Checkpoint 156-315.81 Check Point Certified Security Expert R81 Exam Practice Test

The fwaccel stat command displays the status of SecureXL, and its enabled templates and features. The other commands are either incorrect or incomplete. References: [SecureXL Commands]

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

References:

 You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types. The Inspect action means that the file will be sent to the Threat Emulation engine for analysis, and the Bypass action means that the file will not be sent and will be allowed or blocked based on other Threat Prevention blades1. The other options are not valid actions for file types in Threat Prevention profiles. References: Check Point R81 Threat Prevention Administration Guide

SmartView is a web-based application that allows you to view and analyze logs, reports, and events from multiple Check Point products. You can access SmartView by using the following URL:

You need to use HTTPS protocol and the default port 443. You also need to enter the IP address of the Security Management Server that hosts the SmartView application. You cannot use the host name of the Security Management Server or a different port number. References: SmartView R81 Administration Guide

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy. References: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

The correct command to show actual allowed connections in the state table is option B: fw tab –t connections. This command displays the contents of the "connections" table, which contains information about the active connections being tracked by the firewall.

Option A (fw tab –t StateTable) is incorrect as there is no "StateTable" table; it should be "connections."

Option C (fw tab –t connection) is also incorrect, as it should be "connections."

Option D (fw tab connections) is not the correct syntax for the command.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The cpinfo tool generates a R81 Security Gateway configuration report that includes information about the hardware, operating system, product version, patches, and configuration settings. References: cpinfo - Check Point Support Center

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References: R81 Mobile Access Administration Guide

 You can communicate with the API server using three command sources: SmartConsole GUI Console, mgmt_cli Tool, and Gaia CLI. Web Services are not a command source, but a way to access the API server using HTTP requests. References: Check Point Management APIs

 The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345. 

 R81.20 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81. 

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts. References: Anti-Bot Software Blade

An event is a notification that something significant has occurred on a Check Point product or network. Events are generated by various sources, such as blades, gateways, servers, SmartEvent, etc. You can view and manage events in SmartConsole by using the Events tab in the Logs & Monitor view. Selecting an event displays its configurable properties in the Detail pane and a description of the event in the Description pane. The configurable properties include:

• Severity: The level of importance or urgency of the event. You can change the severity of an event by selecting a different value from the drop-down list.
• Automatic reactions: The actions that are triggered when an event occurs. You can add, edit, or delete automatic reactions for an event by clicking on the + icon or the pencil icon.
• Threshold: The minimum number or frequency of occurrences of an event that triggers an automatic reaction. You can change the threshold of an event by entering a different value in the text box.

The policy is not an option to adjust or configure for an event. The policy is a set of rules that define how to handle events based on their source, type, severity, etc. You can create and manage policies in SmartEvent by using the Policies tab in the Logs & Monitor view. References: R81 Logging and Monitoring Administration Guide

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

There are four ways to use the Management API for creating host object with R81 Management API: Using Web Services, Using mgmt_cli tool, Using CLISH, and Using SmartConsole GUI console. Events are collected with SmartWorkflow from Trouble Ticket systems is not a correct option. References: Check Point Management APIs

The Check Point TE appliance in Recommended Mode includes 2(OS) images. One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version. References: [Check Point R81 Threat Emulation Administration Guide]

The fwd process within the Security Management Server is responsible for the receiving of log records from Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 2571. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks2. References: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet – LazyAdmins

The CLI command to reset the IPS (Intrusion Prevention System) pattern matcher statistics is option D: ips pmstats reset. This command will reset the statistics related to the IPS pattern matcher.

Options A, B, and C are not the correct syntax for resetting the IPS pattern matcher statistics.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The least amount of CPU cores required to enable CoreXL is 2. CoreXL is a technology that improves the performance of Security Gateways by using multiple CPU cores to process traffic in parallel. CoreXL requires at least two CPU cores, one for SND (Secure Network Distributor) and one for a Firewall instance. The other options are either too few or too many CPU cores for enabling CoreXL. References: [Check Point R81 SecureXL Administration Guide], [Check Point R81 Performance Tuning Administration Guide]

The cphaconf set_ccp multicast command is used to set the Cluster Control Protocol (CCP) to Multicast mode. This mode allows cluster members to communicate with each other using multicast packets. The other commands are either incorrect or set the CCP to Broadcast mode. References: ClusterXL Administration Guide

 Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default. References: CPM process

The least ideal Synchronization Status for Security Management Server High Availability deployment is Collision. This status indicates that both members have modified the same object independently, resulting in a conflict that needs to be resolved manually. The other statuses are either normal or indicate a temporary delay in synchronization. References: High Availability Administration Guide

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network. References: Security Gateway R81 Administration Guide:

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member. References: [ClusterXL Administration Guide]

 fwssd is a child process of fwd, which is the firewall daemon that handles policy installation, logging, and state synchronization. cpwd is the watchdog process that monitors and restarts other processes. fwm is the management server process that handles communication with GUI clients. cpd is the infrastructure daemon that handles SIC, licensing, and policy code generation. References: Check Point Processes Cheat Sheet – LazyAdmins, Check Point R81 Gaia Administration Guide, Certified Security Expert (CCSE) R81.20 Course Overview

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, "SecurID."

Options A, C, and D are not standard authentication methods for mobile devices in this context.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 Tom will need two machines to install Check Point R81 in a distributed deployment, if he does not include a SmartConsole machine in his calculations. A distributed deployment consists of a Security Management Server that manages one or more Security Gateways. Therefore, Tom will need one machine for the Security Management Server and another machine for the Security Gateway. The other options are either too few or too many machines for a distributed deployment. References: Check Point R81 Installation and Upgrade Guide

The cpmq set command enables or disables multi-queue per interface. Multi-queue is a feature that allows distributing the network traffic among several CPU cores, improving the throughput and performance of the Security Gateway. References: Multi-Queue

The SmartEvent component that creates events is the Correlation Unit, which is responsible for correlating and analyzing security events to identify patterns and potential threats.

Option A, "Consolidation Policy," does not create events but is used to configure policies for event consolidation.

Option C, "SmartEvent Policy," is not responsible for creating events but is used to configure policies related to SmartEvent.

Option D, "SmartEvent GUI," is the graphical user interface for managing SmartEvent but does not create events itself.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The features that are only supported with R81.20 Gateways and not with R77.x are described in option C:

"C. The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence."

This feature, known as Rule Base Layers, allows for greater flexibility and control in organizing and prioritizing security rules within the rule base.

Options A, B, and D do not specifically pertain to features introduced in R81.20 and are available in earlier versions as well.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 The API command add host name ip-address  can be used in a script to create 100 new host objects with different IP addresses. This command adds a new host object with the specified name and IP address to the database. The other commands are either not valid or not suitable for creating new host objects. References: Check Point - Management API reference

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer's configuration and environment settings.

References:

When configuring Management HA, you have to take into consideration that the Database revisions will not be synchronized between the management servers. Database revisions are snapshots of the database that are created manually or automatically when installing a policy or saving changes. They are stored locally on each management server and are not replicated by Management HA. The other options are either not true or not relevant to Management HA. References: Check Point R81 Installation and Upgrade Guide

The fw tab -s command lists all tables in Gaia. The fw tab command displays information about the firewall tables, such as connections, NAT translations, SAM rules, etc. The -s option shows a summary of all tables. References: fw tab - Check Point Support Center

Session unique identifiers are passed to the web API using the X-chkp-sid HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations. References: Check Point R81 REST API Reference Guide

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information. References: Check Point R81 Installation and Upgrade Guide

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

 Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances. References: SecureXL Mechanism

The Audit Log is a feature that records all the actions performed by R81 SmartConsole administrators, such as logging in, logging out, publishing, installing policy, creating objects, modifying rules, etc. You can see and search records of action done by R81 SmartConsole administrators by following these steps:

• In SmartConsole, go to Logs & Monitor view.
• In the left pane, select Open Audit Log View.
• In the right pane, you will see a table that shows all the audit log records. You can filter, sort, group, or search the records by using the toolbar options.
• You can also double-click on a record to see more details in a pop-up window. References: R81 Logging and Monitoring Administration Guide

Check Point Protect is a lightweight app that can be used to gather and analyze threats to your mobile device. It provides real-time threat intelligence, device posture assessment, and secure browsing protection3. The other applications are either not designed for mobile devices, or do not offer threat analysis features. References: R81 CCSA & CCSE exams released featuring Promo for… - Check Point …, Check Point Protect - Apps on Google Play

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via the cpm process. The cpm process is the main management process that handles database operations, policy installation, and communication with GUI clients via TCP port 190093. The other options are either incorrect or irrelevant to the log flow. References: Certified Security Expert (CCSE) R81.20 Course Overview, Check Point Ports Used for Communication by Various Check Point Modules

 Detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature associated with the Check Point URL Filtering and Application Control Blade. This feature is part of the Check Point SandBlast Network solution, which uses Threat Emulation and Threat Extraction technologies to prevent zero-day attacks. The other features are part of the URL Filtering and Application Control Blade, which allows you to control access to web applications and sites based on various criteria. References: URL Filtering and Application Control Administration Guide

 Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits. To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features. References: R81 Performance Tuning Administration Guide

The directory /opt/CPsuite-R81/fw1/log contains the log files for the Security Gateway, such as firewall, VPN, IPS, and anti-virus logs1. These log files can be viewed and analyzed using SmartConsole or SmartView2. The other directories are not correct because:

• A. The directory /opt/CPSmartlog-R81/log contains the log files for the SmartLog server, which is a separate component that indexes and searches the logs from multiple Security Gateways3.
• B. The directory /opt/CPshrd-R81/log contains the log files for the shared components of the Check Point suite, such as cpwd, cpca, cpd, and cpwatchdog4.
• D. The directory /opt/CPsuite-R81/log does not exist by default and is not used for logging purposes.

References: Logging and Monitoring R81 Administration Guide, SmartConsole R81 Help, SmartLog R81 Help, Check Point Processes and Daemons

Mobile Access encrypts all traffic using HTTPS for web-based applications and 3DES or RC4 algorithm for native applications. For end users to access the native applications, they need to install the SSL Network Extender, which is a lightweight VPN client that creates a secure SSL tunnel to the Mobile Access gateway. The SSL Network Extender supports various types of native applications, such as email clients, file sharing, and remote desktop. References: Mobile Access Administration Guide, SSL Network Extender

Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

Multiple administrators can connect to a Security Management Server at the same time. Each administrator has their own username and works in a session that is independent of other administrators. This allows for collaboration and simultaneous management tasks by different administrators.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

 The extended master key extension/session hash is a feature introduced in TLS 1.3 to prevent a Man-in-the-Middle attack/disclosure of the client-server communication. It works by generating a unique session hash for each connection, which is derived from the master key and other parameters. This session hash is then used to authenticate the application data and the end-of-handshake messages, ensuring that no one can tamper with or eavesdrop on the communication. References: Check Point Security Expert R81 Course, TLS 1.3 RFC

SandBlast appliances can be deployed in the following modes:

C. Inline/prevent or detect

SandBlast appliances can be deployed in an inline mode where they actively inspect and prevent or detect malicious traffic. In this mode, the appliance sits in the network traffic path and can take actions to block or detect threats in real-time.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on SandBlast.

 SecureXL templates are a mechanism to accelerate the rate of connection establishment by grouping connections that match a particular service and whose sole differentiating element is the source port. SecureXL templates enable even the very first packets of a TCP handshake to be accelerated, without waiting for the Firewall kernel to create a connection entry. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. The template will contain all the relevant information for the connection, such as source and destination IP addresses, destination port, NAT information, policy decision, etc. The template will be used by SecureXL to handle subsequent connections on the same service, without involving the Firewall kernel. This reduces the CPU load and increases the throughput.

There are three types of SecureXL templates: Accept, Drop, and NAT. Accept templates are used for connections that are allowed by the Firewall policy. Drop templates are used for connections that are blocked by the Firewall policy. NAT templates are used for connections that require NAT translation. Deny templates are not a valid type of SecureXL template.

References: SecureXL NAT Templates in R80.20 and lower, Part 3 - SecureXL, Security Gateway Performance Optimization - Part 5 - SecureXL

SecureXL is a performance-enhancing technology used in Check Point firewalls. It improves the throughput of both non-encrypted firewall traffic and encrypted VPN traffic. The statement in option C is true because SecureXL does improve both types of traffic by offloading processing to dedicated hardware acceleration, optimizing firewall and VPN operations.

Option C correctly states that SecureXL improves this traffic, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

When Dynamic Dispatcher is enabled, it dynamically assigns connections, but there are exceptions. The exception mentioned in the question is:

VoIP (Option D): VoIP connections are an exception when Dynamic Dispatcher is enabled. They are not assigned dynamically but follow a different rule set to ensure quality and reliability for VoIP traffic.

The other options, Threat Emulation (Option A), HTTPS (Option B), and QoS (Option C), are dynamically assigned when Dynamic Dispatcher is enabled.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

Threat Emulation downloads packages by default once per day. The packages contain updates for the Threat Emulation engine, signatures, and images. The download frequency can be changed in the Threat Prevention policy settings. References: Threat Emulation Administration Guide, Threat Prevention R81 Release Notes

To deploy a TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway, you can utilize Check Point Cloud Services. In this scenario, you can leverage cloud-based email security services provided by Check Point without the need for an on-premises Security Gateway.

Option C correctly states that you can use only Check Point Cloud Services for this scenario, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library1, the following are the types of Check Point API available in R81.x:

• Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.
• OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.
• Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

References: What is an API Gateway?, How to use Check Point API with Postman quick guide, Home - Check Point Developers, Introduction to RESTful APIs and JSON format, Checkpoint API tutorial, part 1 - getting started

SecureXL is a technology that improves the performance of Security Gateway by offloading the processing of some packets from the Firewall kernel to the SecureXL device driver1. SecureXL can handle packets in three different paths, depending on the type and state of the packet2:

• Firewall Path: This is the slowest path, where packets are processed by the Firewall kernel and all the inspection blades. This path is used for packets that require full inspection, such as the first packet of a connection, packets that match a rule with a UTM blade, or packets that are not eligible for acceleration.
• Accelerated Path: This is the fastest path, where packets are processed by the SecureXL device driver and bypass the Firewall kernel. This path is used for packets that belong to an established connection that is marked for acceleration, and do not require any further inspection by the Firewall or other blades.
• Medium Path: This is a hybrid path, where packets are processed by both the SecureXL device driver and the Firewall kernel, but skip some inspection steps. This path is used for packets that belong to an established connection that is not marked for acceleration, but do not require full inspection by all the blades.

The other options are not correct because:

• A. Initial Path; Medium Path; Accelerated Path: There is no such thing as Initial Path in SecureXL terminology. The initial packet of a connection is always handled by the Firewall Path.
• B. Layer Path; Blade Path; Rule Path: These are not paths of traffic flow, but components of the unified policy in R80 and above versions. The Layer Path refers to the order of layers in the policy, the Blade Path refers to the order of blades within a layer, and the Rule Path refers to the order of rules within a blade3.
• C. Firewall Path; Accept Path; Drop Path: These are not paths of traffic flow, but possible actions that the Firewall can take on a packet. The Firewall Path is one of the paths of traffic flow, but the Accept Path and Drop Path are not. The Accept Path means that the packet is allowed to pass through the Firewall, and the Drop Path means that the packet is blocked by the Firewall4.

References: Part 3 - SecureXL, What is CoreXL & SecureXL, SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above, QUANTUM 7000 SECURITY GATEWAY

 For ClusterXL to work properly, one of the mandatory requirements is that the Magic MAC number must be unique per cluster node. The Magic MAC number is a MAC address that is used by ClusterXL to hide the physical MAC addresses of the cluster members from the network. This way, the cluster can present a single virtual MAC address to the network, and avoid ARP issues when a failover occurs. The Magic MAC number is derived from the Cluster Virtual IP address, which must also be unique per cluster. 

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

Threat Extraction is a software blade that delivers PDF versions of original files with active content removed. Active content, such as macros, scripts, or embedded objects, can be used by attackers to deliver malware or exploit vulnerabilities. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

 DES (Data Encryption Standard) is a symmetric block cipher that uses a 56-bit key to encrypt and decrypt 64-bit blocks of data. It was developed by IBM in 1975 and adopted by the US government as a standard for encryption. However, DES has been proven to be insecure and vulnerable to various attacks, such as brute force, differential cryptanalysis, and linear cryptanalysis. A brute force attack can break DES in a matter of hours using modern hardware. Differential cryptanalysis can reduce the number of keys to be searched by a factor of four, and linear cryptanalysis can reduce it by a factor of two. Therefore, DES is the least secure encryption algorithm among the options given.

References: Types of Encryption, Secure Organization’s Data With These Encryption Algorithms, Comparative study of symmetric cryptographic algorithms

To determine the cause of a cluster gateway showing "Down" despite running "clusterXL_admin up" on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

References: Check Point documentation or training materials related to High Availability and ClusterXL.

The blades of Threat Prevention in Check Point include:

Intrusion Prevention System (IPS)

AntiVirus

AntiBot

SandBlast Threat Emulation/Extraction

So, the correct answer is D, which includes all the mentioned blades.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

When John detects a high load on the sync interface, the recommended solution is to implement a delay in the sync process for short-lived connections like HTTP. Here's an explanation of each option:

A. Delaying the sync for 2 seconds for short connections like HTTP services is a common practice to reduce the load on the sync interface. This allows the interface to handle the incoming connections more effectively.

B. Adding a second interface to handle sync traffic might be a viable solution, but it can be more complex and costly compared to implementing a delay for short connections.

C. Not syncing short connections like HTTP services is not a recommended approach because it may lead to synchronization issues and potential data inconsistencies between cluster members.

D. Delaying the sync for ICMP (ping) services is not a common practice and may not effectively address the high load issue on the sync interface.

Therefore, option A is the most recommended solution as it addresses the issue by introducing a delay for short-lived connections, optimizing the sync process without causing synchronization problems.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Capsule Connect and Capsule Workspace are both components of Check Point's remote access solution, but they serve different purposes and have distinct features:

A. Capsule Connect provides a Layer 3 VPN, which allows remote users to connect securely to their corporate network. It typically provides network-level access, allowing users to access resources on the corporate network. On the other hand, Capsule Workspace provides a secure workspace environment, including a virtual desktop with usable applications. It is more focused on providing application-level access to users in a secure manner.

B. This statement is partially true. Capsule Workspace is designed to provide secure access to a wide range of applications and resources, not limited to specific applications.

C. Capsule Connect does provide business data isolation by creating a secure VPN tunnel for remote users, ensuring that their network traffic is isolated from the public internet.

D. Capsule Connect usually requires an installed application or VPN client on the client device to establish a secure connection to the corporate network. This statement is not entirely accurate because an installed application or client is typically required.

Therefore, option A is the correct answer as it accurately distinguishes between Capsule Connect and Capsule Workspace based on their primary functionalities.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The most recommended way to install patches and hotfixes is CPUSE (Check Point Update Service Engine). CPUSE is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the target device using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

Firewall Management (fwm) is available on any management product, including Multi-Domain and on products that requite direct GUI access, such as SmartEvent, It provides the following:

– GUI Client communication

– Database manipulation

– Policy Compilation

– Management HA sync

When an encrypted packet is received by a Check Point Security Gateway, it is decrypted according to the security policy. The security policy defines the rules and settings for encryption and decryption of traffic, such as the encryption algorithm, the encryption domain, the pre-shared secret or certificate, etc. The security policy is enforced by the Firewall kernel, which is responsible for decrypting the packets before passing them to the inbound chain for further inspection. The inbound chain consists of various inspection modules that apply security checks and actions on the decrypted packets. The outbound chain is the reverse process, where the packets are inspected and then encrypted according to the security policy before being sent out.

References: Check Point Firewall Security Solution, Check Point R81 Cyber Security Platform, Check Point VPN Administration Guide R81

The purpose of a SmartEvent Correlation Unit is to evaluate logs from the log server component to identify patterns/threats and convert them to events. The SmartEvent Correlation Unit is a software module that runs on the SmartEvent server or on a dedicated server. It applies correlation rules and logic to the logs received from various sources, such as security gateways, endpoints, or third-party devices. It then generates events that represent security incidents or trends that require attention or action. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

 Security Checkup Summary can be easily conducted within Views. Views is a feature in SmartConsole that allows you to create customized dashboards and reports based on various security data sources, such as logs, events, audit trails, and more. You can use Views to perform a Security Checkup Summary, which is a comprehensive analysis of your network security posture and potential risks. You can use predefined templates or create your own views to generate the summary. References: Check Point Security Expert R81 Course, Views Administration Guide

 Mobile Access is not part of the SandBlast component. Mobile Access is a software blade that provides secure remote access to corporate resources from various devices, such as smartphones, tablets, and laptops. Mobile Access supports different connectivity methods, such as SSL VPN, IPsec VPN, and Mobile Enterprise Application Store (MEAS). Mobile Access also integrates with Mobile Threat Prevention (MTP) to protect mobile devices from malware and network attacks. References: Check Point Security Expert R81 Course, Mobile Access Administration Guide, SandBlast Mobile Datasheet

The configuration file that contains the structure of the Security Server showing the port numbers, corresponding protocol name, and status is $FWDIR/conf/fwauthd.conf. This file is used for configuring authentication services in Check Point Security Servers.

References: Check Point documentation or training materials related to Security Server configuration.

In the context of Check Point remote access clients and Office Mode, the correct answer is:

A. SecuRemote: SecuRemote is a Check Point remote access client that does not provide an Office-Mode Address. Office Mode is a feature that assigns a unique IP address from a designated IP pool to remote users when they connect to the corporate network. SecuRemote does not support this feature.

B. Endpoint Security Suite, C. Endpoint Security VPN, and D. Check Point Mobile are remote access clients that support Office Mode and can provide an Office-Mode Address to remote users.

Therefore, option A is the correct answer as it correctly identifies a remote access client that does not provide an Office-Mode Address.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

To use SmartConsole R81 for managing SmartEvent R81, you need to have the following ports open:

• Port 19009 for communication over HTTPS (443)
• Port 19009 for communication over HTTP (80)

These ports are necessary for the SmartConsole to communicate with SmartEvent for management and monitoring purposes.

References: Check Point Certified Security Expert R81 documentation and learning resources.

Each instance of VRRP running on a supported interface may monitor the link state of other interfaces. The monitored interfaces do not have to be running VRRP.

If a monitored interface loses its link state, then VRRP will decrement its priority over a VRID by the specified delta value and then will send out a new VRRP HELLO packet. If the new effective priority is less than the priority a backup platform has, then the backup platform will begin to send out its own HELLO packet.

Once the master sees this packet with a priority greater than its own, then it releases the VIP.

References:

In SmartEvent, the administrator can configure different types of automatic reactions, which include:

• Mail notifications
• Blocking the source of the event
• Blocking the event activity
• Running an external script
• Sending an SNMP trap

So, the correct answer is "Mail, Block Source, Block Event Activity, External Script, SNMP Trap."

References: Check Point documentation or training materials related to SmartEvent configuration and automatic reactions.

Management HA is a feature that allows the Security Management server to have one or more backup Standby Security Management servers that are ready to take over in case of failure1. The Active Security Management server is the one that handles all the management operations, such as policy installation, object creation, configuration backup, etc. The Standby Security Management servers are synchronized with the Active Security Management server and store the same data, such as databases, certificates, CRLs, etc. The Standby Security Management servers can also perform some operations, such as fetching a Security Policy or retrieving a CRL1.

To make changes to the system, such as editing objects or policies, the administrator needs to connect to the Active Security Management server. This is because the Active Security Management server is the only one that can modify the data and synchronize it with the Standby Security Management servers. The administrator can use SmartConsole to connect to the Active Security Management server by entering its IP address or hostname1. The administrator can also use SmartDashboard to connect to the Active Security Management server by selecting Policy > Management High Availability. This shows information about the Security Management server that includes its peers - displayed with the name, status and type of Security Management server1.

The other options are incorrect because:

• A. secondary Smartcenter: This is a synonym for a Standby Security Management server, which cannot be used to make changes to the system.
• C. connect virtual IP of Smartcenter HA: This is not a valid option because there is no virtual IP for Smartcenter HA. Each Security Management server has its own IP address and hostname.
• D. primary Smartcenter: This is a synonym for the Active Security Management server, but it is not the correct term to use. The term primary implies that there is only one Active Security Management server, which is not true. The administrator can put the Active Security Management server on standby and promote a Standby Security Management server to active at any time1.

References: How to Configure Management HA

Check Point Capsule is a suite of solutions designed to provide comprehensive mobile security and secure access. The components of Check Point Capsule include:

Capsule Docs (Option A): A component that secures document sharing and protects sensitive data.

Capsule Cloud (Option B): A component that provides cloud-based security services.

Capsule Workspace (Option D): A component that provides secure workspace on mobile devices.

Option C, "Capsule Enterprise," is not a recognized component of Check Point Capsule based on the available information. Therefore, it is the correct answer as the component that is NOT part of Check Point Capsule.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

 To add the company logo to reports, you would save the logo as a PNG file with the name ‘cover-company-logo.png’ and then copy that image file to the $RTDIR/smartview/conf directory on the SmartEvent server. The $RTDIR is an environment variable that points to the runtime directory of the SmartEvent server, which is usually /opt/CPrt-R81. The smartview/conf directory contains the configuration files for SmartView, which is a web-based interface for viewing reports and dashboards generated by SmartEvent. References: SmartEvent Administration Guide, SK120193 - How to add a company logo to SmartView reports

In SmartDashboard, Threat Prevention profiles can be assigned to one or more rules. This means that you can have multiple profiles assigned to a single gateway, and each of these profiles can be associated with one or more rules. This allows for granular control over threat prevention settings for different rules or scenarios.

References: Check Point Certified Security Expert R81 documentation and learning resources.

 The port used for SmartConsole to connect to the Security Management Server is CPMI port 18191/TCP. CPMI stands for Check Point Management Interface, which is a proprietary protocol that enables secure communication between the SmartConsole and the Security Management Server. CPMI uses SSL encryption and authentication to protect the data exchange. References: Check Point Security Expert R81 Course, SK52421 - Ports used by Check Point software

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

 The best way to block .exe and .bat file types using Threat Emulation technologies is to enable DLP and select .exe and .bat file type. DLP stands for Data Loss Prevention, and it is a feature that allows administrators to define rules and actions to protect sensitive data from unauthorized access or transfer. One of the DLP rule conditions is File Type, which can be used to block or alert on specific file types, such as .exe and .bat, that may contain malicious code or scripts. The other options are either not related to Threat Emulation technologies, or not effective in blocking .exe and .bat file types. 

 CPUSE offline upgrade is the best upgrade method when the management server is not connected to the Internet. CPUSE (Check Point Upgrade Service Engine) is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the management server using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

The proxy ARP configuration is stored under the following file:

D. $FWDIR/conf/local.arp on the gateway

This file, local.arp, contains the proxy ARP configuration for the Security Gateway. It is used to configure ARP (Address Resolution Protocol) settings for network communication.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on proxy ARP.

 SecureXL is a technology that accelerates the performance of the Check Point Security Gateway by offloading CPU-intensive operations from the Firewall kernel to the SecureXL device. SecureXL can handle various types of traffic, such as TCP, UDP, ICMP, non-IP, VPN, NAT, etc. SecureXL can also work with various features, such as CoreXL, ClusterXL, QoS, etc.

One way to indicate that SecureXL is enabled is to use the fwaccel commands in clish. Clish is a command-line shell that provides a user-friendly interface for configuring and managing Check Point products. The fwaccel commands are used to control and monitor SecureXL operations, such as enabling or disabling SecureXL, viewing SecureXL statistics, managing SecureXL templates, etc. For example, the command fwaccel stat shows the status of SecureXL, such as whether it is on or off, how many packets are accelerated or not accelerated, etc.

The other options are not valid indicators of SecureXL being enabled:

• A. Dynamic objects are available in the Object Explorer: Dynamic objects are objects that represent IP addresses that change over time, such as VPN clients, DHCP clients, etc. Dynamic objects are available in the Object Explorer regardless of whether SecureXL is enabled or not.
• B. SecureXL can be disabled in cpconfig: Cpconfig is a command-line tool that allows you to configure various settings of Check Point products, such as administrator password, GUI clients, SNMP extension, etc. SecureXL can be disabled in cpconfig only if it was enabled before. Therefore, this option does not indicate that SecureXL is enabled.
• D. Only one packet in a stream is seen in a fw monitor packet capture: Fw monitor is a command-line tool that allows you to capture and analyze network traffic passing through the Security Gateway. Fw monitor shows the traffic at different inspection points in the Firewall kernel. If SecureXL is enabled, some packets may be accelerated by SecureXL and bypass the Firewall kernel inspection. Therefore, fw monitor may not see all packets in a stream. However, this does not mean that only one packet in a stream will be seen by fw monitor. Some packets may still go through the Firewall kernel inspection and be seen by fw monitor. Therefore, this option does not indicate that SecureXL is enabled.

Therefore, the correct answer is C.

References: How to enable/disable Check Point SecureXL via CLI, Part 3 - SecureXL, What is SecureXL?, Clish - Command Line Interface Shell, sk30583: What is FW Monitor?

In a Cpinfo (Checkpoint information) command, various information is collected from a Security Gateway. However, firewall logs are NOT collected from a Security Gateway in a Cpinfo.

A. Firewall logs

The Cpinfo command typically collects information such as configuration and database files, system message logs, OS and network statistics, but it does not include firewall logs. Firewall logs are usually obtained separately using other methods or tools.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on Cpinfo.

The command used to display status information for various components is show sysenv all. This command provides comprehensive status information about the system's environment and various components, including hardware and software components. It can be useful for troubleshooting and monitoring the system's health.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.:

SmartEvent does not use matching a log against local exclusions to identify events. Local exclusions are filters that are applied to logs before they are sent to the SmartEvent server. They are used to reduce the amount of logs that are forwarded by the Security Gateways or Log Servers, and to avoid sending irrelevant or sensitive logs. Local exclusions do not affect the event detection process, which is performed by the SmartEvent Correlation Unit on the SmartEvent server. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide, SK120193 - How to configure Local Log Filtering on Security Gateway / Cluster / VSX

ClusterXL supports Dynamic Routing for both Unicast and Multicast traffic. Dynamic Routing protocols, such as OSPF, BGP, or PIM, can be configured on cluster members to exchange routing information with other routers. ClusterXL supports two modes of operation for Dynamic Routing: New Mode and Legacy Mode. References: ClusterXL Administration Guide, SK98226 - ClusterXL New Mode Overview

The kind of information that you would expect to see using the sim affinity command is network interfaces and core distribution used for CoreXL. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The sim affinity command can show which network interfaces and SecureXL instances are bound to which CPU cores, and allow administrators to change the affinity settings.

References:

The Software Container is a logical component in the Software Blade Architecture. There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security. The container enables the server functionality, and defines its purpose – e.g, management or gateway. https://downloads.checkpoint.com/dc/download.htm?ID=11608

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red exclamation mark indicates that one or more blades on the gateway have an issue that needs attention. The issue could be related to configuration, license, policy, or other factors. Deyra can hover over the icon to see more details about the problem. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work.

This is because SmartConsole has a feature called Concurrent Administration, which allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent Administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Concurrent Administration also has a feature called Session Persistence, which preserves the changes made by an administrator in case of a network failure or a SmartConsole crash. When an administrator reconnects to the Management Server after a network failure or a SmartConsole crash, they can resume their work from where they left off, without losing any changes. The changes are stored locally on the administrator’s machine until they are published to the Management Server13.

Therefore, if Tom has connected to the R81 Management Server remotely using SmartConsole and is in the process of making some Rule Base changes, when he suddenly loses connectivity, his changes will not be lost. They will be stored locally on his machine and he can resume his work when he reconnects to the Management Server.

 Application Control is the software blade that provides Application Security and identity control. It allows administrators to define granular policies based on users or groups to identify, block or limit the usage of web applications and widgets. Application Control also integrates with Identity Awareness to provide user-level visibility and control. References: Training & Certification | Check Point Software, Check Point Resource Library

The tool that is used to enable ClusterXL is cpconfig. ClusterXL is a software-based Load Sharing and High Availability solution that distributes network traffic between clusters of redundant Security Gateways1. ClusterXL can be enabled on Check Point Security Gateways running on Gaia OS, SecurePlatform OS, IPSO OS, or X-Series XOS2.

To enable ClusterXL, the administrator must run the cpconfig command on each cluster member and select the option to enable ClusterXL. This will prompt the administrator to choose the ClusterXL mode (High Availability or Load Sharing) and the Cluster Control Protocol (CCP) mode (Broadcast or Multicast). After enabling ClusterXL, the administrator must reboot the cluster members for the changes to take effect34.

Therefore, the correct answer is B. The tool that is used to enable ClusterXL is cpconfig.

References:

• 1, Introduction to ClusterXL - Check Point Software
• 2, ClusterXL Requirements and Compatibility - Check Point Software
• 3, Configuring ClusterXL - Check Point Software
• 4, How to configure ClusterXL - Check Point Software Technologies

Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services. You can use an API to:

• Use an automated script to perform common tasks

• Integrate Check Point products with 3rd party solutions

• Create products that use and enhance the Check Point solution

References:

Running the command fw unloadlocal on the Security Management Server will remove the installed Security Policy from the local firewall module. This command is useful for troubleshooting purposes when there is a problem with the policy installation or enforcement. However, it will also expose the Security Management Server to potential attacks, so it should be used with caution. References: Training & Certification | Check Point Software, R81 CCSA & CCSE exams released featuring Promo for… - Check Point …

 In the Firewall chain mode FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. FFF is one of the predefined chain modes that applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources. 

According to the Check Point website, SmartUpdate is the application that should be used to install a contract file. A contract file contains information about the licenses and services that are purchased from Check Point. SmartUpdate can also be used to install software packages and patches on Security Gateways and Management Servers. The other applications are either not relevant or not capable of installing a contract file. References: SmartUpdate

The “fw monitor” tool can be best used to troubleshoot network traffic issues. Fw monitor is a tool that allows administrators to capture packets at different inspection points in the Firewall kernel, and apply filters and flags to analyze the traffic. Fw monitor can help troubleshoot network connectivity problems, packet drops, NAT issues, VPN issues, and more. The other options are either not related or less suitable for fw monitor.

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address. Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

According to the Check Point website, INSPECT Engine is the technology that extracts detailed information from packets and stores that information in state tables. INSPECT Engine is the core of Check Point’s Stateful Inspection technology, which enables Security Gateways to inspect traffic at multiple layers and enforce security policies. The other technologies are either not related or not specific enough. References: INSPECT Engine

The way SSL VPN and IPSec VPN are different is that IPSec VPN uses an additional virtual adapter; SSL VPN uses the client network adapter only. SSL VPN and IPSec VPN are two types of VPN technologies that provide secure remote access to network resources over the internet. SSL VPN uses SSL/TLS protocol to establish an encrypted tunnel between the client and the server, and does not require any additional software or hardware on the client side. IPSec VPN uses IPSec protocol to establish an encrypted tunnel between the client and the server, and requires a dedicated virtual adapter on the client side to handle the IPSec traffic. The other options are either incorrect or not relevant to SSL VPN and IPSec VPN.

The R81 SmartConsole, SmartEvent GUI client, and SmartView Web Application consolidate billions of logs and show them as prioritized security events. The SmartView Web Application is a web-based interface that allows you to access the SmartEvent Server from any browser. You can use the SmartView Web Application to view and analyze security events, generate reports, and configure SmartEvent settings12.

References: 1: Check Point R81 SmartConsole User Guide - Check Point Software, page 10 2: Check Point R81 SmartEvent Administration Guide - Check Point Software, page 9

The formats in which Threat Emulation forensics reports can be viewed in are PDF, HTML, and XML. Threat Emulation is a feature that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior. Threat Emulation generates forensics reports that provide detailed information about the emulated files, such as verdict, severity, activity summary, screenshots, network activity, registry activity, file activity, and process activity. These reports can be viewed in PDF, HTML, or XML formats from SmartConsole or SmartView.

The process that handles connection from SmartConsole R81 is cpm. Cpm stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. Cpm is responsible for managing policies, objects, logs, tasks, and other management functions. The other processes are either obsolete or irrelevant for SmartConsole connection.

 One of the requirements for Joey’s success in upgrading from R75.40 to R81 version of Security management using Advanced Upgrade with Database Migration method is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. Advanced Upgrade with Database Migration method is a procedure that allows administrators to upgrade their Security Management Server to a newer version by migrating their database from an older version to a new machine with a fresh installation of the newer version. One of the steps in this procedure is to copy the /var/log folder from the source machine to the target machine, which contains important log files and configuration files. To ensure that there is enough disk space on the target machine for this operation, it is required that the size of the /var/log folder on the target machine must be at least 25% of the size of the /var/log folder on the source machine. 

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL). The CRL is a list of certificates that have been revoked by the Internal Certificate Authority (ICA) and are no longer valid for Secure Internal Communication (SIC). The CRL is signed by the ICA and issued to all the managed Security Gateways the next time a SIC connection is made12. The CRL helps to prevent unauthorized access to the Security Management Server by revoked Security Gateways.

References: 1: How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk43784 2: Check Point R81 Security Engineering Guide - Check Point Software, page 162

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

ThreatCloud is a collaboration platform for all the Check Point customers to share information about malicious and benign files that all of the customers can benefit from as it makes emulation of known files unnecessary. ThreatCloud is a cloud-based service that collects and analyzes threat intelligence from multiple sources, such as Check Point products, third-party vendors, open sources, and customers. ThreatCloud provides real-time updates and feeds to Check Point products, such as SandBlast, which is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment. By integrating with ThreatCloud, a Threat Emulation appliance can benefit from the shared information about malicious and benign files, and avoid emulating files that are already known to be safe or harmful. This can improve the performance and efficiency of the Threat Emulation appliance. The other options are either incorrect or not relevant to ThreatCloud or Threat Emulation. 

The file that gives you a list of all security servers in use, including port number, is $FWDIR/conf/fwauthd.conf. Security servers are processes that handle application-level protocols such as HTTP, FTP, SMTP, etc., and perform security checks on them. Fwauthd.conf is a configuration file that defines which security servers are enabled, which ports they listen on, and which inspection points they are attached to. 

 The file that contains the host address to be published, the MAC address that needs to be associated with the IP address, and the unique IP of the interface that responds to ARP request is $FWDIR/conf/local.arp. Local.arp is a configuration file that defines static ARP entries for hosts behind NAT devices. This file allows the Security Gateway to respond to ARP requests for NATed hosts with the correct MAC address, and to publish the NATed IP address instead of the real IP address. The other files are either not related or not valid. 

 To enable MTA (Mail Transfer Agent) functionality in the Security Gateway, the Threat Prevention Software Blade Package is required. The Threat Prevention Software Blade Package includes the Anti-Virus, Anti-Bot, and Threat Emulation blades, which can scan and hold external email with potentially malicious attachments. The MTA functionality allows the Security Gateway to act as an SMTP relay between the mail server and the Internet, and apply Threat Prevention policies to the email traffic. The other options are either not related or not sufficient to enable MTA functionality. R

A star community is a VPN topology where one or more satellites connect to a center gateway. The center gateway can be a Security Gateway or a Security Management Server. The VPN routing option determines how the traffic is routed between the satellites and the center, and between the satellites themselves. There are three VPN routing options available in a star community12:

• To center only: The satellites can only communicate with the center gateway, and not with each other or with any other VPN targets. This option is useful for remote access clients that only need to access resources on the center gateway.
• To center, or through the center to other satellites, to Internet and other VPN targets: The satellites can communicate with the center gateway, and also with other satellites, Internet hosts, and other VPN targets through the center gateway. This option is useful for branch offices that need to access resources on the center gateway, as well as on other branch offices, Internet hosts, and other VPN targets.
• To center and to other satellites through center: The satellites can communicate with the center gateway, and also with other satellites through the center gateway. However, they cannot communicate with Internet hosts or other VPN targets. This option is useful for branch offices that need to access resources on the center gateway and on other branch offices, but not on Internet hosts or other VPN targets.

Therefore, the options A (To satellites through center only) and D (To center only) are not valid VPN routing options in a star community.

References: 1: Remote Access VPN R81.20 Administration Guide - Check Point Software, page 13 2: Gaia R81.20 Administration Guide - Check Point Software, page 1030

According to the Check Point R81 training course, the Proxy ARP feature for Manual NAT in R81.20 requires the configuration of the local.arp file on the Security Gateway. This file contains the mapping of IP addresses to MAC addresses for NATed hosts. The other options are either incorrect or irrelevant. References: Certified Security Expert (CCSE) R81.20 Course Overview

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. The option that can be added to each Log, Detailed Log and Extended Log is Accounting/Suppression. Accounting/Suppression is a feature that allows administrators to control how often logs are generated for certain rules or connections. Accounting means that logs are generated periodically based on a specified interval or volume. Suppression means that logs are generated only for the first and last packet of a connection or session. Accounting/Suppression can be added to any tracking option to reduce the number of logs and save disk space.

Browser-based Authentication is a method of acquiring identities from unidentified users by sending them to a web page where they can log in and authenticate. Browser-based Authentication uses two techniques to acquire identities: Captive Portal and Transparent Kerberos Authentication1.

Captive Portal is a simple method that attempts authentication through a web interface before granting a user access to Intranet resources. When a user tries to access a protected resource, they are redirected to a web page where they have to enter their credentials. The credentials are verified by the Identity Awareness Security Gateway or an external authentication server. If the authentication is successful, the user’s identity is associated with their IP address and they are allowed to access the resource12.

Transparent Kerberos Authentication is a more seamless method that leverages the existing Kerberos infrastructure in the network. When a user tries to access a protected resource, the Identity Awareness Security Gateway intercepts the Kerberos ticket request and extracts the user’s identity from it. The user’s identity is then associated with their IP address and they are allowed to access the resource without any additional prompts. This method requires that the Identity Awareness Security Gateway is configured as a trusted proxy in the Active Directory domain12.

Therefore, the correct answer is B. Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication.

References:

• 1, THE IMPORTANCE OF ACCESS ROLES - Check Point Software, page 2
• 2, Browser-based Authentication Check Point - Bing
• 3, How to Configure Client Authentication - Check Point Software, page 1
• 4, Identity Sources - Check Point Software
• 5, Configuring Browser-Based Authentication - Check Point Software
• 6, Two Factor Authentication - Check Point Software

 UserCheck is a communication tool used to inform a user about a website or application they are trying to access. UserCheck allows administrators to interact with users in real time, informing them of the security policy and the actions they need to take. UserCheck can also enable users to self-remediate incidents or request exceptions from the administrator. References: Training & Certification | Check Point Software, Check Point Resource Library

The path to monitor the compliance status of the Check Point R81.20 based management is Logs & Monitor > New Tab > Open compliance View. Compliance View is a feature that allows administrators to monitor and assess the compliance level of their Check Point products and security policies based on best practices and industry standards. Compliance View provides a dashboard that shows the overall compliance status, compliance score, compliance trends, compliance issues, compliance reports, and compliance blades for different security aspects, such as data protection, threat prevention, identity awareness, etc. To access Compliance View in R81.20 SmartConsole, administrators need to go to Logs & Monitor > New Tab > Open compliance View. The other options are either incorrect or not available in R81.20.

The correct statement about Security Gateway and Security Management Server failover in Check Point R81.X in terms of Check Point Redundancy driven solution is: Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure. Security Gateway failover is a feature that allows a cluster of Security Gateways to provide high availability and load balancing for network traffic. If one Security Gateway fails or becomes unreachable, another Security Gateway in the cluster automatically takes over its role and handles the traffic without interrupting the service. Security Management Server failover is a feature that allows a backup Security Management Server to take over the role of the primary Security Management Server in case of failure or disaster. However, this feature requires manual intervention to activate the backup server and restore the database from a backup file. 

The option that is NOT an option to calculate the traffic direction is Outgoing. Traffic direction is a parameter that determines how traffic is classified as internal or external based on its source and destination. Traffic direction can be calculated using three options: Incoming, Internal, or External. Incoming means that traffic is classified as internal if its destination is one of the Security Gateway’s interfaces, and external otherwise. Internal means that traffic is classified as internal if its source or destination belongs to one of the internal networks defined in the topology, and external otherwise. External means that traffic is classified as internal if both its source and destination belong to one of the internal networks defined in the topology, and external otherwise. Outgoing is not a valid option to calculate traffic direction. 

 The most ideal Synchronization Status for Security Management Server High Availability deployment is Synchronized. Security Management Server High Availability deployment is a feature that allows two or more Security Management Servers to provide redundancy and load balancing for managing security policies and logs. Synchronization Status is a parameter that indicates how up-to-date the databases of the Security Management Servers are with each other. Synchronization Status can have one of the following values: Synchronized, Lagging, Never been synchronized, or Collision. Synchronized means that the databases of all Security Management Servers are identical and have no conflicts. This is the most ideal status as it ensures consistency and reliability of security management. Lagging means that one or more Security Management Servers have not received all the updates from other Security Management Servers, and their databases are outdated. Never been synchronized means that one or more Security Management Servers have never synchronized their databases with other Security Management Servers, and their databases are independent. Collision means that one or more Security Management Servers have received conflicting updates from other Security Management Servers, and their databases have discrepancies. 

The cloud-based SandBlast Mobile application that is used to register new devices and users is Check Point Gateway. Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

 The number of cores that can be used in a Cluster for Firewall-kernel on the new device with 4 cores is 4. Cluster is a feature that allows two or more Security Gateways to provide high availability and load balancing for network traffic. Firewall-kernel is a component of the Security Gateway that performs packet inspection according to security policies. The number of cores that can be used for Firewall-kernel in a Cluster depends on the number of cores available on each device in the Cluster. The Cluster will use the lowest common denominator of cores among all devices in the Cluster for Firewall-kernel. Therefore, if one device has 2 cores and another device has 4 cores, the Cluster will use 2 cores for Firewall-kernel on each device. However, if both devices have 4 cores, the Cluster will use 4 cores for Firewall-kernel on each device.

 SmartEvent automatically defines events based on IPS (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent. 

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions. Security Gateway is the device that inspects and filters network traffic according to the security policies. 

 According to the Check Point website, SmartEvent Maps is a feature that was supported in previous versions of SmartEvent, but is not supported in R81. SmartEvent Maps displayed a graphical representation of security events on a world map. The other options are either supported or not valid features in R81. References: SmartEvent Maps

The default commands that appear when right-clicking the IP address, source or destination, in an event in SmartEvent are ping, whois, nslookup, and Telnet. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent has a feature that allows administrators to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands that can be executed on the IP address of the active cell. The default commands are ping, whois, nslookup, and Telnet. Ping is a command that tests the connectivity and latency between two hosts by sending packets and measuring the response time. Whois is a command that queries a database for information about the owner and registrar of a domain name or an IP address. Nslookup is a command that queries a DNS server for information about a domain name or an IP address, such as its IP address, name server, mail server, etc. Telnet is a command that establishes a remote connection to another host using the Telnet protocol. 

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

 The Logs and Monitor tab is used to monitor network and security performance in SmartConsole. The Logs and Monitor tab lets you view and analyze logs, events, reports, and alerts from various sources, such as Security Gateways, Security Management Servers, Endpoint Security Servers, and SmartEvent Servers. You can also use the Logs and Monitor tab to create custom views, filters, queries, and charts to display the data that is relevant to your needs12.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 23 2: Check Point R81 SmartConsole User Guide - Check Point Software, page 9

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is three. One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members. This configuration provides optimal performance and security for Mobile Access traffic. 

The best suggestion for Pamela to make sure she successfully captures entire traffic in context of Firewall and problematic traffic is: Pamela should check SecureXL status on DMZ Security gateway and if it’s turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, this also means that some traffic might not be seen by fw monitor, which is a tool that captures packets at different inspection points in the Firewall kernel. Therefore, to ensure that fw monitor captures all traffic, SecureXL should be turned OFF before using fw monitor. The other suggestions are either incorrect or less effective in capturing traffic. 

 According to the Check Point website, Whitelist Files is the tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. Whitelist Files can be configured in SmartConsole under Threat Prevention > Policy > Whitelist Files. The other tools are either not related or not valid tools. References: Whitelist Files

 The statement that is most correct regarding about “CoreXL Dynamic Dispatcher” is: The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores. CoreXL Dynamic Dispatcher is a feature that allows the Security Gateway to dynamically assign connections to the most available CoreXL FW instance, based on the CPU core utilization. This improves the performance and load balancing of the Security Gateway, especially when handling connections with different processing requirements. The other statements are either incorrect or describe the CoreXL Static Dispatcher mechanism, which assigns connections based on a hash function of the Source IP, Destination IP, and IP Protocol type.

The command that shows the status of processes is cpwd_admin list. Cpwd_admin is a command that allows administrators to manage processes that are registered with the Check Point WatchDog (CPWD) daemon. CPWD is a daemon that monitors the health of critical processes on the Security Gateway or Management Server, and restarts them if they fail or stop responding. Cpwd_admin list shows the process name, PID, status, start time, monitor status, and number of restarts for each process registered with CPWD. 

 When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions: CIFS packets. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, some packets cannot be accelerated by SecureXL due to various reasons, such as unsupported features, security policy settings, or protocol limitations. One example of packets that cannot be accelerated by SecureXL are CIFS packets, which are used for file sharing and access over SMB protocol. CIFS packets are not accelerated by SecureXL because they require stateful inspection by the Firewall kernel. 

Security Gateway Clusters in Load Sharing mode are not supported by the Central Deployment feature in R81.20 SmartConsole. According to the Check Point R81.20 Known Limitations article1, Central Deployment in SmartConsole does not support:

• Connection from SmartConsole Client to the Management Server through a proxy server. In this case, use the applicable API command
• ClusterXL in Load Sharing mode
• VRRP Cluster
• Installation of a package on a VSX VSLS Cluster that contains more than 3 members.
• On Multi-Domain Servers: Global Domain, or the MDS context
• Standalone server
• Standby Security Management Server or Multi-Domain Security Management
• Scalable Platforms 40000 / 60000
• SMB Appliances

The other options are supported by the Central Deployment feature in R81.20 SmartConsole. Dedicated Log Server, Dedicated SmartEvent Server, and Security Gateways/Clusters in ClusterXL HA new mode can be selected as targets for installing packages using the Central Deployment wizard.

Identity Awareness maps users and computer identities, enabling enforcement of Access Control policy rules and auditing data based on identity. It is an easy-to-deploy and scalable solution that works for both Active Directory and non-Active Directory based networks, including employees and guest users1. By considering network location, user identity, and machine identity, organizations can control access between different segments in the network using an identity-based policy2.

References:

• Check Point Troubleshooting Expert - R81 (CCTE) Reference Materials
• Check Point Certified Troubleshooting Expert R81.20 - CCTE
• Check Point CCTE Certification Sample Questions and Practice Exam

 Check Point API is an interface that allows users to automate tasks and manage Check Point products using RESTful web service calls. Check Point API uses JSON format for requests and responses. To create a new host object with the name “My Host” and IP address of “192.168.0.10”, users need to use the set host command with the name and ip-address parameters6. The command syntax is:

set host name “My Host” ip-address “192.168.0.10”

Therefore, the correct answer is A.

References: 6: Check Point API reference

The back end database for Check Point R81 Management uses PostgreSQL, which is an open source relational database management system2. MongoDB, MySQL, and DBMS are not used by Check Point R81 Management. References: 2: Check Point Software, Getting Started, Database.

The lock symbol in the left column of the rule means that another user has locked the rule for editing. This is to prevent multiple users from editing the same rule at the same time and causing conflicts. References: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics-TP-Policy/TP-Policy-Edit-Rules.htm

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on Security Gateways that acquire identities from various sources, such as AD Query, Identity Agent, Captive Portal, etc. PEP is a daemon that runs on Security Gateways that enforce the security policy based on identities received from PDPs. Identity sharing is a feature that allows PDPs to share identities with other PDPs or PEPs in different gateways or domains. References: [Check Point R81 Identity Awareness Administration Guide]

The Endpoint Policy Management License is required for managing the Endpoint Security Suite, which includes blades such as the Remote Access VPN. The IPSec VPN License is installed on the VPN Gateway and is a basic requirement for a Remote Access VPN solution. The MobileAccessLicense is required on the Security Gateway for the following Remote Access solutions.

 Backward Compatibility means that the Management Server is able to manage older Gateways. The lowest supported version is documented in the Release Notes of each version. The Installation and Upgrade Guide only provides information about how to install or upgrade the Management Server and the Gateways, not about the compatibility between them. References: Check Point R81 Release Notes, page 6.

 cp.macro is an electronically signed file used by Check Point to translate the features in the license into a code. It is located in the $FWDIR/conf directory on the Security Management Server. The cp.macro file contains a list of features and their corresponding codes, which are used to generate the license file (.lic) based on the contract file (.xml). The license file (.lic) is then installed on the Security Gateway or Security Management Server to activate the licensed features. References: Check Point R81 Licensing and Contract Administration Guide, page 10

The command fw ctl debug 0 will reset the kernel debug options to default settings. This command will disable all the debug flags and clear the debug buffer. It is recommended to use this command before and after performing a kernel debug, to avoid any interference or confusion with other debug outputs. The command fw ctl debug 0 is also equivalent to fw ctl debug -buf 0.

References:

• Best Practices - HTTPS Inspection - Check Point Software, section “How to perform a Kernel Debug”
• LOGGINGAND MONITORING R81 - Check Point Software, page 104

 For Wire mode configuration, chain modules marked with 00000001 will not apply. Wire mode is a special configuration that allows a Security Gateway to pass traffic without inspection, acting as a bridge between two network segments. In Wire mode, only chain modules that are essential for basic functionality are applied, such as VPN, QoS, ClusterXL, and SecureXL. Chain modules that are related to inspection-based Software Blades, such as Firewall, IPS, Application Control, and so on, are skipped. The chain modules that are skipped are marked with 00000001 in the output of fw ctl chain command. References: Wire Mode

The state of the Management HA when both members have different policies/databases is Collision. This state indicates that there is a conflict between the members and they need to be synchronized manually. The other states are not applicable in this scenario. The Synchronized state indicates that both members have identical policies/databases and are ready for failover. The Never been synchronized state indicates that the members have never been synchronized since they were configured as HA pair. The Lagging state indicates that one member has a newer policy/database than the other member and needs to be synchronized automatically. References: [Management High Availability]

https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityManagement_WebAdminGuide/

html_frameset.htm?topic=documents/R77/CP_R77_SecurityManagement_WebAdminGuide/98838

 In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway using the CPLIC command. The CPLIC command allows you to add, delete, or list Central Licenses on a Security Gateway from the command line. You need to provide the IP address of the Security Management Server and the license string as parameters for the CPLIC command. 

The User Directory Software Blade allows you to create user definitions on an LDAP server, such as Active Directory, and use them in your security policy. You can also integrate with other user authentication methods, such as SecurID, RADIUS, or TACACS+, but you cannot create user definitions on those servers.

The references are:

• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 13
• Check Point R81 Quantum Security Gateway Guide, page 139
• Check Point R81 Identity Awareness Administration Guide, page 9

 When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom, and enforces the first rule that matches the packet. The order of rule enforcement depends on the action of the matching rule. If the action is Accept, the gateway allows the packet to pass through the gateway, but also continues to check rules in the next Policy Layer down. If the action is Drop, Reject, or Encrypt, the gateway applies that action to the packet and stops checking rules in that Policy Layer and any subsequent Policy Layers. If there is no matching rule in a Policy Layer, the gateway applies the Implicit Clean-up Rule for that Policy Layer, which is usually Drop. 

Native Applications require a thin client under the circumstance that you are about to use a client (FTP, RDP, etc.) that is installed on the endpoint. A thin client is a lightweight software component that enables secure connectivity for native applications without requiring additional configuration or user intervention. A thin client is automatically downloaded and installed on the endpoint when a user initiates a native application session through Mobile Access Portal or SNX Portal. References: [Check Point Security Expert R81 Mobile Access Administration Guide], page 16.

 The reason why the web session is being disconnected after 10 minutes is that the idle timeout for the web session is specified with the “set web session-timeout” command, not the “set inactivity-timeout” command. The “set inactivity-timeout” command only affects the CLI session, not the web session. To prevent the web session from being disconnected after 10 minutes of inactivity, you need to use the “set web session-timeout” command with a higher value than 10 minutes. References: [Check Point Security Expert R81 Administration Guide], page 77.

 On R81.20 the IPS Blade is managed by the Threat Prevention policy. The Threat Prevention policy is a unified policy that includes Anti-virus, IPS, Anti-bot, and Threat Emulation software blades. The IPS blade provides protection against network attacks and exploits by inspecting the traffic and blocking malicious packets. The IPS blade can be configured with different profiles and exceptions to suit different security needs. References: R81 Threat Prevention Administration Guide, page 15.

 The correct upgrade method for upgrading from R80.40 to R81.20 without any downtime is the Multi-Version Cluster Upgrade (MVC). MVC is a new feature in R80.40 that replaces the deprecated Connectivity Upgrade (CU). MVC allows you to upgrade cluster members to a newer version without losing connectivity and test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members. MVC synchronizes connections between cluster members that run different versions and ensures that the cluster remains operational during the upgrade process. MVC is intended only to test the current configuration in the newer version and not to change the security policy and install it on cluster members with different software versions. MVC is disabled by default and can be enabled on each cluster member individually. MVC has some limitations, such as not supporting VSX clusters, IPS blade, or SecureXL acceleration.

References:

• Multi-Version Cluster (MVC) replaces Connectivity Upgrade (CU) in R80.40
• Multi-Version Cluster (MVC) Upgrade
• Configuring the Multi-Version Cluster Mechanism

When Identity Awareness is enabled, AD Query and Browser-based Authentication are used as identity sources for Application Control. AD Query allows the Security Gateway to query Active Directory servers for identity information based on IP addresses. Browser-based Authentication allows the Security Gateway to redirect unidentified users to a captive portal where they can authenticate with their credentials. These identity sources provide accurate and up-to-date identity information for Application Control, which can enforce granular policies based on user, group, machine, and domain objects. References: R81 Identity Awareness Administration Guide, page 9.

In Management HA, you should use the active SmartConsole for making changes. The active SmartConsole is connected to the Primary Security Management Server, which is responsible for synchronizing the configuration with the Secondary Security Management Server. If you use the secondary SmartCenter, your changes will not be replicated to the primary SmartCenter and will be lost in case of a failover. References: Check Point Resource Library, page 9

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.7%20

The correct Check Point command to check if the API services are running for the GAIA operating system is gala_api status. The gala_api command is used to manage the API services in the GAIA operating system, and the status option is used to check the status of the API services.

The upgrade process for a Management High Availability Cluster is to first upgrade the Standby Management Server, then perform a failover and upgrade the Active Management Server. This way, the cluster can maintain its functionality and synchronization during the upgrade.

The references are:

• Check Point R81 Upgrade Guide, page 17
• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 10

The valid SecureXL paths in R81.20 are F2F (Slow path), Accelerated Path, Medium Path and F2V1. SecureXL is a technology that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2. SecureXL uses different paths to process packets, depending on the type and state of the connection3. The SecureXL paths are3:

• F2F (Slow path): This path handles packets that require a full inspection by the Firewall kernel. It is the slowest path, but it supports all features and blades. Examples of packets that use this path are packets that belong to a new connection, packets that match a rule with UTM blades, or packets that require address translation.
• Accelerated Path: This path handles packets that belong to an established connection that does not require any further inspection by the Firewall kernel. It is the fastest path, but it supports only a limited set of features and blades. Examples of packets that use this path are packets that match an accept rule with no UTM blades, or packets that match a rule with SecureXL acceleration enabled.
• Medium Path: This path handles packets that belong to an established connection that requires some inspection by the Firewall kernel, but not a full inspection. It is faster than the F2F path, but slower than the Accelerated path. It supports more features and blades than the Accelerated path, but less than the F2F path. Examples of packets that use this path are packets that match a rule with IPS or Anti-Bot blades, or packets that require NAT templates.
• F2V: This path handles packets that are encapsulated or decapsulated by the VPN kernel. It is faster than the F2F path, but slower than the Accelerated path. It supports VPN features such as encryption, decryption, encapsulation, and decapsulation. References: R81.x Security Gateway Architecture (Logical Packet Flow) - Check Point CheckMates, SecureXL Mechanism in R80.10 and above - Check Point Software, SecureXL - Check Point Software

Starting R81, the Access Control Policy installation process is accelerated thereby reducing the duration of the process significantly. According to the Check Point R81 Security Management Administration Guide1, Accelerated Install Policy is a new feature in R81 that optimizes common use-cases and drastically speeds up the installation with up to 90% improvement. Policy installation is accelerated depending on the changes that were made to the Access Control policy since the last installation. When the policy installation is accelerated, the icon will appear under the “Install Policy Acceleration” column in the Install Policy window.

References:

• Accelerated Install Policy - Check Point Software, section “Accelerated Install Policy”

The Check Point Compliance Blade has a library of Check Point-defined tests to use as a baseline for good gateway and policy configuration. A Best Practice test is related to specified regulations in different regulatory standards. It describes compliance status and recommends corrective steps. Global Tests - Examine all applicable configuration settings in the organization. Object-based Tests - Examine the configuration settings for specified objects (gateways, profiles and other objects)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk120256

The SmartEvent component that is responsible to collect the logs from different Log Servers is the SmartEvent Correlation Unit. The SmartEvent Correlation Unit is a daemon that runs on the SmartEvent Server and receives logs from one or more Log Servers. The SmartEvent Correlation Unit analyzes the logs and generates correlated events according to the SmartEvent policy2. References: Check Point R81 SmartEvent Administration Guide

 The destination versions that are supported for a Multi-Version Cluster Upgrade are R81.20 and later. This means that the cluster members can be upgraded from any supported version to R81.20 or higher using the Multi-Version Cluster mode. R81.40, R76, and R70 are not supported destination versions for a Multi-Version Cluster Upgrade. References: : Check Point Software, Getting Started, Supported Upgrade Paths

The correct steps upgrading a HA cluster (M1 is active, M2 is passive) using Multi-Version Cluster (MVC) Upgrade are:

• In SmartConsole, change the version of the cluster object to R81.20.
• Upgrade the passive node M2 to R81.20 using CPUSE or CLI.
• Enable the MVC mechanism on the upgraded R81.20 Cluster Member M2 using the command cphaconf mvc on.
• Install the Access Control Policy and make sure that the installation will not stop if installation on one cluster member fails by selecting Continue installing on other Gateways in the Policy Installation Settings dialog box.
• After examining the cluster states using cphaprob stat and verifying that both members are synchronized, upgrade node M1 to R81.20 using CPUSE or CLI.
• On each Cluster Member, disable the MVC mechanism using the command cphaconf mvc off and Install the Access Control Policy3.

References: Check Point R81 Installation and Upgrade Guide

The license for Check Point Mobile users is installed on the Security Management Server. Check Point Mobile is a client application that allows remote users to securely access corporate resources from their mobile devices. To use Check Point Mobile, you need to have a valid license for the Mobile Access Software Blade on the Security Management Server. The license determines the number of concurrent users that can connect to the Security Gateway using Check Point Mobile. You can view and manage the license from the SmartConsole or the CPUSE WebUI. For more information, you can refer to the Check Point R81 Mobile Access Blade Administration Guide1 or the Check Point Cybersecurity BootCamp R81.20 – CCSA & CCSE Training2.

Management Data Plane Separation (MDPS) is a feature that allows the separation of the management plane and the data plane on a Security Gateway or a cluster. The management plane is responsible for accessing, provisioning and monitoring the Security Gateway, while the data plane is responsible for all other network traffic and processing. Each network environment is independent and includes interfaces, routes, sockets, and processes1. References: Check Point R81 Administration Guide

You can locate the file via SmartConsole > Command Line. According to the CLISH documentation1, when you save the configuration with the “save configuration config.txt” command, the file is stored in a temporary location on the management server. To access the file, you need to use SmartConsole and go to Command Line > View File > config.txt2. Alternatively, you can also use the “show configuration” command in CLISH to view the current configuration2.

References: : CLISH - SourceForge : Summary of Gaia Clish Commands - Check Point Software

The minimum open server hardware requirements for a Security Management Server/Standalone in R81 are:

• CPU: Intel Core i5-4590 or equivalent (4 cores)
• Memory: 8 GB RAM
• Disk space: 500 GB

The other options do not match the minimum requirements. Option A has insufficient CPU cores, memory and disk space. Option B has excessive CPU cores and disk space. Option D has excessive CPU cores, memory and disk space.

References: Check Point R81 Release Notes, page 6

The verified answer is B. Automatic proxy ARP configuration can be enabled.

Proxy ARP is a feature that allows a gateway to respond to ARP requests on behalf of another IP address that is not on the same network segment. Proxy ARP is required for manual NAT rules when the NATed IP addresses are not routed to the gateway1.

By default, proxy ARP for manual NAT rules has to be configured manually by editing the local.arp file or using the CLISH commands on the gateway2. However, since R80.10, there is an option to enable automatic proxy ARP configuration for manual NAT rules by modifying the files $CPDIR/tmp/.CPprofile.sh and $CPDIR/tmp/.CPprofile.csh on the gateway3.

fw ctl proxy is a command that displays the proxy ARP table on the gateway, but it does not configure proxy ARP4.

Translate Destination on Client Side is a NAT option that determines whether the destination IP address is translated before or after the routing decision. It does not affect proxy ARP.

References:

• Configuring Proxy ARP for Manual NAT - Check Point Software1
• R80.10: Automatic Proxy ARP with Manual NAT rules - checkpointengineer2
• Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.103
• fw ctl proxy - Check Point Software
• NAT Properties - Check Point Software

The type of Endpoint Identity Agent that does not exist is Terminal. Endpoint Identity Agent is a software component that runs on Windows or Mac devices and provides identity information to the Check Point Security Gateway. Endpoint Identity Agent allows the Security Gateway to enforce granular access policies based on user identity and device compliance status. There are three types of Endpoint Identity Agent:

• Full Identity Agent - a persistent agent that provides seamless and transparent identity acquisition and SSO (single sign-on) capabilities. It supports various authentication methods, such as Active Directory, LDAP, RADIUS, certificate, etc. It also supports endpoint compliance checks and remediation actions.
• Light Identity Agent - a lightweight agent that provides identity acquisition through a web browser. It supports Active Directory authentication only. It does not support SSO or endpoint compliance features.
• Custom Identity Agent - a customized agent that provides identity acquisition through an API. It allows third-party applications or systems to integrate with Check Point Identity Awareness and provide user identity information.

Terminal is not a type of Endpoint Identity Agent, but it is a type of Terminal Server Agent. Terminal Server Agent is a software component that runs on Windows Terminal Servers or Citrix Servers and provides identity information for multiple concurrent users who connect to these servers using Remote Desktop Protocol (RDP) or Independent Computing Architecture (ICA) protocol. Terminal Server Agent allows the Security Gateway to enforce granular access policies based on user identity and session information. 

 The command switch to specify the Gaia API context is mgmt_cli --context gaia_api . This switch allows the user to execute Gaia OS commands through the management API. The Gaia API context is different from the default management API context, which is used to execute commands related to the security policy and objects1. References: Check Point R81 Management API Reference Guide

 The Compliance Blade allows you to search for text strings in many windows and panes, to search for a value in a field, the syntax is field_name:string. For example, to search for all rules that have a comment containing “VPN”, the syntax is comment:VPN. The other options are not valid syntaxes for searching for a value in a field3. References: 3: Check Point Software, Getting Started, Searching for Text Strings.

 Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. Permanent VPN tunnels are always active and prevent VPN tunnel negotiation failures due to idle time or traffic volume. You can configure permanent VPN tunnels in SmartConsole by selecting the Permanent Tunnel option in the VPN Community Properties window.

 The most likely reason why you are not seeing any data type information in your logs even though you have enabled Full Log as a tracking option to a security rule is that Data Awareness is not enabled on your Security Gateway. Data Awareness is a feature that allows you to monitor and control data types that are transferred over HTTP, HTTPS, FTP, SMTP, POP3, or IMAP protocols. Data Awareness can identify over 700 data types, such as credit card numbers, social security numbers, bank account numbers, medical records, etc., and provide visibility into the data usage patterns of your users. Data Awareness can also enforce data loss prevention (DLP) policies to prevent sensitive data from leaving your network or entering your network from untrusted sources. To enable Data Awareness on your Security Gateway, you need to activate the Data Awareness Software Blade in SmartConsole and install the policy on the Security Gateway. 

The two ClusterXL Deployment options are Distributed and Full High Availability. Distributed deployment means that each cluster member has its own Security Management Server and synchronizes with other members. Full High Availability deployment means that one cluster member is active and handles all traffic, while the other members are in standby mode and ready to take over in case of a failure. The other options are not valid ClusterXL Deployment options, but rather ClusterXL Modes or ClusterXL Load Sharing Methods. References: [Check Point Security Expert R81 ClusterXL Administration Guide], page 6.

The correct answer is A. SecurelD.

SecurelD is an authentication method that uses a token-based system to generate one-time passwords (OTPs) for users. Users need to have a physical or software token that displays a code that changes periodically. The code is used along with a personal identification number (PIN) to authenticate the user.

DynamiclD is another authentication method that uses OTPs, but it does not require a token. Instead, it sends the OTP to the user’s email or phone number.

Radius and TACACS are protocols that allow remote authentication of users through a centralized server. They do not use tokens, but they can support different types of authentication methods, such as passwords, certificates, or OTPs.

References:

• Certified Security Expert (CCSE) R81.20 Course Overview1
• What Is Token-Based Authentication? | Okta2

CoreXL is a technology that improves the performance of the Security Gateway by utilizing multiple CPU cores for processing traffic. CoreXL creates multiple instances of the firewall kernel (fwk) that run in parallel on different CPU cores. The number of kernel instances can be configured using the cpconfig command on the Security Gateway3. The minimum number of CPU cores required to enable CoreXL is 2, as one core is reserved for SND (Secure Network Distributor) and one core is used for running a kernel instance4. If the Security Gateway has only one CPU core, CoreXL cannot be enabled. Therefore, the correct answer is C.

References: 3: CoreXL Administration Guide 4: [CoreXL Frequently Asked Questions (FAQ)]

Mobile Access Gateway can be configured as a reverse proxy for internal web applications. Reverse proxy users browse to a URL that is resolved to the Security Gateway IP address. The Security Gateway then forwards the requests to the internal web servers and returns the responses to the users. To enable reverse proxy mode on the Mobile Access Gateway, the administrator needs to run the ReverseProxy command on the command line interface of the Security Gateway5. Therefore, the correct answer is C.

References: 5: Reverse Proxy Mode

 How many interfaces can you configure to use the Multi-Queue feature? You can configure up to 5 interfaces to use the Multi-Queue feature. Multi-Queue is a performance enhancement feature that allows distributing the network traffic among multiple CPU cores, instead of using a single core for all traffic. Multi-Queue can be enabled on interfaces that have high traffic load and support multiple receive/transmit queues. Multi-Queue can be configured via SmartConsole or via CLI with the command sim affinity -m. References: R81 Performance Tuning Administration Guide, page 18.

 The command that may impact performance briefly and should not be used during heavy traffic times of day is fw tab -t connections. This command displays all the entries in the connections table, which can be very large and consume a lot of CPU resources. The other commands are less intensive and can be used safely. The command fw tab -t connections -s displays only the statistics of the connections table, such as number of entries, peak size, etc. The command fw tab -t connections -c clears all the entries in the connections table. The command fw tab -t connections -f displays only the entries that match a filter expression. References: [fw tab Command]

 The command to check the status of Check Point processes is cpwd_admin list. This command displays the process ID, name, state, start time, and watchdog status of all the processes that are monitored by the Check Point WatchDog daemon (CPWD). You can also use this command to start, stop, or restart a specific process. References: [cpwd_admin Command]