156-315.81 Check Point Certified Security Expert R81.20 ( 156-315.81.20 ) Questions and Answers

With SecureXL enabled, accelerated packets will pass through the following:  Network Interface Card and the Acceleration Device . SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. Accelerated packets are packets that match certain criteria and can be handled by SecureXL without involving the Firewall kernel. These packets bypass the OSI Network Layer, OS IP Stack, and Check Point Firewall Kernel, and are processed directly by the Network Interface Card and the Acceleration Device.  The other options are either incorrect or describe non-accelerated packets. 

A star community is a VPN topology where one or more satellites connect to a center gateway. The center gateway can be a Security Gateway or a Security Management Server. The VPN routing option determines how the traffic is routed between the satellites and the center, and between the satellites themselves.  There are three VPN routing options available in a star community 1 2 :

To center only: The satellites can only communicate with the center gateway, and not with each other or with any other VPN targets. This option is useful for remote access clients that only need to access resources on the center gateway.

To center, or through the center to other satellites, to Internet and other VPN targets: The satellites can communicate with the center gateway, and also with other satellites, Internet hosts, and other VPN targets through the center gateway. This option is useful for branch offices that need to access resources on the center gateway, as well as on other branch offices, Internet hosts, and other VPN targets.

To center and to other satellites through center: The satellites can communicate with the center gateway, and also with other satellites through the center gateway. However, they cannot communicate with Internet hosts or other VPN targets. This option is useful for branch offices that need to access resources on the center gateway and on other branch offices, but not on Internet hosts or other VPN targets.

Therefore, the options A (To satellites through center only) and D (To center only) are not valid VPN routing options in a star community.

 The TCP/IP model is a four-layer model that describes how data is transmitted over a network. The four layers are: Application, Transport, Internet, and Network Access. The Application layer provides services and protocols for applications to communicate with each other. The Transport layer provides reliable or unreliable data delivery between hosts. The Internet layer provides routing and addressing of packets across networks. The Network Access layer provides physical and logical access to the network media. References:  Training & Certification | Check Point Software ,  Check Point Resource Library

 According to the Check Point R81 release notes, you can access the ThreatCloud Repository from R81.20 SmartConsole and Threat Prevention. The ThreatCloud Repository is a cloud-based service that provides real-time threat intelligence and updates to Check Point products. The other options are either outdated or nonexistent. References:  Check Point R81

To change the number of firewall instances used by CoreXL, the  cpconfig  command must be used, followed by a reboot. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The number of firewall instances determines how many cores are dedicated to CoreXL. The cpconfig command allows the administrator to configure various settings on the Security Gateway, including the number of firewall instances. After changing this setting, a reboot is required for the changes to take effect. The other commands are either incorrect or do not require a reboot.

 According to the Check Point website, Whitelist Files is the tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. Whitelist Files can be configured in SmartConsole under Threat Prevention > Policy > Whitelist Files. The other tools are either not related or not valid tools. References: Whitelist Files

The file that gives you a list of all security servers in use, including port number, is  $FWDIR/conf/fwauthd.conf . Security servers are processes that handle application-level protocols such as HTTP, FTP, SMTP, etc., and perform security checks on them. Fwauthd.conf is a configuration file that defines which security servers are enabled, which ports they listen on, and which inspection points they are attached to. 

According to the Check Point R81 training course, the Proxy ARP feature for Manual NAT in R81.20 requires the configuration of the local.arp file on the Security Gateway. This file contains the mapping of IP addresses to MAC addresses for NATed hosts. The other options are either incorrect or irrelevant. References:  Certified Security Expert (CCSE) R81.20 Course Overview

 When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions:  CIFS packets . SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, some packets cannot be accelerated by SecureXL due to various reasons, such as unsupported features, security policy settings, or protocol limitations. One example of packets that cannot be accelerated by SecureXL are CIFS packets, which are used for file sharing and access over SMB protocol. CIFS packets are not accelerated by SecureXL because they require stateful inspection by the Firewall kernel. 

 The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”.cap " number of captures " . This is a feature of CPView that allows the user to capture the current page for later analysis or troubleshooting. The file is saved in the /var/log directory on the Security Gateway. References:  Check Point Resource Library , page 3.

The SmartEvent component that creates events is the Correlation Unit, which is responsible for correlating and analyzing security events to identify patterns and potential threats.

Option A, " Consolidation Policy, " does not create events but is used to configure policies for event consolidation.

Option C, " SmartEvent Policy, " is not responsible for creating events but is used to configure policies related to SmartEvent.

Option D, " SmartEvent GUI, " is the graphical user interface for managing SmartEvent but does not create events itself.

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port  18184 . This port can be changed using the  lea_server  command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

The correct command to show actual allowed connections in the state table is option B: fw tab –t connections. This command displays the contents of the " connections " table, which contains information about the active connections being tracked by the firewall.

Option A (fw tab –t StateTable) is incorrect as there is no " StateTable " table; it should be " connections. "

Option C (fw tab –t connection) is also incorrect, as it should be " connections. "

Option D (fw tab connections) is not the correct syntax for the command.

The port that the CPM process runs on is  TCP 19009 . CPM stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. CPM is responsible for managing policies, objects, logs, tasks, and other management functions. CPM listens on TCP port 19009 for incoming connections from SmartConsole clients.  The other ports are either used by other processes or not related to CPM. 

When configuring Management HA, you have to take into consideration that the Database revisions will not be synchronized between the management servers. Database revisions are snapshots of the database that are created manually or automatically when installing a policy or saving changes. They are stored locally on each management server and are not replicated by Management HA. The other options are either not true or not relevant to Management HA. References:  Check Point R81 Installation and Upgrade Guide

Once a certificate is revoked from the Security Gateway by the Security Management Server, the ce r tificate information is stored on the Certificate Revocation List (CRL). The CRL is a list of certificates that have been revoked by the Internal Certificate Authority (ICA) and are no longer valid for Secure Internal Communication (SIC).  The CRL is signed by the ICA and issued to all the managed Security Gateways the next time a SIC connection is made 1 2 . The CRL helps to prevent unauthorized access to the Security Management Server by revoked Security Gateways.

SmartEvent Unit  is not a blade option when configuring SmartEvent. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. SmartEvent Unit is not a valid component or blade of SmartEvent.

Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services. You can use an API to:

• Use an automated script to perform common tasks

• Integrate Check Point products with 3rd party solutions

• Create products that use and enhance the Check Point solution

 UserCheck is a communication tool used to inform a user about a website or application they are trying to access. UserCheck allows administrators to interact with users in real time, informing them of the security policy and the actions they need to take. UserCheck can also enable users to self-remediate incidents or request exceptions from the administrator. References:  Training & Certification | Check Point Software ,  Check Point Resource Library

The way SSL VPN and IPSec VPN are different is that IPSec VPN uses an additional virtual adapter; SSL VPN uses the client network adapter only. SSL VPN and IPSec VPN are two types of VPN technologies that provide secure remote access to network resources over the internet. SSL VPN uses SSL/TLS protocol to establish an encrypted tunnel between the client and the server, and does not require any additional software or hardware on the client side. IPSec VPN uses IPSec protocol to establish an encrypted tunnel between the client and the server, and requires a dedicated virtual adapter on the client side to handle the IPSec traffic. The other options are either incorrect or not relevant to SSL VPN and IPSec VPN.

 A management plug-in is a software component that interacts with a Security Management Server to provide new features and support for new products. A management plug-in can extend the functionality of SmartConsole, SmartDashboard, SmartView Monitor, SmartView Tracker, SmartEvent, SmartReporter, SmartProvisioning, SmartUpdate, and other management tools. A management plug-in can also add new objects, policies, rules, actions, reports, views, and wizards to the management system. Some examples of management plug-ins are CloudGuard Controller, SandBlast Agent, Endpoint Security Server, Threat Extraction for Web, etc. 

 The command that would be used to enable the Penalty Box feature is  sim erdos -e 1 . Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

The Check Point TE appliance in Recommended Mode includes  2(OS) images . One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version. References: [Check Point R81 Threat Emulation Administration Guide]

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, " SecurID. "

Options A, C, and D are not standard authentication methods for mobile devices in this context.

Session unique identifiers are passed to the web API using the  X-chkp-sid  HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations. References:  Check Point R81 REST API Reference Guide

The statement that is not true about Delta synchronization is  Using UDP Multicast or Broadcast on port 8161 . Delta synchronization is a mechanism that transfers only the changes in the kernel tables between cluster members, instead of sending the entire tables.  It uses UDP Multicast or Broadcast on port  8116 , not 8161 2 . The other statements are true about Delta synchronization. References:  Check Point R81 ClusterXL Administration Guide

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation.   References:  CPD process

 fwssd is a child process of fwd, which is the firewall daemon that handles policy installation, logging, and state synchronization. cpwd is the watchdog process that monitors and restarts other processes. fwm is the management server process that handles communication with GUI clients. cpd is the infrastructure daemon that handles SIC, licensing, and policy code generation. References: Check Point Processes Cheat Sheet – LazyAdmins, Check Point R81 Gaia Administration Guide,  Certified Security Expert (CCSE) R81.20 Course Overview

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via the cpm process.  The cpm process is the main management process that handles database operations, policy installation, and communication with GUI clients via TCP port 19009 3 . The other options are either incorrect or irrelevant to the log flow. References:  Certified Security Expert (CCSE) R81.20 Course Overview ,  Check Point Ports Used for Communication by Various Check Point Modules

The Management API supports three methods of communication: mgmt_cli command, SmartConsole GUI dialog box, and Gaia CLI. Sending API commands over an http connection using web-services is not a supported method.   References:  Check Point Management APIs

 Detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature associated with the Check Point URL Filtering and Application Control Blade. This feature is part of the Check Point SandBlast Network solution, which uses Threat Emulation and Threat Extraction technologies to prevent zero-day attacks. The other features are part of the URL Filtering and Application Control Blade, which allows you to control access to web applications and sites based on various criteria.   References:  URL Filtering and Application Control Administration Guide

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server, where it is forwarded to  fwm  via  cpd . The fwm process is responsible for managing the log files and the cpd process is responsible for communication between processes. The other options are incorrect because they involve processes that are not related to logging or communication.  References:   Check Point Cert i fied Security Expert R81.20 Course Overview ,  sk163413: Support, Support Requests, Training … - Check Point Software ,  Check Point Certified Security Expert R81.20

SandBlast agent extends zero-day prevention to  web browsers and user devices . Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

Running the command fw unloadlocal on the Security Management Server will remove the installed Security Policy from the local firewall module. This command is useful for troubleshooting purposes when there is a problem with the policy installation or enforcement. However, it will also expose the Security Management Server to potential attacks, so it should be used with caution. References:  Training & Certification | Check Point Software , R81 CCSA & CCSE exams released featuring Promo for… - Check Point …

 The most ideal Synchronization Status for Security Management Server High Availability deployment is  Synchronized . Security Management Server High Availability deployment is a feature that allows two or more Security Management Servers to provide redundancy and load balancing for managing security policies and logs. Synchronization Status is a parameter that indicates how up-to-date the databases of the Security Management Servers are with each other. Synchronization Status can have one of the following values: Synchronized, Lagging, Never been synchronized, or Collision. Synchronized means that the databases of all Security Management Servers are identical and have no conflicts. This is the most ideal status as it ensures consistency and reliability of security management. Lagging means that one or more Security Management Servers have not received all the updates from other Security Management Servers, and their databases are outdated. Never been synchronized means that one or more Security Management Servers have never synchronized their databases with other Security Management Servers, and their databases are independent.  Collision means that one or more Security Management Servers have received conflicting updates from other Security Management Servers, and their databases have discrepancies. 

The error “no proposal chosen” indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime.  If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error “no proposal chosen”  1 .

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

The same pre-shared secret or certificate

The same encryption algorithm (e.g., AES-256)

The same hash algorithm (e.g., SHA-256)

The same Diffie-Hellman group (e.g., Group 14)

The same lifetime (e.g., 86400 seconds)

One can use the command  vpn tu  on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer.  Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings  2 .

 SmartEvent automatically defines events based on  IPS  (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent. 

The command that would show the API server status is  api status . API stands for Application Programming Interface, and it is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. API status is a command that shows the current status of the API server, such as whether it is enabled or disabled, running or stopped, listening on which port, using which certificate, etc. The other commands are either invalid or perform different functions. 

 To set the IP address and default gateway of the Management interface on a Check Point appliance, you can use the following commands:

set interface Mgmt ipv4-address 192.168.80.200 mask-length 24  - This co m mand sets the IPv4 address of the Management interface to 192.168.80.200 and the subnet mask to 255.255.255.0 (24 bits).

set static-route default nexthop gateway address 192.168.80.1 on  - This command sets the default gateway to 192.168.80.1 and enables the static route.

save config  - This command saves the configuration changes to the appliance.

These commands are documented in the  Check Point appliance initial installation  guide, which you can find in the web search results.

The other options are incorrect because they use invalid syntax or parameters for the commands. For example, option B uses  add static-route  instead of  set static-route , option C u s es  0.0.0.0.  instead of  0.0.0.0 , and option D uses  add static-route default  instead of  set static-route default .

The NAT rules that are prioritized first are  Manual/Pre-Automatic NAT . NAT stands for Network Address Translation, and it is a feature that allows Security Gateways to modify the source or destination IP addresses or ports of packets that pass through them. NAT rules are the rules that define how NAT is applied to traffic that matches certain criteria. There are three types of NAT rules: Manual/Pre-Automatic NAT, Automatic NAT, and Manual/Post-Automatic NAT. Manual/Pre-Automatic NAT rules are the rules that are manually created by administrators and placed before the automatic NAT rules in the rulebase. These rules have the highest priority and are processed first by the Security Gateway. Automatic NAT rules are the rules that are automatically generated by the Security Gateway based on the NAT properties of network objects. These rules have the second highest priority and are processed after the manual/pre-automatic NAT rules. Manual/Post-Automatic NAT rules are the rules that are manually created by administrators and placed after the automatic NAT rules in the rulebase.  These rules have the lowest priority and are processed last by the Security Gateway. 

 The correct command for enabling the management data plane separation (MDPS) is set mdps mgmt plane on. This command enables routing separation between management and data planes on a security gateway. This means that management traffic will use a different routing table than data traffic, which can improve security and performance. References: [Check Point Security Expert R81 Administration Guide], page 76.

Vanessa is expecting a very important Security Report. The Document should be sent as an attachment via e-mail. An e-mail with Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only few lines of text are in it. The report is missing some graphs, tables and links.

The component of SandBlast protection that her company is using on a Gateway is  SandBlast Threat Extraction . SandBlast Threat Extraction is a software blade that provides protection against malicious files by removing potentially risky elements, such as macros, embedded objects, scripts, etc. The sanitized files are delivered to the users with a notification about the removed elements. SandBlast Threat Extraction can also reconstruct the original files after they are scanned by SandBlast Threat Emulation, which is another software blade that provides protection against malicious files by em u lating them in a virtual sandbox and analyzing their behavior. References:  R81 Threat Prevention Administration Guide , page 37.

 How many interfaces can you configure to use the Multi-Queue feature? You can configure up to  5 interfaces  to use the Multi-Queue feature. Multi-Queue is a performance enhancement feature that allows distributing the network traffic among multiple CPU cores, instead of using a single core for all traffic. Multi-Queue can be enabled on interfaces that have high traffic load and support multiple receive/transmit queues. Multi-Queue can be configured via SmartConsole or via CLI with the command  sim affinity -m . References:  R81 Performance Tuning Administration Guide , page 18.

 The SOLR database is used for full text search and enables powerful matching capabilities. The SOLR database is part of the Log Server component, which is responsible for indexing and storing logs received from Security Gateways and other sources. The SOLR database allows users to perform complex queries on the logs using keywords, filters, operators, and expressions. References:  Log Server

Browser-Based Authentication is an identity awareness method that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Browser-Based Authentication redirects users to a web page where they can enter their credentials and be a u thenticated by an external server, such as LDAP or RADIUS. After authentication, users can a c cess the Internet and corporate resources according to the security policy rules that apply to their identity.

Browser-Based Authentication is suitable for scenarios where users can use company issued or personal laptops, since it does not require any installation or configuration on the user’s device. It also supports various operating systems and browsers, and can be customized to match the company’s branding.

The references are:

Check Point R81 Identity Awareness Administration Guide , page 9

Configuring Browser-Based Authentication in SmartConsole

Check Point Certified Security Expert R81.20 (CCSE) Core Training , slide 13

The FWD process provides logging services, such as forwarding logs from Gateway to Log Server, providing Log Export API (LEA) and Event Logging API (EL-A) services. The FWD process is respons i ble for sending logs from the Security Gateway to the Security Management Server or Log Server, and for fetching logs from the Security Management Server or Log Server to SmartConsole. The FWD process also handles the communication with external logging applications that use the LEA or EL-A protocols.

The verified answer is C. Identity Awareness.

Identity Awareness is the Check Point software blade that provides detailed visibility of users, groups, and machines, while also providing application and access control through the creation of accurate, identity-based policies 1 . Identity Awareness allows you to easily configure network access and auditing based on three items: network l o cation, the identity of a user and the identity of a machine 1 . Identity Awareness int e grates with multiple identity sources, such as Microsoft Active Directory, Cisco Ide n tity Services Engine, and RADIUS Accounting 2 3 .

Application Control is the Check Point software blade that enables network admini s trators to identify and control thousands of applications and widgets, and millions of websites, based on categories, risk, and characteristics.

Firewall is the Check Point software blade that provides stateful inspection and e n forcement of network traffic, and protects against network and application-level a t tacks.

URL Filtering is the Check Point software blade that enables secure web access by blocking access to malicious and inappropriate websites, and enforcing compliance with corporate policies.

The best way to test if the policy from two weeks ago have the same issue is to install the speci f ic version of the policy from the installation history view of the gateway. This way, you can keep the changes from the last weeks in the management server and revert back to them later if needed. You do not need to take a backup or a snapshot of the gateway or the management server for this purpose. References: [Check Point Security Expert R81 Administration Guide], page 34.

 ClusterXL and VRRP are the two cluster solutions that are available under R81.20.  According to the ClusterXL R81.20 Administration Guide 1 , ClusterXL is a Check Point software-based clustering solution that provides high availability and load sharing for Check Point Security Gateways and Cluster Members. ClusterXL supports two modes: High Availability and Load Sharing. In High Availability mode, all Cluster Members are connected to the same network segment and share a virtual IP address. One member is active and handles all traffic, while the others are in standby mode and ready to take over in case of a failure. In Load Sharing mode, all Cluster Members are active and share the traffic load according to a predefined algorithm.  ClusterXL supports both unicast and multicast modes for Load Sharing 1 .

VRRP (Virtual Router Redundancy Protocol) is an industry standard protocol that pr o vides high availability for routers or firewalls by creating a virtual router with a virtual IP address that is shared by a group of routers or firewalls. One router or firewall is elected as the master and handles all traffic directed to the virtual IP address, while the others are backups that monitor the master and take over if it fails.  VRRP can be used with Check Point Security Gateways to provide redundancy and failover for external interfa c es 1 .

NSRP (NetScreen Redundancy Protocol) is a proprietary protocol developed by Juniper Networks that provides high availability and load balancing for NetScreen fir e walls.  NSRP is not supported by Check Point products 2 .

HSRP (Hot Standby Router Protocol) is a Cisco proprietary protocol that provides high availability for routers by creating a virtual router with a virtual IP address that is shared by a group of routers. One router is elected as the active router and handles all traffic directed to the virtual IP address, while another router is elected as the standby router and monitors the active router and takes over if it fails. HSRP is not supported by Check Point products.

IP Clustering is a feature of Linux Virtual Server (LVS) that provides high availability and load balancing for IP-based services by creating a cluster of real servers that are a c cessed through a virtual IP address. The cluster is managed by a director that routes r e quests to the real servers according to a scheduling algorithm. IP Clustering is not su p ported by Check Point products.

 According to out of the box SmartEvent policy, the blade that will automatically be correlated into events is IPS. IPS (Intrusion Prevention System) is a blade that detects and prevents network attacks by inspecting traffic and applying signatures and protections. SmartEvent correlates IPS logs into events based on predefined event definitions, such as IPS Attack, IPS Attack High Confidence, IPS Attack Critical Confidence, etc. The other blades are not automatically correlated into events by default, but they can be added to the SmartEvent policy manually. References: [SmartEvent Policy]

 The recommended configuration when the customer requires SmartLog indexing for 14 days and SmartEvent to keep events for 180 days is to install Management and SmartEvent on different machines. This is because SmartLog and SmartEvent use different databases and storage methods, and having them on separate machines allows for better performance and scalability. References: [SmartLog Administration Guide]

The type of Endpoint Identity Agent that does not exist is Terminal. Endpoint Identity Agent is a software component that runs on Windows or Mac devices and provides identity information to the Check Point Security Gateway. Endpoint Identity Agent a l lows the Security Gateway to enforce granular access policies based on user identity and device compliance status. There are three types of Endpoint Identity Agent:

Full Identity Agent - a persistent agent that provides seamless and transparent identity acquisition and SSO (single sign-on) capabilities. It supports various authentic a tion methods, such as Active Directory, LDAP, RADIUS, certificate, etc. It also supports endpoint compliance checks and remediation actions.

Light Identity Agent - a lightweight agent that provides identity acquisition through a web browser. It supports Active Directory authentication only. It does not support SSO or endpoint compliance features.

Custom Identity Agent - a customized agent that provides identity acquisition through an API. It allows third-party applications or systems to integrate with Check Point Identity Awareness and provide user identity information.

Terminal is not a type of Endpoint Identity Agent, but it is a type of Terminal Server Agent. Terminal Server Agent is a software component that runs on Windows Terminal Servers or Citrix Servers and provides identity information for multiple concurrent users who connect to these servers using Remote Desktop Protocol (RDP) or Independent Computing Architecture (ICA) protocol. Terminal Server Agent allows the Security Gat e way to enforce granular access policies based on user identity and session information. 

Cluster Synchronization is a mechanism that allows cluster members to share state i n formation and maintain a consistent security policy. Cluster Synchronization uses two types of synchronization: Full Synchronization and Delta Synchronization. Full Synchr o nization transfers the entire Security Policy and state tables from one cluster member to another. Delta Synchronization transfers only the changes in the state tables.  Cluster Synchronization uses two services for communication: TCP port 256 (CPHA) for Full Sy n chronization and UDP port 8116 for Delta Synchronization 3 . Therefore, the correct a n swer is A.

Dynamic Balancing is a feature that uses a daemon to balance the required number of firewall instances and SNDs based on the current load. It dynamically changes the split between CoreXL SNDs and CoreXL Firewalls and does not require a reboot or cause an outage. It monitors the system and makes changes as needed to optimize the performance of the Security Gateway. It is supported on Check Point Appliances with R80.40 and higher versions. References:  Dynamic Balancing for CoreXL - Check Point Software ,  Dynamic Balancing available on R80.40 - Check Point CheckMates ,  CLI R81.20 Reference Guide - Check Point Software ,  Performance Tuning R81.20 Administration Guide - Check Point Software

The Check Point history feature in R81 provides the following functions:

View install changes: This function allows you to view the changes that were made in each policy installation, such as added, modified, or deleted rules, objects, se t tings, etc. You can also compare the changes between different policy installations and filter them by various criteria.

Install specific version: This function allows you to install a specific version of the policy from the history, which can be useful for reverting to a previous policy or testing different policies. You can also view the changes that will be applied by installing a sp e cific version before installing it. References:  R81 Security Management Administration Guide , page 85.

The back end database for Check Point R81 Management uses PostgreSQL, which is an open source relational database management system 2 .  MongoDB, MySQL, and DBMS are not used by Check Point R81 Management. References:  2 : Check Point Software, Getting Started, Database.

 The best way to display the correlated events generated by SmartEvent policies is to open a new tab in the SmartConsole / Logs & Monitor and select External Apps / SmartEvent. This will launch the SmartEvent GUI, which provides a comprehensive view of the network security events, including charts, reports, and timelines.  The SmartEvent GUI can also be accessed from a web browser using the SmartView web interface 1 . References:  Check Point R81 SmartEvent A d ministration Guide

 The default shell of Gaia CLI is clish. Clish stands for Command Line Interface Shell and it is a restrictive shell that controls the number of commands available in the CLI. Clish provides a user-friendly interface that supports command completion, history, and help functions. Clish also supports role-based administration, which means that different users can have different levels of access to Gaia features and commands based on their roles. 

 Gaia can be configured using the command line interface (CLI) or the WebUI. The CLI is a text-based interface that allows users to enter commands and view responses in a terminal window. The CLI can be accessed through a console connection, an SSH connection, or a Telnet connection. The WebUI is a graphical interface that allows users to configure Gaia settings through a web browser. The WebUI can be accessed by entering the IP address of the Gaia device in the browser’s address bar.

 FWD is a process that runs on both Security Management Server and Security Gateway. On Security Management Server, FWD handles logging and communication with SmartConsole.  On Security Gateway, FWD receives policy files from FWM (the policy compiler process on Security Management Server) and stores them in a temporary d i rectory before installing them on the firewall kernel 7 . Therefore, FWD is responsible for receiving policy files from FWM on Security Gateway side. The correct answer is A.

 In R81, more than one administrator can login to the Security Management Server with write permission at the same time. This feature is enabled by default and allows concurrent administration of the security policy. Every administrator works in a session that is independent of the other administrators. Changes made by one administrator are not visible to others until they are published. Administrators can also lock objects to prevent others from editing them until they are unlocked. References:  R81 Security Management Administration Guide , page 43.

 The correct command for checking the Deployment Agent status over the GAIA CLISH is “show installer status”. This command displays information about the Deployment Agent such as its version, status, last update time, and last operation result. The other commands are either inv a lid or irrelevant for this purpose. References: [Check Point Security Expert R81 Installation and Upgrade Guide], page 23.

The verified answer is B. Automatic proxy ARP configuration can be enabled.

Proxy ARP is a feature that allows a gateway to respond to ARP requests on behalf of another IP address that is not on the same network segment. Proxy ARP is required for manual NAT rules when the NATed IP addresses are not routed to the gateway 1 .

By default, proxy ARP for manual NAT rules has to be configured manually by edi t ing the local.arp file or using the CLISH commands on the gateway 2 . However, since R80.10, there is an option to enable automatic proxy ARP configuration for manual NAT rules by modifying the files $CPDIR/tmp/.CPprofile.sh and $CPDIR/tmp/.CPprofile.csh on the gateway 3 .

fw ctl proxy is a command that displays the proxy ARP table on the gateway, but it does not configure proxy ARP 4 .

Translate Destination on Client Side is a NAT option that determines whether the de s tination IP address is translated before or after the routing decision. It does not affect proxy ARP.

 In a Standalone deployment, a Check Point computer runs both the Security Gateway and Security Management Server products. This means that the same appliance performs both network security functions and security policy management functions. A Standalone deployment is suitable for small or branch offices that do not require a separate management server. References:  Check Point R81 Installation and Upgrade Guide , page 10

 By default, when the CPUSE Software Updates Policy is set to Automatic, updates are checked every three hours 3 . This means that the CPUSE agent will automatically download and install updates that match the policy settings every three hours.  The other options are not the default values for the CPUSE Software Updates Policy. References:  3 : Check Point Software, Getting Started, CPUSE Software Updates Policy.

In Management HA, you should use the active SmartConsole for making changes. The active SmartConsole is connected to the Primary Security Management Server, which is responsible for synchronizing the configuration with the Secondary Security Management Server. If you use the secondary SmartCenter, your changes will not be replicated to the primary SmartCenter and will be lost in case of a failover. References:  Check Point Resource Library , page 9

 In the Network policy layer, the default action for the Implied last rule is  drop  all traffic. However, in the Application Control policy layer, the default action is  accept  all traffic. The Implied last rule is a rule that is automatically added at the end of each policy layer and defines what to do with traffic that does not match any of the user-defined rules. The default actions for each policy layer can be changed in the Global Properties or in the layer properties. References:  R81 Security Management Administration Guide , page 30.

The correct statement about Security Gateway and Security Management Server failover in Check Point R81.X in terms of Check Point Redundancy driven solution is:  Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure . Security Gateway failover is a feature that allows a cluster of Security Gateways to provide high availability and load balancing for network traffic. If one Security Gateway fails or becomes unreachable, another Security Gateway in the cluster automatically takes over its role and handles the traffic without interrupting the service. Security Management Server failover is a feature that allows a backup Security Management Server to take over the role of the primary Security Management Server in case of failure or disaster. However, this feature requires manual intervention to activate the backup server and restore the database from a backup file. 

The Implicit Clean-up Rule is another name for the Clean-up Rule, which is the last rule in every policy layer. The Clean-up Rule defines the default action for traffic that does not match any of the preceding rules in the layer. The default action is to drop the traffic and log it, but it can be changed by the administrator. References:  Training & Certification | Check Point Software ,  Check Point Resource Library

The cloud-based SandBlast Mobile application that is used to register new devices and users is  Check Point Gateway . Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is  three . One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members.  This configuration provides optimal performance and security for Mobile Access traffic. 

According to the Check Point website, Capsule Connect and Capsule Workspace both offer secured connection for remote users who are using their mobile devices. However, there are differences between the two. For credential protection, Connect uses One-time Password login support and has no SSO support, whereas Workspace offers both One-Time Password and certain SSO login support. The other statements are either false or partially true. References: Capsule Connect and Capsule Workspace

 To ensure that VMAC mode is enabled, the CLI command that should be run on all cluster members is  fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1 . VMAC mode is a feature that allows ClusterXL to use virtual MAC addresses for cluster interfaces, instead of physical MAC addresses. This improves the failover performance and compatibility of ClusterXL with switches and routers. To check if VMAC mode is enabled, the command fw ctl get int fwha_vmac_global_param_enabled can be used, which returns 1 if VMAC mode is enabled, and 0 if VMAC mode is disabled. 

The command that lists all interfaces using Multi-Queue is  cpmq get . Multi-Queue is a feature that allows network interfaces to use multiple transmit and receive queues, which improves the performance and scalability of the Security Gateway by distributing the network load among several CPU cores. Cpmq is a command that allows administrators to configure and manage Multi-Queue settings on network interfaces. Cpmq get lists all interfaces using Multi-Queue and shows their queue count and core distribution. 

The process that handles connection from SmartConsole R81 is  cpm . Cpm stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. Cpm is responsible for managing policies, objects, logs, tasks, and other management functions.  The other processes are either obsolete or irrelevant for SmartConsole connection.

The command that lists firewall chain is  fw ctl chain 1 .  This command displays the list of chain modules that are registered on the Security Gateway 2 .  Chain modules are components of the Firewall kernel that inspect and process packets according to the security policy and other features 3 .  The o r der of the chain modules determines the order of the packet inspection and processing 3 .  The  fw ctl chain  command can help you troubleshoot connectivity or performance issues, or to verify that a feature is enabled or disabled on the Security Gateway 2 .  To run this command, you need to access the Security Gateway in expert mode and run  fw ctl chain 1 .

Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new CPU to replace the existing single core CPU. After installation, the administrator needs to perform some additional tasks for it to function properly.

The tasks that the administrator needs to perform are:

Go to Clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway

Go to SmartConsole | Install Security Policy

The first task is to enable and configure CoreXL, which is a performance enhancement feature that allows running multiple instances of the firewall kernel on multiple CPU cores. CoreXL can be enabled and configured via cpconfig, which is a utility that pr o vides a menu-based interface for various system settings. After enabling CoreXL, the administrator needs to reboot the Security Gateway for the changes to take effect.

The second task is to install the security policy on the Security Gateway via SmartCo n sole, which is a unified graphical user interface for managing Check Point products. I n stalling the security policy will activate the CoreXL instances and distribute the traffic among them. References:  R81 Performance Tuning Administration Guide , page 15;  R81 S e curity Management Administration Guide , page 83.

CoreXL is a performance-enhancing technology that enables the Security Gateway to utilize multiple CPU cores for processing traffic. CoreXL creates multiple instances of the Firewall ke r nel, each running on a separate CPU core. Each Firewall instance can handle traffic concurrently and independently, applying the same security policy to the packets that are assigned to it. CoreXL does not allow different policies per core, as this would create inconsistency and co m plexity in the security enforcement.

The references are:

Best Practices - Security Gateway Performance

Check Point Certified Security Expert R81.20 (CCSE) Core Training , slide 16

Check Point R81 Quantum Security Gateway Guide , page 42

 The TCP port that the CPM process listens on is 19009. The CPM process is the Check Point Management process that handles all management operations on the Security Management Server, such as policy installation, database synchronization, logging, etc. It communicates with other processes and clients using TCP port 19009. The other ports are used by different processes or services. TCP port 18191 is used by the FWM process for management communication. TCP port 18190 is used by the CPD process for inter-process communication. TCP port 8983 is used by the Solr process for SmartLog indexing. References: [Check Point Ports]

The solution to troubleshoot the issue of some Internet resources being unavailable is to run  fw ctl zdebug drop  on the relevant gateway 1 .  This command lists all dropped packets in real time and e x plains the reasons for the drop 2 .  It is a powerful tool that can help diagnose connectivity problems and firewall policy issues 3 .  To use this command, you need to access the gateway in expert mode and run  fw ctl zdebug + drop 2 .  You can also filter the output by using grep with an IP address or a keyword, for example:  fw ctl zdebug + drop | grep 10.10.10.10  or  fw ctl zdebug + drop | grep SYN 3 .  This command is a wrapper for the full debugs, and it will run the debug co m mands for you and will allow you to run debug from one debug module only 4 .  By default, it will use a small debug buffer but if you wish, you can provide the  -buf  option to use your own size 4 .  To stop the command, press Ctrl+C and then run  fw ctl debug 0  to reset the debug state 3 .

Note: Running this command may affect the performance of the firewall, so use it with caution and only when necessary 3 . References:  Solved: is it possible /supported to run fw ctl zdebug on … - Check … ,  How to use the fw ctl zdebug command to view drops on the Security Gateway ,  Troubleshooting dropped packets in Checkpoint using zdebug ,  “fw ctl zdebug” - Helpful Command Combinations - Check Point CheckMates

If an administrator wants to add manual NAT for addresses not owned by the Check Point firewall, they also need to add the proxy ARP configurations in a file called  $FWDIR/conf/local.arp . This file contains the mappings between the IP addresses and the MAC addresses of the NATed hosts. The proxy ARP feature allows the firewall to answer ARP requests on behalf of the NATed hosts and forward the traffic to them. The local.arp file needs to be edited manually and reloaded with the command  arp -f $FWDIR/conf/local.arp . References:  R81 Security Management Administration Guide , page 1014.

 The command to add users to or from existing roles is  add rba user < User Name > roles < List > . This command allows you to assign one or more roles to a user in the Gaia database. Roles are collections of permissions that define what actions a user can perform on the system. You can use predefined roles or create your own custom roles. To remove a role from a user, you can use the command  delete rba user < User Name > roles < List > . 

 Check Point and Third-party Gateways can establish a certificate-based Site-to-Site VPN tunnel if they have a mutually trusted certificate authority. This means that both gateways trust the same root CA or intermediate CA that issued their certificates. This way, they can authenticate each other using their certificates and establish a secure VPN tunnel. References:  Check Point Resource Library , page 5

The statement that is false in respect of the SmartConsole after upgrading the management server to R81.20 is that as far as you use version R80.40, no upgrade is needed due to compat i bility mode. This is false because SmartConsole R80.40 is not compatible with R81.20 manag e ment server and you need to upgrade your SmartConsole to R81.20 as well. The other stat e ments are true and valid ways to obtain the SmartConsole upgrade package. References: [Check Point Security Expert R81 Installation and Upgrade Guide], page 18.

You can establish a VPN before the user login to the Endpoint Client by enabling Machine Authent i cation in the Gateway object of the Smart Console 1 .  Machine Authentication is a feature that allows you to authenticate with a machine certificate and establish a VPN tunnel before the Windows L o gon 2 .  This feature provides the following benefits 2 :

It enhances the security of the VPN connection by verifying the identity of the machine b e fore allowing access to the network.

It simplifies the user experience by eliminating the need to enter credentials twice (once for the VPN and once for the Windows Logon).

It enables seamless connectivity to the network resources and domain services, such as Group Policy, login scripts, and mapped drives. Machine Authentication is supported on Check Point Endpoint Security Client for Windows with E80.71 and higher versions 2 .  It requires a hotfix on top of R77.30 jumbo 286 on the Security Gateway 2 .  To configure Machine Authentication, you need to do the following steps 2 :

Generate and distribute machine certificates to the Endpoint machines using a trusted Certi f icate Authority (CA).

Enable Machine Authentication in the Gateway object of the Smart Console and select the CA that issued the machine certificates.

Install policy on the Security Gateway and reboot it.

Enable Machine Authentication in the Endpoint Security Client and select the machine certif i cate to use.

 The command switch to specify the Gaia API context is  mgmt_cli --context gaia_api < Command > . This switch allows the user to execute Gaia OS commands through the management API.  The Gaia API context is different from the default management API context, which is used to execute commands related to the security policy and objects 1 . References:  Check Point R81 Management API Reference Guide

https://community.checkpoint.com/t5/General-Topics/Check-Point-Inspection-points-iIoO/td-p/34938

The default order of the " fw monitor " inspection points is:

i (input): this is the first inspection point, where packets enter the firewall.

l (local): this is the second inspection point, where packets are processed locally by the firewall, before being forwarded to the next hop.

o (output): this is the third inspection point, where packets are sent out to their final de s tination.

O (offload): this is the fourth inspection point, where packets are offloaded to hardware acceleration for faster processing.

 Check Point API is an interface that allows users to automate tasks and manage Check Point products using RESTful web service calls. Check Point API uses JSON format for requests and responses.  To create a new host object with the name “My Host” and IP address of “192.168.0.10”, users need to use the set host command with the name and ip-address parameters 6 . The command syntax is:

set host name “My Host” ip-address “192.168.0.10”

Therefore, the correct answer is A.

Access roles are objects that define a set of users, machines, or networks that can access a speci f ic network resource. You can create access roles based on any combination of the following cr i teria:

Users and user groups: You can use users and user groups from various sources, such as LDAP, RADIUS, local database, etc.

Computers or computer groups: You can use computers or computer groups that are identified by their IP address, MAC address, or hostname.

Networks: You can use networks that are defined by their IP address range, subnet mask, or gateway.

You can use access roles in the Source or Destination column of an Access Control rule to allow or deny network access based on the identity of the users, machines, or networks.

The references are:

Check Point Certified Security Expert R81.20 (CCSE) Core Training , slide 11

Check Point R81 Quantum Security Gateway Guide , page 139

Check Point R81 Identity Awareness Administration Guide , page 9

 Office mode is a feature that allows a security gateway to assign a remote client an IP address from a network that is protected by the security gateway. This way, the remote client can access resources on the internal network as if it was physically connected to it. The IP address is assigned to the r e mote client after the user authenticates for a tunnel, and it is routable, meaning that it can be reached by other hosts on the network.  Office mode is useful for scenarios where the remote client needs to use applications that rely on IP addresses, such as VoIP or file sharing 1 2 .

The correct command to verify the CPUSE (Check Point Update Service Engine) version is:

Option B is incorrect because it uses the " [Expert@HostName:0]# " prompt, which is typically used for expert mode commands, but the CPUSE version can be checked using the " show installer status build " command in standard mode.

Option C is incorrect because it uses the " [Expert@HostName:0]# " prompt, and while it includes the " build " parameter, it ' s not the standard command to check the CPUSE version.

Option D is incorrect because it uses the " HostName:0 > " prompt, but it lacks the " show " command and uses " build " instead of " status build. "

The main difference between SSL VPN (Secure Sockets Layer Virtual Private Network) and IPSec VPN (Internet Protocol Security Virtual Private Network) is in the way they operate:

SSL VPN typically does not require the installation of a resident VPN client. It often relies on a web browser to establish the VPN connection, making it more convenient for remote users who may not want to install dedicated VPN software.

IPSec VPN, on the other hand, often requires the installation of a resident VPN client on the user ' s device to establish the VPN connection. This client software is necessary for configuring and managing the VPN connection.

Option C, stating that SSL VPN and IPSec VPN are the same, is incorrect because they have distinct characteristics as described above.

Option A is incorrect because it inaccurately suggests that IPSec VPN does not require a resident VPN client, which is not true in most cases.

Option B is incorrect because it wrongly claims that SSL VPN requires the installation of a resident VPN client.

In SmartDashboard, Threat Prevention profiles can be assigned to one or more rules. This means that you can have multiple profiles assigned to a single gateway, and each of these profiles can be associated with one or more rules. This allows for granular control over threat prevention settings for different rules or scenarios.

The API command to create a new host with the name " New Host " and IP address " 192.168.0.10 " is:

This command adds a host object with the specified name and IP address to the Check Point configuration.

The purpose of a SmartEvent Correlation Unit is to evaluate logs from the log server component to identify patterns/threats and convert them to events. The SmartEvent Correlation Unit is a software module that runs on the SmartEvent server or on a dedicated server. It applies correlation rules and logic to the logs received from various sources, such as security gateways, endpoints, or third-party devices. It then generates events that represent security incidents or trends that require attention or action. References:  Check Point Security Expert R81 Course ,  SmartEvent Administration Guide

The Correlation Unit in SmartEvent architecture has the function of analyzing each log entry as it arrives at the log server according to the Event Policy. When it identifies a threat pattern, it forwards an event to the SmartEvent Server. This is an essential function in threat detection and analysis, as it helps in identifying and alerting about security threats based on the configured policies.

Option A correctly describes the function of the Correlation Unit, making it the verified answer.

 User-mode processes are processes that run in the user space of the operating system, as opposed to kernel-mode processes that run in the kernel space. User-mode processes are usually less priv i leged and have less access to system resources than kernel-mode processes. Check Point products use both user-mode and kernel-mode processes to provide various functionalities and services.

The following are some of the user-mode processes that can be seen on the management server and gateway:

fwd : This process is responsible for policy installation, logging, and communication with ot h er Check Point components. It runs on both the management server and gateway.

cpd : This process is responsible for licensing, certificate management, and communication with SmartConsole. It runs on both the management server and gateway.

cpwd : This process is responsible for monitoring and restarting other processes. It runs on both the management server and gateway.

The following is a user-mode process that can only be seen on the management server:

fwm : This process is responsible for managing the security policy database, compiling the security policy, and generating reports. It runs only on the management server.

Therefore, the correct answer is B.

The formats in which Threat Emulation forensics reports can be viewed in are  PDF, HTML, and XML . Threat Emulation is a feature that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior. Threat Emulation generates forensics reports that provide detailed information about the emulated files, such as verdict, severity, activity summary, screenshots, network activity, registry activity, file activity, and process activity. These reports can be viewed in PDF, HTML, or XML formats from SmartConsole or SmartView.

 The deployment of Check Point API does not have the purpose of creating a customized GUI Client for manipulating the objects database. The Check Point API is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The Check Point API can be used to execute an automated script to perform common tasks, create products that use and enhance the Check Point solution, and integrate Check Point products with 3rd party solutions.  However, creating a customized GUI Client for manipulating the objects database is not a supported or intended use case of the Check Point API. 

The main stages of a policy installation are Verification, Compilation, Transfer, and Commit. Ver i fication is the stage where the policy is checked for syntax errors and conflicts. Compilation is the stage where the policy is translated into a binary format that can be executed by the Se cur i ty Gateway. Transfer is the stage where the policy is sent from the Security Management Server to the Security Gateway.  Commit is the stage where the policy is activated on the Security Gat e way 3 . References:  Check Point R81 Security Management Guide

To determine the cause of a cluster gateway showing " Down " despite running " clusterXL_admin up " on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

SandBlast appliances can be deployed in the following modes:

C. Inline/prevent or detect

SandBlast appliances can be deployed in an inline mode where they actively inspect and prevent or detect malicious traffic. In this mode, the appliance sits in the network traffic path and can take actions to block or detect threats in real-time.

The FWD daemon uses TCP port 256 to do a Full Synchronization between gateway cluster members. This port is also used for other synchronization types, such as Delta Synchronization and Accelerated Synchronization. The FWD daemon is responsible for synchronizing the connections table, NAT table, and VPN keys between cluster members. References: ClusterXL Administration Guide, SK25977 - Ports Used by Check Point Software

SecureXL is a technology that improves the performance of Security Gateway by offloading the pr o cessing of some packets from the Firewall kernel to the SecureXL device driver 1 .  SecureXL can handle packets in three different paths, depending on the type and state of the packet 2 :

Firewall Path: This is the slowest path, where packets are processed by the Firewall kernel and all the inspection blades. This path is used for packets that require full inspection, such as the first packet of a connection, packets that match a rule with a UTM blade, or packets that are not eligible for acceleration.

Accelerated Path: This is the fastest path, where packets are processed by the SecureXL d e vice driver and bypass the Firewall kernel. This path is used for packets that belong to an established connection that is marked for acceleration, and do not require any further inspection by the Firewall or other blades.

Medium Path: This is a hybrid path, where packets are processed by both the SecureXL d e vice driver and the Firewall kernel, but skip some inspection steps. This path is used for packets that belong to an established connection that is not marked for acceleration, but do not require full i n spection by all the blades.

The other options are not correct because:

A. Initial Path; Medium Path; Accelerated Path: There is no such thing as Initial Path in S e cureXL terminology. The initial packet of a connection is always handled by the Firewall Path.

B. Layer Path; Blade Path; Rule Path: These are not paths of traffic flow, but components of the unified policy in R80 and above versions.  The Layer Path refers to the order of layers in the policy, the Blade Path refers to the order of blades within a layer, and the Rule Path refers to the order of rules within a blade 3 .

C. Firewall Path; Accept Path; Drop Path: These are not paths of traffic flow, but possible a c tions that the Firewall can take on a packet. The Firewall Path is one of the paths of traffic flow, but the Accept Path and Drop Path are not.  The Accept Path means that the packet is allowed to pass through the Firewall, and the Drop Path means that the packet is blocked by the Firewall 4 .

Dynamic Dispatch is a feature that enhances CoreXL performance by dynamically assigning new co n nections to CoreXL FW instances based on their CPU utilization 1 .  To enable Dynamic Dispatch on S e curity Gateway without enabling Firewall Priority Queues (FPQ), you need to run the command  fw ctl multik set_mode 4  in Expert mode and reboot 2 . This command will set the CoreXL mode to Dynamic Dispatcher without FPQ. The other options are not correct because:

A. fw ctl Dyn_Dispatch on: This command does not exist and will return an error message.

B. fw ctl Dyn_Dispatch enable: This command does not exist and will return an error message.

D.  fw ctl multik set_mode 1: This command will set the CoreXL mode to Static Dispatcher without FPQ, which is the default mode 2 . This mode will use a static hash function to assign new connections to CoreXL FW instances based on their IP addresses and protocol.

Capsule Connect is a full layer 3 VPN client that provides secure and seamless remote access to corporate networks from iOS and Android devices. It supports all VPN authentication methods, such as certificates, passwords, tokens, and challenge-response. It also supports split tunneling and seamless roaming. References:  Capsule Connect Datasheet ,  Capsule Connect Administration Guide

  Log Consolidator  is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

The Access Control policy supports two policy layers. These are the Network layer and the Applic a tion & URL Filtering layer. The Network layer contains rules that control the network traffic based on the source, destination, service, and action.  The Application & URL Filtering layer contains rules that control the application and web access based on the application, site category, and user identity 1 2 .

The Access Control policy can also use inline layers, which are sub-policies that are embedded within a rule.  Inline layers allow more granular control over specific traffic or scenarios, such as VPN, Mobile Access, or different user groups 1 3 .  However, inline layers are not considered as separate policy layers, but rather as extensions of the parent rule 4 .

Therefore, the correct answer is A. The Access Control policy supports two policy layers.

The tool that is used to enable ClusterXL is cpconfig.  ClusterXL is a software-based Load Sharing and High Availability solution that distributes network traffic between clusters of redundant Security Gateways 1 .  ClusterXL can be enabled on Check Point Security Gateways running on Gaia OS, S e curePlatform OS, IPSO OS, or X-Series XOS 2 .

To enable ClusterXL, the administrator must run the cpconfig command on each cluster member and select the option to enable ClusterXL. This will prompt the administrator to choose the ClusterXL mode (High Availability or Load Sharing) and the Cluster Control Protocol (CCP) mode (Broadcast or Multicast).  After enabling ClusterXL, the administrator must reboot the cluster members for the changes to take effect 3 4 .

Therefore, the correct answer is B. The tool that is used to enable ClusterXL is cpconfig.

 Application Control is the software blade that provides Application Security and identity control. It allows administrators to define granular policies based on users or groups to identify, block or limit the usage of web applications and widgets. Application Control also integrates with Identity Awareness to provide user-level visibility and control. References:  Training & Certification | Check Point Software ,  Check Point Resource Library

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address.  Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions.  Security Gateway is the device that inspects and filters network traffic according to the security policies. 

 For Stateful Mode configuration, chain modules marked with  2  will not apply. Stateful Mode configuration is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. Chain modules are firewall kernel modules that perform various security functions, such as VPN, IPS, QoS, etc. Each chain module is associated with a key, which specifies the type of traffic applicable to the chain module. The key can be one of the following values: 0 for all packets, 1 for stateful packets, 2 for stateless packets, and 3 for no match packets. For Stateful Mode configuration, only chain modules with key 0 or 1 will apply, as they handle all packets or stateful packets. Chain modules with key 2 will not apply, as they handle stateless packets, which are not relevant for Stateful Mode configuration.

The path to monitor the compliance status of the Check Point R81.20 based management is Logs & Monitor > New Tab > Open compliance View. Compliance View is a feature that allows administrators to monitor and assess the compliance level of their Check Point products and security policies based on best practices and industry standards. Compliance View provides a dashboard that shows the overall compliance status, compliance score, compliance trends, compliance issues, compliance reports, and compliance blades for different security aspects, such as data protection, threat prevention, identity awareness, etc. To access Compliance View in R81.20 SmartConsole, administrators need to go to Logs & Monitor > New Tab > Open compliance View. The other options are either incorrect or not available in R81.20.

Ken can use either of the two commands lock database override or unlock database to obtain a configuration lock from another administrator on R81 Security Management Server via CLI. These commands allow him to override the existing lock and gain exclusive access to the database. He can also use the WebUI to perform the same action. References:  Training & Certification | Check Point Software ,  New Courses and Certificates for R81.20 - Check Point CheckMates

According to the Check Point website, you can use the pre_upgrade_verifier tool to verify if your management server is ready to upgrade to R81.20. This tool checks the compatibility of your current configuration and database with the target version, and provides a detailed report of any issues or warnings. The other tools are either used for exporting or importing databases, or not valid tools. References: Upgrade Verification Service

SecureXL Templating is a feature that accelerates the processing of packets that belong to the same connection or session by creating a template for the first packet and applying it to the subsequent packets. SecureXL Templating is precluded by factors that prevent the creation of a template, such as source port ranges, encrypted connections, NAT, QoS, etc.   References:  SecureXL Mechanism

The cphaconf set_ccp multicast command is used to set the Cluster Control Protocol (CCP) to Multicast mode. This mode allows cluster members to communicate with each other using multicast packets. The other commands are either incorrect or set the CCP to Broadcast mode.   References:  ClusterXL Administration Guide

 Connections to the Check Point R81 Web API use the HTTPS protocol. The Web API is a RESTful web service that allows you to perform management tasks on the Security Management Server using HTTP requests.   References:  Check Point Management APIs

 Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions . References: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

Sticky Decision Function (SDF) is a feature that ensures that VPN traffic is handled by the same core on a Security Gateway with multiple CPU cores. This improves the performance and stability of VPN tunnels by avoiding out-of-order packets and reducing encryption overhead. However, the limitation of employing SDF is that acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF. This means that SDF may reduce the overall throughput and scalability of the Security Gateway. Therefore, SDF should be used only when necessary and only on gateways that are dedicated to VPN traffic. References:  R81 Performance Tuning Administration Guide

NAT rules are prioritized in the following order:

Automatic Static NAT: This is the highest priority NAT rule and it translates the source or de s tination IP address to a different IP address without changing the port number. It is configured in the network object properties.

Automatic Hide NAT: This is the second highest priority NAT rule and it translates the source IP address and port number to a different IP address and port number. It is configured in the ne t work object properties.

Manual/Pre-Automatic NAT: This is the third highest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase before the automatic NAT rules.

Post-Automatic/Manual NAT rules: This is the lowest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase after the automatic NAT rules.

The statement that is correct about the Sticky Decision Function is  It is not supported with either the Performance pack of a hardware based accelerator card . The Sticky Decision Function (SDF) is a feature that ensures that packets from the same connection are handled by the same cluster member in a Load Sharing configuration.  However, SDF is not compatible with SecureXL acceleration, which is enabled by default or by using a Performance pack or a hardware based accelerator card 4 . The other statements are either incorrect or outdated about SDF. References:  Check Point R81 ClusterXL Administration Guide ,  Sticky Decision Function - Check Point CheckMates

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References:  R81 Mobile Access Administration Guide

 Sticky Decision Function (SDF) is required to prevent asymmetric routing in an Active-Active cluster. Asymmetric routing occurs when packets from a source to a destination follow a different path than packets from the destination to the source. This can cause problems with stateful inspection and NAT.  SDF ensures that packets from the same connection are handled by the same cluster member 1 . References:  Check Point R81 ClusterXL Administration Guide

 You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an  Inspect  or  Bypass  action for the file types.  The Inspect action means that the file will be sent to the Threat Emulation engine for analysis, and the Bypass action means that the file will not be sent and will be allowed or blocked based on other Threat Prevention blades 1 . The other options are not valid actions for file types in Threat Prevention profiles. References:  Check Point R81 Threat Prevention Administration Guide

 The API command  add host name < New HostName > ip-address < ip address >  can be used in a script to create 100 new host objects with different IP addresses. This command adds a new host object with the specified name and IP address to the database. The other commands are either not valid or not suitable for creating new host objects. References: Check Point - Management API reference

Check Point’s FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark.

The cpinfo tool generates a R81 Security Gateway configuration report that includes information about the hardware, operating system, product version, patches, and configuration settings.   References:  cpinfo - Check Point Support Center

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

The fw ctl affinity -l -a -r -v command is the most accurate CLI command to get info about assignment (FW, SND) of all CPUs in your SGW. This command displays the affinity settings of all interfaces and processes in a verbose mode, including the Firewall (FW) and Secure Network Distributor (SND) instances.   References:  CoreXL Administration Guide

 Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances.   References:  SecureXL Mechanism

The API server is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. You can verify that the API server is responding by using the following command in Expert mode:

This command will display the current status of the API server, such as running, stopped, or initializing. It will also show the API version, port number, and SSL certificate information. References:  Check Point R81 REST API Reference Guide

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

The Event List within the Event tab contains  events generated by a query . The Event List shows the events that match the query criteria, such as time range, filter, and aggregation.  The events can be sorted by different columns, such as severity, time, action, and source 3 . The other options are either not part of the Event tab or not related to the Event List. References:  Check Point R81 Logging and Monitoring Administration Guide

 Check Point Central Deployment Tool (CDT) communicates with the Security Gateway / Cluster Members over Check Point SIC using TCP port 18191 by default. CDT is a tool that allows you to perform simultaneous configuration changes on multiple gateways or clusters using predefined commands or scripts.   References:  Check Point Central Deployment Tool (CDT)

 Threat Extraction is a technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more), rather than determining their maliciousness.  By cleaning the file before it enters the organization, Threat Extraction preemptively prevents both known and unknown threats, providing better protection against zero-day attacks 1 .  Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast 2 . The other options are either incorrect or irrelevant to the mechanism behind Threat Extraction. References:  Threat Extraction (CDR) - Check Point Software ,  Check Point Document Threat Extraction Technology

To fully enable Dynamic Dispatcher on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled without Firewall Priority Queues. Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Dynamic Dispatcher can improve the throughput and scalability of the Security Gateway, especially for traffic that is not accelerated by SecureXL. The other commands are not valid or do not enable Dynamic Dispatcher. References:  R81 Performance Tuning Administration Guide

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of " Wire Mode " .

The command  cphaprob igmp  can be used to display the Multicast MAC address of a cluster.  This command shows the IGMP (Internet Group Management Protocol) information for each cluster interface, including the VRID (Virtual Router ID), the Multicast IP address, and the Multicast MAC address 3 . The other commands do not show the Multicast MAC address information. References:  Check Point R81 ClusterXL Administration Guide

 Tom will need two machines to install Check Point R81 in a distributed deployment, if he does not include a SmartConsole machine in his calculations. A distributed deployment consists of a Security Management Server that manages one or more Security Gateways. Therefore, Tom will need one machine for the Security Management Server and another machine for the Security Gateway. The other options are either too few or too many machines for a distributed deployment. References: Check Point R81 Installation and Upgrade Guide

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member.   References: [ClusterXL Administration Guide]

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts.   References:  Anti-Bot Software Blade

SmartView is a web-based application that allows you to view and analyze logs, reports, and events from multiple Check Point products. You can access SmartView by using the following URL:

You need to use HTTPS protocol and the default port 443. You also need to enter the IP address of the Security Management Server that hosts the SmartView application. You cannot use the host name of the Security Management Server or a different port number. References:  SmartView R81 Administration Guide

 For ClusterXL to work properly, one of the mandatory requirements is that the  Magic MAC number  must be unique per cluster node. The Magic MAC number is a MAC address that is used by ClusterXL to hide the physical MAC addresses of the cluster members from the network. This way, the cluster can present a single virtual MAC address to the network, and avoid ARP issues when a failover occurs. The Magic MAC number is derived from the Cluster Virtual IP address, which must also be unique per cluster. 

The command cphaprob all show stat is not related to redundancy and functions. This command does not exist in ClusterXL or VRRP. The other commands are valid commands for checking the status of cluster members, interfaces, and synchronization. ClusterXL and VRRP are both high availability solutions that provide redundancy and load balancing for Check Point gateways. References:  Check Point Security Expert R81 Course , ClusterXL Administration Guide, VRRP Administration Guide

Threat Extraction is a software blade that delivers PDF versions of original files with active content removed. Active content, such as macros, scripts, or embedded objects, can be used by attackers to deliver malware or exploit vulnerabilities. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. References:  Check Point Security Expert R81 Course , Threat Extraction Administration Guide

The correct command to store the GAIA configuration in a file is  save configuration < filename > 1 .  This will create a file with the current system level configuration in the home directory of the current user 1 .  The other commands are incorrect because they either do not exist or do not save the configuration to a file. References:  1 : Backing up Gaia system level configuration(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= & solutionid=sk102234)

 The best way to block .exe and .bat file types using Threat Emulation technologies is to  enable DLP and select .exe and .bat file type . DLP stands for Data Loss Prevention, and it is a feature that allows administrators to define rules and actions to protect sensitive data from unauthorized access or transfer. One of the DLP rule conditions is File Type, which can be used to block or alert on specific file types, such as .exe and .bat, that may contain malicious code or scripts. The other options are either not related to Threat Emulation technologies, or not effective in blocking .exe and .bat file types. 

The directory /opt/CPsuite-R81/fw1/log contains the log files for the Security Gateway, such as fir e wall, VPN, IPS, and anti-virus logs 1 .  These log files can be viewed and analyzed using SmartConsole or SmartView 2 . The other directories are not correct because:

A.  The directory /opt/CPSmartlog-R81/log contains the log files for the SmartLog server, which is a separate component that indexes and searches the logs from multiple Security Gateways 3 .

B.  The directory /opt/CPshrd-R81/log contains the log files for the shared components of the Check Point suite, such as cpwd, cpca, cpd, and cpwatchdog 4 .

D. The directory /opt/CPsuite-R81/log does not exist by default and is not used for logging purposes.

The command vpn tu tlist shows detailed information about VPN tunnels, such as the peer IP address, encryption domain, IKE phase 1 and phase 2 status, encryption algorithm, and tunnel uptime. The command vpn tu is an interactive tool that allows users to list, delete, or reconnect VPN tunnels. The command cpview is a real-time performance monitoring tool that shows various statistics about the system and network. References: VPN Administration Guide, SK97638 - What is cpview Utility and How to Use it

The feature that provides Full Layer3 VPN –IPSec VPN, giving users network access to all mobile applications, is the correct answer.

Capsule Connect/VPN is used to establish secure VPN connections for mobile devices, and the Full Layer3 VPN (IPSec VPN) option provides comprehensive network access.

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to co m municate between cluster members. CCP has two main functions: Health Check and State Synchron i zation. Health Check is the mechanism that monitors the status and availability of each cluster me m ber and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchroniz a tion messages. The other options are not correct because:

A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Ser v ers.

B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.

D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in Clu s terXL.

 The  fwaccel stat  command on the gateway shows the status of SecureXL acceleration, including the number of accelerated and non-accelerated connections, and the reason for non-acceleration. The reason for non-acceleration can be either a rule that disables templating, or a feature that is not supported by SecureXL. To determine which rule disables templating, the administrator can use the  -s  option to show the rule numbers and names. For example:

When an encrypted packet is received by a Check Point Security Gateway, it is decrypted according to the security policy. The security policy defines the rules and settings for encryption and decryption of traffic, such as the encryption algorithm, the encryption domain, the pre-shared secret or certif i cate, etc. The security policy is enforced by the Firewall kernel, which is responsible for decrypting the packets before passing them to the inbound chain for further inspection. The inbound chain consists of various inspection modules that apply security checks and actions on the decrypted packets. The outbound chain is the reverse process, where the packets are inspected and then encrypted accor d ing to the security policy before being sent out.

Check Point API is a set of web services that enable the usage of functions and commands in a d y namic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality.  According to the Check Point Resource Library 1 , the following are the types of Check Point API available in R81.x:

Identity Awareness Web Services : This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest regi s tration, captive portal, identity agents, etc.

OPSEC SDK : This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.

Management : This type of API allows external applications to perform management oper a tions on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote a c cess to corporate resources from various devices. Mobile Access uses SSL VPN technology and su p ports different authentication methods and access scenarios.

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References:  Check Point Security Expert R81 Course ,  Threat Emulation Administration Guide

VPN Link Selection is a feature that allows the Security Gateway to select the best link for each VPN tunnel based on the network topology and the Link Selection configuration 1 .  When the primary VPN link goes down, the Firewall can update the Link Selection entries to start using a different link for the same tunnel, as long as the remote peer supports this feature and has multiple IP addresses co n figured 2 . This way, the VPN tunnel can be maintained without interruption or renegotiation. The ot h er options are not correct because:

Firewall

A. The Firewall will not drop the packets, but will try to send them over another link if poss i ble.

Firewall

C. The Firewall will not send out the packet on all interfaces, but will use the routing table to determine the best interface for each destination.

Firewall

D. The Firewall will not inform the client that the tunnel is down, but will try to keep the tu n nel up by switching to another link.

Management HA is a feature that allows the Security Management server to have one or more bac k up Standby Security Management servers that are ready to take over in case of failure 1 . The Active Security Management server is the one that handles all the management operations, such as policy installation, object creation, configuration backup, etc. The Standby Security Management servers are synchronized with the Active Security Management server and store the same data, such as dat a bases, certificates, CRLs, etc.  The Standby Security Management servers can also perform some ope r ations, such as fetching a Security Policy or retrieving a CRL 1 .

To make changes to the system, such as editing objects or policies, the administrator needs to co n nect to the Active Security Management server. This is because the Active Security Management server is the only one that can modify the data and synchronize it with the Standby Security Ma n agement servers.  The administrator can use SmartConsole to connect to the Active Security Ma n agement server by entering its IP address or hostname 1 . The administrator can also use SmartDas h board to connect to the Active Security Management server by selecting Policy > Management High Availability.  This shows information about the Security Management server that includes its peers - displayed with the name, status and type of Security Management server 1 .

The other options are incorrect because:

A. secondary Smartcenter: This is a synonym for a Standby Security Management server, which cannot be used to make changes to the system.

C. connect virtual IP of Smartcenter HA: This is not a valid option because there is no virtual IP for Smartcenter HA. Each Security Management server has its own IP address and hostname.

D. primary Smartcenter: This is a synonym for the Active Security Management server, but it is not the correct term to use. The term primary implies that there is only one Active Security Ma n agement server, which is not true.  The administrator can put the Active Security Management server on standby and promote a Standby Security Management server to active at any time 1 .

 The main stages of a policy installation are Verification & Compilation, Transfer and Commit. Verification & Compilation is the stage where the Security Management Server checks the validity and consistency of the policy and compiles it into a binary format. Transfer is the stage where the compiled policy is sent to the Security Gateways over a secure channel. Commit is the stage where the Security Gateways activate the new policy and update their connections table accordingly. References:  Check Point Security Expert R81 Course ,  Policy Installation Process

Threat Extraction (Answer B): Threat Extraction always delivers a file, but it removes potentially malicious content from the file before delivering it to the user. It is designed to provide a safe version of the file quickly, taking less than a second to complete.

Threat Emulation (Option A): Threat Emulation does not deliver the original file to the user until it has been thoroughly analyzed for threats. It may take more than 3 minutes to complete the analysis. The emphasis here is on safety and thorough inspection, which may result in a longer processing time.

Therefore, Option B correctly describes the main difference between Threat Extraction and Threat Emulation.

In the context of Check Point remote access clients and Office Mode, the correct answer is:

A. SecuRemote: SecuRemote is a Check Point remote access client that does not provide an Office-Mode Address. Office Mode is a feature that assigns a unique IP address from a designated IP pool to remote users when they connect to the corporate network. SecuRemote does not support this feature.

B. Endpoint Security Suite, C. Endpoint Security VPN, and D. Check Point Mobile are remote access clients that support Office Mode and can provide an Office-Mode Address to remote users.

Therefore, option A is the correct answer as it correctly identifies a remote access client that does not provide an Office-Mode Address.

The cvpnd_restart command is used to restart the daemon after making modifications to the $CVPNDIR/conf/cvpnd.C file. The cvpnd daemon is responsible for managing the communication between the Check Point components and the Content Vectoring Protocol (CVP) server. The CVP server is an external server that provides content inspection and filtering services for Check Point gateways. The $CVPNDIR/conf/cvpnd.C file contains the configuration settings for the cvpnd daemon, such as the CVP server IP address, port number, timeout value, and debug level. References:  Check Point Security Expert R81 Course , Content Inspection Using ICAP, cvpnd daemon debug file

In a Cpinfo (Checkpoint information) command, various information is collected from a Security Gateway. However, firewall logs are NOT collected from a Security Gateway in a Cpinfo.

A. Firewall logs

The Cpinfo command typically collects information such as configuration and database files, system message logs, OS and network statistics, but it does not include firewall logs. Firewall logs are usually obtained separately using other methods or tools.

The blades of Threat Prevention in Check Point include:

Intrusion Prevention System (IPS)

AntiVirus

AntiBot

SandBlast Threat Emulation/Extraction

So, the correct answer is D, which includes all the mentioned blades.

The correct syntax to import a host object using mgmt_cli is  mgmt_cli add host name < name > ip-address < ip-address > --format < format > 1 . The name and ip-address parameters are mandatory, while the format parameter is optional and can be either json or txt.  The other options are incorrect because they either use wrong parameters, wrong hyphens, or wrong object types. References:  1 : Check Point Resource Library 2

Threat Emulation downloads packages by default once per day. The packages contain updates for the Threat Emulation engine, signatures, and images. The download frequency can be changed in the Threat Prevention policy settings. References:  Threat Emulation Administration Guide ,  Threat Prevention R81 Release Notes

NAT (Network Address Translation) is one item that will not be configured on the R81 Security Management Server when setting up an externally managed log server. NAT is a technique that allows devices with private IP addresses to communicate with devices with public IP addresses by translating the private addresses to public ones. NAT is not relevant for configuring an externally managed log server, which requires only the IP address, SIC (Secure Internal Communication), and FQDN (Fully Qualified Domain Name) of the log server. References:  Check Point Security Expert R81 Course ,  Logging and Monitoring Administration Guide

 Mobile Access is not part of the SandBlast component. Mobile Access is a software blade that provides secure remote access to corporate resources from various devices, such as smartphones, tablets, and laptops. Mobile Access supports different connectivity methods, such as SSL VPN, IPsec VPN, and Mobile Enterprise Application Store (MEAS). Mobile Access also integrates with Mobile Threat Prevention (MTP) to protect mobile devices from malware and network attacks. References:  Check Point Security Expert R81 Course , Mobile Access Administration Guide, SandBlast Mobile Datasheet

When simulating a problem on a ClusterXL cluster with the command " cphaprob –d STOP -s problem -t 0 register " to initiate a failover on an active cluster member, you can use the command " cphaprob –d STOP unregister " to remove the problematic state and return the cluster to normal operation.

Option A correctly identifies the command that allows you to remove the problematic state, making it the verified answer.

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

The correct steps to configure the HTTPS Inspection Policy in Check Point R81 are as follows 1 :

Go to  Manage & Settings > Blades > HTTPS Inspection > Configure  in SmartDashboard.

Enable  HTTPS Inspection  and select the  Policy  tab.

Create a new  HTTPS Inspection Layer  or edit an existing one.

Define the  rules  for inspecting HTTPS traffic based on the source, destination, service, and action.

Install the  policy  on the relevant gateways.

The other options are incorrect because they either use wrong blade names, wrong menu options, or wrong configuration steps. References:  1 : LAB:25 How to Configure HTTPS Inspection in Check Point Firewall R81(https://www.youtube.com/watch?v=NCvV7-R9ZgU)

In R81.20, dbedit scripts are being replaced by the mgmt_cli utility for managing and configuring security policies and objects. Here ' s an explanation of each option:

A. dbedit is not supported in R81.20: This is not entirely accurate. While dbedit is still available and functional in R81.20, it is being phased out in favor of mgmt_cli for policy and object management.

B. dbedit is fully supported in R81.20: This statement is not accurate because although dbedit can still be used, it is not the primary recommended tool for policy management in R81.20.

C. You can use dbedit to modify threat prevention or access policies, but not create or modify layers: This statement is partially true, but it does not provide the complete picture. You can use dbedit for some policy-related tasks, but it ' s not the primary tool for policy management in R81.20.

D. dbedit scripts are being replaced by mgmt_cli in R81.20: This is the correct and recommended approach. mgmt_cli is the primary tool for managing security policies and objects in R81.20, and it is gradually replacing dbedit for these tasks.

Therefore, option D is the most accurate and recommended answer.

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References:  Check Point Security Expert R81 Course , SOLR Troubleshooting

 The cpinfo command is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The cpinfo output can be used for troubleshooting or sent to Check Point support for analysis. The -x parameter is used to get information about the specified Virtual System on a VSX gateway. A Virtual System is a virtualized firewall instance that runs on a VSX gateway and has its own security policy and objects. References:  Check Point Security Expert R81 Course ,  cpinfo Utility ,  VSX Administration Guide

Implicit MEP (Multicast Ethernet Point) options refer to the way multicast traffic is handled within a network. In this case, the question is asking about an implicit MEP option, and the correct answer is:

A. Primary-backup: This is an implicit MEP option where one switch (primary) forwards multicast traffic while the other switch (backup) does not forward the traffic. It is used to ensure redundancy in case the primary switch fails.

B. Source address-based, C. Round-robin, and D. Load Sharing are not implicit MEP options; they are different methods of handling multicast traffic and do not describe the concept of primary-backup.

Therefore, option A is the correct answer as it represents an implicit MEP option.

Automation and Orchestration differ in that automation relates to codifying tasks, whereas orchestration relates to codifying processes. Automation is the process of converting manual tasks into executable scripts or programs that can be run by machines or software agents. Orchestration is the process of coordinating multiple automated tasks into a coherent workflow that achieves a desired outcome or goal. Orchestration can also involve integrating different systems, tools, and services through web service interactions such as XML and JSON. References:  Check Point Security Expert R81 Course , Automation & Orchestration Administration Guide