156-215.81 Check Point Certified Security Administrator R81.20 CCSA (156-215.81.20) Questions and Answers

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port  8161 .  The correct port number for Delta synchronization is  8116 1 2 . The other statements are true about Delta synchronization. References:  ClusterXL Administration Guide R81 ,  Check Point CCSA - R81: Practice Test & Explanation

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s 3 .  The Management API’s support HTTPS protocol only, not HTTP 3 .  The other methods are valid ways to communicate using the Management API’s 3 . References:  Check Point Learning and Training Frequently Asked Questions (FAQs)

The BEST object type to represent an LDAP group in a Security Policy is an Access Role.  An Access Role object defines a set of users, machines, or networks that can access a resource or service 1 , p. 27.  An Access Role object can include LDAP groups as one of its components 2 , p. 10. References:  Check Point CCSA - R81: Practice Test & Explanation ,  Check Point Identity Awareness Administration Guide R81

The command  show cluster state  is used to monitor cluster members in CLI. It displays information such as the cluster mode, the cluster members, their status, their priority, and their interfaces. References: [ClusterXL Administration Guide], [Check Point CLI Reference Card]

In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway using the CPLIC command 1 .  This command allows you to install a license from a file or from the User Center 1 . Therefore, the correct answer is D.  True, Central License can be installed with CPLIC command on a Security Gateway. 

Domain-based— VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

This statement is  not true  because a VPN domain is  not  a service or user, but a  host or network  that can send or receive VPN traffic through a VPN Gateway 1 .  This is the definition given in the Site to Site VPN R81 Administration Guide 1 .  The other statements are true according to the same guide 1 .

Remote Access VPN R81.20 Administration Guide

Site to Site VPN R81 Administration Guide

DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud

R80 is supported by Gaia only, which is Check Point’s unified security operating system for all Check Point appliances, open servers, and virtualized gateways 1 , p. 14. Windows and SecurePlatform are not supported by R80. References:  Check Point CCSA - R81: Practice Test & Explanation , [Check Point Learning and Training Frequently Asked Questions (FAQs)]

 To ensure that VMAC mode is enabled, you should run the command  fw ctl get int fwha_vmac_global_param_enabled  on all cluster members and check that the result of the command returns the value 1 1 . This command shows the current value of the global kernel parameter  fwha_vmac_global_param_enabled , which controls whether VMAC mode is enabled or disabled.  VMAC mode is a feature that associates a Virtual MAC address with each Virtual IP address of the cluster, which reduces the need for Gratuitous ARP packets and improves failover performance 1 . The other options are incorrect. Option A is not a valid command.  Option C is a command to show the status of cluster interfaces, not VMAC mode 2 .  Option D is a command to show the value of a different global kernel parameter,  fwha_vmac_global_param_enabled , which controls whether VMAC mode is enabled for all interfaces or only for non-VLAN interfaces 1 . References:  How to enable ClusterXL Virtual MAC (VMAC) mode ,  cphaprob

 To make John’s changes available to other administrators, and to save the database before installing a policy, John must publish the session.  Publishing the session saves the changes to the database and makes them visible to other administrators 1 . The other options do not achieve this goal. References:  Publishing a Session

Check Point provides an Automatic Licensing and Verification tool that ensures licenses are properly validated. This tool:

Automatically checks current licenses against Check Point ' s online license repository.

Activates newly added licenses.

Ensures compliance with active contracts.

Option B (incorrect): " Verification licensing " is not an official Check Point feature.

Option C (incorrect): " Verification tool " is too generic and does not refer to Check Point’s licensing system.

Option D (incorrect): " Automatic licensing " does not fully describe the verification and activation process.

Thus, the correct answer is A. Automatic Licensing and Verification tool.

Certificate is the most secure means of authentication among the given options 2 . A certificate is a digital document that contains information about the identity of a user or a device, and is signed by a trusted authority. A certificate can be used to prove the identity of a user or a device without revealing any sensitive information, such as passwords or tokens. Password, token, and pre-shared secret are less secure means of authentication because they can be easily compromised, stolen, or guessed by attackers. References:  Secure User Authentication Methods - freeCodeCamp.org ,  What is the Most Secure Authentication Method for Your Organization …

The path that is available only when CoreXL is enabled is the medium path. The medium path is used to handle packets that require deeper inspection by the Firewall and IPS blades, but do not need to go through the slow path . The slow path is used to handle packets that require stateful or out-of-state inspection by other blades, such as Application Control or VPN . The firewall path and the accelerated path are available regardless of CoreXL status . References: [CoreXL R81 Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation], [Check Point Security Gateway Architecture and Packet Flow] , [Free Check Point CCSA Sample Questions and Study Guide]

halt is the Gaia command that turns the server off. This command shuts down the operating system and powers off the machine. Other commands that can be used to shut down the server are shutdown and poweroff. References: [Gaia Administration Guide R80.40]

The back up solution that should be used to ensure your database can be restored on that device is snapshot . A snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point products, configuration, and operating system. A snapshot can be used to restore a Security Gateway or Security Management Server to its previous state at any time . Therefore, the correct answer is D. snapshot. 

Accounting is the option in tracking that allows you to see the amount of data passed in the connection. Accounting tracks the number of bytes and packets for each connection and generates reports based on the collected data.  References :  Certified Security Administrator (CCSA) R81.20 Course Overview , page 14.

The GAiA Portal is the WebUI for Check Point security appliances. By default, it uses the HTTPS protocol for secure communication. The default port for HTTPS-based web access is port 443.

Port 4434 (A) is not the default port for GAiA Portal.

Port 80 (B) is the default for standard HTTP, but GAiA Portal requires HTTPS.

Port 8080 (C) is sometimes used for alternative web services, but not for GAiA Portal.

Port 443 (D) is the correct default port for GAiA Portal access.

Thus, the correct answer is D. 443.

The default shell of the Gaia CLI is cli.sh, which provides a limited set of commands for basic configuration and troubleshooting.  To change from the cli.sh shell to the advanced shell (also known as expert mode) to run Linux commands, the administrator needs to execute the command ‘expert’ in the cli.sh shell

When a certificate is revoked from a Security Gateway, the information is stored on the Certificate Revocation List (CRL). The CRL is maintained by the Internal Certificate Authority (ICA) and is checked during certificate validation processes.

Option A (Incorrect): The Security Management Server maintains certificate information but does not store revoked certificates permanently.

Option C (Incorrect): The Internal Certificate Authority manages certificate issuance but does not store revoked certificates—it publishes a CRL instead.

Option D (Incorrect): The Security Administrator does not receive direct notifications of revoked certificates.

Thus, the correct answer is B. Stored on the Certificate Revocation List.

The  fwm  process is responsible for managing the communication between the SmartConsole and the Security Management Server.  It can only be seen on a Management Server 1 2 . References:  Check Point Processes and Daemons ,  Check Point CCSA - R81: Practice Test & Explanation

The WebUI can be used to manage Operating System user accounts and add users to your Gaia system, assign privileges to users, and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server.  This is done by the SmartConsole 1 .

References:  1 :  Check Point R81 Security Management Administration Guide , page 11.

The command cplic print is used to verify license installation. It displays the installed licenses and their expiration dates . References: [Check Point R81 Command Line Interface Reference Guide],  Check Point :: Pearson VUE

The options that are not tracking options are Partial log, Network log, and Full log. Tracking options are settings that determine how the Security Gateway handles traffic that matches a rule in the security policy. The valid tracking options are Log, Detailed Log, Extended Log, Alert, Mail, SNMP trap, User Defined Alert, and None. The other options are incorrect. Log is a tracking option that records basic information about the traffic, such as source, destination, service, action, etc. Detailed Log is a tracking option that records additional information about the traffic, such as NAT details, data amount, etc. Extended Log is a tracking option that records even more information about the traffic, such as matched IPS protections, application details, etc. References: [Logging and Monitoring Administration Guide R80 - Check Point Software]

The Check Point software blade that provides Application Security and identity control is Application Control 3  .  Application Control enables network administrators to identify, allow, block, or limit usage of thousands of applications and millions of websites 3  . Therefore, the correct answer is D.  Application Control

 A Security Policy is created in SmartConsole, stored in the Security Management Server, and distributed to the various Security Gateways. SmartConsole is a graphical user interface that allows administrators to create and edit security policies. The Security Management Server is a central server that stores and manages the security policies. The Security Gateways are devices that enforce the security policies on the network traffic.

References: :  Check Point R81 Security Gateway Administration Guide , page 9.

The key that is created during Phase 2 of a site-to-site VPN is a symmetrical IPSec key 3 .  This key is used to encrypt and decrypt the data that is exchanged between the VPN peers 3 .  The symmetrical IPSec key is derived from the shared secret and the Diffie-Hellman public keys that are exchanged during Phase 1 3 . References:  Site to Site VPN in R80.x - Tutorial for Beginners

 Application Control is the software blade that enables Access Control policies to accept, drop, or limit web site access based on user, group, and/or machine. Application Control allows you to define granular rules for applications, web sites, web categories, web content types, and users. You can also use Application Control to monitor and block risky applications and web usage. References: [Application Control Administration Guide R80.40]

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References:  Check Point Security Management Administration Guide R81 , p. 9

Upgrading the Security Gateway does not require a new license to be generated and installed. The license is tied to the IP address or hostname of the Security Gateway, not the software version.  However, if the IP address or hostname changes, the existing license expires, or the license is upgraded, a new license must be generated and installed 1 2  References:  Check Point R81 ,  Managing and Installing license via SmartUpdate

In Check Point SmartConsole, when multiple administrators work on security policies, a lock icon appears on rules or objects that are being modified.

If AdminB sees a lock, it means that AdminA is currently editing the rule, and it is locked for others.

Once AdminA publishes the session, the rule becomes available to other administrators.

Option B (incorrect): Saving a session does not release the lock; it must be published.

Option C (incorrect): The lock is not caused by AdminB but by another user (AdminA).

Option D (incorrect): A lock appears when another user (AdminA) is editing, not the current user.

Thus, the correct answer is A. Rule is locked by AdminA and will be made available if the session is published.

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log.  You can add Accounting and/or Suppression to each of these options 1 . Accounting enables you to track the amount of data that is sent or received by a specific rule. Suppression enables you to reduce the number of logs that are generated by a specific rule. Therefore, the correct answer is C. Accounting/Suppression. References:  Logging and Monitoring Administration Guide R80 - Check Point Software

 Identity Captive Portal is a Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication 2 .  To enable Identity Captive Portal for a specific rule, you need to right click Accept in the rule, select “More”, and then check “Enable Identity Captive Portal” 3 . References:  Identity Awareness Administration Guide R80 ,  Identity awareness with captive portal in Checkpoint R80

Application Control is a blade that enables administrators to control access to applications and web sites by users, groups, machines, and time.  Application Control can eliminate unknown and unwanted applications in your network to reduce IT complexity and application risk, identify and control which applications are in your IT environment and which to add to the IT environment, and automatically identify trusted software that has authorization to run 1 . However, Application Control cannot scan the content of files being downloaded by users in order to make policy decisions.  That is the function of another blade called Content Awareness, which can inspect files based on their type, size, name, and data 2 . References:  Check Point R81 Application Control Administration Guide ,  Check Point R81 Content Awareness Administration Guide

The tracking actions that can be selected when configuring Spoof Tracking are  Log, alert, none . Spoof Tracking is a feature that detects packets with spoofed source IP addresses and logs them in SmartView Tracker. The administrator can choose to log only, log and alert, or do nothing when spoofed packets are detected. The other options are not valid tracking actions for Spoof Tracking, as they are either not available or not relevant for this feature.

References: [Spoof Tracking], [Firewall Administration Guide]

The Stealth Rule is used to prevent users from directly connecting to a Security Gateway.  It is usually placed at the top of the rule base, before any other rule that allows traffic to the Security Gateway 1 , p. 32. References:  Check Point CCSA - R81: Practice Test & Explanation

The statement that is true regarding Gaia command line is that all configuration changes should be made in CLISH and expert-mode should be used for OS-level tasks. CLISH is the default shell of Gaia CLI that provides a limited set of commands for basic configuration and troubleshooting. Expert mode is an advanced shell that allows running Linux commands and accessing the file system. Configuration changes should not be done in expert-mode, as they may cause inconsistencies or errors in the system. The other statements are false regarding Gaia command line. 

The Threat Prevention Software Blade that provides protection from malicious software that can infect your network computers is  Anti-Virus . Anti-Virus is a software blade that scans files and traffic for viruses, worms, trojans, spyware, and other malware. Anti-Virus can block or clean infected files and prevent malware outbreaks. IPS is a software blade that provides protection from network attacks and exploits. Anti-Malware is not a software blade, but rather a term that refers to any software that can detect and remove malware. Content Awareness is a software blade that provides visibility and control over data that enters or leaves the network based on file types, data types, and keywords.

References: [Anti-Virus Software Blade], [IPS Software Blade] , [What is Anti-Malware?], [Content Awareness Software Blade]

 In Security Gateways R75 and above, SIC uses AES-128 for encryption. SIC stands for Secure Internal Communication, which is a mechanism that establishes trust between Check Point components, such as Security Gateways, Security Management Servers, Log Servers, etc. SIC uses certificates to authenticate and encrypt the communication between the components. AES-128 is an encryption algorithm that uses a 128-bit key to encrypt and decrypt data. The other options are incorrect. AES-256 is an encryption algorithm that uses a 256-bit key, but it is not used by SIC. DES and 3DES are older encryption algorithms that use 56-bit and 168-bit keys respectively, but they are not used by SIC either. References: [Secure Internal Communication (SIC) between Check Point components], AES - Wikipedia, DES - Wikipedia, Triple DES - Wikipedia

Access roles allow the firewall administrator to configure network access according to remote access clients, a combination of computer or computer groups and networks, and users and user groups 1 2 . Therefore, the correct answer is D.

When a policy package is installed, user and objects databases are also distributed to the target installation Security Gateways 1 4 .  The user and objects databases contain information about network objects, users, groups, services, VPN domains, and more 1 4 . Therefore, the correct answer is A.  User and objects databases.

The ports to which the Client Authentication daemon listens on by default are 259 and 900. Client Authentication is a method that allows users to authenticate with the Security Gateway before they are allowed access to protected resources. The Client Authentication daemon (fwauthd) runs on the Security Gateway and listens for authentication requests on TCP ports 259 and 900 . References: [Check Point R81 Remote Access VPN Administration Guide] , [Check Point R81 Quantum Security Gateway Guide]

When changes are made to a Rule base, it is important to  Publish database  to enforce changes 5 . Publishing database saves the changes to the database and makes them available to other administrators. Installing policy applies the changes to the Security Gateways. References:  Check Point R81 Security Management Administration Guide , [Check Point R81 SmartConsole R81 Resolved Issues], [Check Point R81 Firewall Administration Guide]

 Identity Awareness is a blade that enables administrators to define access rules based on the identity of users and machines, rather than just IP addresses. Identity Awareness allows easy configuration for network access and auditing based on three items: network location, the identity of a user, and the identity of a machine. Network location refers to the source or destination network segment of the traffic. The identity of a user refers to the username or group membership of the user who initiates or receives the traffic. The identity of a machine refers to the hostname or certificate of the machine that initiates or receives the traffic. References: [Check Point R81 Identity Awareness Administration Guide]

In order to see real-time and historical graph views of Security Gateway statistics in SmartView Monitor, the Monitoring Blade feature needs to be enabled on the Security Gateway. The Monitoring Blade is a software blade that collects and displays network and security performance data from the Security Gateway, such as traffic, throughput, connections, CPU usage, memory usage, etc. The Monitoring Blade can be enabled or disabled on each Security Gateway from the SmartConsole. References: [Monitoring Blade], [SmartView Monitor]

RADIUS protocol uses UDP (User Datagram Protocol) to communicate with the gateway.  UDP is a connectionless protocol that does not require a handshake or acknowledgment before sending or receiving data 2 .

References:  2 : [Check Point R81 Identity Awareness Administration Guide], page 14.

The INSPECT Engine is the core component of Check Point’s Stateful Inspection technology. It is used to extract state related information from packets and store that information in state tables.  The INSPECT Engine also evaluates the security policy and enforces it on the packets 1 . References:  Check Point R81 Security Gateway Technical Administration Guide

 The correct answer is A because session unique identifiers are passed to the web api using the X-chkp-sid http header option 1 .  The X-chkp-sid header is used to authenticate and authorize API calls 1 . The other options are not related to session unique identifiers. References:  Check Point R81 Security Management Administration Guide

 DLP and Geo Policy are examples of  Shared Policies . Shared Policies are policies that can be shared with other policy packages to save time and effort when managing multiple gateways with similar security requirements. Shared Policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers. Other types of policies include Inspection Policies, Unified Policies, and Standard Policies. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

The answer is B because bridge mode deployment adds a Security Gateway to an existing environment without changing IP routing. Bridge mode is a transparent mode that does not require assigning IP addresses to the Security Gateway interfaces. Distributed deployment is a deployment where the Security Management Server and the Security Gateway are installed on separate machines. Remote deployment is a deployment where the Security Gateway is installed on a remote site and connects to the Security Management Server over a VPN tunnel. Standalone deployment is a deployment where the Security Management Server and the Security Gateway are installed on the same machine. References: [Check Point R81 Bridge Mode], [Check Point R81 Deployment Scenarios]

The correct answer is A because detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature of the Check Point URL Filtering and Application Control Blade 3 .  This feature is part of the Check Point Anti-Virus and Anti-Bot Blades 3 .  The other options are features of the Check Point URL Filtering and Application Control Blade 3 . References:  Check Point R81 URL Filtering and Application Control Administration Guide

The technologies that are used to deny or permit network traffic are Stateful Inspection, Firewall Blade, and URL/Application Blade. Stateful Inspection is a technology that inspects network traffic at the packet level and maintains the state and context of each connection. Firewall Blade is a software blade that enforces security policy and prevents unauthorized access to protected resources. URL/Application Blade is a software blade that enables administrators to control access to millions of websites and applications based on users, groups, and machines.

References: :  Check Point R81 Security Gateway Administration Guide , page 9. :  Check Point R81 Security Gateway Administration Guide , page 10. :  Check Point R81 Security Gateway Administration Guide , page 12.

The command that shows the installed licenses in Expert mode is cplic print.  This command displays information about the licenses that are installed on the local machine or a remote machine 1 .  The other commands are not valid for showing licenses in Expert mode. 

The correct answer is B because Threat Extraction always delivers a file and takes less than a second to complete 2 .  Threat Extraction removes exploitable content from files and delivers a clean and safe file to the user 2 .  Threat Emulation analyzes files in a sandbox environment and delivers a verdict of malicious or benign 2 .  Threat Emulation can take more than 3 minutes to complete depending on the file size and complexity 2 . References:  Check Point R81 Threat Prevention Administration Guide

The statement that best describes Secure Internal Communication (SIC) is: After successful initialization, the gateway can communicate with any Check Point node that possesses a SIC certificate signed by the same ICA.  SIC is a mechanism that ensures secure communication between Check Point components by using certificates that are issued by an Internal Certificate Authority (ICA) 3 . The other statements are not accurate descriptions of SIC.

 The SIC Status “Unknown” means that there is no connection between the gateway and Security Management Server.  This can happen if the gateway is down, unreachable, or has not been initialized yet 1 2 . References:  Check Point R81 Security Management Administration Guide ,  Free Check Point CCSA Sample Questions and Study Guide

Sub Policies are a new feature in R80.10 Gateway that allow creating and attaching sets of rules to specific rules in the main policy 4 .  Sub Policies are useful for delegating permissions, managing large rule bases, and applying different inspection profiles 4 . The other options are not new features in R80.10 Gateway. References:  Check Point R80.10 Security Management Administration Guide

The correct answer is A because renaming the hostname of the Standby member to match exactly the hostname of the Active member is not a recommended step to prevent data loss.  The hostname of the Standby member should be different from the hostname of the Active member 1 .  The other steps are necessary to ensure a smooth failover and synchronization between the Active and Standby Security Management Servers 2 . References:  Check Point R81.20 Administration Guide ,  156-315.81 Checkpoint Exam Info and Free Practice Test

 The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway.  Installing the Security Policy is not necessary because it does not affect the CoreXL configuration 1 . References:  Check Point R81 Security Management Administration Guide

The Object Explorer is the part of SmartConsole that allows administrators to add, edit, delete, and clone objects. Objects are entities that represent network elements, such as hosts, networks, gateways, services, users, etc.  The Object Explorer provides a tree view of all the objects in the database and allows searching, filtering, and grouping them 2 . References:  Check Point R81 SmartConsole R81 User Guide

According to the Managing and Installing license via SmartUpdate 2 , there are two repositories installed on the Security Management Server by SmartUpdate: License & Contract and Package Repository. The License & Contract repository stores all licenses available and all of the assigned licenses. The Package Repository stores all packages downloaded from the Check Point Cloud or uploaded from a local device. References:  Managing and Installing license via SmartUpdate

A Distinguished Name (DN) is a unique identifier for an entry in an LDAP directory. A DN consists of a sequence of relative distinguished names (RDNs) separated by commas. Each RDN is composed of an attribute type and an attribute value, such as cn=John Smith or ou=Sales. A DN can have different components depending on the structure and schema of the LDAP directory, but some common components are: Common Name (cn), Country ©, Organizational Unit (ou), Organization (o), State or Province (st), and Locality (l).  User container is not a component of a DN 3 . References:  Check Point R81 Identity Awareness Administration Guide

 src:192.168.1.1 AND dst:172.26.1.1 AND action:Drop is the correct log query to show only dropped packets with source address of 192.168.1.1 and destination address of 172.26.1.1. The AND operator means that all conditions must be true for the query to match.  The OR operator means that any condition can be true for the query to match 3 . The other queries will either show packets that are not dropped or packets that have different source or destination addresses.

 To use Application objects in a rule, the “Applications & URL Filtering” blade should be enabled on the policy layer where the rule is being created.  Enabling the “Application Control” blade on a gateway is not enough 3 .

References:  3 :  Check Point R81 Security Management Administration Guide , page 102.

The answer is C because inline layer can be defined as a rule action in a policy layer. Inline layer is a sub-policy that contains additional rules that are applied only if the parent rule matches. Ordered layer is a policy layer that contains rules that are applied in order, from top to bottom. One policy can be either inline or ordered, but not both.  Pre-R80 Gateways do support ordered layers, but not inline layers 5  References:  Check Point R81 Policy Layers and Sub-Policies , [Check Point R81 Security Gateway Administration Guide]

 When you upload a package or license to the appropriate repository in SmartUpdate, the package or license is stored on the Security Management Server. SmartUpdate is a tool that allows you to centrally manage software updates and licenses for all Check Point products on your network.

References: :  Check Point R81 Security Management Administration Guide , page 16.

The components of Check Point Capsule are Capsule Docs, Capsule Cloud, and Capsule Workspace 1 2 3 . There is no Capsule Enterprise component. Capsule Docs protects business documents everywhere they go. Capsule Cloud protects mobile users outside the enterprise security perimeter. Capsule Workspace creates a secure business environment on mobile devices. References:  Check Point Capsule Datasheet ,  Check Point Capsule Workspace Datasheet ,  Mobile Secure Workspace with Capsule

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. The Full Identity Agent is a client-side software that provides full identity awareness features, such as user authentication, computer authentication, packet tagging, identity caching, and identity sharing. The other types of Endpoint Identity Agents are Custom, Complete, and Light, which have different features and capabilities. 

The two Check Point Protocols that are used by are FWD and LEA 5 6 7 . FWD is the Firewall Daemon that handles communication between different Check Point components, such as Security Management Server, Security Gateway, SmartConsole, etc. LEA is the Log Export API that allows external applications to retrieve logs from the Security Gateway or Security Management Server. Therefore, the correct answer is B. FWD and LEA. References:  Border Gateway Protocol - Check Point Software ,  Check Point IPS Datasheet ,  List of valid protocols for services? - Check Point CheckMates

SmartEvent is a unified security management solution that provides real-time visibility into security events across the network. SmartEvent shows correlated logs and aggregated data to provide an overview of potential threats and attack patterns, as well as generate reports and alerts based on predefined or customized indicators. SmartView Tracker, SmartLog, and SmartView Monitor are other SmartConsole applications that can show logs, search queries, and network statistics respectively, but they do not provide the same level of correlation and analysis as SmartEvent. References: [Check Point R81 SmartEvent Administration Guide]

 The RFC number that acts as a best practice guide for NAT is RFC 1918. RFC 1918 defines a range of private IP addresses that are not globally routable and can be used for internal networks. NAT is a technique that maps these private IP addresses to public IP addresses that can communicate with the Internet. RFC 1918 provides guidelines and recommendations for using NAT in different scenarios and environments. References: [RFC 1918], [Network Address Translation (NAT)]

If the NAT property ‘Translate destination on client side’ is not enabled in Global properties, nothing needs to be configured on the client side, because the Gateway takes care of all details necessary. The Gateway translates the destination IP address before sending the packet to the client, so the client does not need to know about the NAT rule or add any host route or ARP entry.

References:  Check Point Security Engineering Study Guide , p. 136-137

The steps to configure the HTTPS Inspection Policy are as follows 3 4 :

Go to  Manage & Settings   >   Blades   >   HTTPS Inspection   >   Policy .

Click on  New HTTPS Inspection Rule  or select an existing rule and click on  Edit Rule .

Define the  Source ,  Destination , and  Action  for the rule. The action can be either  Inspect ,  Bypass , or  Ask .

Click on  OK  and then on  Install Policy  to apply the changes. References:  HTTPS Inspection R81 Administration Guide ,  Check Point CCSA - R81: Practice Test & Explanation

The option that allows all encrypted and non-VPN traffic that matches the rule is Accept all encrypted traffic.  This option enables you to allow traffic to any destination that is encrypted, regardless of whether it is part of a VPN community or not 2 . Therefore, the correct answer is B.  Accept all encrypted traffic. 

The purpose of a Stealth Rule is to drop any traffic destined for the firewall that is not otherwise explicitly allowed 1 , p. 32.  A Stealth Rule is usually placed at the top of the rule base, before any other rule that allows traffic to the Security Gateway 2 , p. 13. A Stealth Rule is not used to hide a server’s IP address, to allow administrators to access SmartDashboard, or to drop any traffic that is not explicitly allowed. References:  Check Point CCSA - R81: Practice Test & Explanation ,  156-315.81 Checkpoint Exam Info and Free Practice Test

When a gateway requires user information for authentication, it queries servers for user information in the following order: first the internal user database, then the generic external user profile, and finally LDAP servers in order of priority. The internal user database is a local database that stores user information on the Security Gateway or Security Management Server. The generic external user profile is a predefined profile that allows users to authenticate with any external server that supports RADIUS or TACACS protocols. LDAP servers are external servers that use the Lightweight Directory Access Protocol to store and retrieve user information. The gateway queries LDAP servers according to the priority that is defined in the LDAP Account Unit object properties. 

Secure Internal Communication (SIC) is handled by the CPD process 3 . CPD is the Check Point Daemon that runs on all Check Point modules and handles internal licensing and SIC operations. SIC is a mechanism that ensures secure communication between Check Point components using certificates and encryption. References:  Check Point R81 Security Management Administration Guide

 The  Security Gateways  collect logs and send them to the  log server . The Security Gateways are the components that enforce the security policy on network traffic and generate logs for each connection that matches a rule with a tracking option. The log server is the component that receives and stores the logs from the Security Gateways and provides a centralized interface for viewing and analyzing them. The log server can be either a dedicated server or integrated with the Security Management Server. References: [Check Point R81 Security Management Administration Guide]

The INSPECT Engine is a technology that extracts detailed information from packets and stores that information in state tables.  It enables stateful inspection and application layer filtering 1 2  References:  INSPECT Engine ,  Stateful Inspection

The file that is an electronically signed file used by Check Point to translate the features in the license into a code is cp.macro. This file contains a list of macros that define the license features and their values. It is located in the $FWDIR/conf directory on the Security Management Server or Security Gateway. References: [Check Point R81 Licensing Guide], [Check Point R80.40 Licensing Guide]

SmartView is the web application for real-time event monitoring in SmartEvent R80 and above.  It provides a unified view of security events across the network and allows for quick investigation and response 3 4 . References:  SmartEvent R80.40 Administration Guide ,  SmartView

The correct answer is D because the recommended size of the root partition for a dedicated R80 SmartEvent server is at least 20GB 2 . Any size, less than 20GB, or more than 10GB and less than 20GB are not sufficient for the SmartEvent server. References:  Check Point R80.40 Installation and Upgrade Guide

When an encrypted packet is decrypted, this happens in the security policy 4 . The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy. References:  Check Point R81 VPN Administration Guide

 The answer is B because AES-CBC-256 is not a supported encryption algorithm for IPsec Security Associations (Phase 2) in R81.  The supported encryption algorithms are AES-GCM-128, AES-GCM-256, AES-CBC-128, 3DES, and NULL 3  References:  Check Point R81 VPN Administration Guide

NAT (Network Address Translation) is a technique that modifies the IP addresses or ports of packets that pass through a security gateway. NAT can be configured in two ways: Automatic or Manual. Automatic NAT means that the NAT rules are generated automatically by the security gateway based on the NAT properties of network objects. Manual NAT means that the NAT rules are defined explicitly by the administrator in the NAT policy. Proxy ARP (Address Resolution Protocol) is a technique that allows a security gateway to answer ARP requests on behalf of other hosts. Proxy ARP is needed when a host on one network segment tries to communicate with a host on another network segment that has a different IP address than its own. In some scenarios, an administrator will need to manually define Proxy ARP for NAT to work properly.  One such scenario is when they configure a Manual Static NAT which translates to an IP address that does not belong to one of the firewall’s interfaces 2 . References:  Check Point R81 Network Address Translation Administration Guide

According to the Check Point R81.10 SmartConsole for Windows 1 , to restore a backup, you need to supply the following data: Server, Protocol, Username, Password, and Path. The Server is the IP address or hostname of the Security Management Server. The Protocol is either SCP or SFTP. The Username and Password are the credentials for the Security Management Server. The Path is the location of the backup file on the Security Management Server. References:  Check Point R81.10 SmartConsole for Windows

A Distributed Deployment is when the Security Management Server and Security Gateway are installed on separate machines. In this setup, the Security Gateway communicates its status to the Security Management Server, which resides at a different IP address.

Option A (Incorrect): " Targeted " is not an official Check Point deployment mode.

Option B (Incorrect): In Bridge Mode, the Security Gateway acts as a Layer 2 bridge and does not communicate its status to another IP.

Option D (Incorrect): In Standalone Mode, the Security Gateway and Management Server are on the same machine, meaning it does not communicate status to a different IP.

Thus, the correct answer is C. Distributed.

 Gaia has two default user accounts that cannot be deleted. They are Admin and Monitor. Admin is the user account that has full administrative privileges and can access both WebUI and CLI.  Monitor is the user account that has read-only privileges and can access only WebUI 2 . The other options are not default user accounts in Gaia.

Security Zones are a feature of Application Control and Identity Awareness that allow you to define groups of network objects based on their level of trust.  Security Zones do not work with Manual NAT rules, because Manual NAT rules are applied before the Application Control and Identity Awareness policy is enforced 1 . References:  Check Point R81 Security Management Administration Guide

Identity Awareness uses several methods for acquiring identity, such as Active Directory Query, Identity Agent, Browser-Based Authentication, Terminal Servers, Captive Portal, and RADIUS 1 2 .  Cloud IdP (Identity Provider) is not a method used by Identity Awareness 1 2 . Therefore, the correct answer is B.  Cloud IdP (Identity Provider).

Multiple administrators can connect to a Security Management Server at the same time, and each administrator has their own username and works in a session that is independent of other administrators 1 . This allows concurrent administration and prevents conflicts between different administrators. The other options are incorrect. Only one administrator can be connected is false. All administrators can modify a network object at the same time is false, as only one administrator can lock and edit an object at a time. Only one has the right to write is false, as all administrators have write permissions unless they are restricted by roles or permissions. References:  Security Management Server - Check Point Software

Suspicious Activity Monitoring (SAM) is the utility that is used to block activities that appear to be suspicious.  SAM allows administrators to block connections from specific IP addresses or network objects for a specified period of time 3 . Penalty Box is a feature of SAM that automatically blocks connections from sources that generate too many log entries. Drop Rule in the rulebase is a firewall action that discards packets that match certain criteria. Stealth rule is a firewall rule that prevents direct access to the Security Gateway from external sources.

The User Directory is used to obtain identification and security information about network users. It can be integrated with external user databases such as LDAP, RADIUS, or TACACS+.  References :  Certified Security Administrator (CCSA) R81.20 Course Overview , page 9.

Application information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option 4 .  The “Extended Log” option provides additional information about the application, such as name, category, risk, and technology 4 . References:  LOGGINGAND MONITORING R80

The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities 4 . This option enables you to define which VPN communities are allowed in the rule. All Connections (Clear or Encrypted) allows traffic to any destination, regardless of whether it is encrypted or not. Accept all encrypted traffic allows traffic to any encrypted destination, regardless of the VPN community.  All Site-to-Site VPN Communities allows traffic to any site-to-site VPN gateway, regardless of the VPN community 4 . Therefore, the correct answer is C.  Specific VPN Communities.

Two basic rules that Check Point recommends for building an effective security policy are Cleanup Rule and Stealth Rule.  A Cleanup Rule is a rule that is placed at the end of the rule base and drops or logs any traffic that does not match any of the previous rules 2 .  A Stealth Rule is a rule that is placed at the top of the rule base and protects the Security Gateway from direct access by unauthorized users 3 .  The other options are not basic rules for building a security policy, but rather types or categories of rules.

 Check Point ClusterXL Active/Active deployment is used when there is Load Sharing solution set up.  Load Sharing enables multiple Security Gateways to share traffic and provide high availability 1 2 . References:  Check Point R81 ,  Check Point R81 ClusterXL Administration Guide

 The correct answer is A because a pencil icon in a rule means that you have changed this rule 3 . The pencil icon indicates that the rule has been modified but not published yet.  You can hover over the pencil icon to see who made the change and when 3 . The other options are not related to the pencil icon. References:  Check Point Learning and Training Frequently Asked Questions (FAQs)

An explicit rule is created by an administrator and configured to allow or block traffic based on specified criteria. Explicit rules are displayed in the Rule Base and can be modified by the administrator.  References :  Certified Security Administrator (CCSA) R81.20 Course Overview , page 12.

 It is Best Practice to have an Explicit CleanUp rule at the end of each policy layer.  This rule will log and drop any traffic that does not match any of the preceding rules in the layer 1 , p. 23. References:  Check Point CCSA - R81: Practice Test & Explanation

To view the policy installation history for each gateway, an administrator would use the Installation history tool 1 , p. 22.  The Installation history tool shows the date and time of each policy installation, the name of the administrator who installed it, and the status of the installation 3 . Revisions, Gateway installations, and Gateway history are not valid tools in SmartConsole. References:  Check Point CCSA - R81: Practice Test & Explanation ,  Check Point SmartConsole R81 Help

 The answer is A because changing the Security Gateway IP-address requires re-establishing the trust with the Security Management Server by initializing the Secure Internal Communication (SIC). Changing the Security Gateway name in command line or changing the Security Management Server name or IP-address in SmartConsole does not require re-establishing the trust, but it may require updating the topology and pushing the policy. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 Security Gateway Administration Guide]

The function that can NOT be performed in the Unified SmartConsole Gateways and Servers tab is  Open SSH . SSH is a secure shell protocol that allows remote access to a device via command line interface. The Unified SmartConsole does not provide an option to open SSH from the Gateways and Servers tab, as it is not a graphical user interface. The other functions can be performed in the Unified SmartConsole Gateways and Servers tab, such as upgrading the software version, opening WebUI, or opening service request with Check Point Technical Support.

References: [SSH (Secure Shell)], [QUANTUM SECURITY MANAGEMENT R81]

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work.  This is because SmartConsole uses a session mechanism that allows users to work offline and save their changes locally until they are ready to publish them to the Management 1 3 . If Tom loses connectivity, he can resume his session when he reconnects and continue working on his Rule Base changes. He does not need to reboot his SmartConsole computer, clear the cache, or restore changes. His changes will not be lost since he lost connectivity. References:  Check Point R81 Security Management Administration Guide ,  Check Point CCSA - R81: Practice Test & Explanation | Udemy

References: Certificate-based authentication is considered to be the more secure and preferred VPN authentication method. It uses digital certificates to verify the identity of the VPN client and server, and provides stronger encryption and mutual authentication. Password-based authentication methods are less secure and more vulnerable to brute-force attacks, phishing, and keylogging. MD5 is a hashing algorithm, not an authentication method.  Pre-shared secret is a symmetric key that is shared between the VPN peers, but it can be compromised if it is not changed frequently or stored securely 1 2  References:  VPN authentication options ,  Windows VPN technical guide

The position of an implied rule is manipulated in the Global Properties window. Implied rules are predefined rules that are not displayed in the rule base. They allow or block traffic for essential services such as communication with Check Point servers, logging, and VPN traffic.  The position of an implied rule can be changed in the Global Properties > Firewall > Implied Rules section 5 6 . References:  How to view Implied Rules in R80.x / R81.x SmartConsole ,  Implied Rules

 A one-time password is used to initially create trust between a Gateway and Security Management Server. The administrator generates a one-time password from SmartConsole and enters it on the gateway command line interface using the cpconfig command. This establishes a Secure Internal Communication (SIC) between the gateway and the server . The other options are not used for this purpose. References: [Configuring Secure Internal Communication (SIC)], [Check Point CCSA - R81: Practice Test & Explanation]

The command to restore a backup of Check Point configurations without the OS information is  restore_backup 4 . This command restores the Gaia OS configuration and the firewall database from a compressed file. The other commands are not valid for this purpose.  import backup  is not a valid command.  cp_merge  is a command to merge policies or objects from different databases.  migrate import  is a command to import a previously exported database using  migrate export . References:  System Backup and Restore feature in Gaia , [cp_merge], [migrate import]

Stateful Inspection is true about looking at both the headers of packets, as well as deeply examining their content. Stateful Inspection inspects packets at all layers of the OSI model and maintains information about the state and context of each connection in a state table.  References :  Certified Security Administrator (CCSA) R81.20 Course Overview , page 6.

The command  api status  shows the API server status, including whether it is enabled or not, the port number, and the API version 1 . References:  Check Point R81 API Reference Guide

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate 1 .  A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic 2 .  A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date 3 .  The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway 3 .

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication.  PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA 4 .  Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms 4 .  PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication 5 .

What is mutual authentication? | Two-way authentication

Mutual authentication - AWS Client VPN

VPN authentication options - Windows Security

Mutual Authentication | Top 3 Methods of Mutual Authentication

Authentication methods and features - Microsoft Entra

 Core Protections are installed as part of the Threat Prevention Policy.  Core Protections are a set of IPS protections that are essential for securing your network against malicious traffic 4 . The other policies do not include Core Protections.

References:  1 :  Check Point CLI Reference Card   2 :  Anti-Spoofing   3 :  SmartView Tracker   4 :  Core Protections

In Check Point’s Security Management Architecture, logs can be stored on the Security Management Server and Security Gateway.

Security Management Server stores logs when configured to do so.

Security Gateways can store logs locally, but they are often forwarded to a Security Management Server or a dedicated Log Server.

Option B (Incorrect): SmartConsole is only a management interface and does not store logs.

Option C (Incorrect): SmartConsole does not store logs.

Option D (Incorrect): Logs are not exclusively stored on the Security Management Server—they can also be stored on the Security Gateway.

Thus, the correct answer is A. Security Management Server and Security Gateway.

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own.  In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties 3 4  References:  Part 4 - Installing Security Gateway ,  Deployment Options

Check Point Security Management supports two types of Policy Layers:

Ordered Layers – Enforced in sequential order, where each rule is evaluated before moving to the next layer.

Inline Layers – A sub-layer within a rule that adds additional inspection without affecting other rules.

Option A (incorrect): " Inbound Layers and Outbound Layers " is not a Check Point terminology.

Option C (incorrect): " Structured Layers and Overlap Layers " do not exist in Check Point policy management.

Option D (incorrect): Check Point R81.X fully supports Policy Layers.

Thus, the correct answer is B. Ordered Layers and Inline Layers.

In a Distributed deployment, the Security Gateway and the Security Management software are installed on different computers or appliances 2 . This allows for better scalability and performance. References:  Check Point Security Management Administration Guide R81

Each cluster, at a minimum, should have at least three interfaces 4 . These are:

A  sync interface  for synchronizing state information between cluster members.

A  cluster interface  for sending and receiving cluster control packets.

A  production interface  for handling regular traffic that passes through the cluster 4 . References:  Check Point R80.20 – How to configure Cluster firewalls – First Time Setup

A main component of the Check Point security management architecture is  SmartConsole 2 . SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References:  Check Point R81 Security Management Administration Guide

Aggressive Mode in IKEv1 uses  three packets  for negotiation, with all data required for the SA passed by the initiator 1 . The responder sends the proposal, key material, and ID, and authenticates the session in the next packet.  The initiator replies and authenticates the session 1 .

The other answers are not correct because they either refer to the Main Mode in IKEv1, which uses six packets for negotiation 2 , or they are irrelevant to the number of packets used in Aggressive Mode.

Understand IPsec IKEv1 Protocol - Cisco

Negotiation modes for phase 1 - IBM

FAQ-What are the differences between IKEv1 and IKEv2- Huawei

From SmartConsole, go to the Log & Monitor and filter for the IP address of the tablet is the correct answer. This is because the Log & Monitor view in SmartConsole allows you to view and analyze logs and events from various sources, such as Security Gateways, Security Management Servers, and SmartEvent Servers. You can use filters to search for specific logs and events based on different criteria, such as source IP, destination IP, action, time, etc. References: [Logging and Monitoring Administration Guide R80.20]

References: Threat Emulation is not a policy type available for each policy package. Threat Emulation is a software blade that is part of the Threat Prevention policy type. The other options are valid policy types that can be configured for each policy package. References: [Threat Prevention Administration Guide R80.40], [Security Po licies Administration Guide R80.40]

The default tracking option of a rule is  Log 3 . This means that the Security Gateway will generate a log entry for every connection that matches the rule. The log entry will contain information such as source, destination, service, action, and time. Other tracking options include None, Alert, Mail, SNMP Trap, User Alert, and Accounting. References:  Check Point R81 Firewall Administration Guide