Exam4Training

Check Point 156-215.81.20 Check Point Certified Security Administrator R81.20 Online Training

Question #1

Which is a suitable command to check whether Drop Templates are activated or not?

  • A . fw ctl get int activate_drop_templates
  • B . fwaccel stat
  • C . fwaccel stats
  • D . fw ctl templates Cd

Correct Answer: B

Explanation:

The command fwaccel stat shows the status of SecureXL, including whether Drop Templates are enabled or not.

Reference: Check Point SecureXL R81 Administration Guide

Question #2

Which is the correct command syntax to add an “emailserver1” host with IP address 10.50.23.90 using the GAiA management CLI?

  • A . hostname myHost12 ip-address 10.50.23.90
  • B . mgmt add host name ip-address 10.50.23.90
  • C . add host name emailserver1 ip-address 10.50.23.90
  • D . mgmt add host name emailserver1 ip-address 10.50.23.90

Correct Answer: D

Explanation:

The correct syntax for adding a host using the GAiA management CLI is mgmt add host name <name> ip-address <ip-address>.

Reference: Check Point GAiA R81 Command Line Interface Reference Guide

Question #3

The CDT utility supports which of the following?

  • A . Major version upgrades to R77.30
  • B . Only Jumbo HFA’s and hotfixes
  • C . Only major version upgrades to R80.10
  • D . All upgrades

Correct Answer: D

Explanation:

The CDT utility supports all upgrades, including major version upgrades, Jumbo HFA’s, and hotfixes.

Reference: Check Point Upgrade Service Engine (CPUSE) – Gaia Deployment Agent

Question #4

Using ClusterXL, what statement is true about the Sticky Decision Function?

  • A . Can only be changed for Load Sharing implementations
  • B . All connections are processed and synchronized by the pivot
  • C . Is configured using cpconfig
  • D . Is only relevant when using SecureXL

Correct Answer: A

Explanation:

The Sticky Decision Function (SDF) can only be changed for Load Sharing implementations, not for High Availability implementations.

Reference: Check Point ClusterXL R81 Administration Guide

Question #5

What command would show the API server status?

  • A . cpm status
  • B . api restart
  • C . api status
  • D . show api status

Correct Answer: D

Explanation:

The command api status shows the API server status, including whether it is enabled or not, the port number, and the API version.

Reference: Check Point R81 API Reference Guide

Question #6

How do Capsule Connect and Capsule Workspace differ?

  • A . Capsule Connect provides a Layer3 VPN. Capsule Workspace provides a Desktop with usable applications
  • B . Capsule Workspace can provide access to any application
  • C . Capsule Connect provides Business data isolation
  • D . Capsule Connect does not require an installed application at client

Correct Answer: A

Explanation:

Capsule Connect provides a Layer 3 VPN that allows users to access corporate resources securely from their mobile devices. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications. Capsule Workspace also provides a desktop with usable applications such as email, calendar, contacts, documents, and web applications.

Reference: Check Point Capsule Connect, Check Point Capsule Workspace

Question #7

Which of the following is a new R80.10 Gateway feature that had not been available in R77.X and older?

  • A . The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
  • B . Limits the upload and download throughput for streaming media in the company to 1 Gbps.
  • C . Time object to a rule to make the rule active only during specified times.
  • D . Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule.

Correct Answer: D

Explanation:

Sub Policies are a new feature in R80.10 Gateway that allow creating and attaching sets of rules to specific rules in the main policy. Sub Policies are useful for delegating permissions, managing large rule bases, and applying different inspection profiles. The other options are not new features in R80.10 Gateway.

Reference: Check Point R80.10 Security Management Administration Guide

Question #8

What are the three components for Check Point Capsule?

  • A . Capsule Docs, Capsule Cloud, Capsule Connect
  • B . Capsule Workspace, Capsule Cloud, Capsule Connect
  • C . Capsule Workspace, Capsule Docs, Capsule Connect
  • D . Capsule Workspace, Capsule Docs, Capsule Cloud

Correct Answer: D

Explanation:

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications. Capsule Docs protects business documents everywhere they go with encryption and access control. Capsule Cloud provides cloud-based security services to protect mobile users from threats.

Reference: Check Point Capsule, Check Point Capsule Workspace, Mobile Secure Workspace with Capsule

Question #9

Full synchronization between cluster members is handled by Firewall Kernel.

Which port is used for this?

  • A . UDP port 265
  • B . TCP port 265
  • C . UDP port 256
  • D . TCP port 256

Correct Answer: B

Explanation:

The port used for full synchronization between cluster members is TCP port 265. This port is used by the Firewall Kernel to send and receive synchronization data, such as connection tables, NAT tables, and VPN keys. UDP port 8116 is used by the Cluster Control Protocol (CCP) for internal communications between cluster members.

Reference: How does the Cluster Control Protocol function in working and failure scenarios for gateway clusters?

Question #10

What is true about the IPS-Blade?

  • A . in R80, IPS is managed by the Threat Prevention Policy
  • B . in R80, in the IPS Layer, the only three possible actions are Basic, Optimized and Strict
  • C . in R80, IPS Exceptions cannot be attached to “all rules”
  • D . in R80, the GeoPolicy Exceptions and the Threat Prevention Exceptions are the same

Correct Answer: A

Explanation:

In R80, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy defines how to protect the network from malicious traffic using the IPS, Anti-Bot, Anti-Virus, and Threat Emulation software blades. The IPS layer in the Threat Prevention Policy allows configuring IPS protections and actions for different network segments. The other options are not true about the IPS-Blade.

Reference: Check Point IPS Datasheet, Check Point IPS Software Blade, Quantum Intrusion Prevention System (IPS)

Question #11

Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new multicore CPU to replace the existing single core CPU.

After installation, is the administrator required to perform any additional tasks?

  • A . Go to clish - Run cpstop | Run cpstart
  • B . Go to clish - Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway
  • C . Administrator does not need to perform any task. Check Point will make use of the newly installed CPU and Cores
  • D . Go to clish - Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway | Install Security Policy

Correct Answer: B

Explanation:

The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway. Installing the Security Policy is not necessary because it does not affect the CoreXL configuration.

Reference: Check Point R81 Security Management Administration Guide

Question #12

When installing a dedicated R80 SmartEvent server, what is the recommended size of the root partition?

  • A . Any size
  • B . Less than 20GB
  • C . More than 10GB and less than 20 GB
  • D . At least 20GB

Correct Answer: D

Explanation:

The correct answer is D because the recommended size of the root partition for a dedicated R80 SmartEvent server is at least 20GB. Any size, less than 20GB, or more than 10GB and less than 20GB are not sufficient for the SmartEvent server.

Reference: Check Point R80.40 Installation and Upgrade Guide

Question #13

Which firewall daemon is responsible for the FW CLI commands?

  • A . fwd
  • B . fwm
  • C . cpm
  • D . cpd

Correct Answer: A

Explanation:

The correct answer is A because the fwd daemon is responsible for the FW CLI commands. The fwm daemon handles the communication between the Security Management server and the GUI clients. The cpm daemon handles the communication between the Security Management server and SmartConsole. The cpd daemon monitors the status of critical processes on the Security Gateway.

Reference: Check Point Firewall Processes and Daemons

Question #14

If the Active Security Management Server fails or if it becomes necessary to change the Active to Standby, the following steps must be taken to prevent data loss. Providing the Active Security Management Server is responsible, which of these steps should NOT be performed:

  • A . Rename the hostname of the Standby member to match exactly the hostname of the Active member.
  • B . Change the Standby Security Management Server to Active.
  • C . Change the Active Security Management Server to Standby.
  • D . Manually synchronize the Active and Standby Security Management Servers.

Correct Answer: A

Explanation:

The correct answer is A because renaming the hostname of the Standby member to match exactly the hostname of the Active member is not a recommended step to prevent data loss. The hostname of the Standby member should be different from the hostname of the Active member. The other steps are necessary to ensure a smooth failover and synchronization between the Active and Standby Security Management Servers.

Reference: Check Point R81.20 Administration Guide, 156-315.81 Checkpoint Exam Info and Free Practice Test

Question #15

Using R80 SmartConsole, what does a “pencil icon” in a rule mean?

  • A . I have changed this rule
  • B . Someone else has changed this rule
  • C . This rule is managed by Check Point’s SOC
  • D . This rule can’t be changed as it’s an implied rule

Correct Answer: A

Explanation:

The correct answer is A because a pencil icon in a rule means that you have changed this rule. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when. The other options are not related to the pencil icon.

Reference: Check Point Learning and Training Frequently Asked Questions (FAQs)

Question #16

Which method below is NOT one of the ways to communicate using the Management APIs?

  • A . Typing API commands using the “mgmt_cli” command
  • B . Typing API commands from a dialog box inside the SmartConsole GUI application
  • C . Typing API commands using Gaia’s secure shell (clish)
  • D . Sending API commands over an http connection using web-services

Correct Answer: D

Explanation:

The correct answer is D because sending API commands over an HTTP connection using web services is not one of the ways to communicate using the Management APIs. The Management APIs support the HTTPS protocol only, not HTTP. The other methods are valid ways to communicate using the Management APIs.

Reference: Check Point Learning and Training Frequently Asked Questions (FAQs)

Question #17

Session unique identifiers are passed to the Web API using which HTTP header option?

  • A . X-chkp-sid
  • B . Accept-Charset
  • C . Proxy-Authorization
  • D . Application

Correct Answer: A

Explanation:

The correct answer is A because session unique identifiers are passed to the Web API using the X-chkp-sid HTTP header option. The X-chkp-sid header is used to authenticate and authorize API calls. The other options are not related to session unique identifiers.

Reference: Check Point R81 Security Management Administration Guide

Question #18

What is the main difference between Threat Extraction and Threat Emulation?

  • A . Threat Emulation never delivers a file and takes more than 3 minutes to complete
  • B . Threat Extraction always delivers a file and takes less than a second to complete
  • C . Threat Emulation never delivers a file that takes less than a second to complete
  • D . Threat Extraction never delivers a file and takes more than 3 minutes to complete

Correct Answer: B

Explanation:

The correct answer is B because Threat Extraction always delivers a file and takes less than a second to complete. Threat Extraction removes exploitable content from files and delivers a clean and safe file to the user. Threat Emulation analyzes files in a sandbox environment and delivers a verdict of malicious or benign. Threat Emulation can take more than 3 minutes to complete depending on the file size and complexity.

Reference: Check Point R81 Threat Prevention Administration Guide

Question #19

Which one of these features is NOT associated with the Check Point URL Filtering and Application Control Blade?

  • A . Detects and blocks malware by correlating multiple detection engines before users are affected.
  • B . Configure rules to limit the available network bandwidth for specified users or groups.
  • C . Use UserCheck to help users understand that certain websites are against the company’s security policy.
  • D . Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels.

Correct Answer: A

Explanation:

The correct answer is A because detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature of the Check Point URL Filtering and Application Control Blade. This feature is part of the Check Point Anti-Virus and Anti-Bot Blades. The other options are features of the Check Point URL Filtering and Application Control Blade.

Reference: Check Point R81 URL Filtering and Application Control Administration Guide

Question #20

You want to store the GAiA configuration in a file for later reference.

What command should you use?

  • A . write mem <filename>
  • B . show config -f <filename>
  • C . save config -o <filename>
  • D . save configuration <filename>

Correct Answer: D

Explanation:

The correct answer is D because the command save configuration <filename> stores the Gaia configuration in a file for later reference. The other commands are not valid in Gaia Clish.

Reference: Gaia R81.10 Administration Guide

Question #21

Traffic from source 192.168.1.1 is going to www.google.com. The Application Control Blade on the gateway is inspecting the traffic.

Assuming acceleration is enabled, which path is handling the traffic?

  • A . Slow Path
  • B . Medium Path
  • C . Fast Path
  • D . Accelerated Path

Correct Answer: A

Explanation:

The correct answer is A because the traffic from source 192.168.1.1 to www.google.com is handled by the Slow Path if the Application Control Blade on the gateway is inspecting the traffic. The Slow Path is used when traffic requires inspection by one or more Software Blades. The other paths are used for different scenarios.

Reference: Check Point R81 Performance Tuning Administration Guide

Question #22

From the SecureXL perspective, what are the three paths of traffic flow?

  • A . Initial Path; Medium Path; Accelerated Path
  • B . Layer Path; Blade Path; Rule Path
  • C . Firewall Path; Accept Path; Drop Path
  • D . Firewall Path; Accelerated Path; Medium Path

Correct Answer: D

Explanation:

The correct answer is D because from the SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path. The Firewall Path is used when SecureXL is disabled or traffic is not eligible for acceleration. The Accelerated Path is used when SecureXL handles the entire connection and bypasses the Firewall kernel. The Medium Path is used when SecureXL handles part of the connection and forwards packets to the Firewall kernel for further inspection. The other options are not valid paths of traffic flow from the SecureXL perspective.

Reference: Check Point R81 Performance Tuning Administration Guide

Question #23

You are asked to check the status of several user-mode processes on the management server and gateway.

Which of the following processes can only be seen on a Management Server?

  • A . fwd
  • B . fwm
  • C . cpd
  • D . cpwd

Correct Answer: B

Explanation:

The fwm process is responsible for managing the communication between the SmartConsole and the Security Management Server. It can only be seen on a Management Server.

Reference: Check Point Processes and Daemons, Check Point CCSA – R81: Practice Test & Explanation

Question #24

R80.10 management server can manage gateways with which versions installed?

  • A . Versions R77 and higher
  • B . Versions R76 and higher
  • C . Versions R75.20 and higher
  • D . Version R75 and higher

Correct Answer: B

Explanation:

The R80.10 management server can manage gateways with versions R76 and higher. Versions lower than R76 are not supported by the R80.10 management server.

Reference: Check Point R80.10 Release Notes, Free Check Point CCSA Sample Questions and Study Guide

Question #25

You want to verify if there are unsaved changes in GAiA that will be lost with a reboot.

What command can be used?

  • A . show unsaved
  • B . show save-state
  • C . show configuration diff
  • D . show config-state

Correct Answer: D

Explanation:

The command show config-state can be used to verify if there are unsaved changes in GAiA that will be lost with a reboot. The other commands are not valid in GAiA.

Reference: Check Point GAiA Administration Guide, Check Point CCSA – R81: Practice Test & Explanation

Question #26

In what way is Secure Network Distributor (SND) a relevant feature of the Security Gateway?

  • A . SND is a feature to accelerate multiple SSL VPN connections
  • B . SND is an alternative to IPSec Main Mode, using only 3 packets
  • C . SND is used to distribute packets among Firewall instances
  • D . SND is a feature of fw monitor to capture accelerated packets

Correct Answer: C

Explanation:

The Secure Network Distributor (SND) is a feature of the Security Gateway that is used to distribute packets among Firewall instances. It improves the performance and scalability of the Firewall by utilizing multiple CPU cores. The other options are not related to SND.

Reference: Check Point Security Gateway Architecture and Packet Flow, Free Check Point CCSA Sample Questions and Study Guide

Question #27

Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an Active-Active cluster.

  • A . Symmetric routing
  • B . Failovers
  • C . Asymmetric routing
  • D . Anti-Spoofing

Correct Answer: B

Explanation:

The Sticky Decision Function (SDF) is required to prevent failovers in an Active-Active cluster. The SDF ensures that the same cluster member handles all connections that belong to a certain session. If the SDF is not enabled, different cluster members may handle different connections of the same session, which may cause a failover or a drop.

Reference: ClusterXL Administration Guide R81, Check Point CCSA – R81: Practice Test & Explanation

Question #28

What are the steps to configure the HTTPS Inspection Policy?

  • A . Go to Manage&Settings > Blades > HTTPS Inspection > Configure in SmartDashboard
  • B . Go to Application&url filtering blade > Advanced > Https Inspection > Policy
  • C . Go to Manage&Settings > Blades > HTTPS Inspection > Policy
  • D . Go to Application&url filtering blade > Https Inspection > Policy

Correct Answer: C

Explanation:

The steps to configure the HTTPS Inspection Policy are as follows:

Go to Manage & Settings > Blades > HTTPS Inspection > Policy.

Click on New HTTPS Inspection Rule or select an existing rule and click on Edit Rule.

Define the Source, Destination, and Action for the rule. The action can be either Inspect, Bypass, or Ask.

Click on OK and then on Install Policy to apply the changes.

Reference: HTTPS Inspection R81 Administration Guide, Check Point CCSA – R81: Practice Test & Explanation

Question #29

What is the difference between SSL VPN and IPSec VPN?

  • A . IPSec VPN does not require installation of a resident VPN client
  • B . SSL VPN requires installation of a resident VPN client
  • C . SSL VPN and IPSec VPN are the same
  • D . IPSec VPN requires installation of a resident VPN client and SSL VPN requires only an installed Browser

Correct Answer: D

Explanation:

The difference between SSL VPN and IPSec VPN is that IPSec VPN requires installation of a resident VPN client and SSL VPN requires only an installed browser. IPSec VPN uses a pre-shared key or certificates to authenticate the endpoints and encrypts the data at the network layer. SSL VPN uses SSL/TLS protocols to authenticate the endpoints and encrypts the data at the application layer.

Reference: Check Point Remote Access VPN Administration Guide R81, Free Check Point CCSA Sample Questions and Study Guide

Question #30

Which statement is NOT TRUE about Delta synchronization?

  • A . Using UDP Multicast or Broadcast on port 8161
  • B . Using UDP Multicast or Broadcast on port 8116
  • C . Quicker than Full sync
  • D . Transfers changes in the Kernel tables between cluster members

Correct Answer: A

Explanation:

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 8116. The other statements are true about Delta synchronization.

Reference: ClusterXL Administration Guide R81, Check Point CCSA – R81: Practice Test & Explanation

Question #31

Under which file is the proxy arp configuration stored?

  • A . $FWDIR/state/proxy_arp.conf on the management server
  • B . $FWDIR/conf/local.arp on the management server
  • C . $FWDIR/state/_tmp/proxy.arp on the security gateway
  • D . $FWDIR/conf/local.arp on the gateway

Correct Answer: D

Explanation:

The file that stores the proxy ARP configuration is $FWDIR/conf/local.arp on the gateway. The other files are not related to the proxy ARP configuration.

Reference: How to configure Proxy ARP for Manual NAT on Security Gateway, Check Point CCSA – R81: Practice Test & Explanation

Question #32

Customer’s R80 management server needs to be upgraded to R80.10.

What is the best upgrade method when the management server is not connected to the Internet?

  • A . Export R80 configuration, clean install R80.10 and import the configuration
  • B . CPUSE online upgrade
  • C . CPUSE offline upgrade
  • D . SmartUpdate upgrade

Correct Answer: C

Explanation:

The best upgrade method when the management server is not connected to the Internet is CPUSE offline upgrade. This method allows you to download the upgrade package from another source and install it manually on the management server. The other methods require Internet connection or are not supported for R80.10.

Reference: R80.10 Upgrade Verification and FAQ, Check Point CCSA – R81: Practice Test & Explanation

Question #33

SmartEvent does NOT use which of the following procedures to identify events?

  • A . Matching a log against each event definition
  • B . Create an event candidate
  • C . Matching a log against local exclusions
  • D . Matching a log against global exclusions

Correct Answer: C

Explanation:

The procedure that SmartEvent does not use to identify events is matching a log against local exclusions. Local exclusions are used to filter out logs that are not relevant for SmartLog, not SmartEvent. SmartEvent uses the other procedures to identify events based on event definitions, event candidates, and global exclusions.

Reference: SmartLog R81 Administration Guide, Check Point CCSA – R81: Practice Test & Explanation, SmartEvent R81 Administration Guide, Free Check Point CCSA Sample Questions and Study Guide

Question #34

John is using Management HA.

Which Smartcenter should be connected to for making changes?

  • A . secondary Smartcenter
  • B . active Smartcenter
  • C . connect virtual IP of Smartcenter HA
  • D . primary Smartcenter

Correct Answer: B

Explanation:

The SmartCenter that should be connected to for making changes is the active SmartCenter. The active SmartCenter is the one that is currently synchronizing its configuration with the secondary SmartCenter and handling the communication with the gateways. The primary SmartCenter is the one that was initially configured as the main server, but it may become inactive if a failover occurs. The virtual IP of SmartCenter HA is used to access the SmartConsole, not to make changes.

Reference: Security Management Server High Availability (HA) R81 Administration Guide, Check Point CCSA – R81: Practice Test & Explanation, How to configure ClusterXL High Availability on Security Management Server

Question #35

Which path below is available only when CoreXL is enabled?

  • A . Slow path
  • B . Firewall path
  • C . Medium path
  • D . Accelerated path

Correct Answer: C

Explanation:

The path that is available only when CoreXL is enabled is the medium path. The medium path is used to handle packets that require deeper inspection by the Firewall and IPS blades, but do not need to go through the slow path. The slow path is used to handle packets that require stateful or out-of-state inspection by other blades, such as Application Control or VPN. The firewall path and the accelerated path are available regardless of CoreXL status.

Reference: CoreXL R81 Administration Guide, Check Point CCSA – R81: Practice Test & Explanation, Check Point Security Gateway Architecture and Packet Flow, Free Check Point CCSA Sample Questions and Study Guide

Question #36

Which of the following describes how Threat Extraction functions?

  • A . Detect threats and provides a detailed report of discovered threats
  • B . Proactively detects threats
  • C . Delivers file with original content
  • D . Delivers PDF versions of original files with active content removed

Correct Answer: D

Explanation:

Threat Extraction delivers PDF versions of original files with active content removed, such as macros, embedded objects, and scripts. This ensures that users receive clean and safe files in seconds.

Reference: Check Point SandBlast Zero-Day Protection, Check Point Threat Extraction

Question #37

The SmartEvent R80 Web application for real-time event monitoring is called:

  • A . SmartView Monitor
  • B . SmartEventWeb
  • C . There is no Web application for SmartEvent
  • D . SmartView

Correct Answer: D

Explanation:

SmartView is the web application for real-time event monitoring in SmartEvent R80 and above. It provides a unified view of security events across the network and allows for quick investigation and response.

Reference: SmartEvent R80.40 Administration Guide, SmartView

Question #38

SandBlast offers flexibility in implementation based on each customer’s individual business needs.

What is an option for deployment of Check Point SandBlast Zero-Day Protection?

  • A . Smart Cloud Services
  • B . Load Sharing Mode Services
  • C . Threat Agent Solution
  • D . Public Cloud Services

Correct Answer: A

Explanation:

Smart Cloud Services is an option for deployment of Check Point SandBlast Zero-Day Protection. It is a cloud-based service that provides advanced threat prevention for files and URLs, without requiring any on-premise infrastructure or appliances.

Reference: Check Point SandBlast Zero-Day Protection, Smart Cloud Services

Question #39

What SmartEvent component creates events?

  • A . Consolidation Policy
  • B . Correlation Unit
  • C . SmartEvent Policy
  • D . SmartEvent GUI

Correct Answer: B

Explanation:

Correlation Unit is the SmartEvent component that creates events. It analyzes logs received from Security Gateways and Servers, and generates security events according to the definitions in the Consolidation Policy.

Reference: SmartEvent R80.40 Administration Guide, Correlation Unit

Question #40

Which Threat Prevention Profile is not included by default in R80 Management?

  • A . Basic – Provides reliable protection on a range of non-HTTP protocols for servers, with minimal impact on network performance
  • B . Optimized – Provides excellent protection for common network products and protocols against recent or popular attacks
  • C . Strict – Provides a wide coverage for all products and protocols, with impact on network performance
  • D . Recommended – Provides all protection for all common network products and servers, with impact on network performance

Correct Answer: D

Explanation:

The default Threat Prevention Profiles in R80 Management are Basic, Optimized, and Strict. There is no Recommended profile by default. You can create a custom profile and name it Recommended, but it is not included by default.

Reference: Check Point R81 Threat Prevention Administration Guide

Question #41

When using Monitored circuit VRRP, what is a priority delta?

  • A . When an interface fails the priority changes to the priority delta
  • B . When an interface fails the delta claims the priority
  • C . When an interface fails the priority delta is subtracted from the priority
  • D . When an interface fails the priority delta decides if the other interfaces takes over

Correct Answer: C

Explanation:

When using Monitored circuit VRRP, the priority delta is the value that is subtracted from the priority of a cluster member when one of its monitored interfaces fails. For example, if the priority of a cluster member is 100 and the priority delta is 10, then when one of its monitored interfaces fails, its priority becomes 90.

Reference: Check Point R81 ClusterXL Administration Guide

Question #42

Which of the following is NOT an option to calculate the traffic direction?

  • A . Incoming
  • B . Internal
  • C . External
  • D . Outgoing

Correct Answer: D

Explanation:

The options to calculate the traffic direction are Incoming, Internal, and External. Outgoing is not an option. Incoming traffic is traffic that enters the Security Gateway from an external network. Internal traffic is traffic that originates and terminates in networks that are directly connected to the Security Gateway. External traffic is traffic that originates or terminates in networks that are not directly connected to the Security Gateway.

Reference: Check Point R81 Security Management Administration Guide

Question #43

When an encrypted packet is decrypted, where does this happen?

  • A . Security policy
  • B . Inbound chain
  • C . Outbound chain
  • D . Decryption is not supported

Correct Answer: A

Explanation:

When an encrypted packet is decrypted, this happens in the security policy. The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy.

Reference: Check Point R81 VPN Administration Guide

Question #44

Which of the following is NOT a component of Check Point Capsule?

  • A . Capsule Docs
  • B . Capsule Cloud
  • C . Capsule Enterprise
  • D . Capsule Workspace

Correct Answer: C

Explanation:

The components of Check Point Capsule are Capsule Docs, Capsule Cloud, and Capsule Workspace. There is no Capsule Enterprise component. Capsule Docs protects business documents everywhere they go. Capsule Cloud protects mobile users outside the enterprise security perimeter. Capsule Workspace creates a secure business environment on mobile devices.

Reference: Check Point Capsule Datasheet, Check Point Capsule Workspace Datasheet, Mobile Secure Workspace with Capsule

Question #45

You have successfully backed up your Check Point configurations without the OS information.

What command would you use to restore this backup?

  • A . restore_backup
  • B . import backup
  • C . cp_merge
  • D . migrate import

Correct Answer: A

Explanation:

The command to restore a backup of Check Point configurations without the OS information is restore_backup. This command restores the Gaia OS configuration and the firewall database from a compressed file. The other commands are not valid for this purpose. import backup is not a valid command. cp_merge is a command to merge policies or objects from different databases. migrate import is a command to import a previously exported database using migrate export.

Reference: System Backup and Restore feature in Gaia, [cp_merge], [migrate import]

Question #46

What is the best sync method in the ClusterXL deployment?

  • A . Use 1 cluster + 1st sync
  • B . Use 1 dedicated sync interface
  • C . Use 3 clusters + 1st sync + 2nd sync + 3rd sync
  • D . Use 2 clusters + 1st sync + 2nd sync

Correct Answer: B

Explanation:

The best sync method in the ClusterXL deployment is to use one dedicated sync interface. This method provides optimal performance and reliability for synchronization traffic. Using multiple sync interfaces is not recommended as it increases CPU load and does not provide 100% sync redundancy. Using multiple clusters is not a sync method, but a cluster topology.

Reference: Sync Redundancy in ClusterXL, Best Practice for HA sync interface

Question #47

Can multiple administrators connect to a Security Management Server at the same time?

  • A . No, only one can be connected
  • B . Yes, all administrators can modify a network object at the same time
  • C . Yes, every administrator has their own username, and works in a session that is independent of other administrators
  • D . Yes, but only one has the right to write

Correct Answer: C

Explanation:

Multiple administrators can connect to a Security Management Server at the same time, and each administrator has their own username and works in a session that is independent of other administrators. This allows concurrent administration and prevents conflicts between different administrators. The other options are incorrect. Only one administrator can be connected is false. All administrators can modify a network object at the same time is false, as only one administrator can lock and edit an object at a time. Only one has the right to write is false, as all administrators have write permissions unless they are restricted by roles or permissions.

Reference: Security Management Server – Check Point Software

Question #48

What Identity Agent allows packet tagging and computer authentication?

  • A . Endpoint Security Client
  • B . Full Agent
  • C . Light Agent
  • D . System Agent

Correct Answer: B

Explanation:

The Full Identity Agent allows packet tagging and computer authentication. Packet tagging is a feature that enables the Security Gateway to identify the source user and machine of each packet, regardless of NAT or routing. Computer authentication is a feature that enables the Security Gateway to authenticate machines that are not associated with any user, such as servers or unattended workstations. The other options are incorrect. Endpoint Security Client is not an Identity Agent, but a software that provides endpoint security features such as firewall, antivirus, VPN, etc. Light Agent is an Identity Agent that does not require installation and runs on a web browser, but it does not support packet tagging or computer authentication. System Agent is not an Identity Agent, but a software that provides system information and health monitoring for endpoints.

Reference: Check Point Identity Agent for Microsoft Windows 10

Question #49

In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log.

Which of the following options can you add to each Log, Detailed Log and Extended Log?

  • A . Accounting
  • B . Suppression
  • C . Accounting/Suppression
  • D . Accounting/Extended

Correct Answer: C

Explanation:

In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. You can add Accounting and/or Suppression to each of these options. Accounting enables you to track the amount of data that is sent or received by a specific rule. Suppression enables you to reduce the number of logs that are generated by a specific rule. Therefore, the correct answer is C. Accounting/Suppression.

Reference: Logging and Monitoring Administration Guide R80 – Check Point Software

Question #50

You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher.

How can you enable them?

  • A . fw ctl multik dynamic_dispatching on
  • B . fw ctl multik dynamic_dispatching set_mode 9
  • C . fw ctl multik set_mode 9
  • D . fw ctl miltik pq enable

Correct Answer: C

Explanation:

To optimize drops, you can use Priority Queues and fully enable Dynamic Dispatcher on the Security Gateway. Priority Queues are a mechanism that prioritizes part of the traffic when the Security Gateway is stressed and needs to drop packets. Dynamic Dispatcher is a feature that dynamically assigns new connections to a CoreXL FW instance based on the utilization of CPU cores. To enable both features, you need to run the command fw ctl multik set_mode 9 on the Security Gateway. Therefore, the correct answer is C. fw ctl multik set_mode 9.

Reference: CoreXL Dynamic Dispatcher – Check Point Software, Firewall Priority Queues in R80.x / R81.x – Check Point Software, Separate Config for Dynamic Dispatcher and Priority Queues

Question #51

Which two of these Check Point Protocols are used by?

  • A . ELA and CPD
  • B . FWD and LEA
  • C . FWD and CPLOG
  • D . ELA and CPLOG

Correct Answer: B

Explanation:

The two Check Point Protocols that are used by are FWD and LEA. FWD is the Firewall Daemon that handles communication between different Check Point components, such as Security Management Server, Security Gateway, SmartConsole, etc. LEA is the Log Export API that allows external applications to retrieve logs from the Security Gateway or Security Management Server. Therefore, the correct answer is B. FWD and LEA.

Reference: Border Gateway Protocol – Check Point Software, Check Point IPS Datasheet, List of valid protocols for services? – Check Point CheckMates

Question #52

To ensure that VMAC mode is enabled, which CLI command you should run on all cluster members? Choose the best answer.

  • A . fw ctl set int fwha vmac global param enabled
  • B . fw ctl get int fwha vmac global param enabled; result of command should return value 1
  • C . cphaprob -a if
  • D . fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1

Correct Answer: B

Explanation:

To ensure that VMAC mode is enabled, you should run the command fw ctl get int fwha_vmac_global_param_enabled on all cluster members and check that the result of the command returns the value 1. This command shows the current value of the global kernel parameter fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled or disabled. VMAC mode is a feature that associates a Virtual MAC address with each Virtual IP address of the cluster, which reduces the need for Gratuitous ARP packets and improves failover performance. The other options are incorrect. Option A is not a valid command. Option C is a command to show the status of cluster interfaces, not VMAC mode. Option D is a command to show the value of a different global kernel parameter, fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled for all interfaces or only for non-VLAN interfaces.

Reference: How to enable ClusterXL Virtual MAC (VMAC) mode, cphaprob

Question #53

What is the SOLR database for?

  • A . Used for full text search and enables powerful matching capabilities
  • B . Writes data to the database and full text search
  • C . Serves GUI responsible to transfer request to the DLE server
  • D . Enables powerful matching capabilities and writes data to the database

Correct Answer: A

Explanation:

The SOLR database is used for full text search and enables powerful matching capabilities. SOLR is an open source enterprise search platform that provides fast and scalable indexing and searching of data. It supports advanced features such as faceting, highlighting, spell checking, synonyms, etc. The SOLR database is used by Check Point products such as SmartLog and SmartEvent to store and query logs and events. The other options are incorrect. Option B is false, as SOLR does not write data to the database, but only reads data from it. Option C is false, as SOLR does not serve GUI, but only provides a RESTful API for queries. Option D is false, as SOLR does not enable powerful matching capabilities and write data to the database, but only enables powerful matching capabilities.

Reference: SOLR – Check Point Software, [Apache Solr]

Question #54

Which of the following commands is used to monitor cluster members?

  • A . cphaprob state
  • B . cphaprob status
  • C . cphaprob
  • D . cluster state

Correct Answer: A

Explanation:

The command that is used to monitor cluster members is cphaprob state. This command shows the state of each cluster member (Active, Standby, Down, etc.) and the reason for the state (OK, HA Failure, CCP Failure, etc.). It also shows the state synchronization status (Synchronized or Not Synchronized) and the uptime of each cluster member. The other options are incorrect. Option B is a command to show the status of cluster services, not cluster members. Option C is not a valid command by itself, as it requires an argument such as state, status, list, etc. Option D is not a valid command at all.

Reference: [cphaprob]

Question #55

Fill in the blank: Service blades must be attached to a ______________.

  • A . Security Gateway
  • B . Management container
  • C . Management server
  • D . Security Gateway container

Correct Answer: A

Explanation:

Service blades must be attached to a Security Gateway. A Security Gateway is a device that enforces security policies on traffic that passes through it. A service blade is a software module that provides a specific security function, such as firewall, VPN, IPS, etc. A Security Gateway can have one or more service blades attached to it, depending on the license and hardware capabilities. The other options are incorrect. A management container is a virtualized environment that hosts a Security Management Server or a Log Server. A management server is a device that manages security policies and distributes them to Security Gateways. A Security Gateway container is not a valid term in Check Point terminology.

Reference: [Check Point R81 Security Management Administration Guide], [Check Point R81 CloudGuard Administration Guide]

Question #56

Fill in the blank: An LDAP server holds one or more ______________.

  • A . Server Units
  • B . Administrator Units
  • C . Account Units
  • D . Account Servers

Correct Answer: C

Explanation:

An LDAP server holds one or more Account Units. An Account Unit is a logical representation of an LDAP server in the Check Point database. It defines the connection parameters, authentication methods, and user and group information that are retrieved from the LDAP server. An Account Unit allows the Security Gateway to use the LDAP server for user authentication and identity awareness. The other options are incorrect. A Server Unit is a logical representation of a Check Point server in the Check Point database. An Administrator Unit is a logical representation of an administrator or an administrator group in the Check Point database. An Account Server is not a valid term in Check Point terminology.

Reference: [Check Point R81 Identity Awareness Administration Guide], [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

Question #57

Fill in the blank: In Security Gateways R75 and above, SIC uses ______________ for encryption.

  • A . AES-128
  • B . AES-256
  • C . DES
  • D . 3DES

Correct Answer: A

Explanation:

In Security Gateways R75 and above, SIC uses AES-128 for encryption. SIC stands for Secure Internal Communication, which is a mechanism that establishes trust between Check Point components, such as Security Gateways, Security Management Servers, Log Servers, etc. SIC uses certificates to authenticate and encrypt the communication between the components. AES-128 is an encryption algorithm that uses a 128-bit key to encrypt and decrypt data. The other options are incorrect. AES-256 is an encryption algorithm that uses a 256-bit key, but it is not used by SIC. DES and 3DES are older encryption algorithms that use 56-bit and 168-bit keys respectively, but they are not used by SIC either.

Reference: [Secure Internal Communication (SIC) between Check Point components], AES – Wikipedia, DES – Wikipedia, Triple DES – Wikipedia

Question #58

What protocol is specifically used for clustered environments?

  • A . Clustered Protocol
  • B . Synchronized Cluster Protocol
  • C . Control Cluster Protocol
  • D . Cluster Control Protocol

Correct Answer: D

Explanation:

The protocol that is specifically used for clustered environments is Cluster Control Protocol (CCP). CCP is a proprietary Check Point protocol that is used for communication between cluster members and for cluster administration. CCP enables cluster members to exchange state information, synchronize connections, monitor interfaces, and perform failover operations. The other options are incorrect. Clustered Protocol, Synchronized Cluster Protocol, and Control Cluster Protocol are not valid terms in Check Point terminology.

Reference: [Cluster Control Protocol (CCP) – Check Point Software]

Question #59

Which of the following is NOT a tracking option? (Select three)

  • A . Partial log
  • B . Log
  • C . Network log
  • D . Full log

Correct Answer: A, C, D

Explanation:

The options that are not tracking options are Partial log, Network log, and Full log. Tracking options are settings that determine how the Security Gateway handles traffic that matches a rule in the security policy. The valid tracking options are Log, Detailed Log, Extended Log, Alert, Mail, SNMP trap, User Defined Alert, and None. The other options are incorrect. Log is a tracking option that records basic information about the traffic, such as source, destination, service, action, etc. Detailed Log is a tracking option that records additional information about the traffic, such as NAT details, data amount, etc. Extended Log is a tracking option that records even more information about the traffic, such as matched IPS protections, application details, etc.

Reference: [Logging and Monitoring Administration Guide R80 – Check Point Software]

Question #60

Which command shows the installed licenses?

  • A . cplic print
  • B . print cplic
  • C . fwlic print
  • D . show licenses

Correct Answer: A

Explanation:

The command that shows the installed licenses is cplic print. This command displays the license information on a Check Point server or Security Gateway. It shows the license type, expiration date, attached blades, etc. The other options are incorrect. print cplic is not a valid command. fwlic print is not a valid command. show licenses is not a valid command.

Reference: [How to check license status on SecurePlatform / Gaia from CLI]

Question #61

Of all the Check Point components in your network, which one changes most often and should be backed up most frequently?

  • A . SmartManager
  • B . SmartConsole
  • C . Security Gateway
  • D . Security Management Server

Correct Answer: D

Explanation:

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

Reference: Check Point Security Management Administration Guide R81, p. 9

Question #62

Which option would allow you to make a backup copy of the OS and Check Point configuration, without stopping Check Point processes?

  • A . All options stop Check Point processes
  • B . backup
  • C . migrate export
  • D . snapshot

Correct Answer: D

Explanation:

The snapshot option would allow you to make a backup copy of the OS and Check Point configuration, without stopping Check Point processes. A snapshot is a full system backup, including network interfaces, routing tables, and Check Point products and configuration. The other options require stopping Check Point processes or do not back up the OS.

Reference: Check Point Security Management Administration Guide R81, p. 15-16

Question #63

What is the Transport layer of the TCP/IP model responsible for?

  • A . It transports packets as datagrams along different routes to reach their destination.
  • B . It manages the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the target application.
  • C . It defines the protocols that are used to exchange data between networks and how host programs interact with the Application layer.
  • D . It deals with all aspects of the physical components of network connectivity and connects with different network types.

Correct Answer: B

Explanation:

The Transport layer of the TCP/IP model is responsible for managing the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the target application. It also provides error detection and correction, flow control, and multiplexing. The Transport layer uses protocols such as TCP and UDP.

Reference: Check Point Security Engineering Study Guide, p. 10-11

Question #64

What needs to be configured if the NAT property ‘Translate destination on client side’ is not enabled in Global properties?

  • A . A host route to route to the destination IP
  • B . Use the file local.arp to add the ARP entries for NAT to work
  • C . Nothing, the Gateway takes care of all details necessary
  • D . Enabling ‘Allow bi-directional NAT’ for NAT to work correctly

Correct Answer: C

Explanation:

If the NAT property ‘Translate destination on client side’ is not enabled in Global properties, nothing needs to be configured on the client side, because the Gateway takes care of all details necessary. The Gateway translates the destination IP address before sending the packet to the client, so the client does not need to know about the NAT rule or add any host route or ARP entry.

Reference: Check Point Security Engineering Study Guide, p. 136-137

Question #65

In the Check Point Security Management Architecture, which component(s) can store logs?

  • A . SmartConsole
  • B . Security Management Server and Security Gateway
  • C . Security Management Server
  • D . SmartConsole and Security Management Server

Correct Answer: B

Explanation:

The Security Management Server and the Security Gateway are the components that can store logs in the Check Point Security Management Architecture. The Security Management Server stores logs in a database and can also forward them to external log servers. The Security Gateway can store logs locally in a buffer or a local log file, and can also send them to the Security Management Server or a log server.

Reference: Check Point Security Management Administration Guide R81, p. 11-12

Question #66

Fill in the blank: In order to install a license, it must first be added to the ____________.

  • A . User Center
  • B . Package repository
  • C . Download Center Web site
  • D . License and Contract repository

Correct Answer: D

Explanation:

In order to install a license, it must first be added to the License and Contract repository. The License and Contract repository is a centralized database that stores all the licenses and contracts for Check Point products. It allows you to manage, activate, and attach licenses to your Check Point products.

Reference: Check Point Security Management Administration Guide R81, p. 19-20

Question #67

When logging in for the first time to a Security management Server through SmartConsole, a fingerprint is saved to the:

  • A . Security Management Server’s /home/.fgpt file and is available for future SmartConsole authentications.
  • B . Windows registry is available for future Security Management Server authentications.
  • C . There is no memory used for saving a fingerprint anyway.
  • D . SmartConsole cache is available for future Security Management Server authentications.

Correct Answer: D

Explanation:

When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is saved to the SmartConsole cache and is available for future Security Management Server authentications. The fingerprint is a unique identifier of the Security Management Server that is used to verify its identity and prevent man-in-the-middle attacks. The SmartConsole cache is a local folder on the client machine that stores temporary files and settings.

Reference: Check Point Security Management Administration Guide R81, p. 25-26

Question #68

Fill in the blank: By default, the SIC certificates issued by R80 Management Server are based on the ____________ algorithm.

  • A . SHA-256
  • B . SHA-200
  • C . MD5
  • D . SHA-128

Correct Answer: A

Explanation:

By default, the SIC certificates issued by R80 Management Server are based on the SHA-256 algorithm. SHA-256 is a secure hash algorithm that produces a 256-bit digest. SHA-200, MD5, and SHA-128 are not valid algorithms for SIC certificates.

Reference: SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)

Question #69

Which message indicates IKE Phase 2 has completed successfully?

  • A . Quick Mode Complete
  • B . Aggressive Mode Complete
  • C . Main Mode Complete
  • D . IKE Mode Complete

Correct Answer: A

Explanation:

Quick Mode Complete is the message that indicates IKE Phase 2 has completed successfully. IKE Phase 2 is also known as Quick Mode or Child SA in IKEv1 and IKEv2 respectively. Aggressive Mode and Main Mode are part of IKE Phase 1, which establishes the IKE SA. IKE Mode is not a valid term for IKE negotiation.

Reference: How to Analyze IKE Phase 2 VPN Status Messages, IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges, Understand IPsec IKEv1 Protocol

Question #70

Administrator Dave logs into R80 Management Server to review and makes some rule changes. He notices that there is a padlock sign next to the DNS rule in the Rule Base.

What is the possible explanation for this?

  • A . DNS Rule is using one of the new feature of R80 where an administrator can mark a rule with the padlock icon to let other administrators know it is important.
  • B . Another administrator is logged into the Management and currently editing the DNS Rule.
  • C . DNS Rule is a placeholder rule for a rule that existed in the past but was deleted.
  • D . This is normal behavior in R80 when there are duplicate rules in the Rule Base.

Correct Answer: B

Explanation:

The padlock sign next to the DNS rule in the Rule Base indicates that another administrator is logged into the Management and currently editing the DNS Rule. This is a feature of R80 that allows multiple administrators to work on the same policy simultaneously. The padlock sign prevents other administrators from modifying the same rule until the editing administrator publishes or discards the changes. The other options are not valid explanations for the padlock sign.

Reference: 156-215.80: Check Point Certified Security Administrator (CCSA R80) : Part 19, Multi-User Policy Editing

Question #71

Fill in the blank: When tunnel test packets no longer invoke a response, SmartView Monitor displays _____________ for the given VPN tunnel.

  • A . Down
  • B . No Response
  • C . Inactive
  • D . Failed

Correct Answer: A

Explanation:

When tunnel test packets no longer invoke a response, SmartView Monitor displays Down for the given VPN tunnel. This means that the VPN tunnel is not operational and there is no IKE or IPsec traffic passing through it. No Response, Inactive, and Failed are not valid statuses for VPN tunnels in SmartView Monitor.

Reference: Smart View Monitor displays status for all S2S VPN tunnels – Phase1 UP

Question #72

Which of the following is the most secure means of authentication?

  • A . Password
  • B . Certificate
  • C . Token
  • D . Pre-shared secret

Correct Answer: B

Explanation:

Certificate is the most secure means of authentication among the given options. A certificate is a digital document that contains information about the identity of a user or a device, and is signed by a trusted authority. A certificate can be used to prove the identity of a user or a device without revealing any sensitive information, such as passwords or tokens. Password, token, and pre-shared secret are less secure means of authentication because they can be easily compromised, stolen, or guessed by attackers.

Reference: Secure User Authentication Methods – freeCodeCamp.org, What is the Most Secure Authentication Method for Your Organization …

Question #73

What is the BEST command to view configuration details of all interfaces in Gaia CLISH?

  • A . ifconfig -a
  • B . show interfaces
  • C . show interfaces detail
  • D . show configuration interface

Correct Answer: D

Explanation:

The BEST command to view configuration details of all interfaces in Gaia CLISH is show configuration interface. This command displays the interface name, IP address, netmask, state, MTU, and other parameters for each interface. ifconfig -a, show interfaces, and show interfaces detail are not valid commands in Gaia CLISH.

Reference: How to configure static routes in CLISH on Gaia OS and IPSO OS, GAIA CLISH Commands – Fir3net, Gaia Administration Guide R80 – Check Point Software, Gaia Clish commands including User Defined (Extended) commands

Question #74

Fill in the blank: Authentication rules are defined for ____________.

  • A . User groups
  • B . Users using UserCheck
  • C . Individual users
  • D . All users in the database

Correct Answer: A

Explanation:

Authentication rules are defined for user groups rather than individual users. To define authentication rules, you must first define users and groups. You can define users with the Check Point user database, or with an external server, such as LDAP. UserCheck is a feature that enables user interaction with security events. Individual users and all users in the database are not valid options for defining authentication rules.

Reference: How to Configure Client Authentication, UserCheck

Question #75

Which tool provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed?

  • A . ThreatWiki
  • B . Whitelist Files
  • C . AppWiki
  • D . IPS Protections

Correct Answer: A

Explanation:

ThreatWiki is a tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. ThreatWiki is a web-based service that collects information about files from various sources, such as Check Point customers, partners, and researchers. Administrators can use ThreatWiki to view file reputation, upload files for analysis, and download indicators of compromise. Whitelist Files, AppWiki, and IPS Protections are not tools that provide a list of trusted files.

Reference: Threat Prevention R80.40 Administration Guide

Question #76

Which of the following is an authentication method used for Identity Awareness?

  • A . SSL
  • B . Captive Portal
  • C . PKI
  • D . RSA

Correct Answer: B

Explanation:

Captive Portal is an authentication method used for Identity Awareness. Captive Portal is a web-based authentication method that redirects users to a browser-based login page when they try to access the network. Users must provide their credentials to access the network resources. Captive Portal can be used for guest users or users who are not identified by other methods. SSL, PKI, and RSA are not authentication methods used for Identity Awareness, but rather encryption or certificate technologies.

Reference: Identity Awareness Reference Architecture and Best Practices

Question #77

The SIC Status “Unknown” means

  • A . There is connection between the gateway and Security Management Server but it is not trusted.
  • B . The secure communication is established.
  • C . There is no connection between the gateway and Security Management Server.
  • D . The Security Management Server can contact the gateway, but cannot establish SIC.

Correct Answer: C

Explanation:

The SIC Status “Unknown” means that there is no connection between the gateway and Security Management Server. This can happen if the gateway is down, unreachable, or has not been initialized yet.

Reference: Check Point R81 Security Management Administration Guide, Free Check Point CCSA Sample Questions and Study Guide

Question #78

What is a reason for manual creation of a NAT rule?

  • A . In R80 all Network Address Translation is done automatically and there is no need for manually defined NAT-rules.
  • B . Network Address Translation of RFC1918-compliant networks is needed to access the Internet.
  • C . Network Address Translation is desired for some services, but not for others.
  • D . The public IP-address is different from the gateway’s external IP

Correct Answer: D

Explanation:

A reason for manual creation of a NAT rule is when the public IP-address is different from the gateway’s external IP. This can happen when the gateway is behind another NAT device or firewall.

Reference: Check Point R81 Security Gateway Administration Guide, Check Point CCSA – R81: Practice Test & Explanation

Question #79

Which of the following commands is used to verify license installation?

  • A . Cplic verify license
  • B . Cplic print
  • C . Cplic show
  • D . Cplic license

Correct Answer: B

Explanation:

The command cplic print is used to verify license installation. It displays the installed licenses and their expiration dates.

Reference: [Check Point R81 Command Line Interface Reference Guide], Check Point :: Pearson VUE

Question #80

To enforce the Security Policy correctly, a Security Gateway requires:

  • A . a routing table
  • B . awareness of the network topology
  • C . a Demilitarized Zone
  • D . a Security Policy install

Correct Answer: B

Explanation:

To enforce the Security Policy correctly, a Security Gateway requires awareness of the network topology. This means that the gateway knows which networks and interfaces are internal and external, and how to route packets between them.

Reference: [Check Point R81 Security Gateway Technical Administration Guide], Check Point CCSA – R81: Practice Test & Explanation

Question #81

Which configuration element determines which traffic should be encrypted into a VPN tunnel vs. sent in the clear?

  • A . The firewall topologies
  • B . NAT Rules
  • C . The Rule Base
  • D . The VPN Domains

Correct Answer: D

Explanation:

The VPN Domains configuration element determines which traffic should be encrypted into a VPN tunnel vs. sent in the clear. The VPN Domain is the set of hosts and networks that are allowed to communicate securely with the gateway. The firewall topologies, NAT rules, and the rule base do not directly affect the VPN encryption decision.

Reference: Check Point R81 Security Gateway Technical Administration Guide, CCSA/CCSE Exam Tips & Content – R80.X vs. R81.X – Check Point CheckMates

Question #82

You have discovered suspicious activity in your network.

What is the BEST immediate action to take?

  • A . Create a policy rule to block the traffic.
  • B . Create a suspicious action rule to block that traffic.
  • C . Wait until traffic has been identified before making any changes.
  • D . Contact ISP to block the traffic.

Correct Answer: B

Explanation:

The BEST immediate action to take when you have discovered suspicious activity in your network is to create a suspicious action rule to block that traffic. A suspicious action rule is a special type of rule that is triggered when a predefined condition is met, such as a malicious file download, a ransomware attack, or a data exfiltration attempt. A suspicious action rule can block the traffic, quarantine the source, or send an alert to the administrator. Creating a policy rule to block the traffic may not be effective if the traffic does not match the rule criteria or if the policy installation is delayed. Waiting until traffic has been identified before making any changes may allow the threat to spread or cause more damage. Contacting the ISP to block the traffic may not be feasible or timely, and may also affect legitimate traffic.

Reference: Check Point R81 Security Gateway Technical Administration Guide, Check Point CCSA – R81: Practice Test & Explanation | Udemy

Question #83

Tom has connected to the Management Server remotely using SmartConsole and is in the process of making some Rule Base changes, when he suddenly loses connectivity. Connectivity is restored shortly afterward.

What will happen to the changes already made?

  • A . Tom will have to reboot his SmartConsole computer, clear the cache, and restore changes.
  • B . Tom will have to reboot his SmartConsole computer, and access the Management cache store on that computer, which is only accessible after a reboot.
  • C . Tom’s changes will be lost since he lost connectivity and he will have to start again.
  • D . Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work.

Correct Answer: D

Explanation:

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work. This is because SmartConsole uses a session mechanism that allows users to work offline and save their changes locally until they are ready to publish them to the Management. If Tom loses connectivity, he can resume his session when he reconnects and continue working on his Rule Base changes. He does not need to reboot his SmartConsole computer, clear the cache, or restore changes. His changes are not lost simply because he lost connectivity.

Reference: Check Point R81 Security Management Administration Guide, Check Point CCSA – R81: Practice Test & Explanation | Udemy

Question #84

Which GUI tool can be used to view and apply Check Point licenses?

  • A . cpconfig
  • B . Management Command Line
  • C . SmartConsole
  • D . SmartUpdate

Correct Answer: D

Explanation:

The GUI tool that can be used to view and apply Check Point licenses is SmartUpdate. SmartUpdate is a centralized tool that allows you to manage licenses, software packages, and hotfixes for multiple gateways and clusters. cpconfig, Management Command Line, and SmartConsole are not tools for license management.

Reference: Check Point R81 SmartUpdate Administration Guide, Check Point CCSA – R81: Practice Test & Explanation | Udemy

Question #85

How would you determine the software version from the CLI?

  • A . fw ver
  • B . fw stat
  • C . fw monitor
  • D . cpinfo

Correct Answer: A

Explanation:

The command that can be used to determine the software version from the CLI is fw ver. This command displays the version of the firewall module and the build number. fw stat, fw monitor, and cpinfo are not commands for software version identification.

Reference: Check Point R81 Command Line Interface Reference Guide, [156-315.81 Checkpoint Exam Info and Free Practice Test – ExamTopics]

Question #86

In R80 Management, apart from using SmartConsole, objects or rules can also be modified using:

  • A . 3rd Party integration of CLI and API for Gateways prior to R80.
  • B . A complete CLI and API interface using SSH and custom CPCode integration.
  • C . 3rd Party integration of CLI and API for Management prior to R80.
  • D . A complete CLI and API interface for Management with 3rd Party integration.

Correct Answer: B

Explanation:

In R80 Management, apart from using SmartConsole, objects or rules can also be modified using a complete CLI and API interface using SSH and custom CPCode integration. This allows you to automate tasks, integrate with third-party tools, and create custom scripts. 3rd Party integration of CLI and API for Gateways or Management prior to R80 is not relevant for R80 Management. A complete CLI and API interface for Management with 3rd Party integration is not a specific option.

Reference: [Check Point R81 Security Management Administration Guide], [Check Point Learning and Training Frequently Asked Questions (FAQs)]

Question #87

When connected to the Check Point R80 Management Server using the SmartConsole the first administrator to connect has a lock on:

  • A . Only the objects being modified in the Management Database and other administrators can connect to make changes using a special session as long as they all connect from the same LAN network.
  • B . The entire Management Database and other administrators can connect to make changes only if the first administrator switches to Read-only.
  • C . The entire Management Database and all sessions and other administrators can connect only as Read-only.
  • D . Only the objects being modified in his session of the Management Database and other administrators can connect to make changes using different sessions.

Correct Answer: D

Explanation:

The answer is D because in R80 and above, the first administrator to connect to the Management Server using SmartConsole gets a lock on only the objects being modified in his session of the Management Database. Other administrators can connect to make changes using different sessions, but they cannot modify the same objects as the first administrator until he publishes his changes. This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously.

Reference: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

Question #88

Which is NOT an encryption algorithm that can be used in an IPSEC Security Association (Phase 2)?

  • A . AES-GCM-256
  • B . AES-CBC-256
  • C . AES-GCM-128

Correct Answer: B

Explanation:

The answer is B because AES-CBC-256 is not a supported encryption algorithm for IPsec Security Associations (Phase 2) in R81. The supported encryption algorithms are AES-GCM-128, AES-GCM-256, AES-CBC-128, 3DES, and NULL.

Reference: Check Point R81 VPN Administration Guide

Question #89

Fill in the blank: To create policy for traffic to or from a particular location, use the _____________.

  • A . DLP shared policy
  • B . Geo policy shared policy
  • C . Mobile Access software blade
  • D . HTTPS inspection

Correct Answer: B

Explanation:

The answer is B because Geo policy shared policy is used to create policy for traffic to or from a particular location based on the source or destination country. DLP shared policy is used to prevent data loss by inspecting files and data for sensitive information. Mobile Access software blade is used to provide secure remote access to corporate resources from various devices. HTTPS inspection is used to inspect encrypted web traffic for threats and compliance.

Reference: Check Point R81 Geo Policy Administration Guide, [Check Point R81 Data Loss Prevention Administration Guide], [Check Point R81 Mobile Access Administration Guide], [Check Point R81 HTTPS Inspection Administration Guide]

Question #90

After trust has been established between the Check Point components, what is TRUE about name and IP-address changes?

  • A . Security Gateway IP-address cannot be changed without re-establishing the trust
  • B . The Security Gateway name cannot be changed in command line without re-establishing trust
  • C . The Security Management Server name cannot be changed in SmartConsole without re-establishing trust
  • D . The Security Management Server IP-address cannot be changed without re-establishing the trust

Correct Answer: A

Explanation:

The answer is A because changing the Security Gateway IP-address requires re-establishing the trust with the Security Management Server by initializing the Secure Internal Communication (SIC). Changing the Security Gateway name in command line or changing the Security Management Server name or IP-address in SmartConsole does not require re-establishing the trust, but it may require updating the topology and pushing the policy.

Reference: [Check Point R81 Security Management Administration Guide], [Check Point R81 Security Gateway Administration Guide]

Question #91

Which two Identity Awareness commands are used to support identity sharing?

  • A . Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
  • B . Policy Enforcement Point (PEP) and Policy Manipulation Point (PMP)
  • C . Policy Manipulation Point (PMP) and Policy Activation Point (PAP)
  • D . Policy Activation Point (PAP) and Policy Decision Point (PDP)

Correct Answer: A

Explanation:

The answer is A because Identity Awareness commands are used to support identity sharing between Security Gateways. Policy Decision Point (PDP) is the Security Gateway that collects identities from various sources and shares them with other gateways. Policy Enforcement Point (PEP) is the Security Gateway that enforces the policy based on the identities received from the PDP.

Reference: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Security Management Administration Guide

Question #92

True or False: In R80, more than one administrator can login to the Security Management Server with write permission at the same time.

  • A . False, this feature has to be enabled in the Global Properties.
  • B . True, every administrator works in a session that is independent of the other administrators.
  • C . True, every administrator works on a different database that is independent of the other administrators.
  • D . False, only one administrator can login with write permission.

Correct Answer: B

Explanation:

The answer is B because in R80 and above, more than one administrator can login to the Security Management Server with write permission at the same time. Every administrator works in a session that is independent of the other administrators. This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously.

Reference: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

Question #93

Which one of the following is TRUE?

  • A . Ordered policy is a sub-policy within another policy
  • B . One policy can be either inline or ordered, but not both
  • C . Inline layer can be defined as a rule action
  • D . Pre-R80 Gateways do not support ordered layers

Correct Answer: C

Explanation:

The answer is C because inline layer can be defined as a rule action in a policy layer. Inline layer is a sub-policy that contains additional rules that are applied only if the parent rule matches. Ordered layer is a policy layer that contains rules that are applied in order, from top to bottom. One policy can be either inline or ordered, but not both. Pre-R80 Gateways do support ordered layers, but not inline layers.

Reference: Check Point R81 Policy Layers and Sub-Policies, [Check Point R81 Security Gateway Administration Guide]

Question #94

Which deployment adds a Security Gateway to an existing environment without changing IP routing?

  • A . Distributed
  • B . Bridge Mode
  • C . Remote
  • D . Standalone

Correct Answer: B

Explanation:

The answer is B because bridge mode deployment adds a Security Gateway to an existing environment without changing IP routing. Bridge mode is a transparent mode that does not require assigning IP addresses to the Security Gateway interfaces. Distributed deployment is a deployment where the Security Management Server and the Security Gateway are installed on separate machines. Remote deployment is a deployment where the Security Gateway is installed on a remote site and connects to the Security Management Server over a VPN tunnel. Standalone deployment is a deployment where the Security Management Server and the Security Gateway are installed on the same machine.

Reference: [Check Point R81 Bridge Mode], [Check Point R81 Deployment Scenarios]

Question #95

Fill in the blank: An identity server uses a ___________ for user authentication.

  • A . Shared secret
  • B . Certificate
  • C . One-time password
  • D . Token

Correct Answer: A

Explanation:

The answer is A because an identity server uses a shared secret for user authentication. A shared secret is a passphrase that is known by both the identity server and the user. The identity server sends a challenge to the user, who encrypts it with the shared secret and sends it back. The identity server then verifies the response and authenticates the user.

Reference: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Identity Server

Question #96

You can see the following graphic:

What is presented on it?

  • A . Properties of personal .p12 certificate file issued for user John.
  • B . Shared secret properties of John’s password.
  • C . VPN certificate properties of the John’s gateway.
  • D . Expired .p12 certificate properties for user John.

Correct Answer: A

Explanation:

The answer is A because the graphic shows the properties of a personal .p12 certificate file issued for user John. A .p12 file is a file format that contains a user’s private key and public key certificate. The graphic shows that the certificate file is valid and has an expiration date of 07-Apr-2018. The graphic also shows that the certificate file is issued by an internal CA, which is a Check Point component that manages certificates for users and gateways.

Reference: Check Point R81 Certificate Management, Check Point R81 Internal CA

Question #97

When configuring LDAP User Directory integration, changes applied to a User Directory template are:

  • A . Reflected immediately for all users who are using template.
  • B . Not reflected for any users unless the local user template is changed.
  • C . Reflected for all users who are using that template and if the local user template is changed as well.
  • D . Not reflected for any users who are using that template.

Correct Answer: A

Explanation:

The answer is A because changes applied to a User Directory template are reflected immediately for all users who are using that template. A User Directory template defines the settings for connecting to an LDAP server, such as the server name, port, base DN, user filter, and group filter. When a User Directory template is modified, all users who are using that template will inherit the changes without requiring any additional actions.

Reference: Check Point R81 Identity Awareness Administration Guide, [Check Point R81 User Directory Templates]

Question #98

Choose what BEST describes the reason why querying logs now is very fast.

  • A . New Smart-1 appliances double the physical memory install
  • B . Indexing Engine indexes logs for faster search results
  • C . SmartConsole now queries results directly from the Security Gateway
  • D . The amount of logs being stored is less than usual in older versions

Correct Answer: B

Explanation:

The answer is B because querying logs is now very fast thanks to the Indexing Engine, which indexes logs for faster search results. The Indexing Engine is a component of the Smart-1 appliance that creates indexes for log fields and values, such as source, destination, action, and time. The indexes enable quick and efficient searches of large amounts of log data.

Reference: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point R81 Indexing Engine]

Question #99

Check Point ClusterXL Active/Active deployment is used when:

  • A . Only when there is Multicast solution set up
  • B . There is Load Sharing solution set up
  • C . Only when there is Unicast solution set up
  • D . There is High Availability solution set up

Correct Answer: B

Explanation:

Check Point ClusterXL Active/Active deployment is used when there is a Load Sharing solution set up. Load Sharing enables multiple Security Gateways to share traffic and provide high availability.

Reference: Check Point R81, Check Point R81 ClusterXL Administration Guide

Question #100

Which of the following methods can be used to update the trusted log server regarding the policy and configuration changes performed on the Security Management Server?

  • A . Save Policy
  • B . Install Database
  • C . Save session
  • D . Install Policy

Correct Answer: A

Explanation:

The method to update the trusted log server regarding the policy and configuration changes performed on the Security Management Server is Save Policy. Saving a policy updates the trusted log server with the latest policy and configuration changes.

Reference: Check Point R81 Logging and Monitoring Administration Guide
