting/Suppression. References: Logging and Monitoring Administration Guide R80 - Check Point Software

 The command that can be used to determine the software version from the CLI is fw ver. This command displays the version of the firewall module and the build number3 . fw stat, fw monitor, and cpinfo are not commands for software version identification. References: Check Point R81 Command Line Interface Reference Guide, [156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics]

 Check Point technologies that deny or permit network traffic are packet filtering, stateful inspection, and application layer firewall1, p. 15-16. Packet filtering is a basic firewall technique that examines packets based on their source and destination addresses and ports2, p. 13. Stateful inspection is an advanced firewall technique that tracks the state and context of network connections and inspects packets based on their content and sequence2, p. 13. Application layer firewall is a firewall technique that operates at the application layer of the OSI model and inspects packets based on their application protocols and data2, p. 14. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

 The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway. Installing the Security Policy is not necessary because it does not affect the CoreXL configuration1. References: Check Point R81 Security Management Administration Guide

 Identity Awareness allows the Security Administrator to configure network access based on network location, identity of a user, and identity of a machine1. These are the three main identity sources that Identity Awareness supports1. References: Identity Awareness R80.40 Administration Guide

 Authentication rules are defined for user groups rather than individual users1. To define authentication rules, you must first define users and groups. You can define users with the Check Point user database, or with an external server, such as LDAP1. UserCheck is a feature that enables user interaction with security events2. Individual users and all users in the database are not valid options for defining authentication rules. References: How to Configure Client Authentication, UserCheck

SmartView Monitor is the tool that allows you to monitor the top bandwidth on SmartConsole. SmartView Monitor is a graphical tool that displays real-time network and security performance data, such as traffic, throughput, connections, CPU usage, memory usage, etc. You can use SmartView Monitor to identify the top bandwidth consumers and optimize your network performance.References: [SmartView Monitor], [Monitoring Network Traffic]

The protocol that is specifically used for clustered environments is Cluster Control Protocol (CCP). CCP is a proprietary Check Point protocol that is used for communication between cluster members and for cluster administration. CCP enables cluster members to exchange state information, synchronize connections, monitor interfaces, and perform failover operations. The other options are incorrect. Clustered Protocol, Synchronized Cluster Protocol, and Control Cluster Protocol are not valid terms in Check Point terminology. References: [Cluster Control Protocol (CCP) - Check Point Software]

The IPS (Intrusion Prevention System) Software Blade provides comprehensive protection against malicious and unwanted network traffic, focusing on application and server vulnerabilities. The other options are not related to this function.

References: : [Check Point R81 Threat Prevention Administration Guide], page 9.

Domain-based— VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

This statement is not true because a VPN domain is not a service or user, but a host or network that can send or receive VPN traffic through a VPN Gateway1. This is the definition given in the Site to Site VPN R81 Administration Guide1. The other statements are true according to the same guide1.

Remote Access VPN R81.20 Administration Guide

Site to Site VPN R81 Administration Guide

DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud

The Online Activation method is available for Check Point manufactured appliances. The administrator uses the Online Activation method by using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts. This method requires internet access and a valid User Center account. References: [Check Point Licensing and Contract Operations User Guide], [Check Point R81 Gaia Installation and Upgrade Guide]

The option that allows all encrypted and non-VPN traffic that matches the rule is Accept all encrypted traffic. This option enables you to allow traffic to any destination that is encrypted, regardless of whether it is part of a VPN community or not2. Therefore, the correct answer is B. Accept all encrypted traffic. 

 The best upgrade method when the management server is not connected to the Internet is CPUSE offline upgrade . This method allows you to download the upgrade package from another source and install it manually on the management server. The other methods require Internet connection or are not supported for R80.10. References: [R80.10 Upgrade Verification and FAQ], [Check Point CCSA - R81: Practice Test & Explanation]

The type of NAT that is a one-to-one relationship where each host is translated to a unique address is Static NAT. Static NAT maps an unregistered IP address to a registered IP address on a one-to-one basis3. This means that for each internal host, there is a corresponding external address that represents it3. Therefore, the correct answer is B

 The correct answer is A because session unique identifiers are passed to the web api using the X-chkp-sid http header option1. The X-chkp-sid header is used to authenticate and authorize API calls1. The other options are not related to session unique identifiers. References: Check Point R81 Security Management Administration Guide

Gaia can be configured using the command line interface (CLI) or the WebUI. The CLI is a text-based interface that allows you to configure and manage Gaia settings using commands and scripts. The WebUI is a graphical interface that allows you to configure and manage Gaia settings using a web browser. Gaia Interface and GaiaUI are not valid terms for Gaia configuration tools.References: [Gaia Administration Guide], [Gaia Overview]

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given. DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1. DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES. 3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

What is DES encryption, and why was it replaced?

Data Encryption Standard - Wikipedia

What is 3DES encryption?

[What is AES encryption and how does it work?]

Gaia includes Check Point Upgrade Service Engine (CPUSE), which can directly receive updates for licensed Check Point products for the Gaia operating system and the Gaia operating system itself. CPUSE is an advanced tool that automates software updates and upgrades on Gaia platforms. It can download and install packages such as hotfixes, Jumbo Hotfix Accumulators, minor versions, major versions, and OS updates.References: [CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)], [Check Point R81]

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. The Full Identity Agent is a client-side software that provides full identity awareness features, such as user authentication, computer authentication, packet tagging, identity caching, and identity sharing. The other types of Endpoint Identity Agents are Custom, Complete, and Light, which have different features and capabilities. 

 Threat Prevention is a comprehensive solution that protects networks from malicious attacks by using multiple security blades, such as Anti-Bot, Anti-Virus, IPS, Threat Emulation, and Threat Extraction. A Threat Prevention profile defines the actions and settings for each blade and can be applied to different network segments or scenarios. The Perimeter profile is one of the predefined profiles that uses sanitization technology to protect users from malicious files and links. Sanitization technology includes Threat Emulation and Threat Extraction blades, which can detect and remove malware from files and web content. References: [Check Point R81 Threat Prevention Administration Guide]

The function that can NOT be performed in the Unified SmartConsole Gateways and Servers tab is Open SSH. SSH is a secure shell protocol that allows remote access to a device via command line interface. The Unified SmartConsole does not provide an option to open SSH from the Gateways and Servers tab, as it is not a graphical user interface. The other functions can be performed in the Unified SmartConsole Gateways and Servers tab, such as upgrading the software version, opening WebUI, or opening service request with Check Point Technical Support.

References: [SSH (Secure Shell)], [QUANTUM SECURITY MANAGEMENT R81]

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own. In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties34 References: Part 4 - Installing Security Gateway, Deployment Options

The options to calculate the traffic direction are Incoming, Internal, and External3. Outgoing is not an option. Incoming traffic is traffic that enters the Security Gateway from an external network. Internal traffic is traffic that originates and terminates in networks that are directly connected to the Security Gateway. External traffic is traffic that originates or terminates in networks that are not directly connected to the Security Gateway. References: Check Point R81 Security Management Administration Guide

Application Control/URL filtering database library is known as AppWiki. AppWiki is an application classification and identification database that enables administrators to control access to thousands of applications and millions of websites. References: [Check Point R81 Application Control Administration Guide], [Check Point AppWiki]

 DLP and Geo Policy are examples of Shared Policies. Shared Policies are policies that can be shared with other policy packages to save time and effort when managing multiple gateways with similar security requirements. Shared Policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers. Other types of policies include Inspection Policies, Unified Policies, and Standard Policies. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

 A security gateway is a device that enforces the security policy on the traffic that passes through it. There are three deployment options available for a security gateway: Standalone, Distributed, and Bridge Mode. Standalone means that the security gateway and the security management server are installed on the same machine. Distributed means that the security gateway and the security management server are installed on separate machines. Bridge Mode means that the security gateway acts as a transparent bridge between two network segments, without changing the IP addressing scheme1. References: Check Point R81 Security Gateway Technical Administration Guide

The Check Point software blade that provides Application Security and identity control is Application Control3 . Application Control enables network administrators to identify, allow, block, or limit usage of thousands of applications and millions of websites3 . Therefore, the correct answer is D. Application Control

 Extended Log is a tracking option that enables administrators to see additional information about the traffic that matches a security rule, such as data type, file name, file size, etc. However, to see any data type information, Content Awareness must be enabled on the Security Gateway. Content Awareness is a blade that inspects files based on their type, size, name, and data. Content Awareness is required for Extended Log to work properly3. References: Check Point R81 Content Awareness Administration Guide

Anti-Virus is the Check Point software blade that prevents malicious files from entering a network using virus signatures and anomaly-based protections from ThreatCloud. Anti-Virus scans files and email attachments for viruses, worms, trojans, and other types of malware. It also uses ThreatCloud, a collaborative network that delivers real-time dynamic security intelligence, to detect unknown malware based on their behavior. Firewall is a software blade that enforces security policy by inspecting and controlling network traffic. Application Control is a software blade that enables administrators to control access to web applications. Anti-spam and Email Security is a software blade that protects email infrastructure from spam, phishing, and malware attacks.

The statement that is true regarding Gaia command line is that all configuration changes should be made in CLISH and expert-mode should be used for OS-level tasks. CLISH is the default shell of Gaia CLI that provides a limited set of commands for basic configuration and troubleshooting. Expert mode is an advanced shell that allows running Linux commands and accessing the file system. Configuration changes should not be done in expert-mode, as they may cause inconsistencies or errors in the system. The other statements are false regarding Gaia command line. 

The backups are stored in Check Point appliances as *.tgz files under /var/CPbackup. This is the default location for backup files created by the backup command. Therefore, the correct answer is B. Saved as *.tgz under /var/CPbackup

Identity Sharing is a feature that allows Security Gateways to acquire and share identities with other Security Gateways, enabling identity-based access control across different network segments or domains13. Management servers, users, and administrators do not share identities with Security Gateways.

References: Identity Awareness R81.10 Administration Guide, Check Point R81.10

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work. This is because SmartConsole uses a session mechanism that allows users to work offline and save their changes locally until they are ready to publish them to the Management13. If Tom loses connectivity, he can resume his session when he reconnects and continue working on his Rule Base changes. He does not need to reboot his SmartConsole computer, clear the cache, or restore changes. His changes will not be lost since he lost connectivity. References: Check Point R81 Security Management Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

The answer is A because the graphic shows the properties of a personal .p12 certificate file issued for user John. A .p12 file is a file format that contains a user’s private key and public key certificate. The graphic shows that the certificate file is valid and has an expiration date of 07-Apr-2018. The graphic also shows that the certificate file is issued by an internal CA, which is a Check Point component that manages certificates for users and gateways.References: Check Point R81 Certificate Management, Check Point R81 Internal CA

Since Bob and Joe both have Administrator Roles on their Gaia Platform and they both are logged in on different interfaces, they will both be able to make changes. Gaia allows multiple administrators to log in simultaneously and perform different tasks without locking the database or logging out each other. References: Gaia R81.20 Administration Guide, page 18.

The command show cluster state is used to monitor cluster members in CLI. It displays information such as the cluster mode, the cluster members, their status, their priority, and their interfaces.References: [ClusterXL Administration Guide], [Check Point CLI Reference Card]

The three types of UserCheck messages are inform, ask, and block. Inform messages notify users about security events and do not require any user action. Ask messages prompt users to choose whether to allow or block an action. Block messages prevent users from performing an action and display a reason1. References: Check Point R81 Logging and Monitoring Administration Guide

Secure Internal Communication (SIC) is handled by the CPD process3. CPD is the Check Point Daemon that runs on all Check Point modules and handles internal licensing and SIC operations. SIC is a mechanism that ensures secure communication between Check Point components using certificates and encryption. References: Check Point R81 Security Management Administration Guide

 Only one user can have read/write access in Gaia Operating System at one time2. This is to prevent conflicts and errors when multiple users try to modify the same configuration settings. References: Check Point Gaia Administration Guide

The Next Generation Threat Emulation software blade package uses CPU-level and OS-level sandboxing in order to detect and block malware1, p. 41. It emulates files in a virtual environment and inspects their behavior for malicious activity3. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Threat Emulation Administration Guide R81

Stateful Inspection compiles and registers connections in the State Table. The State Table is a database that stores information about active connections and sessions on the Security Gateway. The other options are not valid names for the database that stores connection information.

References: 1: Policy Types 2: CPUSE 3: SIC : [Software Containers] : [Stateful Inspection]

The Status Attention means that at least one Software Blade has a minor issue, but the gateway works1. For example, this could indicate a license expiration warning, a policy installation failure, or a blade activation problem2. References: Check Point R81 SmartConsole Guide, Check Point R81 Security Management Administration Guide

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s3. The Management API’s support HTTPS protocol only, not HTTP3. The other methods are valid ways to communicate using the Management API’s3. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

The User Directory is used to obtain identification and security information about network users. It can be integrated with external user databases such as LDAP, RADIUS, or TACACS+. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 9.

A Check Point Software license consists of two components, the Software Blade and the Software Container. There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security1. A Software Blade is a specific security function that can be enabled or disabled on a Software Container. A Software Container is a platform that runs one or more Software Blades. Security Management is a container that manages the security policy and configuration of Security Gateways. Security Gateway is a container that enforces the security policy on network traffic. Endpoint Security is a container that protects endpoints from threats and data loss. References: Check Point Licensing and Contract Operations User Guide

The “Hit Count” feature is enabled or disabled on the Policy layer in SmartConsole1. To enable or disable the “Hit Count” feature, right-click on the Policy layer and select “Edit Layer”. Then, check or uncheck the “Enable Hit Count” option1. References: Solved: Hit Count in R80.x

 The answer is A because Identity Awareness commands are used to support identity sharing between Security Gateways. Policy Decision Point (PDP) is the Security Gateway that collects identities from various sources and shares them with other gateways. Policy Enforcement Point (PEP) is the Security Gateway that enforces the policy based on the identities received from the PDP12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Security Management Administration Guide

Capsule Connect provides a Layer 3 VPN that allows users to access corporate resources securely from their mobile devices2. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications3. Capsule Workspace also provides a desktop with usable applications such as email, calendar, contacts, documents, and web applications3. References: Check Point Capsule Connect, Check Point Capsule Workspace

When URL Filtering is set, only the host part of the URL is sent to the Check Point Online Web Service for analysis. The host part is the part of the URL that identifies the web server, such as www.example.com. The Check Point Online Web Service uses this information to categorize the URL and return the appropriate action to the Security Gateway. The other options are not sent to the Check Point Online Web Service for analysis, as they may contain sensitive or irrelevant data.

References: 1: Policy Layers 2: Adding a New Log Server 3: Suspicious Activity Monitoring : [URL Filtering]

The fwm process is responsible for managing the communication between the SmartConsole and the Security Management Server. It can only be seen on a Management Server12. References: Check Point Processes and Daemons, Check Point CCSA - R81: Practice Test & Explanation

Verification Error. Rule 4 (Web Inbound) hides Rule 6 (Webmaster access) is the correct answer. This is because Rule 4 has a broader source and destination than Rule 6, and both rules have the same service (HTTP). Therefore, Rule 6 will never be matched, and the Webmaster access will be denied. References: Check Point R80.10 - Part 3 - Rule Base Order

 To ensure that VMAC mode is enabled, you should run the command fw ctl get int fwha_vmac_global_param_enabled on all cluster members and check that the result of the command returns the value 11. This command shows the current value of the global kernel parameter fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled or disabled. VMAC mode is a feature that associates a Virtual MAC address with each Virtual IP address of the cluster, which reduces the need for Gratuitous ARP packets and improves failover performance1. The other options are incorrect. Option A is not a valid command. Option C is a command to show the status of cluster interfaces, not VMAC mode2. Option D is a command to show the value of a different global kernel parameter, fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled for all interfaces or only for non-VLAN interfaces1. References: How to enable ClusterXL Virtual MAC (VMAC) mode, cphaprob

 When you upload a package or license to the appropriate repository in SmartUpdate, the package or license is stored on the Security Management Server. SmartUpdate is a tool that allows you to centrally manage software updates and licenses for all Check Point products on your network.

References: : Check Point R81 Security Management Administration Guide, page 16.

This answer is correct because these are the two forms of Check Point licenses that are used to activate the software blades on the Security Gateways and the Security Management Servers1. A central license is a license that is attached to a Security Management Server and can be used to manage multiple Security Gateways1. A local license is a license that is attached to a specific Security Gateway and can only be used by that gateway1.

The other answers are not correct because they are either irrelevant or inaccurate options for Check Point licenses forms. Security Gateway and Security Management are not license forms, but software components that provide firewall, VPN, and other security features2. On-premise and Public Cloud are not license forms, but deployment options for Check Point products3. Access Control and Threat Prevention are not license forms, but software blades that provide different security functions.

Check Point License Guide

Check Point Software Blade Quick Licensing Guide

Check Point CloudGuard Network Security

[Check Point Software Blades]

When a SAM rule is required on Security Gateway to quickly block suspicious connections which are not restricted by the Security Policy, the administrator needs to take the following action: SmartView Monitor should be opened and then the SAM rule/s can be applied immediately. Installing policy is not required. SAM stands for Suspicious Activity Monitoring and is a feature that allows administrators to block or limit connections from specific sources or destinations without modifying the security policy. SAM rules can be created from SmartView Monitor or SmartEvent based on real-time network activity or security events. References: [Check Point R81 SmartView Monitor Administration Guide]

The BEST way to tune the profile in order to lower the CPU load still maintaining security at good level is to set the Performance Impact to Medium or lower. This will reduce the number of packets that are inspected by the Threat Prevention blades, while still providing a high level of protection . Setting High Confidence to Low and Low Confidence to Inactive will lower the security level, as it will allow more traffic that may be malicious. The problem is likely with the Threat Prevention Profile, as it can have a significant impact on the CPU utilization of the Security Gateway. Adding more memory to the appliance will not solve the problem, as memory is not the bottleneck in this case. Setting the Performance Impact to Very Low Confidence to Prevent will increase the CPU load, as it will inspect more packets and block more traffic that may be false positives.

References: Threat Prevention Administration Guide, Check Point R81.10

 In R80 Management, apart from using SmartConsole, objects or rules can also be modified using a complete CLI and API interface using SSH and custom CPCode integration. This allows you to automate tasks, integrate with third-party tools, and create custom scripts . 3rd Party integration of CLI and API for Gateways or Management prior to R80 is not relevant for R80 Management. A complete CLI and API interface for Management with 3rd Party integration is not a specific option. References: [Check Point R81 Security Management Administration Guide], [Check Point Learning and Training Frequently Asked Questions (FAQs)]

The Shared policies feature allows administrators to share a policy with other policy packages3. This can save time and effort when managing multiple gateways with similar security requirements. Shared policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers4. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartConsole R81 Resolved Issues

The key that is created during Phase 2 of a site-to-site VPN is a symmetrical IPSec key3. This key is used to encrypt and decrypt the data that is exchanged between the VPN peers3. The symmetrical IPSec key is derived from the shared secret and the Diffie-Hellman public keys that are exchanged during Phase 13. References: Site to Site VPN in R80.x - Tutorial for Beginners

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate1. A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2. A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3. The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication. PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4. Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4. PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

What is mutual authentication? | Two-way authentication

Mutual authentication - AWS Client VPN

VPN authentication options - Windows Security

Mutual Authentication | Top 3 Methods of Mutual Authentication

Authentication methods and features - Microsoft Entra

The correct answer is D because from SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path3. The Firewall Path is used when SecureXL is disabled or traffic is not eligible for acceleration3. The Accelerated Path is used when SecureXL handles the entire connection and bypasses the Firewall kernel3. The Medium Path is used when SecureXL handles part of the connection and forwards packets to the Firewall kernel for further inspection3. The other options are not valid paths of traffic flow from SecureXL perspective3. References: Check Point R81 Performance Tuning Administration Guide

The components of Check Point Capsule are Capsule Docs, Capsule Cloud, and Capsule Workspace123. There is no Capsule Enterprise component. Capsule Docs protects business documents everywhere they go. Capsule Cloud protects mobile users outside the enterprise security perimeter. Capsule Workspace creates a secure business environment on mobile devices. References: Check Point Capsule Datasheet, Check Point Capsule Workspace Datasheet, Mobile Secure Workspace with Capsule

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud123. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications2. Capsule Docs protects business documents everywhere they go with encryption and access control1. Capsule Cloud provides cloud-based security services to protect mobile users from threats3. References: Check Point Capsule, Check Point Capsule Workspace, Mobile Secure Workspace with Capsule

When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is saved to the SmartConsole cache and is available for future Security Management Server authentications. The fingerprint is a unique identifier of the Security Management Server that is used to verify its identity and prevent man-in-the-middle attacks. The SmartConsole cache is a local folder on the client machine that stores temporary files and settings.

References: Check Point Security Management Administration Guide R81, p. 25-26

 The correct answer is A because a pencil icon in a rule means that you have changed this rule3. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when3. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

An explicit rule is created by an administrator and configured to allow or block traffic based on specified criteria. Explicit rules are displayed in the Rule Base and can be modified by the administrator. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 12.

This answer is correct because these are the software components that are used by the pre-defined Autonomous Threat Prevention Profiles in R81.20 and higher1. These profiles provide zero-maintenance protection from zero-day threats and continuously and autonomously ensure that your protection is up-to-date with the latest cyber threats and prevention technologies2.

The other answers are not correct because they either include software components that are not part of the Autonomous Threat Prevention Profiles, such as Sandbox, ThreatCloud, Zero Phishing, Sanitization, C&C Protection, JPS, File and URL Reputation, or they omit some of the software components that are part of the Autonomous Threat Prevention Profiles, such as Anti-Bot, Anti-Virus, and Macro Extraction.

Autonomous Threat Prevention Management - Check Point Software

Check Point Quantum R81.20 (Titan) Release

Threat Prevention R81.20 Best Practices - Check Point Software

Check Point R81

The Threat Prevention policy is a unified policy that manages three software blades: IPS, Anti-Virus, and Threat Emulation7. The Threat Prevention policy enables you to configure settings and actions for detecting and preventing various types of threats, such as malware, exploits, botnets, etc. Application Control and URL Filtering are not part of the Threat Prevention policy, but they are part of a separate policy that controls access to applications and websites based on categories, users, groups, and machines

 UserCheck is not an identity source used for Identity Awareness. UserCheck is a feature that allows you to interact with users when they trigger Data Loss Prevention or Threat Prevention incidents2. Identity Awareness uses different methods to acquire identities, such as AD Query, Identity Agent, Browser-Based Authentication, Terminal Servers, Captive Portal, and RADIUS3 . Therefore, the correct answer is B. UserCheck.

 From the Gaia web interface, the operation that CANNOT be performed on a Security Management Server is Verify a Security Policy. This operation can only be done from SmartConsole4. References: Check Point R81 SmartConsole Online Help

The Hit count feature will work independently from logging and track the hits even if the Track option is set to “None”1, p. 23. When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways and displays the number of connections that each rule matches in SmartConsole3. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Security Management Administration Guide R81

The default shell of Gaia CLI is clish, which stands for Check Point command line interface shell1. It provides a user-friendly interface to configure and manage Check Point products. References: Check Point Gaia Administration Guide

 URL Filtering employs a technology called UserCheck, which educates users on web usage policy in real time. UserCheck is a feature that allows the firewall to interact with the users and inform them about the web usage policy and its violations. UserCheck can also allow users to request access to blocked websites or report false positives. UserCheck helps users understand and comply with the web usage policy and reduces the workload of the administrators.

SmartConsole provides a consolidated solution for everything that is necessary for the security of an organization, such as Security Policy Management and Log Analysis. Security Policy Management is the process of defining and enforcing rules that control the access and protection of network resources. Log Analysis is the process of collecting, analyzing, and reporting on log data that is generated by network devices and applications. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions from a single console. The other options are not part of SmartConsole, but rather separate software blades or features that can be integrated with SmartConsole. 

References: Certificate-based authentication is considered to be the more secure and preferred VPN authentication method. It uses digital certificates to verify the identity of the VPN client and server, and provides stronger encryption and mutual authentication. Password-based authentication methods are less secure and more vulnerable to brute-force attacks, phishing, and keylogging. MD5 is a hashing algorithm, not an authentication method. Pre-shared secret is a symmetric key that is shared between the VPN peers, but it can be compromised if it is not changed frequently or stored securely12 References: VPN authentication options, Windows VPN technical guide

A Distributed Deployment is when the Security Management Server and Security Gateway are installed on separate machines. In this setup, the Security Gateway communicates its status to the Security Management Server, which resides at a different IP address.

Option A (Incorrect): "Targeted" is not an official Check Point deployment mode.

Option B (Incorrect): In Bridge Mode, the Security Gateway acts as a Layer 2 bridge and does not communicate its status to another IP.

Option D (Incorrect): In Standalone Mode, the Security Gateway and Management Server are on the same machine, meaning it does not communicate status to a different IP.

Thus, the correct answer is C. Distributed.

The answer is B because Geo policy shared policy is used to create policy for traffic to or from a particular location based on the source or destination country. DLP shared policy is used to prevent data loss by inspecting files and data for sensitive information. Mobile Access software blade is used to provide secure remote access to corporate resources from various devices. HTTPS inspection is used to inspect encrypted web traffic for threats and compliance4References: Check Point R81 Geo Policy Administration Guide, [Check Point R81 Data Loss Prevention Administration Guide], [Check Point R81 Mobile Access Administration Guide], [Check Point R81 HTTPS Inspection Administration Guide]

The default Gaia user that has full read/write access is admin3. The admin user is the superuser that can perform any administrative task on the Gaia system, such as configuring network settings, installing software updates, managing licenses, creating snapshots, and more. The admin user can also access the Gaia Portal, which is a web-based interface for managing Gaia settings and features. References: Check Point R81 Gaia Administration Guide

Accept all encrypted traffic is the option that will match a connection regardless of its association with a VPN community2. This option allows encrypted traffic from any VPN peer, even if it is not defined in a VPN community2. References: Site to Site VPN in R80.x - Tutorial for Beginners

 Anti-Virus is the single Security Blade that can be turned on to block both malicious files from being downloaded as well as block websites known to host malware. Anti-Virus scans files and email attachments for viruses, worms, trojans, and other types of malware. It also uses ThreatCloud, a collaborative network that delivers real-time dynamic security intelligence, to detect unknown malware based on their behavior3. Anti-Bot is a Security Blade that detects and blocks botnet communications, but it does not scan files or block websites. URL Filtering is a Security Blade that enables administrators to control access to web applications, but it does not scan files or detect malware.

Permissions and Administrators are defined on the Manage and Settings tab in SmartConsole3. This tab allows you to create and manage administrator accounts, roles, permissions, and authentication methods for accessing SmartConsole and other Check Point management interfaces. References: Check Point R81 Security Management Administration Guide

An LDAP server holds one or more Account Units. An Account Unit is a logical representation of an LDAP server in the Check Point database. It defines the connection parameters, authentication methods, and user and group information that are retrieved from the LDAP server. An Account Unit allows the Security Gateway to use the LDAP server for user authentication and identity awareness. The other options are incorrect. A Server Unit is a logical representation of a Check Point server in the Check Point database. An Administrator Unit is a logical representation of an administrator or an administrator group in the Check Point database. An Account Server is not a valid term in Check Point terminology. References: [Check Point R81 Identity Awareness Administration Guide], [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

The three deployment considerations for a secure network are Remote, Standalone, and Distributed3. Remote deployment means that the Security Management Server and Security Gateway are installed on different machines. Standalone deployment means that the Security Management Server and Security Gateway are installed on the same machine. Distributed deployment means that there are multiple Security Gateways managed by one or more Security Management Servers3. Therefore, the correct answer is C. Remote, Standalone, and Distributed.

Each cluster, at a minimum, should have at least three interfaces4. These are:

A sync interface for synchronizing state information between cluster members.

A cluster interface for sending and receiving cluster control packets.

A production interface for handling regular traffic that passes through the cluster4. References: Check Point R80.20 – How to configure Cluster firewalls – First Time Setup

URL Filtering is a blade that enables administrators to control access to millions of websites by category, users, groups, and machines. URL Filtering can be used to improve organizational security, decrease legal liability, and control data security by preventing users from accessing malicious or inappropriate websites. However, URL Filtering cannot be used to control bandwidth issues, such as limiting the amount of traffic or prioritizing certain applications over others3. For that purpose, other blades such as QoS (Quality of Service) or SecureXL are more suitable. References: Check Point R81 URL Filtering Administration Guide

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References: Check Point Security Management Administration Guide R81, p. 9

R80 is supported by Gaia only, which is Check Point’s unified security operating system for all Check Point appliances, open servers, and virtualized gateways1, p. 14. Windows and SecurePlatform are not supported by R80. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Learning and Training Frequently Asked Questions (FAQs)]

The scenario where it is a valid option to transfer a license from one hardware device to another is from a 4400 Appliance to a 2200 Appliance. This is because both appliances are Check Point products and have the same license type (Central License). You can transfer a license from one hardware device to another if they have the same license type and vendor3. Therefore, the correct answer is A. From a 4400 Appliance to a 2200 Appliance. 

 A stateful inspection firewall works by registering connection data and compiling this information in state tables. State tables are data structures that store information about the state and context of each connection, such as source, destination, service, protocol, sequence number, flags, etc. State tables enable the firewall to inspect both the header and the payload of each packet and apply security policies accordingly.References: [Stateful Inspection], [State Tables]

 The GUI tool that can be used to view and apply Check Point licenses is SmartUpdate. SmartUpdate is a centralized tool that allows you to manage licenses, software packages, and hotfixes for multiple gateways and clusters12. cpconfig, Management Command Line, and SmartConsole are not tools for license management. References: Check Point R81 SmartUpdate Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

Central licensing is the preferred licensing model because it ties the package license to the IP-address of the Security Management Server and has no dependency on the gateway. This allows for easier management and distribution of licenses across multiple gateways1.

References: 1: Check Point R81 Security Management Administration Guide, page 14.

A layer can support different combinations of blades, but the supported blades are Firewall (Network Access Control), Application & URL Filtering, and Content Awareness. These blades provide granular control over network traffic based on applications, users, content, and risk1. Mobile Access is not a supported blade in a layer2.

References: 1: Check Point R81 Security Management Administration Guide, page 101. 2: Check Point R81 Security Gateway Administration Guide, page 11.

The answer is C because inline layer can be defined as a rule action in a policy layer. Inline layer is a sub-policy that contains additional rules that are applied only if the parent rule matches. Ordered layer is a policy layer that contains rules that are applied in order, from top to bottom. One policy can be either inline or ordered, but not both. Pre-R80 Gateways do support ordered layers, but not inline layers5 References: Check Point R81 Policy Layers and Sub-Policies, [Check Point R81 Security Gateway Administration Guide]

Logs & Monitor is the SmartConsole tab that is used to monitor network and security performance. This tab allows you to view and analyze logs and events from various sources, such as Security Gateways, Security Management Servers, and SmartEvent Servers. You can also use this tab to generate reports and troubleshoot issues. References: [Logging and Monitoring Administration Guide R80.20]

A main component of the Check Point security management architecture is SmartConsole2. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References: Check Point R81 Security Management Administration Guide

Two basic rules that Check Point recommends for building an effective security policy are Cleanup Rule and Stealth Rule. A Cleanup Rule is a rule that is placed at the end of the rule base and drops or logs any traffic that does not match any of the previous rules2. A Stealth Rule is a rule that is placed at the top of the rule base and protects the Security Gateway from direct access by unauthorized users3. The other options are not basic rules for building a security policy, but rather types or categories of rules.

When enabling tracking on a rule, the default option is Log. This option generates a log entry for each connection that matches the rule. The log entry contains information such as the source, destination, service, action, and time of the connection.References: [Logging and Monitoring R81], [Logging and Monitoring]

Rugged appliances are small appliances with ruggedized hardware and like Quantum Spark appliance they use Gaia embedded as the operating system. Gaia embedded is a lightweight version of Gaia that is designed for small and medium businesses1. Centos Linux, Gaia, and Red Hat Enterprise Linux version 5 are not the operating systems used by Rugged appliances.

 Check Point licenses are divided into two types: central and local. Central licenses are managed by a Security Management Server and can be attached to any Security Gateway managed by that server. Local licenses are tied to the IP address of a specific Security Gateway and cannot be transferred to a gateway that has a different IP address. Formal and corporate are not types of Check Point licenses. References: [Check Point R81 Licensing and Contract Administration Guide]

The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities4. This option enables you to define which VPN communities are allowed in the rule. All Connections (Clear or Encrypted) allows traffic to any destination, regardless of whether it is encrypted or not. Accept all encrypted traffic allows traffic to any encrypted destination, regardless of the VPN community. All Site-to-Site VPN Communities allows traffic to any site-to-site VPN gateway, regardless of the VPN community4. Therefore, the correct answer is C. Specific VPN Communities.

You can use the same layer in multiple policies or rulebases. A layer is a set of rules that can be shared, reused, or inherited by different policies. This allows you to create modular and flexible security policies that can be applied to different scenarios.References: [Layers], [Policy Layers and Sub-Policies]

In Check Point Gaia WebUI, different icons are used to indicate various system states.

Eyeglasses (A) typically represent "view-only" access.

Pencil (B) represents "edit" or read/write access, meaning the user can modify configurations.

Padlock (C) is often used to indicate locked or restricted settings.

Book (D) does not indicate access permissions.

Therefore, the correct answer is "Pencil" (B), which represents that read/write access is enabled in the WebUI.

 If there are two administrators logged in at the same time to the SmartConsole, and there are objects locked for editing, the administrator who locked the objects must publish or discard the session to make them available to other administrators. Publishing or discarding the session will save or discard the changes made by the administrator and unlock the objects for editing by others3.

References: 3: Check Point R81 Security Management Administration Guide, page 18.

If the NAT property ‘Translate destination on client side’ is not enabled in Global properties, nothing needs to be configured on the client side, because the Gateway takes care of all details necessary. The Gateway translates the destination IP address before sending the packet to the client, so the client does not need to know about the NAT rule or add any host route or ARP entry.

References: Check Point Security Engineering Study Guide, p. 136-137