Checkpoint 156-315.81 Dumps

To enable VMAC Mode in ClusterXL, you need to go to Cluster Object -> Edit -> ClusterXL and VRRP -> Use Virtual MAC. VMAC Mode is a feature that allows ClusterXL to use a virtual MAC address for cluster interfaces instead of physical MAC addresses. This simplifies the cluster configuration and avoids issues with MAC address flapping or spoofing on switches. References: [VMAC Mode]

Check Point Management uses MongoDB as its back-end database. MongoDB is a NoSQL database that offers high performance, high availability, and easy scalability, which are essential for managing the complex and dynamic nature of network security configurations and logs.

 To verify the CPUSE agent build, you can use either of these methods:

• In WebUI Status and Actions page
• By running the following command in CLISH: show installer status build The CPUSE agent build indicates the version of the CPUSE agent that is installed on the machine. The CPUSE agent is responsible for downloading, verifying, installing, and removing packages on Gaia OS. It is recommended to keep the CPUSE agent up-to-date to ensure a smooth installation and upgrade process. References: [CPUSE Agent]

You can disable the SecureXL mechanism temporarily for further diagnostic by running fwaccel off on the Security Gateway1. This command disables SecureXL, which is an acceleration solution that maximizes the performance of the Firewall by offloading CPU-intensive operations to the SecureXL device2. Disabling SecureXL can help you troubleshoot connectivity or policy issues, as it forces all traffic to go through the Firewall kernel and bypass the SecureXL device1. To run this command, you need to access the Security Gateway in expert mode and run fwaccel off1. To enable SecureXL again, you can run fwaccel on1. Note that disabling SecureXL may affect the performance of the Security Gateway, so use it with caution and only when necessary1.

References: How to enable/disable Check Point SecureXL via CLI - Check Point Software, SecureXL - Check Point Software

 Updatable Objects are a Threat Cloud Service that provides network objects that represent external services, such as Office 365, AWS, GEO locations, and more. These objects are updated automatically by Check Point and do not require policy installation for the changes to take effect. Dynamic Objects are created and maintained locally by the administrator and can be used to define temporary or changing network objects, such as IP addresses, ports, or ranges. Dynamic Objects also do not require policy installation for the changes to take effect. References: Updatable Objects, Updateable Objects and NAT, R80.20 Updatable Domain Objects and CLI Commands.

 The valid range for Virtual Router Identifier (VRID) value in a Virtual Routing Redundancy Protocol (VRRP) configuration is 1-255. The VRID is a unique number that identifies a virtual router in a VRRP group. It is used to associate routers and their virtual IP addresses. The VRID must be the same for all routers in the same VRRP group. References: [Configuring VRRP on Gaia]

 The Priority Queue is a feature that allows the firewall to prioritize certain types of traffic over others, such as control and routing traffic, when the CPU load is high. The Priority Queue has four levels of priority: Control, Routing, High Priority and Heavy Data Queue1. The Control level has the highest priority and is reserved for firewall control traffic, such as policy installation and synchronization. The Routing level has the second highest priority and is used for routing protocols, such as OSPF and BGP. The High Priority level has the third highest priority and is used for user-defined traffic that needs to be prioritized, such as VoIP or video conferencing. The Heavy Data Queue level has the lowest priority and is used for bulk data transfer, such as FTP or HTTP2. Therefore, the correct answer is C.

References: 1: Firewall Priority Queues 2: Firewall Priority Queues setting

The statement that only cluster members running on the same OS platform can be synchronized is false. Cluster members can be synchronized even if they run on different OS platforms, as long as they have the same Check Point version and hotfixes installed. The other statements are true. The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization. Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails. References: R81 ClusterXL Administration Guide, page 9-10; [R81 Security Gateway Architecture], page 23

The Check Point history feature in R81 provides the following functions:

• View install changes: This function allows you to view the changes that were made in each policy installation, such as added, modified, or deleted rules, objects, settings, etc. You can also compare the changes between different policy installations and filter them by various criteria.
• Install specific version: This function allows you to install a specific version of the policy from the history, which can be useful for reverting to a previous policy or testing different policies. You can also view the changes that will be applied by installing a specific version before installing it. References: R81 Security Management Administration Guide, page 85.

 The purpose of the CPCA process is to generate and modify certificates for Check Point products and features. CPCA stands for Check Point Certificate Authority and it is responsible for creating and managing certificates for internal communication between Check Point components, such as Security Gateways, Security Management Servers, SmartConsole clients, and OPSEC applications. CPCA also supports external certificate authorities and can import and export certificates from other sources. 

Which command is used to obtain the configuration lock in Gaia? The command that is used to obtain the configuration lock in Gaia is lock database override. This command allows a user to take over the configuration lock from another user who is currently logged in with read/write access. The other user will be forced to logout and will lose any unsaved changes. This command should be used with caution and only when necessary. References: Gaia Administration Guide R81, page 15.

 In the Check Point Security Management Architecture, both the Security Management Server and Security Gateway can store logs. The Security Management Server stores logs related to management activities, while the Security Gateway stores logs related to network traffic1. References: Check Point Resource Library, page 3.

 The NAT property ‘Translate destination or client side’ is used to determine whether the destination IP address of a packet should be translated on the client side or the server side of a connection. If this property is not enabled, then the destination IP address is translated on the server side, which means that the gateway takes care of all details necessary for NAT to work. The gateway will send an ARP request for the translated IP address and will reply to any ARP requests for that address. Therefore, there is no need to configure a host route, use the local.arp file, or enable bi-directional NAT for NAT to work correctly. References: R81 Security Management Administration Guide, page 1010.

The command that lists firewall chain is fw ctl chain1. This command displays the list of chain modules that are registered on the Security Gateway2. Chain modules are components of the Firewall kernel that inspect and process packets according to the security policy and other features3. The order of the chain modules determines the order of the packet inspection and processing3. The fw ctl chain command can help you troubleshoot connectivity or performance issues, or to verify that a feature is enabled or disabled on the Security Gateway2. To run this command, you need to access the Security Gateway in expert mode and run fw ctl chain1.

References: How to use fw ctl chain - Check Point Software, fw ctl chain - Check Point Software, R81.x Security Gateway Architecture (Logical Packet Flow) - Check Point CheckMates

 Packet filtering, stateful inspection, and application layer firewall are technologies used to deny or permit network traffic based on different criteria. Packet filtering is a basic firewall technology that examines the header of each packet and compares it to a set of rules to decide whether to allow or drop it. Stateful inspection is an advanced firewall technology that tracks the state and context of each connection and applies security rules based on the connection information. Application layer firewall is a firewall technology that inspects the content and behavior of applications and protocols at the application layer of the OSI model and enforces granular policies based on the application identity, user identity, and content type. References: Check Point R81 Firewall Administration Guide, page 9-10

The correct Check Point command to check if the API services are running for the GAIA operating system is gala_api status. The gala_api command is used to manage the API services in the GAIA operating system, and the status option is used to check the status of the API services.

The command to identify the NIC driver before considering about the employment of the Multi-Queue feature is ethtool -i eth0, where eth0 is the name of the network interface. This command displays the information about the driver and firmware version of the NIC, as well as other details such as bus-info and supported features1. The Multi-Queue feature requires a NIC driver that supports multiple transmit and receive queues2.

References: : ethtool(8) - Linux man page : How To Configure Multi-Queue NICs | Linode Docs

The command fw unloadlocal removes the current security policy from the local gateway and returns it to its initial state2. This command can be used as a last resort to restore traffic flow through the gateway if the policy is causing problems. The command fw unloadpolicy is not valid, and the commands fwm unload local and fwm unload policy are used to remove policies from remote gateways3. References: 2: Check Point Software, Getting Started, Unloading Security Policies; 3: Check Point Software, Getting Started, Unloading Security Policies from Remote Gateways.

 The traffic that the Anti-bot feature blocks is command and control traffic from hosts that have been identified as infected. Anti-bot is a blade that detects and prevents botnet attacks by using a cloud-based service that provides up-to-date threat intelligence. When Anti-bot detects a host that is communicating with a malicious command and control server, it blocks the traffic and generates an alert2. The other options are not the types of traffic that Anti-bot blocks. References: 2: Check Point Software, Getting Started, Anti-Bot.

 To override Bob’s configuration database lock, Alice can use the command lock database override in the clish shell. This command will transfer the lock from Bob to Alice and allow her to make the urgent configuration changes. However, this command should be used with caution, as it may cause conflicts or inconsistencies if Bob and Alice are working on the same objects or policies. It is recommended to communicate with other administrators before using this command and to release the lock as soon as possible after finishing the changes1. The other commands are not valid in clish and will result in an error message.

The state of the Management HA when both members have different policies/databases is Collision. This state indicates that there is a conflict between the members and they need to be synchronized manually. The other states are not applicable in this scenario. The Synchronized state indicates that both members have identical policies/databases and are ready for failover. The Never been synchronized state indicates that the members have never been synchronized since they were configured as HA pair. The Lagging state indicates that one member has a newer policy/database than the other member and needs to be synchronized automatically. References: [Management High Availability]

html_frameset.htm?topic=documents/R77/CP_R77_SecurityManagement_WebAdminGuide/98838

 Secure Configuration Verification (SCV) is a feature that allows the Mobile Access Gateway to check the compliance of remote access clients with the enterprise security policy before granting them access to internal resources. SCV checks can be defined in a file named local.scv, which is located in the $FWDIR/conf directory on the Mobile Access Gateway1. The file can be edited manually or using the SCV Editor tool2. Therefore, the correct answer is D.

References: 1: Secure Configuration Verification 2: SCV Editor

Check Point ClusterXL Active/Active deployment is used when there is Load Sharing solution set up. Load Sharing is a ClusterXL mode that allows distributing the network traffic between all cluster members, while still providing high availability in case of failures. Load Sharing can be configured as either Unicast or Multicast, depending on the network topology and switches support. References: R81 ClusterXL Administration Guide, page 9.

 SecureXL is a technology that improves the performance of the Security Gateway by offloading CPU-intensive operations to a dedicated hardware or software module. SecureXL uses templates to accelerate traffic processing based on predefined patterns and conditions. SecureXL supports three types of templates: Accept Templates, Drop Templates, and NAT Templates3.

• Accept Templates are used to accelerate traffic that matches an Accept rule in the Security Policy. Accept Templates bypass most of the inspection stages and send packets directly to the network interface.
• Drop Templates are used to accelerate traffic that matches a Drop rule in the Security Policy. Drop Templates drop packets without sending them to the firewall kernel for inspection.
• NAT Templates are used to accelerate traffic that requires Network Address Translation (NAT). NAT Templates perform NAT operations without sending packets to the firewall kernel.

Therefore, the correct answer is B.

References: 3: SecureXL for R80.20 and higher

QoS global properties are the settings that apply to all QoS rules and QoS interfaces on the Security Gateway. They include the following options12:

• Weight: This is the relative importance of a QoS rule compared to other QoS rules. A higher weight means a higher priority. The default weight is 1, and the maximum weight is 1000.
• Authenticated timeout: This is the time period in seconds that a connection remains in the QoS rule after the last packet is sent or received. The default timeout is 600 seconds, and the minimum timeout is 60 seconds.
• Schedule: This is the time period in which a QoS rule is active. You can define a schedule for each day of the week, or use the default schedule of always active.
• Rate: This is not a valid option for QoS global properties. Rate is an option for QoS rule action, which defines the maximum bandwidth allocated for a QoS rule. The rate can be specified in Kbps, Mbps, or percentage of interface speed.

References: 1: QoS R81.20 Administration Guide - Check Point Software 2: QoS R81 Administration Guide - Check Point Software

Multi-Version Cluster Upgrade (MVCLU) is a feature that allows you to upgrade a cluster of Security Gateways from one major version to another, without downtime1. MVCLU supports upgrading a cluster that runs on different versions, as long as the versions are compatible with the destination version1. The number of versions, besides the destination version, that are supported in a MVCLU depends on the destination version. For example, if the destination version is R81, then MVCLU supports up to three versions besides R81, which are R80.40, R80.30, and R80.202. Therefore, the correct answer is B, as three versions are supported in a MVCLU besides the destination version.

References: 1: ClusterXL upgrade methods and paths - Check Point Software 2: Check Point R81 - Check Point Software

From SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path. Firewall Path is the path that handles packets that are not processed by SecureXL and are sent to the Firewall kernel for inspection. Accelerated Path is the path that handles packets that are processed by SecureXL and bypass the Firewall kernel. Medium Path is the path that handles packets that are partially processed by SecureXL and partially by the Firewall kernel1. References: Check Point R81 Performance Tuning Administration Guide

 The Threat Prevention software components available on the Check Point Security Gateway are IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. These components provide comprehensive protection against various types of cyber threats, such as network attacks, malware, ransomware, phishing, zero-day exploits, data leakage, and more. IPS is a network security component that detects and prevents malicious traffic based on signatures, behavioral patterns, and anomaly detection. Anti-Bot is a network security component that detects and blocks botnet communications and command-and-control servers. Anti-Virus is a network security component that scans files for known viruses, worms, and trojans. Threat Emulation is a network security component that emulates files in a sandbox environment to detect unknown malware and prevent zero-day attacks. Threat Extraction is a network security component that removes malicious content from files and delivers clean files to users. References: [Check Point R81 Threat Prevention Administration Guide], page 9-10

The correct answer is A. Network location, the identity of a user and the identity of a machine.

Identity Awareness allows you to easily configure network access and auditing based on three items: network location, the identity of a user and the identity of a machine1. This enables you to create granular and accurate identity-based policies that control who can access what, when and how. You can also monitor and log user and machine activities for compliance and auditing purposes.

Geographical location, the telephone number of a user and the UID of a machine are not the items that Identity Awareness uses to identify and authorize users and machines.

References:

• Identity Awareness - Check Point Software1

CoreXL is a performance-enhancing technology that enables the Security Gateway to utilize multiple CPU cores for processing traffic. CoreXL creates multiple instances of the Firewall kernel, each running on a separate CPU core. Each Firewall instance can handle traffic concurrently and independently, applying the same security policy to the packets that are assigned to it. CoreXL does not allow different policies per core, as this would create inconsistency and complexity in the security enforcement.

The references are:

• Best Practices - Security Gateway Performance
• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 16
• Check Point R81 Quantum Security Gateway Guide, page 42

 There are two R77.30 Security Gateways in the Firewall Cluster. They are named FW_A and FW_B. The cluster is configured to work as HA (High availability) with default cluster configuration. FW_A is configured to have higher priority than FW_B. FW_A was active and processing the traffic in the morning. FW_B was standby. Around 1100 am, its interfaces went down and this caused a failover. FW_B became active. After an hour, FW_A’s interface issues were resolved and it became operational.

When it re-joins the cluster, it will not become active automatically, since ‘maintain current active cluster member’ option on the cluster object properties is enabled by default. This option prevents a failback to the original active member after a failover, unless the current active member fails or is manually switched over. This option provides stability and avoids unnecessary failovers. References: R77 ClusterXL Administration Guide, page 23.

The WebUI can be used to manage user accounts and assign privileges to users. It can also add users to your Gaia system and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server1. References: Check Point Resource Library, page 3.

 A star VPN community is a type of VPN community that allows a central gateway to create VPN tunnels with multiple satellite gateways or hosts, but does not allow satellite gateways or hosts to create VPN tunnels with each other. This type of community is suitable for hub-and-spoke topologies, where the central gateway acts as the hub and the satellite gateways or hosts act as the spokes. The central gateway can initiate or terminate VPN traffic to any satellite member, but the satellite members can only initiate or terminate VPN traffic to the central gateway. 

Browser-Based Authentication is an identity awareness method that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Browser-Based Authentication redirects users to a web page where they can enter their credentials and be authenticated by an external server, such as LDAP or RADIUS. After authentication, users can access the Internet and corporate resources according to the security policy rules that apply to their identity.

Browser-Based Authentication is suitable for scenarios where users can use company issued or personal laptops, since it does not require any installation or configuration on the user’s device. It also supports various operating systems and browsers, and can be customized to match the company’s branding.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 9
• Configuring Browser-Based Authentication in SmartConsole
• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 13

A Distinguished Name (DN) is a unique identifier for an object in an LDAP directory, such as a user, a group, or an organization. A DN consists of a sequence of relative distinguished names (RDNs), which are attributes that describe the object. The most common RDNs are:

• Common Name (CN): The name of the object, such as a user’s full name or a group’s name
• Country ©: The two-letter ISO code of the country where the object is located, such as US or PK
• User container (UC): The name of the container that holds the user objects, such as Users or People
• Domain Component (DC): The name of the domain that the object belongs to, such as checkpoint.com or example.org

An Organizational Unit (OU) is not a component of a DN, but a type of object that can be used to organize other objects in a hierarchical structure. An OU can have its own DN, which includes the OU attribute as an RDN, such as OU=Sales,DC=checkpoint,DC=com.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 14
• LDAP Distinguished Names
• What is a Distinguished Name?

The command “ps aux | grep twd” is used to check the process ID and the processing time of the twd process on the Security Gateway. The ps command displays information about the active processes on the system. The aux option shows all processes for all users, including those without a controlling terminal. The grep command filters the output of the ps command by searching for the pattern “twd”, which is the name of the process that handles VPN traffic encryption and decryption1. The output of the command shows the process ID, CPU usage, memory usage, start time, and other details of the twd process2. Therefore, the correct answer is A.

References: 1: [Check Point Processes and Daemons] 2: [How to troubleshoot VPN issues with cpview utility]

The correct answer is B. R80.10 and later.

According to the Check Point documentation1, the Multi-Version Cluster Upgrade (MVC) is a new feature in R80.40 and higher that replaces the Connectivity Upgrade (CU) method. MVC allows you to upgrade a cluster to a newer version without a loss in connectivity and test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members. The MVC feature supports the following destination versions2:

• R80.10
• R80.20
• R80.30
• R80.40
• R81
• R81.20

The other options are incorrect because they are either not supported by MVC or they are older than the source version (R80.40).

References:

• Multi-Version Cluster (MVC) replaces Connectivity Upgrade (CU) in R80.401
• ClusterXL upgrade methods and paths2

According to the Check Point R81.20 documentation, the central deployment feature allows you to install up to 10 packages simultaneously on multiple gateways1.

References

1: Check Point R81.20 Administration Guide, page 35.

 The error message “Error 404. The Management API server is not available. Please check that the Management API server is up and running.” indicates that the API is not running on the Management Server. The netstat command shows that there is no process listening on port 4434, which is the default port for the API. To start the API, the command ‘api start’ should be used. The other options are not relevant to this issue. References: Check Point R81 Installation and Upgrade Guide, page 18.

The FWD process provides logging services, such as forwarding logs from Gateway to Log Server, providing Log Export API (LEA) and Event Logging API (EL-A) services. The FWD process is responsible for sending logs from the Security Gateway to the Security Management Server or Log Server, and for fetching logs from the Security Management Server or Log Server to SmartConsole. The FWD process also handles the communication with external logging applications that use the LEA or EL-A protocols.

References:

• FWD process does not work after reboot - Check Point CheckMates, section “FWD process does not work after reboot”
• Check Point R81, section “Logging and Monitoring”
• CoreXL Dynamic Dispatcher - Check Point Software, section “Example of output”

The command fw ctl debug 0 will reset the kernel debug options to default settings. This command will disable all the debug flags and clear the debug buffer. It is recommended to use this command before and after performing a kernel debug, to avoid any interference or confusion with other debug outputs. The command fw ctl debug 0 is also equivalent to fw ctl debug -buf 0.

References:

• Best Practices - HTTPS Inspection - Check Point Software, section “How to perform a Kernel Debug”
• LOGGINGAND MONITORING R81 - Check Point Software, page 104

The ports that are required to be open for SmartEvent are 19009, 18190, and 443. TCP port 19009 is used by the CPM process for management communication. TCP port 18190 is used by the CPD process for inter-process communication. TCP port 443 is used by the HTTPS protocol for secure web access. SmartEvent uses these ports to communicate with other components, such as SmartConsole, Security Management Server, Log Server, Correlation Unit, etc. References: [SmartEvent Ports]

 Establishing SIC between gateways and the management server is a prerequisite for Central Deployment usage, as the CDT tool will not take care of this automatically1. The administrator must have write permission on SmartUpdate, the Security Gateway must have the latest CPUSE Deployment Agent, and the Security Gateway must have a policy installed2. These are the basic requirements for using the Central Deployment Tool (CDT), which is a utility that lets you manage a deployment of software packages from your Management Server to the multiple managed Security gateways and cluster members at the same time2. The CDT can perform various actions, such as installation of software packages, taking snapshots, running shell scripts, pushing/pulling files, and automating the RMA backup and restore process2. The CDT is supported on Check Point Appliances with R80.40 and higher versions2. References: How to keep your Security Gateways up to date - Check Point Software, Central Deployment Tool (CDT) - Check Point CheckMates.

 How many interfaces can you configure to use the Multi-Queue feature? You can configure up to 5 interfaces to use the Multi-Queue feature. Multi-Queue is a performance enhancement feature that allows distributing the network traffic among multiple CPU cores, instead of using a single core for all traffic. Multi-Queue can be enabled on interfaces that have high traffic load and support multiple receive/transmit queues. Multi-Queue can be configured via SmartConsole or via CLI with the command sim affinity -m. References: R81 Performance Tuning Administration Guide, page 18.

 The two high availability modes are New and Legacy. High availability (HA) is a feature that allows you to create a cluster of two or more Security Gateways that act as a single entity to provide redundancy and reliability for your network traffic. HA ensures that if one Security Gateway fails or becomes unavailable, another Security Gateway in the cluster takes over its role seamlessly and continues to process the traffic. HA also provides load balancing and synchronization of the cluster members. The New mode is the recommended mode for HA clusters, as it provides better performance, scalability, and stability than the Legacy mode. The New mode uses the ClusterXL mechanism to manage the cluster members and the state synchronization. The Legacy mode uses the High Availability Security Extension (HASE) mechanism to manage the cluster members and the state synchronization. The Legacy mode is supported for backward compatibility with older versions of Check Point products, but it has some limitations and disadvantages compared to the New mode. 

Capsule Connect is a full layer 3 VPN client that provides secure and seamless remote access to corporate networks from iOS and Android devices. It supports all VPN authentication methods, such as certificates, passwords, tokens, and challenge-response. It also supports split tunneling and seamless roaming. References: Capsule Connect Datasheet, Capsule Connect Administration Guide

For Management High Availability, the valid synchronization status options are:

A. Collision

B. Down

C. Lagging

D. Never been synchronized

In this context, "Down" indicates that the synchronization is not functioning correctly or that the standby management server is not reachable. This is a valid synchronization status, so the answer is not B.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

• A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.
• B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.
• D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

References: ClusterXL R81.20 Administration Guide, ClusterXL Administration Guide R80.40, sk25977 - Ports used by Check Point software

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

Automation and Orchestration differ in that automation relates to codifying tasks, whereas orchestration relates to codifying processes. Automation is the process of converting manual tasks into executable scripts or programs that can be run by machines or software agents. Orchestration is the process of coordinating multiple automated tasks into a coherent workflow that achieves a desired outcome or goal. Orchestration can also involve integrating different systems, tools, and services through web service interactions such as XML and JSON. References: Check Point Security Expert R81 Course, Automation & Orchestration Administration Guide

To use SmartConsole R81 for managing SmartEvent R81, you need to have the following ports open:

• Port 19009 for communication over HTTPS (443)
• Port 19009 for communication over HTTP (80)

These ports are necessary for the SmartConsole to communicate with SmartEvent for management and monitoring purposes.

References: Check Point Certified Security Expert R81 documentation and learning resources.

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library1, the following are the types of Check Point API available in R81.x:

• Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.
• OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.
• Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

References: What is an API Gateway?, How to use Check Point API with Postman quick guide, Home - Check Point Developers, Introduction to RESTful APIs and JSON format, Checkpoint API tutorial, part 1 - getting started

The secure application for Mail/Calendar for mobile devices in Check Point is called "Capsule Workspace." Capsule Workspace provides secure access to email and calendar data on mobile devices while maintaining security policies and controls.

References: Check Point Certified Security Expert R81 documentation and learning resources.

 Security Checkup Summary can be easily conducted within Views. Views is a feature in SmartConsole that allows you to create customized dashboards and reports based on various security data sources, such as logs, events, audit trails, and more. You can use Views to perform a Security Checkup Summary, which is a comprehensive analysis of your network security posture and potential risks. You can use predefined templates or create your own views to generate the summary. References: Check Point Security Expert R81 Course, Views Administration Guide

The API command to create a new host with the name "New Host" and IP address "192.168.0.10" is:

This command adds a host object with the specified name and IP address to the Check Point configuration.

References: Check Point documentation or training materials related to API commands.

The Correlation Unit in Check Point Security Management performs several actions, but it does not assign a severity level to the event. The Correlation Unit is responsible for identifying patterns in logs, marking logs that are part of larger patterns, generating events based on the Event policy, and adding new log entries to ongoing events. However, assigning a severity level to an event is typically done through the Event policy configuration, not by the Correlation Unit.

References: Check Point Certified Security Expert R81 Study Guide

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

 The main stages of a policy installation are Verification & Compilation, Transfer and Commit. Verification & Compilation is the stage where the Security Management Server checks the validity and consistency of the policy and compiles it into a binary format. Transfer is the stage where the compiled policy is sent to the Security Gateways over a secure channel. Commit is the stage where the Security Gateways activate the new policy and update their connections table accordingly. References: Check Point Security Expert R81 Course, Policy Installation Process

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

Each instance of VRRP running on a supported interface may monitor the link state of other interfaces. The monitored interfaces do not have to be running VRRP.

If a monitored interface loses its link state, then VRRP will decrement its priority over a VRID by the specified delta value and then will send out a new VRRP HELLO packet. If the new effective priority is less than the priority a backup platform has, then the backup platform will begin to send out its own HELLO packet.

Once the master sees this packet with a priority greater than its own, then it releases the VIP.

References:

 The Check Point R81 Identity Awareness Web API uses the REST web services protocol to communicate with external identity sources. REST stands for Representational State Transfer, and it is an architectural style for designing web services that use HTTP methods to access and manipulate resources. The Identity Awareness Web API allows external identity sources to send identity and session information to the Security Gateway, which can then use this information for policy enforcement. 

 The correct command to add an “emailserver1” host with IP address 10.50.23.90 using GAiA management CLI is mgmt: add host name emailserver1 ip-address 10.50.23.90. This command will create a new host object in the Security Management Server database, with the specified name and IP address. The mgmt: prefix indicates that the command is executed on the Security Management Server, and not on the local GAiA machine. The other commands are either missing the mgmt: prefix, or have incorrect syntax or parameters. 

When an encrypted packet is received by a Check Point Security Gateway, it is decrypted according to the security policy. The security policy defines the rules and settings for encryption and decryption of traffic, such as the encryption algorithm, the encryption domain, the pre-shared secret or certificate, etc. The security policy is enforced by the Firewall kernel, which is responsible for decrypting the packets before passing them to the inbound chain for further inspection. The inbound chain consists of various inspection modules that apply security checks and actions on the decrypted packets. The outbound chain is the reverse process, where the packets are inspected and then encrypted according to the security policy before being sent out.

References: Check Point Firewall Security Solution, Check Point R81 Cyber Security Platform, Check Point VPN Administration Guide R81

 The cpinfo command is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The cpinfo output can be used for troubleshooting or sent to Check Point support for analysis. The -x parameter is used to get information about the specified Virtual System on a VSX gateway. A Virtual System is a virtualized firewall instance that runs on a VSX gateway and has its own security policy and objects. References: Check Point Security Expert R81 Course, cpinfo Utility, VSX Administration Guide

The FWD daemon uses TCP port 256 to do a Full Synchronization between gateway cluster members. This port is also used for other synchronization types, such as Delta Synchronization and Accelerated Synchronization. The FWD daemon is responsible for synchronizing the connections table, NAT table, and VPN keys between cluster members. References: ClusterXL Administration Guide, SK25977 - Ports Used by Check Point Software

Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

The benefit of fw monitor over tcpdump is that with fw monitor, you can see the inspection points, which cannot be seen in tcpdump. Inspection points are the locations in the firewall kernel where packets are inspected by the security policy and other software blades. Fw monitor allows you to capture packets at different inspection points and see how they are processed by the firewall. Tcpdump, on the other hand, is a generic packet capture tool that only shows the packets as they enter or leave the network interface. References: Check Point Security Expert R81 Course, fw monitor, tcpdump

The command "fw tab -s" is used to display information about the state of various kernel tables in a Check Point firewall. It provides a perspective on the number and status of these tables, which can be helpful for troubleshooting and monitoring firewall performance.

Option B correctly identifies the command that gives a perspective of the number of kernel tables, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The Sticky Decision Function in ClusterXL is primarily used in Load Sharing implementations. In Load Sharing, the pivot member is responsible for determining the destination of new connections and ensures that traffic from the same source IP address is directed to the same cluster member. This ensures session stickiness for the same source IP, improving load sharing efficiency.

References: Check Point Certified Security Expert R81 documentation and learning resources.

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

The command used to display status information for various components is show sysenv all. This command provides comprehensive status information about the system's environment and various components, including hardware and software components. It can be useful for troubleshooting and monitoring the system's health.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.:

 The fwaccel stat command on the gateway shows the status of SecureXL acceleration, including the number of accelerated and non-accelerated connections, and the reason for non-acceleration. The reason for non-acceleration can be either a rule that disables templating, or a feature that is not supported by SecureXL. To determine which rule disables templating, the administrator can use the -s option to show the rule numbers and names. For example:

The correct command to store the GAIA configuration in a file is save configuration 1. This will create a file with the current system level configuration in the home directory of the current user1. The other commands are incorrect because they either do not exist or do not save the configuration to a file. References: 1: Backing up Gaia system level &solutionid=sk102234)

 CPUSE offline upgrade is the best upgrade method when the management server is not connected to the Internet. CPUSE (Check Point Upgrade Service Engine) is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the management server using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

Check Point Capsule is a suite of solutions designed to provide comprehensive mobile security and secure access. The components of Check Point Capsule include:

Capsule Docs (Option A): A component that secures document sharing and protects sensitive data.

Capsule Cloud (Option B): A component that provides cloud-based security services.

Capsule Workspace (Option D): A component that provides secure workspace on mobile devices.

Option C, "Capsule Enterprise," is not a recognized component of Check Point Capsule based on the available information. Therefore, it is the correct answer as the component that is NOT part of Check Point Capsule.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

When Dynamic Dispatcher is enabled, it dynamically assigns connections, but there are exceptions. The exception mentioned in the question is:

VoIP (Option D): VoIP connections are an exception when Dynamic Dispatcher is enabled. They are not assigned dynamically but follow a different rule set to ensure quality and reliability for VoIP traffic.

The other options, Threat Emulation (Option A), HTTPS (Option B), and QoS (Option C), are dynamically assigned when Dynamic Dispatcher is enabled.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

SmartEvent does not use matching a log against local exclusions to identify events. Local exclusions are filters that are applied to logs before they are sent to the SmartEvent server. They are used to reduce the amount of logs that are forwarded by the Security Gateways or Log Servers, and to avoid sending irrelevant or sensitive logs. Local exclusions do not affect the event detection process, which is performed by the SmartEvent Correlation Unit on the SmartEvent server. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide, SK120193 - How to configure Local Log Filtering on Security Gateway / Cluster / VSX

The command vpn tu tlist shows detailed information about VPN tunnels, such as the peer IP address, encryption domain, IKE phase 1 and phase 2 status, encryption algorithm, and tunnel uptime. The command vpn tu is an interactive tool that allows users to list, delete, or reconnect VPN tunnels. The command cpview is a real-time performance monitoring tool that shows various statistics about the system and network. References: VPN Administration Guide, SK97638 - What is cpview Utility and How to Use it

Check Point's SecureXL technology, which is responsible for acceleration, has certain limitations and conditions under which acceleration may not occur. In this context, the question is asking about factors that will NOT affect acceleration.

Option B, "A 5-tuple match," will not affect acceleration. A 5-tuple match refers to the matching of source IP, source port, destination IP, destination port, and protocol. SecureXL can accelerate traffic that matches these criteria, but it's not a factor that hinders acceleration.

Options A, C, and D can all affect acceleration:

Option A mentions "Connections destined to or originated from the Security gateway," which implies that SecureXL acceleration can apply to these connections.

Option C mentions "Multicast packets," and SecureXL may have limitations in handling multicast traffic efficiently.

Option D mentions "Connections that have a Handler (ICMP, FTP, H.323, etc.)," and certain protocols (such as FTP) may require special handling and might not be fully accelerated by SecureXL.

References: Check Point Certified Security Expert R81 Study Guide

 Mobile Access is not part of the SandBlast component. Mobile Access is a software blade that provides secure remote access to corporate resources from various devices, such as smartphones, tablets, and laptops. Mobile Access supports different connectivity methods, such as SSL VPN, IPsec VPN, and Mobile Enterprise Application Store (MEAS). Mobile Access also integrates with Mobile Threat Prevention (MTP) to protect mobile devices from malware and network attacks. References: Check Point Security Expert R81 Course, Mobile Access Administration Guide, SandBlast Mobile Datasheet

The Correlation Unit in SmartEvent architecture has the function of analyzing each log entry as it arrives at the log server according to the Event Policy. When it identifies a threat pattern, it forwards an event to the SmartEvent Server. This is an essential function in threat detection and analysis, as it helps in identifying and alerting about security threats based on the configured policies.

Option A correctly describes the function of the Correlation Unit, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 DES (Data Encryption Standard) is a symmetric block cipher that uses a 56-bit key to encrypt and decrypt 64-bit blocks of data. It was developed by IBM in 1975 and adopted by the US government as a standard for encryption. However, DES has been proven to be insecure and vulnerable to various attacks, such as brute force, differential cryptanalysis, and linear cryptanalysis. A brute force attack can break DES in a matter of hours using modern hardware. Differential cryptanalysis can reduce the number of keys to be searched by a factor of four, and linear cryptanalysis can reduce it by a factor of two. Therefore, DES is the least secure encryption algorithm among the options given.

References: Types of Encryption, Secure Organization’s Data With These Encryption Algorithms, Comparative study of symmetric cryptographic algorithms

In the context of Check Point remote access clients and Office Mode, the correct answer is:

A. SecuRemote: SecuRemote is a Check Point remote access client that does not provide an Office-Mode Address. Office Mode is a feature that assigns a unique IP address from a designated IP pool to remote users when they connect to the corporate network. SecuRemote does not support this feature.

B. Endpoint Security Suite, C. Endpoint Security VPN, and D. Check Point Mobile are remote access clients that support Office Mode and can provide an Office-Mode Address to remote users.

Therefore, option A is the correct answer as it correctly identifies a remote access client that does not provide an Office-Mode Address.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Management HA is a feature that allows the Security Management server to have one or more backup Standby Security Management servers that are ready to take over in case of failure1. The Active Security Management server is the one that handles all the management operations, such as policy installation, object creation, configuration backup, etc. The Standby Security Management servers are synchronized with the Active Security Management server and store the same data, such as databases, certificates, CRLs, etc. The Standby Security Management servers can also perform some operations, such as fetching a Security Policy or retrieving a CRL1.

To make changes to the system, such as editing objects or policies, the administrator needs to connect to the Active Security Management server. This is because the Active Security Management server is the only one that can modify the data and synchronize it with the Standby Security Management servers. The administrator can use SmartConsole to connect to the Active Security Management server by entering its IP address or hostname1. The administrator can also use SmartDashboard to connect to the Active Security Management server by selecting Policy > Management High Availability. This shows information about the Security Management server that includes its peers - displayed with the name, status and type of Security Management server1.

The other options are incorrect because:

• A. secondary Smartcenter: This is a synonym for a Standby Security Management server, which cannot be used to make changes to the system.
• C. connect virtual IP of Smartcenter HA: This is not a valid option because there is no virtual IP for Smartcenter HA. Each Security Management server has its own IP address and hostname.
• D. primary Smartcenter: This is a synonym for the Active Security Management server, but it is not the correct term to use. The term primary implies that there is only one Active Security Management server, which is not true. The administrator can put the Active Security Management server on standby and promote a Standby Security Management server to active at any time1.

References: How to Configure Management HA

The command cpinfo -y all can be used to have cpinfo display all installed hotfixes. Cpinfo is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The -y parameter is used to specify which sections of data to include in the cpinfo output. The value all means to include all sections, including the hotfixes section, which shows the list of hotfixes installed on the system. References: Check Point Security Expert R81 Course, cpinfo Utility

Threat Emulation is a software blade that takes minutes to complete (less than 3 minutes). Threat Emulation analyzes files for malicious behavior by running them in a virtual sandbox. Threat Emulation works on MS Office, PDF, executables, and archive files. Threat Emulation does not always deliver a file, but only if no threats are found or if the user chooses to download the original file after seeing a warning message. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

 The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. It runs on the Log Server machine or on a dedicated machine1. To check the status of the SmartEvent Correlation Unit, you can use the command cpstat cpsead on the machine where it is installed. This command will show you information such as the number of logs processed, the number of events generated, the CPU and memory usage, and the status of the connection to the SmartEvent Server23.

References: SmartEvent Administration Guide R76, SmartEvent Administration Guide R75, SmartEvent Performance Tuning Guide

SecureXL is a technology that improves the performance of Security Gateway by offloading the processing of some packets from the Firewall kernel to the SecureXL device driver1. SecureXL can handle packets in three different paths, depending on the type and state of the packet2:

• Firewall Path: This is the slowest path, where packets are processed by the Firewall kernel and all the inspection blades. This path is used for packets that require full inspection, such as the first packet of a connection, packets that match a rule with a UTM blade, or packets that are not eligible for acceleration.
• Accelerated Path: This is the fastest path, where packets are processed by the SecureXL device driver and bypass the Firewall kernel. This path is used for packets that belong to an established connection that is marked for acceleration, and do not require any further inspection by the Firewall or other blades.
• Medium Path: This is a hybrid path, where packets are processed by both the SecureXL device driver and the Firewall kernel, but skip some inspection steps. This path is used for packets that belong to an established connection that is not marked for acceleration, but do not require full inspection by all the blades.

The other options are not correct because:

• A. Initial Path; Medium Path; Accelerated Path: There is no such thing as Initial Path in SecureXL terminology. The initial packet of a connection is always handled by the Firewall Path.
• B. Layer Path; Blade Path; Rule Path: These are not paths of traffic flow, but components of the unified policy in R80 and above versions. The Layer Path refers to the order of layers in the policy, the Blade Path refers to the order of blades within a layer, and the Rule Path refers to the order of rules within a blade3.
• C. Firewall Path; Accept Path; Drop Path: These are not paths of traffic flow, but possible actions that the Firewall can take on a packet. The Firewall Path is one of the paths of traffic flow, but the Accept Path and Drop Path are not. The Accept Path means that the packet is allowed to pass through the Firewall, and the Drop Path means that the packet is blocked by the Firewall4.

References: Part 3 - SecureXL, What is CoreXL & SecureXL, SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above, QUANTUM 7000 SECURITY GATEWAY

CPM stands for Check Point Management, which is a process that runs on the Security Management server and controls the management operations, such as policy installation, object creation, configuration backup, etc. CPM also controls other processes that are related to the management functions, such as:

• web_services: This process is responsible for providing web services for the communication between SmartConsole and the Security Management server. It handles requests from SmartConsole clients and forwards them to CPM or other processes.
• dle_server: This process is responsible for managing the log files and indexes. It handles queries from SmartLog and SmartEvent and provides log data to CPM or other processes.
• object_Store: This process is responsible for storing and retrieving objects from the database. It handles requests from CPM or other processes and provides object data.

Therefore, the correct answer is D.

The other options are incorrect because:

• A. Object-Store, Database changes, CPM Process and web-services: This option includes some processes that are controlled by CPM, such as Object-Store, CPM Process, and web-services, but it also includes Database changes, which is not a process but an action performed by CPM or other processes.
• B. web-services, CPMI process, DLEserver, CPM process: This option includes some processes that are controlled by CPM, such as web-services, DLEserver, and CPM process, but it also includes CPMI process, which is not a process but a protocol used by CPM or other processes to communicate with each other.
• C. DLEServer, Object-Store, CP Process and database changes: This option includes some processes that are controlled by CPM, such as DLEServer and Object-Store, but it also includes CP Process and database changes, which are not processes but a generic term for any Check Point process and an action performed by CPM or other processes respectively.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

At least 20GB is the recommended size of the root partition when installing a dedicated R81 SmartEvent server. The root partition is the primary partition that contains the operating system files and other essential files for booting and running the system. The SmartEvent server requires at least 20GB of free space on the root partition to install and operate properly. If the root partition size is less than 20GB, you may encounter errors or performance issues with SmartEvent. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

The cvpnd_restart command is used to restart the daemon after making modifications to the $CVPNDIR/conf/cvpnd.C file. The cvpnd daemon is responsible for managing the communication between the Check Point components and the Content Vectoring Protocol (CVP) server. The CVP server is an external server that provides content inspection and filtering services for Check Point gateways. The $CVPNDIR/conf/cvpnd.C file contains the configuration settings for the cvpnd daemon, such as the CVP server IP address, port number, timeout value, and debug level. References: Check Point Security Expert R81 Course, Content Inspection Using ICAP, cvpnd daemon debug file

The true statement about the API server on R81.20 is: By default, the API server is active on management servers with 4 GB of RAM (or more) and on stand-alone servers with 8GB of RAM (or more). The API server is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The API server is enabled by default on R81.20 management servers that have at least 4 GB of RAM, and on stand-alone servers that have at least 8 GB of RAM. The API server can also be manually enabled or disabled from the WebUI or the CLI. 

The kind of information that you would expect to see using the sim affinity command is network interfaces and core distribution used for CoreXL. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The sim affinity command can show which network interfaces and SecureXL instances are bound to which CPU cores, and allow administrators to change the affinity settings.

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

The Implicit Clean-up Rule is another name for the Clean-up Rule, which is the last rule in every policy layer. The Clean-up Rule defines the default action for traffic that does not match any of the preceding rules in the layer. The default action is to drop the traffic and log it, but it can be changed by the administrator. References: Training & Certification | Check Point Software, Check Point Resource Library

 SmartEvent automatically defines events based on IPS (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent. 

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address. Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

 The first thing that must be done if “fwm sic_reset” could not be completed is to change internal CA via cpconfig. Fwm sic_reset is a command that allows administrators to reset Secure Internal Communication (SIC) between Security Management Server and Security Gateways or other Check Point modules. SIC is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). If fwm sic_reset fails, it means that there is a problem with the ICA or the certificates that prevents SIC from being reset. To resolve this problem, administrators need to change internal CA via cpconfig, which is a command that allows administrators to configure various settings on Security Gateways or Management Servers, including the ICA. Changing internal CA via cpconfig will create a new ICA with a new certificate, and allow SIC to be reset with the new certificate.

 The TCP/IP model is a four-layer model that describes how data is transmitted over a network. The four layers are: Application, Transport, Internet, and Network Access. The Application layer provides services and protocols for applications to communicate with each other. The Transport layer provides reliable or unreliable data delivery between hosts. The Internet layer provides routing and addressing of packets across networks. The Network Access layer provides physical and logical access to the network media. References: Training & Certification | Check Point Software, Check Point Resource Library

The best suggestion for Pamela to make sure she successfully captures entire traffic in context of Firewall and problematic traffic is: Pamela should check SecureXL status on DMZ Security gateway and if it’s turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, this also means that some traffic might not be seen by fw monitor, which is a tool that captures packets at different inspection points in the Firewall kernel. Therefore, to ensure that fw monitor captures all traffic, SecureXL should be turned OFF before using fw monitor. The other suggestions are either incorrect or less effective in capturing traffic. 

After trust has been established between the Check Point components, the Security Gateway IP address cannot be changed without re-establishing the trust. This is because the trust is based on the Secure Internal Communication (SIC) mechanism, which uses certificates to authenticate and encrypt the communication. The certificates are issued by the Internal Certificate Authority (ICA) of the Security Management Server / Domain Management Server, and contain the name and IP address of the component. Therefore, if the IP address of a component is changed, the certificate will become invalid and the trust will be lost. To restore the trust, the certificate must be renewed or reissued by the ICA12.

However, there are some exceptions to this rule. The Security Gateway name can be changed in command line without re-establishing trust, as long as the IP address remains the same. This is because the SIC mechanism does not rely on the hostname, but on the IP address and the SIC name (which is usually derived from the hostname, but can be manually changed). The Security Management Server name can be changed in SmartConsole without re-establishing trust, as long as the IP address remains the same. This is because SmartConsole uses a different mechanism to connect to the Security Management Server, which does not depend on the SIC certificate. The Security Management Server IP address can be changed without re-establishing trust, as long as some steps are followed to update the Check Point Registry file on the managed Security Gateways / Cluster Members / VSX Virtual Devices. This is because the Registry file contains the IP address of the ICA, which is used for certificate renewal. If the Registry file is not updated, then the certificate renewal will fail and the trust will be lost3.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 162 2: Check Point R81 Security Engineering Guide - Check Point Software, page 162 3: How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk103356

The responsibility of SOLR process on R81.20 management server is to generate indexes of data written to the database. SOLR is an open source search platform that provides fast and scalable indexing and querying capabilities. SOLR is used by the R81.20 management server to index data such as logs, objects, policies, tasks, and events, and to enable quick and efficient searches on this data by SmartConsole and SmartView applications. 

According to the Check Point website, SmartUpdate is the application that should be used to install a contract file. A contract file contains information about the licenses and services that are purchased from Check Point. SmartUpdate can also be used to install software packages and patches on Security Gateways and Management Servers. The other applications are either not relevant or not capable of installing a contract file. References: SmartUpdate

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. The option that can be added to each Log, Detailed Log and Extended Log is Accounting/Suppression. Accounting/Suppression is a feature that allows administrators to control how often logs are generated for certain rules or connections. Accounting means that logs are generated periodically based on a specified interval or volume. Suppression means that logs are generated only for the first and last packet of a connection or session. Accounting/Suppression can be added to any tracking option to reduce the number of logs and save disk space.

The way SSL VPN and IPSec VPN are different is that IPSec VPN uses an additional virtual adapter; SSL VPN uses the client network adapter only. SSL VPN and IPSec VPN are two types of VPN technologies that provide secure remote access to network resources over the internet. SSL VPN uses SSL/TLS protocol to establish an encrypted tunnel between the client and the server, and does not require any additional software or hardware on the client side. IPSec VPN uses IPSec protocol to establish an encrypted tunnel between the client and the server, and requires a dedicated virtual adapter on the client side to handle the IPSec traffic. The other options are either incorrect or not relevant to SSL VPN and IPSec VPN.

The error “no proposal chosen” indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error “no proposal chosen” 1.

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

• The same pre-shared secret or certificate
• The same encryption algorithm (e.g., AES-256)
• The same hash algorithm (e.g., SHA-256)
• The same Diffie-Hellman group (e.g., Group 14)
• The same lifetime (e.g., 86400 seconds)

One can use the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer. Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings 2.

References: 1: Troubleshooting the “no proposal chosen” error - Check Point Software 2: Support, Support Requests, Training … - Check Point Software

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions. Security Gateway is the device that inspects and filters network traffic according to the security policies. 

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

The valid range for VRID value in VRRP configuration is 1 - 255. VRID stands for Virtual Router ID, and it is a number that identifies a virtual router in a VRRP cluster. A VRRP cluster consists of one or more routers that share a virtual IP address and provide redundancy and load balancing for network traffic. Each router in the cluster must have a unique VRID value, and the VRID value must match the VRID value configured on the interface that connects to the VRRP cluster. The VRID value can be any number from 1 to 255, inclusive. 

 The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”.cap"number of captures". This is a feature of CPView that allows the user to capture the current page for later analysis or troubleshooting. The file is saved in the /var/log directory on the Security Gateway. References: Check Point Resource Library, page 3.

Gateway API is NOT an example of a Check Point API. Check Point API is a general term that refers to various application programming interfaces (APIs) that allow external applications to interact with Check Point products and services using standard methods such as HTTP(S) requests and JSON objects. There are several types of Check Point APIs, such as Management API, Threat Prevention API, OPSEC SDK, etc. Management API is an API that allows external applications to configure, manage, and monitor Check Point management server using web services. Threat Prevention API is an API that allows external applications to send files or URLs to Check Point Threat Prevention products for scanning and analysis using web services. OPSEC SDK is an API that allows external applications to integrate with Check Point OPSEC products using C/C++ libraries and protocols. Gateway API is not a valid or existing type of Check Point API.

 For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

Secure Network Distributor (SND) is a relevant feature of the Security Gateway because it is used to distribute packets among Firewall instances. SND is a technology that improves the performance and scalability of the Security Gateway by using multiple cores to handle concurrent connections. SND consists of two components: SND driver and Firewall instances. SND driver is responsible for receiving packets from network interfaces and distributing them to Firewall instances based on a load balancing algorithm. Firewall instances are responsible for inspecting packets according to security policies and forwarding them to their destinations. The other options are either incorrect or not related to SND.

The SmartEvent R81 Web application for real-time event monitoring is called SmartEventWeb. SmartEventWeb is a web-based interface that allows administrators to view and analyze security events from various sources, such as logs, reports, incidents, and indicators. SmartEventWeb provides dashboards, widgets, filters, and drill-down options to help administrators gain insights into their security posture. The other options are either incorrect or refer to different applications.

 The deployment of Check Point API does not have the purpose of creating a customized GUI Client for manipulating the objects database. The Check Point API is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The Check Point API can be used to execute an automated script to perform common tasks, create products that use and enhance the Check Point solution, and integrate Check Point products with 3rd party solutions. However, creating a customized GUI Client for manipulating the objects database is not a supported or intended use case of the Check Point API. 

 In the Firewall chain mode FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. FFF is one of the predefined chain modes that applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources. 

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL). The CRL is a list of certificates that have been revoked by the Internal Certificate Authority (ICA) and are no longer valid for Secure Internal Communication (SIC). The CRL is signed by the ICA and issued to all the managed Security Gateways the next time a SIC connection is made12. The CRL helps to prevent unauthorized access to the Security Management Server by revoked Security Gateways.

References: 1: How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk43784 2: Check Point R81 Security Engineering Guide - Check Point Software, page 162

 Identity Awareness AD-Query is using the Microsoft WMI API to learn users from AD. WMI stands for Windows Management Instrumentation, and it is an API that allows remote management and monitoring of Windows systems. Identity Awareness AD-Query is a feature that enables the Security Gateway to query Active Directory servers for user and computer information, such as login events, group membership, and IP addresses. By using the WMI API, Identity Awareness AD-Query can receive real-time notifications from Active Directory servers without installing any agents or scripts on them. 

 To enable MTA (Mail Transfer Agent) functionality in the Security Gateway, the Threat Prevention Software Blade Package is required. The Threat Prevention Software Blade Package includes the Anti-Virus, Anti-Bot, and Threat Emulation blades, which can scan and hold external email with potentially malicious attachments. The MTA functionality allows the Security Gateway to act as an SMTP relay between the mail server and the Internet, and apply Threat Prevention policies to the email traffic. The other options are either not related or not sufficient to enable MTA functionality. R

The SandBlast Agent is designed to prevent malware from spreading within the network if it enters an end user’s system. SandBlast Agent is a lightweight endpoint security solution that protects devices from advanced threats such as ransomware, phishing, zero-day attacks, and data exfiltration. SandBlast Agent uses various technologies such as behavioral analysis, anti-exploitation, anti-ransomware, threat emulation, threat extraction, and forensics to detect and block malware before it can harm the device or the network. The other options are either not the main purpose or not the functionality of SandBlast Agent. 

 The statement that is most correct regarding about “CoreXL Dynamic Dispatcher” is: The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores. CoreXL Dynamic Dispatcher is a feature that allows the Security Gateway to dynamically assign connections to the most available CoreXL FW instance, based on the CPU core utilization. This improves the performance and load balancing of the Security Gateway, especially when handling connections with different processing requirements. The other statements are either incorrect or describe the CoreXL Static Dispatcher mechanism, which assigns connections based on a hash function of the Source IP, Destination IP, and IP Protocol type.

According to the Check Point website, GAiA Software update packages can be imported and installed offline in situation where the Security Gateway with GAiA does not have access to Internet. This allows you to manually download the packages from another device and transfer them to the Security Gateway using a USB drive or other media. The other situations are either not relevant or not possible. References: Offline Software Updates

 The number of cores that can be used in a Cluster for Firewall-kernel on the new device with 4 cores is 4. Cluster is a feature that allows two or more Security Gateways to provide high availability and load balancing for network traffic. Firewall-kernel is a component of the Security Gateway that performs packet inspection according to security policies. The number of cores that can be used for Firewall-kernel in a Cluster depends on the number of cores available on each device in the Cluster. The Cluster will use the lowest common denominator of cores among all devices in the Cluster for Firewall-kernel. Therefore, if one device has 2 cores and another device has 4 cores, the Cluster will use 2 cores for Firewall-kernel on each device. However, if both devices have 4 cores, the Cluster will use 4 cores for Firewall-kernel on each device.

The Access Control policy supports two policy layers. These are the Network layer and the Application & URL Filtering layer. The Network layer contains rules that control the network traffic based on the source, destination, service, and action. The Application & URL Filtering layer contains rules that control the application and web access based on the application, site category, and user identity12.

The Access Control policy can also use inline layers, which are sub-policies that are embedded within a rule. Inline layers allow more granular control over specific traffic or scenarios, such as VPN, Mobile Access, or different user groups13. However, inline layers are not considered as separate policy layers, but rather as extensions of the parent rule4.

Therefore, the correct answer is A. The Access Control policy supports two policy layers.

References:

• 1, Policy Layers in R80.x - Check Point CheckMates
• 2, Access Control policies, layers, and rules | Check Point Firewall …
• 3, Chapter 8: Introduction to Policies, Layers, and Rules - Check Point …
• 4, Creating an Access Control Policy - Check Point Software

 The most ideal Synchronization Status for Security Management Server High Availability deployment is Synchronized. Security Management Server High Availability deployment is a feature that allows two or more Security Management Servers to provide redundancy and load balancing for managing security policies and logs. Synchronization Status is a parameter that indicates how up-to-date the databases of the Security Management Servers are with each other. Synchronization Status can have one of the following values: Synchronized, Lagging, Never been synchronized, or Collision. Synchronized means that the databases of all Security Management Servers are identical and have no conflicts. This is the most ideal status as it ensures consistency and reliability of security management. Lagging means that one or more Security Management Servers have not received all the updates from other Security Management Servers, and their databases are outdated. Never been synchronized means that one or more Security Management Servers have never synchronized their databases with other Security Management Servers, and their databases are independent. Collision means that one or more Security Management Servers have received conflicting updates from other Security Management Servers, and their databases have discrepancies. 

According to the Check Point R81 training course, the Proxy ARP feature for Manual NAT in R81.20 requires the configuration of the local.arp file on the Security Gateway. This file contains the mapping of IP addresses to MAC addresses for NATed hosts. The other options are either incorrect or irrelevant. References: Certified Security Expert (CCSE) R81.20 Course Overview

According to the Check Point R81 release notes, acceleration is not supported for connections that require a Security server, such as HTTPS Inspection, Content Awareness, or Anti-Virus. The Security server performs deep inspection and modification of the traffic, which prevents acceleration. The other options are either false or not the most likely reason. References: Check Point R81

 Log Consolidator is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

According to the Check Point Resource Library, the minimum amount of RAM needed for a Threat Prevention Appliance is 4 GB. This applies to both physical and virtual appliances. The other options are either incorrect or irrelevant. References: Check Point Resource Library

 The file that contains the host address to be published, the MAC address that needs to be associated with the IP address, and the unique IP of the interface that responds to ARP request is $FWDIR/conf/local.arp. Local.arp is a configuration file that defines static ARP entries for hosts behind NAT devices. This file allows the Security Gateway to respond to ARP requests for NATed hosts with the correct MAC address, and to publish the NATed IP address instead of the real IP address. The other files are either not related or not valid. 

The process that handles connection from SmartConsole R81 is cpm. Cpm stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. Cpm is responsible for managing policies, objects, logs, tasks, and other management functions. The other processes are either obsolete or irrelevant for SmartConsole connection.

 One of the requirements for Joey’s success in upgrading from R75.40 to R81 version of Security management using Advanced Upgrade with Database Migration method is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. Advanced Upgrade with Database Migration method is a procedure that allows administrators to upgrade their Security Management Server to a newer version by migrating their database from an older version to a new machine with a fresh installation of the newer version. One of the steps in this procedure is to copy the /var/log folder from the source machine to the target machine, which contains important log files and configuration files. To ensure that there is enough disk space on the target machine for this operation, it is required that the size of the /var/log folder on the target machine must be at least 25% of the size of the /var/log folder on the source machine. 

Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services. You can use an API to:

• Use an automated script to perform common tasks

• Integrate Check Point products with 3rd party solutions

• Create products that use and enhance the Check Point solution

References:

Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user’s Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

References:

• 1, Training & Certification | Check Point Software, section “Security Expert R81.20 (CCSE) Core Training”
• 2, Certified Security Expert (CCSE) R81.20 Course Overview, page 1
• 3, Check Point Certified Security Expert R81, page 5
• 5, Identity Awareness Administration Guide R81, section “How Identity Awareness Collects Identities”

 The command that would be used to set the network interfaces’ affinity in Manual mode is sim affinity -s. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. Core affinity is a feature that binds network interfaces and SecureXL instances to specific CPU cores, which improves the performance and load balancing of the Security Gateway. Sim affinity -s sets the network interfaces’ affinity in Manual mode, which means that administrators can manually assign network interfaces to CPU cores. The other options are either invalid or perform different functions. 

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is three. One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members. This configuration provides optimal performance and security for Mobile Access traffic. 

The option that is NOT an option to calculate the traffic direction is Outgoing. Traffic direction is a parameter that determines how traffic is classified as internal or external based on its source and destination. Traffic direction can be calculated using three options: Incoming, Internal, or External. Incoming means that traffic is classified as internal if its destination is one of the Security Gateway’s interfaces, and external otherwise. Internal means that traffic is classified as internal if its source or destination belongs to one of the internal networks defined in the topology, and external otherwise. External means that traffic is classified as internal if both its source and destination belong to one of the internal networks defined in the topology, and external otherwise. Outgoing is not a valid option to calculate traffic direction. 

One of the major features in R81 SmartConsole is concurrent administration. This feature allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent administration improves the efficiency and productivity of security management operations1.

However, not all of the options given are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. The correct answer is B. AdminA and AdminB are editing the same rule at the same time. This is not possible because concurrent administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Therefore, the other options are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. Option A is possible because a lock icon shows that a rule or an object is locked and will be available when the administrator who locked it finishes working on it or logs out of SmartConsole12. Option C is possible because a lock icon next to a rule informs that any administrator is working on this particular rule, and hovering over the lock icon will show the name of that administrator12. Option D is possible because AdminA, AdminB and AdminC are editing three different rules at the same time, which does not create any conflicts or blockages12.

The correct command to show actual allowed connections in the state table is option B: fw tab –t connections. This command displays the contents of the "connections" table, which contains information about the active connections being tracked by the firewall.

Option A (fw tab –t StateTable) is incorrect as there is no "StateTable" table; it should be "connections."

Option C (fw tab –t connection) is also incorrect, as it should be "connections."

Option D (fw tab connections) is not the correct syntax for the command.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Check Point’s FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark.

References:

SmartEvent Processes use two Check Point Protocols: ELA (Event Log Agent) and CPLOG (Check Point Log). ELA collects logs from Security Gateways and forwards them to the Log Server. CPLOG is used by the Log Server to communicate with the SmartEvent Server. References: [SmartEvent Architecture]

The statement that is correct about the Sticky Decision Function is It is not supported with either the Performance pack of a hardware based accelerator card. The Sticky Decision Function (SDF) is a feature that ensures that packets from the same connection are handled by the same cluster member in a Load Sharing configuration. However, SDF is not compatible with SecureXL acceleration, which is enabled by default or by using a Performance pack or a hardware based accelerator card4. The other statements are either incorrect or outdated about SDF. References: Check Point R81 ClusterXL Administration Guide, Sticky Decision Function - Check Point CheckMates

On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.

References:

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer's configuration and environment settings.

References:

 Sticky Decision Function (SDF) is required to prevent asymmetric routing in an Active-Active cluster. Asymmetric routing occurs when packets from a source to a destination follow a different path than packets from the destination to the source. This can cause problems with stateful inspection and NAT. SDF ensures that packets from the same connection are handled by the same cluster member1. References: Check Point R81 ClusterXL Administration Guide

CoreXL is supported when one of the following features is enabled: IPS. CoreXL does not support Check Point Suite with these features: Route-based VPN, IPv6, Overlapping NAT, QoS, Content Awareness, Application Control, URL Filtering, Identity Awareness, HTTPS Inspection, DLP, Anti-Bot, Anti-Virus, Threat Emulation. References: CoreXL

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References: R81 Mobile Access Administration Guide

The API server is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. You can verify that the API server is responding by using the following command in Expert mode:

This command will display the current status of the API server, such as running, stopped, or initializing. It will also show the API version, port number, and SSL certificate information. References: Check Point R81 REST API Reference Guide

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts. References: Anti-Bot Software Blade

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

References: VPN Administration Guide

 Tom will need two machines to install Check Point R81 in a distributed deployment, if he does not include a SmartConsole machine in his calculations. A distributed deployment consists of a Security Management Server that manages one or more Security Gateways. Therefore, Tom will need one machine for the Security Management Server and another machine for the Security Gateway. The other options are either too few or too many machines for a distributed deployment. References: Check Point R81 Installation and Upgrade Guide

 A management plug-in is a software component that interacts with a Security Management Server to provide new features and support for new products. A management plug-in can extend the functionality of SmartConsole, SmartDashboard, SmartView Monitor, SmartView Tracker, SmartEvent, SmartReporter, SmartProvisioning, SmartUpdate, and other management tools. A management plug-in can also add new objects, policies, rules, actions, reports, views, and wizards to the management system. Some examples of management plug-ins are CloudGuard Controller, SandBlast Agent, Endpoint Security Server, Threat Extraction for Web, etc. 

Sticky Decision Function (SDF) is a feature that ensures that VPN traffic is handled by the same core on a Security Gateway with multiple CPU cores. This improves the performance and stability of VPN tunnels by avoiding out-of-order packets and reducing encryption overhead. However, the limitation of employing SDF is that acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF. This means that SDF may reduce the overall throughput and scalability of the Security Gateway. Therefore, SDF should be used only when necessary and only on gateways that are dedicated to VPN traffic. References: R81 Performance Tuning Administration Guide

An event is a notification that something significant has occurred on a Check Point product or network. Events are generated by various sources, such as blades, gateways, servers, SmartEvent, etc. You can view and manage events in SmartConsole by using the Events tab in the Logs & Monitor view. Selecting an event displays its configurable properties in the Detail pane and a description of the event in the Description pane. The configurable properties include:

• Severity: The level of importance or urgency of the event. You can change the severity of an event by selecting a different value from the drop-down list.
• Automatic reactions: The actions that are triggered when an event occurs. You can add, edit, or delete automatic reactions for an event by clicking on the + icon or the pencil icon.
• Threshold: The minimum number or frequency of occurrences of an event that triggers an automatic reaction. You can change the threshold of an event by entering a different value in the text box.

The policy is not an option to adjust or configure for an event. The policy is a set of rules that define how to handle events based on their source, type, severity, etc. You can create and manage policies in SmartEvent by using the Policies tab in the Logs & Monitor view. References: R81 Logging and Monitoring Administration Guide

To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. There are four options available to calculate the traffic direction: Incoming, Outgoing, Internal, and Other. Incoming means the source is external and the destination is internal. Outgoing means the source is internal and the destination is external. Internal means both the source and the destination are internal. Other means both the source and the destination are external. References: SmartEvent R81 Administration Guide

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution. References: SandBlast Mobile Architecture

The fw tab -s command lists all tables in Gaia. The fw tab command displays information about the firewall tables, such as connections, NAT translations, SAM rules, etc. The -s option shows a summary of all tables. References: fw tab - Check Point Support Center

 You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types. The Inspect action means that the file will be sent to the Threat Emulation engine for analysis, and the Bypass action means that the file will not be sent and will be allowed or blocked based on other Threat Prevention blades1. The other options are not valid actions for file types in Threat Prevention profiles. References: Check Point R81 Threat Prevention Administration Guide

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

 Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances. References: SecureXL Mechanism

The correct command to observe the Sync traffic in a VRRP environment is fw monitor –e “accept dst=224.0.0.18;”. This command captures the packets that have the destination IP address of 224.0.0.18, which is the multicast address used by VRRP for synchronization. The other commands are either not valid or not specific to VRRP Sync traffic. References: [Check Point R81 ClusterXL Administration Guide], Check Point R81 Performance Tuning Administration Guide

Session unique identifiers are passed to the web API using the X-chkp-sid HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations. References: Check Point R81 REST API Reference Guide

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network. References: Security Gateway R81 Administration Guide:

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

 When doing a Stand-Alone Installation, you would install the Security Management Server with the Security Gateway as the other Check Point architecture component. A Stand-Alone Installation is where the Security Management Server and the Security Gateway are installed on the same machine2. The other options are either not Check Point architecture components, or not suitable for a Stand-Alone Installation. References: Check Point R81 Installation and Upgrade Guide

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information. References: Check Point R81 Installation and Upgrade Guide

To simplify security administration when working with multiple Security Gateways enforcing an extensive number of rules, you would choose to create a separate Security Policy package for each remote Security Gateway. A Security Policy package is a set of rules and objects that can be assigned to one or more Security Gateways. This allows you to manage different policies for different gateways from the same Management Server1. The other options are either not effective or not feasible for simplifying security administration. References: Check Point R81 Security Management Administration Guide

 Threat Extraction is a technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more), rather than determining their maliciousness. By cleaning the file before it enters the organization, Threat Extraction preemptively prevents both known and unknown threats, providing better protection against zero-day attacks1. Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast2. The other options are either incorrect or irrelevant to the mechanism behind Threat Extraction. References: Threat Extraction (CDR) - Check Point Software, Check Point Document Threat Extraction Technology

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member. References: [ClusterXL Administration Guide]

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation. References: CPD process

 The inspection point Big l is the first point immediately following the tables and rule base check of a packet coming from outside of the network. It is also the last point before the packet leaves the Security Gateway to the internal network1. The other inspection points are either before or after the rule base check, or in a different direction of traffic flow2. References: Check Point R81 Security Gateway Architecture and Packet Flow, 156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics

 CPM process stores objects, policies, users, administrators, licenses and management data in a Postgres SQL database. This database is located in $FWDIR/conf and can be accessed using the pg_client command2. The other options are not the correct database type for CPM. References: Check Point R81 Security Management Administration Guide

 Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions . References: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

The least amount of CPU cores required to enable CoreXL is 2. CoreXL is a technology that improves the performance of Security Gateways by using multiple CPU cores to process traffic in parallel. CoreXL requires at least two CPU cores, one for SND (Secure Network Distributor) and one for a Firewall instance. The other options are either too few or too many CPU cores for enabling CoreXL. References: [Check Point R81 SecureXL Administration Guide], [Check Point R81 Performance Tuning Administration Guide]

To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. You can enable them by using the command fw ctl multik set_mode 9. This command sets the SecureXL mode to 9, which means that Priority Queues are enabled and Dynamic Dispatcher is fully enabled. References: SecureXL Mechanism

The clusterXL_admin down -p command disables a Cluster Member permanently, meaning that it will not rejoin the cluster even after a reboot. The other commands either disable a Cluster Member temporarily or are invalid. References: [ClusterXL Administration Guide]

The fwd process within the Security Management Server is responsible for the receiving of log records from Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 2571. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks2. References: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet – LazyAdmins

 The process that pulls application monitoring status is cpd. cpd is a daemon that runs on Check Point products and performs various tasks related to management communication, policy installation, license verification, logging, etc. cpd also monitors the status of other processes and applications on the system and reports it to the management server. cpd uses SNMP to collect information from various sources, such as blades, gateways, servers, etc. You can view the application monitoring status in SmartConsole by using the Gateways & Servers tab in the Logs & Monitor view. References: Check Point Processes and Daemons

Check Point currently supports four types of APIs: R81 Management API, Identity Awareness Web Services API, OPSEC SDK, and Gaia REST API. The Open REST API is not a valid option. References: Check Point APIs

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

 Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits. To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features. References: R81 Performance Tuning Administration Guide