Exam4Training

Check Point 156-315.81.20 Check Point Certified Security Expert – R81.20 Online Training

Question #1

Identify the API that is not supported by Check Point currently.

  • A . R81 Management API-
  • B . Identity Awareness Web Services API
  • C . Open REST API
  • D . OPSEC SDK

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Check Point currently supports four types of APIs: R81 Management API, Identity Awareness Web Services API, OPSEC SDK, and Gaia REST API. The Open REST API is not a valid option.

Reference: Check Point APIs

Question #2

SandBlast Mobile identifies threats in mobile devices by using on-device, network, and cloud-based algorithms and has four dedicated components that constantly work together to protect mobile devices and their data.

Which component is NOT part of the SandBlast Mobile solution?

  • A . Management Dashboard
  • B . Gateway
  • C . Personal User Storage
  • D . Behavior Risk Engine

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution.

Reference: SandBlast Mobile Architecture

Question #3

What are the different command sources that allow you to communicate with the API server?

  • A . SmartView Monitor, API_cli Tool, Gaia CLI, Web Services
  • B . SmartConsole GUI Console, mgmt_cli Tool, Gaia CLI, Web Services
  • C . SmartConsole GUI Console, API_cli Tool, Gaia CLI, Web Services
  • D . API_cli Tool, Gaia CLI, Web Services

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

You can communicate with the API server using three command sources: SmartConsole GUI Console, mgmt_cli Tool, and Gaia CLI. Web Services are not a command source, but a way to access the API server using HTTP requests.

Reference: Check Point Management APIs

Question #4

What makes Anti-Bot unique compared to other Threat Prevention mechanisms, such as URL Filtering, Anti-Virus, IPS, and Threat Emulation?

  • A . Anti-Bot is the only countermeasure against unknown malware
  • B . Anti-Bot is the only protection mechanism which starts a counter-attack against known Command & Control Centers
  • C . Anti-Bot is the only signature-based method of malware protection.
  • D . Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection to a Command & Control Center.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts.

Reference: Anti-Bot Software Blade

Question #5

Which TCP-port does CPM process listen to?

  • A . 18191
  • B . 18190
  • C . 8983
  • D . 19009

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The CPM process is the core process of the Security Management Server that handles all management operations. It listens to TCP-port 19009 by default.

Reference: CPM process

Question #6

Which method below is NOT one of the ways to communicate using the Management API’s?

  • A . Typing API commands using the “mgmt_cli” command
  • B . Typing API commands from a dialog box inside the SmartConsole GUI application
  • C . Typing API commands using Gaia’s secure shell(clish)19+
  • D . Sending API commands over an http connection using web-services

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The Management API supports three methods of communication: mgmt_cli command, SmartConsole GUI dialog box, and Gaia CLI. Sending API commands over an http connection using web-services is not a supported method.

Reference: Check Point Management APIs

Question #7

Your manager asked you to check the status of SecureXL, and its enabled templates and features.

What command will you use to provide such information to manager?

  • A . fw accel stat
  • B . fwaccel stat
  • C . fw acces stats
  • D . fwaccel stats

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The fwaccel stat command displays the status of SecureXL, and its enabled templates and features. The other commands are either incorrect or incomplete.

Reference: [SecureXL Commands]

Question #8

SSL Network Extender (SNX) is a thin SSL VPN on-demand client that is installed on the remote user’s machine via the web browser.

What are the two modes of SNX?

  • A . Application and Client Service
  • B . Network and Application
  • C . Network and Layers
  • D . Virtual Adapter and Mobile App

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network.

Reference: [SSL Network Extender]

Question #9

Which command would disable a Cluster Member permanently?

  • A . clusterXL_admin down
  • B . cphaprob_admin down
  • C . clusterXL_admin down-p
  • D . set clusterXL down-p

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The clusterXL_admin down -p command disables a Cluster Member permanently, meaning that it will not rejoin the cluster even after a reboot. The other commands either disable a Cluster Member temporarily or are invalid.

Reference: [ClusterXL Administration Guide]

Question #10

Which two of these Check Point Protocols are used by SmartEvent Processes?

  • A . ELA and CPD
  • B . FWD and LEA
  • C . FWD and CPLOG
  • D . ELA and CPLOG

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

SmartEvent Processes use two Check Point Protocols: ELA (Event Log Agent) and CPLOG (Check Point Log). ELA collects logs from Security Gateways and forwards them to the Log Server. CPLOG is used by the Log Server to communicate with the SmartEvent Server.

Reference: [SmartEvent Architecture]

Question #11

Fill in the blank: The tool _____ generates a R81 Security Gateway configuration report.

  • A . infoCP
  • B . infoview
  • C . cpinfo
  • D . fw cpinfo

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The cpinfo tool generates a R81 Security Gateway configuration report that includes information about the hardware, operating system, product version, patches, and configuration settings.

Reference: cpinfo – Check Point Support Center

Question #12

Which of these statements describes the Check Point ThreatCloud?

  • A . Blocks or limits usage of web applications
  • B . Prevents or controls access to web sites based on category
  • C . Prevents Cloud vulnerability exploits
  • D . A worldwide collaborative security network

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The Check Point ThreatCloud is a worldwide collaborative security network that collects and analyzes threat data from millions of sensors, security gateways, and other sources, and delivers real-time threat intelligence and protection to Check Point products.

Reference: Check Point ThreatCloud

Question #13

Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically

reset every

  • A . 15 sec
  • B . 60 sec
  • C . 5 sec
  • D . 30 sec

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances.

Reference: SecureXL Mechanism

Question #14

Which command will allow you to see the interface status?

  • A . cphaprob interface
  • B . cphaprob CI interface
  • C . cphaprob Ca if
  • D . cphaprob stat

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The cphaprob -a if command displays the interface status of all cluster members, including the interface name, IP address, state, monitor mode, and sync status.

Reference: cphaprob – Check Point Support Center

Question #15

Which command can you use to enable or disable multi-queue per interface?

  • A . cpmq set
  • B . Cpmqueue set
  • C . Cpmq config
  • D . St cpmq enable

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The cpmq set command enables or disables multi-queue per interface. Multi-queue is a feature that allows distributing the network traffic among several CPU cores, improving the throughput and performance of the Security Gateway.

Reference: Multi-Queue

Question #16

To help SmartEvent determine whether events originated internally or externally you must define using the Initial Settings under General Settings in the Policy Tab.

How many options are available to calculate the traffic direction?

  • A . 5 Network; Host; Objects; Services; API
  • B . 3 Incoming; Outgoing; Network
  • C . 2 Internal; External
  • D . 4 Incoming; Outgoing; Internal; Other

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. There are four options available to calculate the traffic direction: Incoming, Outgoing, Internal, and Other. Incoming means the source is external and the destination is internal. Outgoing means the source is internal and the destination is external. Internal means both the source and the destination are internal. Other means both the source and the destination are external.

Reference: SmartEvent R81 Administration Guide

Question #17

There are 4 ways to use the Management API for creating host object with R81 Management API.

Which one is NOT correct?

  • A . Using Web Services
  • B . Using Mgmt_cli tool
  • C . Using CLISH
  • D . Using SmartConsole GUI console
  • E . Events are collected with SmartWorkflow from Trouble Ticket systems

Reveal Solution Hide Solution

Correct Answer: E
E

Explanation:

There are four ways to use the Management API for creating host object with R81 Management API: Using Web Services, Using mgmt_cli tool, Using CLISH, and Using SmartConsole GUI console. Events are collected with SmartWorkflow from Trouble Ticket systems is not a correct option.

Reference: Check Point Management APIs

Question #18

CoreXL is supported when one of the following features is enabled:

  • A . Route-based VPN
  • B . IPS
  • C . IPv6
  • D . Overlapping NAT

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

CoreXL is supported when one of the following features is enabled: IPS. CoreXL does not support Check Point Suite with these features: Route-based VPN, IPv6, Overlapping NAT, QoS, Content Awareness, Application Control, URL Filtering, Identity Awareness, HTTPS Inspection, DLP, Anti-Bot, Anti-Virus, Threat Emulation.

Reference: CoreXL

Question #19

You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher.

How can you enable them?

  • A . fw ctl multik dynamic_dispatching on
  • B . fw ctl multik dynamic_dispatching set_mode 9
  • C . fw ctl multik set_mode 9
  • D . fw ctl multik pq enable

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. You can enable them by using the command fw ctl multik set_mode 9. This command sets the SecureXL mode to 9, which means that Priority Queues are enabled and Dynamic Dispatcher is fully enabled.

Reference: SecureXL Mechanism

Question #20

Check Point Management (cpm) is the main management process in that it provides the architecture for a consolidates management console. CPM allows the GUI client and management server to communicate via web services using ___________.

  • A . TCP port 19009
  • B . TCP Port 18190
  • C . TCP Port 18191
  • D . TCP Port 18209

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default.

Reference: CPM process

Question #21

Which command is used to set the CCP protocol to Multicast?

  • A . cphaprob set_ccp multicast
  • B . cphaconf set_ccp multicast
  • C . cphaconf set_ccp no_broadcast
  • D . cphaprob set_ccp no_broadcast

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The cphaconf set_ccp multicast command is used to set the Cluster Control Protocol (CCP) to Multicast mode. This mode allows cluster members to communicate with each other using multicast packets. The other commands are either incorrect or set the CCP to Broadcast mode.

Reference: ClusterXL Administration Guide

Question #22

Which packet info is ignored with Session Rate Acceleration?

  • A . source port ranges
  • B . source ip
  • C . source port
  • D . same info from Packet Acceleration is used

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Session Rate Acceleration is a SecureXL feature that accelerates the establishment of new connections by bypassing the inspection of the first packet of each session. Session Rate Acceleration ignores the source port information of the packet, as well as the destination port ranges, protocol type, and VPN information. The other packet info is used by Packet Acceleration, which is another SecureXL feature that accelerates the forwarding of subsequent packets of an established connection.

Reference: SecureXL Mechanism

Question #23

Which is the least ideal Synchronization Status for Security Management Server High Availability deployment?

  • A . Synchronized
  • B . Never been synchronized
  • C . Lagging
  • D . Collision

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The least ideal Synchronization Status for Security Management Server High Availability deployment is Collision. This status indicates that both members have modified the same object independently, resulting in a conflict that needs to be resolved manually. The other statuses are either normal or indicate a temporary delay in synchronization.

Reference: High Availability Administration Guide

Question #24

During inspection of your Threat Prevention logs you find four different computers having one event each with a Critical Severity.

Which of those hosts should you try to remediate first?

  • A . Host having a Critical event found by Threat Emulation
  • B . Host having a Critical event found by IPS
  • C . Host having a Critical event found by Antivirus
  • D . Host having a Critical event found by Anti-Bot

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The host having a Critical event found by Anti-Bot should be remediated first, as it indicates that the host is infected by a botnet malware that is communicating with a Command and Control server. This poses a serious threat to the network security and data integrity. The other events may indicate potential malware infection or attack attempts, but not necessarily successful ones.

Reference: Threat Prevention Administration Guide

Question #25

In R81 spoofing is defined as a method of:

  • A . Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
  • B . Hiding your firewall from unauthorized users.
  • C . Detecting people using false or wrong authentication logins
  • D . Making packets appear as if they come from an authorized IP address.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network.

Reference: Security Gateway R81 Administration Guide:

Question #26

Connections to the Check Point R81 Web API use what protocol?

  • A . HTTPS
  • B . RPC
  • C . VPN
  • D . SIC

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Connections to the Check Point R81 Web API use the HTTPS protocol. The Web API is a RESTful web service that allows you to perform management tasks on the Security Management Server using HTTP requests.

Reference: Check Point Management APIs

Question #27

Which command lists all tables in Gaia?

  • A . fw tab Ct
  • B . fw tab Clist
  • C . fw-tab Cs
  • D . fw tab -1

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The fw tab -s command lists all tables in Gaia. The fw tab command displays information about the firewall tables, such as connections, NAT translations, SAM rules, etc. The -s option shows a summary of all tables.

Reference: fw tab – Check Point Support Center

Question #28

What is true about the IPS-Blade?

  • A . In R81, IPS is managed by the Threat Prevention Policy
  • B . In R81, in the IPS Layer, the only three possible actions are Basic, Optimized and Strict
  • C . In R81, IPS Exceptions cannot be attached to “all rules”
  • D . In R81, the GeoPolicy Exceptions and the Threat Prevention Exceptions are the same

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

In R81, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy is a unified policy that allows you to configure and enforce IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction settings in one place.

Reference: Threat Prevention Administration Guide

Question #29

Which one of these features is NOT associated with the Check Point URL Filtering and Application Control Blade?

  • A . Detects and blocks malware by correlating multiple detection engines before users are affected.
  • B . Configure rules to limit the available network bandwidth for specified users or groups.
  • C . Use UserCheck to help users understand that certain websites are against the company’s security policy.
  • D . Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature associated with the Check Point URL Filtering and Application Control Blade. This feature is part of the Check Point SandBlast Network solution, which uses Threat Emulation and Threat Extraction technologies to prevent zero-day attacks. The other features are part of the URL Filtering and Application Control Blade, which allows you to control access to web applications and sites based on various criteria.

Reference: URL Filtering and Application Control Administration Guide

Question #30

What is a feature that enables VPN connections to successfully maintain a private and secure VPN session without employing Stateful Inspection?

  • A . Stateful Mode
  • B . VPN Routing Mode
  • C . Wire Mode
  • D . Stateless Mode

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

Reference: VPN Administration Guide

Question #31

What Factor preclude Secure XL Templating?

  • A . Source Port Ranges/Encrypted Connections
  • B . IPS
  • C . ClusterXL in load sharing Mode
  • D . CoreXL

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

SecureXL Templating is a feature that accelerates the processing of packets that belong to the same connection or session by creating a template for the first packet and applying it to the subsequent packets. SecureXL Templating is precluded by factors that prevent the creation of a template, such as source port ranges, encrypted connections, NAT, QoS, etc.

Reference: SecureXL Mechanism

Question #32

In order to get info about assignment (FW, SND) of all CPUs in your SGW, what is the most accurate CLI command?

  • A . fw ctl sdstat
  • B . fw ctl affinity Cl Ca Cr Cv
  • C . fw ctl multik stat
  • D . cpinfo

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The fw ctl affinity -l -a -r -v command is the most accurate CLI command to get info about assignment (FW, SND) of all CPUs in your SGW. This command displays the affinity settings of all interfaces and processes in a verbose mode, including the Firewall (FW) and Secure Network Distributor (SND) instances.

Reference: CoreXL Administration Guide

Question #33

Check Pont Central Deployment Tool (CDT) communicates with the Security Gateway / Cluster Members over Check Point SIC _______.

  • A . TCP Port 18190
  • B . TCP Port 18209
  • C . TCP Port 19009
  • D . TCP Port 18191

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Check Point Central Deployment Tool (CDT) communicates with the Security Gateway / Cluster Members over Check Point SIC using TCP port 18191 by default. CDT is a tool that allows you to perform simultaneous configuration changes on multiple gateways or clusters using predefined commands or scripts.

Reference: Check Point Central Deployment Tool (CDT)

Question #34

The CPD daemon is a Firewall Kernel Process that does NOT do which of the following?

  • A . Secure Internal Communication (SIC)
  • B . Restart Daemons if they fail
  • C . Transfers messages between Firewall processes
  • D . Pulls application monitoring status

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation.

Reference: CPD process

Question #35

What is not a component of Check Point SandBlast?

  • A . Threat Emulation
  • B . Threat Simulator
  • C . Threat Extraction
  • D . Threat Cloud

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Threat Simulator is not a component of Check Point SandBlast. Check Point SandBlast is a solution that provides advanced protection against zero-day threats using four components: Threat Emulation, Threat Extraction, Threat Cloud, and Threat Prevention.

Reference: Check Point SandBlast Network

Question #36

Full synchronization between cluster members is handled by Firewall Kernel.

Which port is used for this?

  • A . UDP port 265
  • B . TCP port 265
  • C . UDP port 256
  • D . TCP port 256

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member.

Reference: [ClusterXL Administration Guide]

Question #37

Fill in the blank: The command ___________________ provides the most complete restoration of a R81 configuration.

  • A . upgrade_import
  • B . cpconfig
  • C . fwm dbimport -p <export file>
  • D . cpinfo Crecover

Reveal Solution Hide Solution

Correct Answer: A
Question #38

Check Point Management (cpm) is the main management process in that it provides the architecture for a consolidated management console. It empowers the migration from legacy Client-side logic to Server-side logic.

The cpm process:

  • A . Allow GUI Client and management server to communicate via TCP Port 19001
  • B . Allow GUI Client and management server to communicate via TCP Port 18191
  • C . Performs database tasks such as creating, deleting, and modifying objects and compiling policy.
  • D . Performs database tasks such as creating, deleting, and modifying objects and compiling as well as policy code generation.

Reveal Solution Hide Solution

Correct Answer: C
Question #39

Which of the following type of authentication on Mobile Access can NOT be used as the first authentication method?

  • A . Dynamic ID
  • B . RADIUS
  • C . Username and Password
  • D . Certificate

Reveal Solution Hide Solution

Correct Answer: A
Question #40

Which of the SecureXL templates are enabled by default on Security Gateway?

  • A . Accept
  • B . Drop
  • C . NAT
  • D . None

Reveal Solution Hide Solution

Correct Answer: D

Question #41

What happen when IPS profile is set in Detect Only Mode for troubleshooting?

  • A . It will generate Geo-Protection traffic
  • B . Automatically uploads debugging logs to Check Point Support Center
  • C . It will not block malicious traffic
  • D . Bypass licenses requirement for Geo-Protection control

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

Question #42

What is true about VRRP implementations?

  • A . VRRP membership is enabled in cpconfig
  • B . VRRP can be used together with ClusterXL, but with degraded performance
  • C . You cannot have a standalone deployment
  • D . You cannot have different VRIDs in the same physical network

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Question #43

The Security Gateway is installed on GAIA R81. The default port for the Web User Interface is ______.

  • A . TCP 18211
  • B . TCP 257
  • C . TCP 4433
  • D . TCP 443

Reveal Solution Hide Solution

Correct Answer: D
Question #44

Fill in the blank: The R81 feature _____ permits blocking specific IP addresses for a specified time period.

  • A . Block Port Overflow
  • B . Local Interface Spoofing
  • C . Suspicious Activity Monitoring
  • D . Adaptive Threat Prevention

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Suspicious Activity Rules Solution

Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).

The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity rules are Firewall rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation.

Question #45

In a Client to Server scenario, which inspection point is the first point immediately following the tables and rule base check of a packet coming from outside of the network?

  • A . Big l
  • B . Little o
  • C . Little i
  • D . Big O

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The inspection point Big l is the first point immediately following the tables and rule base check of a packet coming from outside of the network. It is also the last point before the packet leaves the Security Gateway to the internal network1. The other inspection points are either before or after the rule base check, or in a different direction of traffic flow2.

Reference: Check Point R81 Security Gateway Architecture and Packet Flow, 156-315.81 Checkpoint Exam Info and Free Practice Test – ExamTopics

Question #46

What is the mechanism behind Threat Extraction?

  • A . This a new mechanism which extracts malicious files from a document to use it as a counter-attack against its sender.
  • B . This is a new mechanism which is able to collect malicious files out of any kind of file types to destroy it prior to sending it to the intended recipient.
  • C . This is a new mechanism to identify the IP address of the sender of malicious codes and put it into the SAM database (Suspicious Activity Monitoring).
  • D . Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Threat Extraction is a technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more), rather than determining their maliciousness. By cleaning the file before it enters the organization, Threat Extraction preemptively prevents both known and unknown threats, providing better protection against zero-day attacks1. Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast2.

The other options are either incorrect or irrelevant to the mechanism behind Threat Extraction.

Reference: Threat Extraction (CDR) – Check Point Software, Check Point Document Threat Extraction Technology

Question #47

You want to gather and analyze threats to your mobile device. It has to be a lightweight app.

Which application would you use?

  • A . SmartEvent Client Info
  • B . SecuRemote
  • C . Check Point Protect
  • D . Check Point Capsule Cloud

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Check Point Protect is a lightweight app that can be used to gather and analyze threats to your mobile device. It provides real-time threat intelligence, device posture assessment, and secure browsing protection3. The other applications are either not designed for mobile devices, or do not offer threat analysis features.

Reference: R81 CCSA & CCSE exams released featuring Promo for… –

Check Point …, Check Point Protect – Apps on Google Play

Question #48

Which view is NOT a valid CPVIEW view?

  • A . IDA
  • B . RAD
  • C . PDP
  • D . VPN

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

PDP is not a valid CPVIEW view. CPVIEW is a command-line tool that shows the status of different system parameters, such as CPU, memory, disk, network, and firewall. The valid views are IDA, RAD, VPN, FW, QoS, and others. PDP is a process that handles identity awareness and authentication.

Reference: Check Point R81 Gaia Administration Guide, Check Point Identity Awareness Administration Guide R81

Question #49

Which of the following is a new R81 Gateway feature that had not been available in R77.X and older?

  • A . The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
  • B . Limits the upload and download throughput for streaming media in the company to 1 Gbps.
  • C . Time object to a rule to make the rule active only during specified times.
  • D . Sub Policies ae sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions.

Reference: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

Question #50

fwssd is a child process of which of the following Check Point daemons?

  • A . fwd
  • B . cpwd
  • C . fwm
  • D . cpd

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

fwssd is a child process of fwd, which is the firewall daemon that handles policy installation, logging, and state synchronization. cpwd is the watchdog process that monitors and restarts other processes. fwm is the management server process that handles communication with GUI clients. cpd is the infrastructure daemon that handles SIC, licensing, and policy code generation.

Reference: Check Point Processes Cheat Sheet C LazyAdmins, Check Point R81 Gaia Administration Guide, Certified Security Expert (CCSE) R81.20 Course Overview

Question #51

Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an Active-Active cluster.

  • A . Symmetric routing
  • B . Failovers
  • C . Asymmetric routing
  • D . Anti-Spoofing

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Sticky Decision Function (SDF) is required to prevent asymmetric routing in an Active-Active cluster. Asymmetric routing occurs when packets from a source to a destination follow a different path than packets from the destination to the source. This can cause problems with stateful inspection and NAT. SDF ensures that packets from the same connection are handled by the same cluster member1.

Reference: Check Point R81 ClusterXL Administration Guide

Question #52

CPM process stores objects, policies, users, administrators, licenses and management data in a database. The database is:

  • A . MySQL
  • B . Postgres SQL
  • C . MarisDB
  • D . SOLR

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

CPM process stores objects, policies, users, administrators, licenses and management data in a Postgres SQL database. This database is located in $FWDIR/conf and can be accessed using the pg_client command2. The other options are not the correct database type for CPM.

Reference: Check Point R81 Security Management Administration Guide

Question #53

If you needed the Multicast MAC address of a cluster, what command would you run?

  • A . cphaprob Ca if
  • B . cphaconf ccp multicast
  • C . cphaconf debug data
  • D . cphaprob igmp

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The command cphaprob igmp can be used to display the Multicast MAC address of a cluster. This command shows the IGMP (Internet Group Management Protocol) information for each cluster interface, including the VRID (Virtual Router ID), the Multicast IP address, and the Multicast MAC address3. The other commands do not show the Multicast MAC address information.

Reference: Check Point R81 ClusterXL Administration Guide

Question #54

Which is NOT an example of a Check Point API?

  • A . Gateway API
  • B . Management API
  • C . OPSC SDK
  • D . Threat Prevention API

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Gateway API is not an example of a Check Point API. Check Point APIs are interfaces that enable interactions with Check Point products using automation scripts or external applications. The examples of Check Point APIs are Management API, OPSEC SDK, Threat Prevention API, Identity Awareness Web Services API, and others4. Gateway API is not a valid Check Point API name.

Reference: Check Point R81 Security Management Administration Guide, Check Point APIs

Question #55

What are the three components for Check Point Capsule?

  • A . Capsule Docs, Capsule Cloud, Capsule Connect
  • B . Capsule Workspace, Capsule Cloud, Capsule Connect
  • C . Capsule Workspace, Capsule Docs, Capsule Connect
  • D . Capsule Workspace, Capsule Docs, Capsule Cloud

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud. Capsule Workspace is a secure container app that allows users to access corporate data and applications from their mobile devices. Capsule Docs is a solution that protects documents with encryption and granular access control. Capsule Cloud is a cloud-based security service that enforces security policies on devices that are outside the corporate network.

Reference: Check Point Capsule

Question #56

Which of the following Check Point processes within the Security Management Server is responsible for the receiving of log records from Security Gateway?

  • A . logd
  • B . fwd
  • C . fwm
  • D . cpd

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The fwd process within the Security Management Server is responsible for the receiving of log records from Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 2571. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks2.

Reference: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet C LazyAdmins

Question #57

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via which 2 processes?

  • A . fwd via cpm
  • B . fwm via fwd
  • C . cpm via cpd
  • D . fwd via cpd

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via the cpm process. The cpm process is the main management process that handles database operations, policy installation, and communication with GUI clients via TCP port 190093. The other options are either incorrect or irrelevant to the log flow.

Reference: Certified Security Expert (CCSE) R81.20 Course Overview, Check Point Ports Used for Communication by Various Check Point Modules

Question #58

You have successfully backed up Check Point configurations without the OS information.

What command would you use to restore this backup?

  • A . restore_backup
  • B . import backup
  • C . cp_merge
  • D . migrate import

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information.

Reference: Check Point R81 Installation and Upgrade Guide

Question #59

The Firewall Administrator is required to create 100 new host objects with different IP addresses.

What API command can he use in the script to achieve the requirement?

  • A . add host name <New HostName> ip-address <ip address>
  • B . add hostname <New HostName> ip-address <ip address>
  • C . set host name <New HostName> ip-address <ip address>
  • D . set hostname <New HostName> ip-address <ip address>

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The API command add host name <New HostName> ip-address <ip address> can be used in a script to create 100 new host objects with different IP addresses. This command adds a new host object with the specified name and IP address to the database. The other commands are either not valid or not suitable for creating new host objects.

Reference: Check Point – Management API reference

Question #60

Tom has been tasked to install Check Point R81 in a distributed deployment.

Before Tom installs the systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his calculations?

  • A . One machine, but it needs to be installed using SecurePlatform for compatibility purposes.
  • B . One machine
  • C . Two machines
  • D . Three machines

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Tom will need two machines to install Check Point R81 in a distributed deployment, if he does not include a SmartConsole machine in his calculations. A distributed deployment consists of a Security Management Server that manages one or more Security Gateways. Therefore, Tom will need one machine for the Security Management Server and another machine for the Security Gateway. The other options are either too few or too many machines for a distributed deployment.

Reference: Check Point R81 Installation and Upgrade Guide

Question #61

You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines a(n) _____ or _____ action for the file types.

  • A . Inspect/Bypass
  • B . Inspect/Prevent
  • C . Prevent/Bypass
  • D . Detect/Bypass

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types. The Inspect action means that the file will be sent to the Threat Emulation engine for analysis, and the Bypass action means that the file will not be sent and will be allowed or blocked based on other Threat Prevention blades1. The other options are not valid actions for file types in Threat Prevention profiles.

Reference: Check Point R81 Threat Prevention Administration Guide

Question #62

When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?

  • A . None, Security Management Server would be installed by itself.
  • B . SmartConsole
  • C . SecureClient
  • D . Security Gateway
  • E . SmartEvent

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

When doing a Stand-Alone Installation, you would install the Security Management Server with the Security Gateway as the other Check Point architecture component. A Stand-Alone Installation is where the Security Management Server and the Security Gateway are installed on the same machine2. The other options are either not Check Point architecture components, or not suitable for a Stand-Alone Installation.

Reference: Check Point R81 Installation and Upgrade Guide

Question #63

On R81.20 when configuring Third-Party devices to read the logs using the LEA (Log Export API) the default Log Server uses port:

  • A . 18210
  • B . 18184
  • C . 257
  • D . 18191

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC.

Reference: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

Question #64

How many images are included with Check Point TE appliance in Recommended Mode?

  • A . 2(OS) images
  • B . images are chosen by administrator during installation
  • C . as many as licensed for
  • D . the newest image

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The Check Point TE appliance in Recommended Mode includes 2(OS) images. One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version.

Reference: [Check Point R81 Threat Emulation Administration Guide]

Question #65

What is the least amount of CPU cores required to enable CoreXL?

  • A . 2
  • B . 1
  • C . 4
  • D . 6

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The least amount of CPU cores required to enable CoreXL is 2. CoreXL is a technology that improves the performance of Security Gateways by using multiple CPU cores to process traffic in parallel. CoreXL requires at least two CPU cores, one for SND (Secure Network Distributor) and one for a Firewall instance. The other options are either too few or too many CPU cores for enabling CoreXL.

Reference: [Check Point R81 SecureXL Administration Guide], [Check Point R81 Performance Tuning Administration Guide]

Question #66

You are working with multiple Security Gateways enforcing an extensive number of rules.

To simplify security administration, which action would you choose?

  • A . Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
  • B . Create a separate Security Policy package for each remote Security Gateway.
  • C . Create network objects that restricts all applicable rules to only certain networks.
  • D . Run separate SmartConsole instances to login and configure each Security Gateway directly.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

To simplify security administration when working with multiple Security Gateways enforcing an extensive number of rules, you would choose to create a separate Security Policy package for each remote Security Gateway. A Security Policy package is a set of rules and objects that can be assigned to one or more Security Gateways. This allows you to manage different policies for different gateways from the same Management Server1. The other options are either not effective or not feasible for simplifying security administration.

Reference: Check Point R81 Security Management Administration Guide

Question #67

Which of the following authentication methods ARE NOT used for Mobile Access?

  • A . RADIUS server
  • B . Username and password (internal, LDAP)
  • C . SecurID
  • D . TACACS+

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

TACACS+ is not an authentication method that is used for Mobile Access. Mobile Access supports the following authentication methods: username and password (internal, LDAP, or RADIUS), certificate, SecurID, DynamicID, and SMS2. TACACS+ is a protocol that provides access control for routers, network access servers, and other network devices, but it is not supported by Mobile Access3.

Reference: Check Point R81 Mobile Access Administration Guide, TACACS+ – Wikipedia

Question #68

What is the correct command to observe the Sync traffic in a VRRP environment?

  • A . fw monitor Ce “accept[12:4,b]=224.0.0.18;”
  • B . fw monitor Ce “accept port(6118;”
  • C . fw monitor Ce “accept proto=mcVRRP;”
  • D . fw monitor Ce “accept dst=224.0.0.18;”

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The correct command to observe the Sync traffic in a VRRP environment is fw monitor Ce “accept dst=224.0.0.18;”. This command captures the packets that have the destination IP address of 224.0.0.18, which is the multicast address used by VRRP for synchronization. The other commands are either not valid or not specific to VRRP Sync traffic.

Reference: [Check Point R81 ClusterXL Administration Guide], Check Point R81 Performance Tuning Administration Guide

Question #69

What has to be taken into consideration when configuring Management HA?

  • A . The Database revisions will not be synchronized between the management servers
  • B . SmartConsole must be closed prior to synchronized changes in the objects database
  • C . If you wanted to use Full Connectivity Upgrade, you must change the Implied Rules to allow FW1_cpredundant to pass before the Firewall Control Connections.
  • D . For Management Server synchronization, only External Virtual Switches are supported. So, if you wanted to employ Virtual Routers instead, you have to reconsider your design.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

When configuring Management HA, you have to take into consideration that the Database revisions will not be synchronized between the management servers. Database revisions are snapshots of the database that are created manually or automatically when installing a policy or saving changes. They are stored locally on each management server and are not replicated by Management HA. The other options are either not true or not relevant to Management HA.

Reference: Check Point R81 Installation and Upgrade Guide

Question #70

What is the difference between an event and a log?

  • A . Events are generated at gateway according to Event Policy
  • B . A log entry becomes an event when it matches any rule defined in Event Policy
  • C . Events are collected with SmartWorkflow form Trouble Ticket systems
  • D . Log and Events are synonyms

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs.

Reference: Check Point R81 Logging and Monitoring Administration Guide

Question #71

What are the attributes that SecureXL will check after the connection is allowed by Security Policy?

  • A . Source address, Destination address, Source port, Destination port, Protocol
  • B . Source MAC address, Destination MAC address, Source port, Destination port, Protocol
  • C . Source address, Destination address, Source port, Destination port
  • D . Source address, Destination address, Destination port, Protocol

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The attributes that SecureXL will check after the connection is allowed by Security Policy are Source address, Destination address, Source port, Destination port, Protocol. These are the five tuple parameters that define a connection and are used by SecureXL to accelerate the traffic. The other options are either missing some of the parameters or include irrelevant ones, such as MAC addresses1.

Reference: Check Point R81 SecureXL Administration Guide

Question #72

Which statement is NOT TRUE about Delta synchronization?

  • A . Using UDP Multicast or Broadcast on port 8161
  • B . Using UDP Multicast or Broadcast on port 8116
  • C . Quicker than Full sync
  • D . Transfers changes in the Kernel tables between cluster members.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The statement that is not true about Delta synchronization is Using UDP Multicast or Broadcast on port 8161. Delta synchronization is a mechanism that transfers only the changes in the kernel tables between cluster members, instead of sending the entire tables. It uses UDP Multicast or Broadcast on port 8116, not 81612. The other statements are true about Delta synchronization.

Reference: Check Point R81 ClusterXL Administration Guide

Question #73

The Event List within the Event tab contains:

  • A . a list of options available for running a query.
  • B . the top events, destinations, sources, and users of the query results, either as a chart or in a tallied list.
  • C . events generated by a query.
  • D . the details of a selected event.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The Event List within the Event tab contains events generated by a query. The Event List shows the events that match the query criteria, such as time range, filter, and aggregation. The events can be sorted by different columns, such as severity, time, action, and source3. The other options are either not part of the Event tab or not related to the Event List.

Reference: Check Point R81 Logging and Monitoring Administration Guide

Question #74

Which statement is correct about the Sticky Decision Function?

  • A . It is not supported with either the Performance pack of a hardware based accelerator card
  • B . Does not support SPI’s when configured for Load Sharing
  • C . It is automatically disabled if the Mobile Access Software Blade is enabled on the cluster
  • D . It is not required L2TP traffic

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The statement that is correct about the Sticky Decision Function is It is not supported with either the Performance pack of a hardware based accelerator card. The Sticky Decision Function (SDF) is a feature that ensures that packets from the same connection are handled by the same cluster member in a Load Sharing configuration. However, SDF is not compatible with SecureXL acceleration, which is enabled by default or by using a Performance pack or a hardware based accelerator card4. The other statements are either incorrect or outdated about SDF.

Reference: Check Point R81 ClusterXL Administration Guide, Sticky Decision Function – Check Point CheckMates

Question #75

Which statement is true regarding redundancy?

  • A . System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob Cf if command.
  • B . ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
  • C . Machines in a ClusterXL High Availability configuration must be synchronized.
  • D . Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy.

Reference: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

Question #75

Which statement is true regarding redundancy?

  • A . System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob Cf if command.
  • B . ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
  • C . Machines in a ClusterXL High Availability configuration must be synchronized.
  • D . Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy.

Reference: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

Question #75

Which statement is true regarding redundancy?

  • A . System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob Cf if command.
  • B . ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
  • C . Machines in a ClusterXL High Availability configuration must be synchronized.
  • D . Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy.

Reference: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

Question #75

Which statement is true regarding redundancy?

  • A . System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob Cf if command.
  • B . ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
  • C . Machines in a ClusterXL High Availability configuration must be synchronized.
  • D . Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy.

Reference: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

Question #75

Which statement is true regarding redundancy?

  • A . System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob Cf if command.
  • B . ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
  • C . Machines in a ClusterXL High Availability configuration must be synchronized.
  • D . Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy.

Reference: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

Question #80

Post-Automatic/Manual NAT rules

  • A . 1,2,3,4
  • B . 1,4,2,3
  • C . 3,1,2,4
  • D . 4,3,1,2

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

NAT rules are prioritized in the following order:

Automatic Static NAT: This is the highest priority NAT rule and it translates the source or destination IP address to a different IP address without changing the port number. It is configured in the network object properties.

Automatic Hide NAT: This is the second highest priority NAT rule and it translates the source IP address and port number to a different IP address and port number. It is configured in the network object properties.

Manual/Pre-Automatic NAT: This is the third highest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase before the automatic NAT rules.

Post-Automatic/Manual NAT rules: This is the lowest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase after the automatic NAT rules.

Question #81

In R81, how do you manage your Mobile Access Policy?

  • A . Through the Unified Policy
  • B . Through the Mobile Console
  • C . From SmartDashboard
  • D . From the Dedicated Mobility Tab

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

Question #82

R81.20 management server can manage gateways with which versions installed?

  • A . Versions R77 and higher
  • B . Versions R76 and higher
  • C . Versions R75.20 and higher
  • D . Versions R75 and higher

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

R81.20 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81.

Question #83

Which command can you use to verify the number of active concurrent connections?

  • A . fw conn all
  • B . fw ctl pstat
  • C . show all connections
  • D . show connections

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot.

For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345.


Question #84

Which of the following statements is TRUE about R81 management plug-ins?

  • A . The plug-in is a package installed on the Security Gateway.
  • B . Installing a management plug-in requires a Snapshot, just like any upgrade process.
  • C . A management plug-in interacts with a Security Management Server to provide new features and support for new products.
  • D . Using a plug-in offers full central management only if special licensing is applied to specific features of the plug-in.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

A management plug-in is a software component that interacts with a Security Management Server to provide new features and support for new products. A management plug-in can extend the functionality of SmartConsole, SmartDashboard, SmartView Monitor, SmartView Tracker, SmartEvent, SmartReporter, SmartProvisioning, SmartUpdate, and other management tools. A management plug-in can also add new objects, policies, rules, actions, reports, views, and wizards to the management system. Some examples of management plug-ins are CloudGuard Controller, SandBlast Agent, Endpoint Security Server, Threat Extraction for Web, etc.

Question #85

How can SmartView application accessed?

  • A . http://<Security Management IP Address>/smartview
  • B . http://<Security Management IP Address>:4434/smartview/
  • C . https://<Security Management IP Address>/smartview/
  • D . https://<Security Management host name>:4434/smartview/

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

SmartView is a web-based application that allows you to view and analyze logs, reports, and events from multiple Check Point products. You can access SmartView by using the following URL:

You need to use HTTPS protocol and the default port 443. You also need to enter the IP address of

the Security Management Server that hosts the SmartView application. You cannot use the host name of the Security Management Server or a different port number.

Reference: SmartView R81 Administration Guide


Question #86

What command verifies that the API server is responding?

  • A . api stat
  • B . api status
  • C . show api_status
  • D . app_get_status

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The API server is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. You can verify that the API server is responding by using the following command in Expert mode:

This command will display the current status of the API server, such as running, stopped, or initializing. It will also show the API version, port number, and SSL certificate information.

Reference: Check Point R81 REST API Reference Guide


Question #87

Where you can see and search records of action done by R81 SmartConsole administrators?

  • A . In SmartView Tracker, open active log
  • B . In the Logs & Monitor view, select “Open Audit Log View”
  • C . In SmartAuditLog View
  • D . In Smartlog, all logs

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The Audit Log is a feature that records all the actions performed by R81 SmartConsole administrators, such as logging in, logging out, publishing, installing policy, creating objects, modifying rules, etc. You can see and search records of action done by R81 SmartConsole administrators by following these steps:

In SmartConsole, go to Logs & Monitor view.

In the left pane, select Open Audit Log View.

In the right pane, you will see a table that shows all the audit log records. You can filter, sort, group,

or search the records by using the toolbar options.

You can also double-click on a record to see more details in a pop-up window.

Reference: R81 Logging and Monitoring Administration Guide

Question #88

Fill in the blank: The R81 utility fw monitor is used to troubleshoot ______________________.

  • A . User data base corruption
  • B . LDAP conflicts
  • C . Traffic issues
  • D . Phase two key negotiations

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Check Point’s FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark.

Question #89

The Firewall kernel is replicated multiple times, therefore:

  • A . The Firewall kernel only touches the packet if the connection is accelerated
  • B . The Firewall can run different policies per core
  • C . The Firewall kernel is replicated only with new connections and deletes itself once the connection times out
  • D . The Firewall can run the same policy on all cores.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.

Question #90

Selecting an event displays its configurable properties in the Detail pane and a description of the event in the Description pane.

Which is NOT an option to adjust or configure?

  • A . Severity
  • B . Automatic reactions
  • C . Policy
  • D . Threshold

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

An event is a notification that something significant has occurred on a Check Point product or network. Events are generated by various sources, such as blades, gateways, servers, SmartEvent, etc. You can view and manage events in SmartConsole by using the Events tab in the Logs & Monitor view. Selecting an event displays its configurable properties in the Detail pane and a description of the event in the Description pane. The configurable properties include:

Severity: The level of importance or urgency of the event. You can change the severity of an event by selecting a different value from the drop-down list.

Automatic reactions: The actions that are triggered when an event occurs. You can add, edit, or delete automatic reactions for an event by clicking on the + icon or the pencil icon.

Threshold: The minimum number or frequency of occurrences of an event that triggers an automatic reaction. You can change the threshold of an event by entering a different value in the text box.

The policy is not an option to adjust or configure for an event. The policy is a set of rules that define how to handle events based on their source, type, severity, etc. You can create and manage policies in SmartEvent by using the Policies tab in the Logs & Monitor view.

Reference: R81 Logging and Monitoring Administration Guide

Question #91

To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, run the following command in Expert mode then reboot:

  • A . fw ctl multik set_mode 1
  • B . fw ctl Dynamic_Priority_Queue on
  • C . fw ctl Dynamic_Priority_Queue enable
  • D . fw ctl multik set_mode 9

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits.

To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features.

Reference: R81 Performance Tuning Administration Guide


Question #92

Advanced Security Checkups can be easily conducted within:

  • A . Reports
  • B . Advanced
  • C . Checkups
  • D . Views
  • E . Summary

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Advanced Security Checkups can be easily conducted within the Reports tab in the Logs & Monitor view in SmartConsole. The Reports tab allows you to generate and view various reports that provide insights into the security status and performance of your network. You can use predefined reports or create custom reports based on your needs. You can also schedule reports to run automatically and send them by email.

Some of the predefined reports that can help you conduct advanced security checkups are:

Security Overview: This report provides a summary of the security posture of your network, including the number and severity of incidents, the top attacked hosts and services, the top attackers and attack methods, the top detected threats and vulnerabilities, etc.

Security Best Practices: This report evaluates your security configuration and policy against the Check Point best practices and provides recommendations for improvement. It covers areas such as firewall policy, NAT policy, VPN policy, identity awareness, threat prevention, etc.

Compliance Status: This report assesses your compliance level with various regulations and standards, such as PCI DSS, ISO 27001, NIST 800-53, etc. It shows the compliance score, the compliance status of each requirement, the compliance status of each gateway and blade, etc. Network Activity: This report shows the network activity and traffic patterns on your network, including the top sources and destinations of traffic, the top protocols and applications used, the top bandwidth consumers, etc.

System Health: This report monitors the health and performance of your management server and gateways, including the CPU utilization, memory usage, disk space, network interfaces, etc.

Reference: R81 Logging and Monitoring Administration Guide

Question #93

What is the limitation of employing Sticky Decision Function?

  • A . With SDF enabled, the involved VPN Gateways only supports IKEv1
  • B . Acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF
  • C . With SDF enabled, only ClusterXL in legacy mode is supported
  • D . With SDF enabled, you can only have three Sync interfaces at most

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Sticky Decision Function (SDF) is a feature that ensures that VPN traffic is handled by the same core on a Security Gateway with multiple CPU cores. This improves the performance and stability of VPN tunnels by avoiding out-of-order packets and reducing encryption overhead. However, the limitation of employing SDF is that acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF. This means that SDF may reduce the overall throughput and scalability of the Security Gateway. Therefore, SDF should be used only when necessary and only on gateways that are dedicated to VPN traffic.

Reference: R81 Performance Tuning Administration Guide

Question #94

Which Mobile Access Application allows a secure container on Mobile devices to give users access to internal website, file share and emails?

  • A . Check Point Remote User
  • B . Check Point Capsule Workspace
  • C . Check Point Mobile Web Portal
  • D . Check Point Capsule Remote

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc.

Reference: R81 Mobile Access Administration Guide

Question #95

Which of the following process pulls application monitoring status?

  • A . fwd
  • B . fwm
  • C . cpwd
  • D . cpd

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The process that pulls application monitoring status is cpd. cpd is a daemon that runs on Check Point products and performs various tasks related to management communication, policy installation, license verification, logging, etc. cpd also monitors the status of other processes and applications on the system and reports it to the management server. cpd uses SNMP to collect information from various sources, such as blades, gateways, servers, etc. You can view the application monitoring status in SmartConsole by using the Gateways & Servers tab in the Logs & Monitor view.

Reference: Check Point Processes and Daemons

Question #96

To fully enable Dynamic Dispatcher on a Security Gateway:

  • A . run fw ctl multik set_mode 9 in Expert mode and then Reboot.
  • B . Using cpconfig, update the Dynamic Dispatcher value to “full” under the CoreXL menu.
  • C . Edit/proc/interrupts to include multik set_mode 1 at the bottom of the file, save, and reboot.
  • D . run fw multik set_mode 1 in Expert mode and then reboot.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

To fully enable Dynamic Dispatcher on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled without Firewall Priority Queues. Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Dynamic Dispatcher can improve the throughput and scalability of the Security Gateway, especially for traffic that is not accelerated by SecureXL. The other commands are not valid or do not enable Dynamic Dispatcher.

Reference: R81 Performance Tuning Administration Guide


Question #97

Session unique identifiers are passed to the web api using which http header option?

  • A . X-chkp-sid
  • B . Accept-Charset
  • C . Proxy-Authorization
  • D . Application

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Session unique identifiers are passed to the web API using the X-chkp-sid HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations.

Reference: Check Point R81 REST API Reference Guide

Question #98

Which command shows actual allowed connections in state table?

  • A . fw tab Ct StateTable
  • B . fw tab Ct connections
  • C . fw tab Ct connection
  • D . fw tab connections

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The correct command to show actual allowed connections in the state table is option B: fw tab Ct connections. This command displays the contents of the "connections" table, which contains information about the active connections being tracked by the firewall.

Option A (fw tab Ct StateTable) is incorrect as there is no "StateTable" table; it should be "connections."

Option C (fw tab Ct connection) is also incorrect, as it should be "connections."

Option D (fw tab connections) is not the correct syntax for the command.

Reference: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Question #99

What SmartEvent component creates events?

  • A . Consolidation Policy
  • B . Correlation Unit
  • C . SmartEvent Policy
  • D . SmartEvent GUI

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The SmartEvent component that creates events is the Correlation Unit, which is responsible for correlating and analyzing security events to identify patterns and potential threats.

Option A, "Consolidation Policy," does not create events but is used to configure policies for event consolidation.

Option C, "SmartEvent Policy," is not responsible for creating events but is used to configure policies related to SmartEvent.

Option D, "SmartEvent GUI," is the graphical user interface for managing SmartEvent but does not create events itself.

Reference: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Question #100

Which command collects diagnostic data for analyzing customer setup remotely?

  • A . cpinfo
  • B . migrate export
  • C . sysinfo
  • D . cpview

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

CPInfo is an auto-updatable utility that collects diagnostics data on a customer’s machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer’s configuration and environment settings.

Question #101

Which features are only supported with R81.20 Gateways but not R77.x?

  • A . Access Control policy unifies the Firewall, Application Control & URL Filtering, Data Awareness, and Mobile Access Software Blade policies.
  • B . Limits the upload and download throughput for streaming media in the company to 1 Gbps.
  • C . The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
  • D . Time object to a rule to make the rule active only during specified times.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The features that are only supported with R81.20 Gateways and not with R77.x are described in option C:

"C. The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence."

This feature, known as Rule Base Layers, allows for greater flexibility and control in organizing and prioritizing security rules within the rule base.

Options A, B, and D do not specifically pertain to features introduced in R81.20 and are available in earlier versions as well.

Reference: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Question #102

Which CLI command will reset the IPS pattern matcher statistics?

  • A . ips reset pmstat
  • B . ips pstats reset
  • C . ips pmstats refresh
  • D . ips pmstats reset

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The CLI command to reset the IPS (Intrusion Prevention System) pattern matcher statistics is option D: ips pmstats reset. This command will reset the statistics related to the IPS pattern matcher. Options A, B, and C are not the correct syntax for resetting the IPS pattern matcher statistics.

Reference: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Question #103

When requiring certificates for mobile devices, make sure the authentication method is set to one of the following, Username and Password, RADIUS or ________.

  • A . SecureID
  • B . SecurID
  • C . Complexity
  • D . TacAcs

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, "SecurID."

Options A, C, and D are not standard authentication methods for mobile devices in this context.

Reference: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Question #104

Check Point recommends configuring Disk Space Management parameters to delete old log entries when available disk space is less than or equal to?

  • A . 50%
  • B . 75%
  • C . 80%
  • D . 15%

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Check Point recommends configuring Disk Space Management parameters to delete old log entries when available disk space is less than or equal to a certain threshold. In this case, the correct threshold is specified as option D: 15%.

So, when the available disk space reaches or falls below 15%, old log entries should be deleted to free up space.

Options A, B, and C do not represent the recommended threshold for deleting old log entries according to Check Point’s best practices.

Reference: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Exit mobile version