Free and Premium Checkpoint 156-215.81 Dumps Questions Answers

The Object Explorer is the part of SmartConsole that allows administrators to add, edit, delete, and clone objects. Objects are entities that represent network elements, such as hosts, networks, gateways, services, users, etc. The Object Explorer provides a tree view of all the objects in the database and allows searching, filtering, and grouping them2. References: Check Point R81 SmartConsole R81 User Guide

The BEST way to tune the profile in order to lower the CPU load still maintaining security at good level is to set the Performance Impact to Medium or lower. This will reduce the number of packets that are inspected by the Threat Prevention blades, while still providing a high level of protection . Setting High Confidence to Low and Low Confidence to Inactive will lower the security level, as it will allow more traffic that may be malicious. The problem is likely with the Threat Prevention Profile, as it can have a significant impact on the CPU utilization of the Security Gateway. Adding more memory to the appliance will not solve the problem, as memory is not the bottleneck in this case. Setting the Performance Impact to Very Low Confidence to Prevent will increase the CPU load, as it will inspect more packets and block more traffic that may be false positives.

References: Threat Prevention Administration Guide, Check Point R81.10

Resource is NOT an objects category in SmartConsole1, p. 18. The objects categories in SmartConsole are Network Object, Host, Network, Group, Gateway, Cluster, VPN Community, Service, Time Object, Access Role, Custom Application / Site, Data Center Object, Limit. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point SmartConsole R81 Help]

When a SAM rule is required on Security Gateway to quickly block suspicious connections which are not restricted by the Security Policy, the administrator needs to take the following action: SmartView Monitor should be opened and then the SAM rule/s can be applied immediately. Installing policy is not required. SAM stands for Suspicious Activity Monitoring and is a feature that allows administrators to block or limit connections from specific sources or destinations without modifying the security policy. SAM rules can be created from SmartView Monitor or SmartEvent based on real-time network activity or security events. References: [Check Point R81 SmartView Monitor Administration Guide]

Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. This option allows the administrator to select which tunnels should be permanent and which should be established on demand. The other options are not valid, as they do not match the available choices in the VPN community settings.

References: [VPN Administration Guide], [Check Point R81.10]

When doing a Stand-Alone Installation, you would install the Security Management Server with none of the other Check Point architecture components. A Stand-Alone Installation is a type of installation that combines the Security Management Server and the Security Gateway on one computer or appliance3, p. 14. SmartConsole, SecureClient, and SmartEvent are not Check Point architecture components, but software applications that can be installed separately. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Installation and Upgrade Guide R81]

Accounting is the option in tracking that allows you to see the amount of data passed in the connection. Accounting tracks the number of bytes and packets for each connection and generates reports based on the collected data. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 14.

This answer is correct because this is the recommended way to configure a VPN tunnel between two subnets and not all subnets defined in the default VPN domain of your gateway1. By creating a dedicated VPN Community, you can specify the VPN peers and the encryption settings for the VPN tunnel2. By selecting the local gateway in the Community, you can set the VPN Domain to ‘User defined’ and put in the local network that you want to include in the VPN tunnel1. This way, you can limit the VPN traffic to the subnets that you want and avoid unnecessary encryption and decryption of other traffic.

The other answers are not correct because they are either outdated or incorrect ways to configure a VPN tunnel between two subnets. Answer A and C are outdated methods that involve editing the user.def file, which is not recommended and can cause problems with the VPN configuration3. Answer D is incorrect because creating an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA will not affect the VPN tunnel establishment, but only the access control policy4. The VPN column in the rule is used to specify the VPN direction, not the VPN Community name4.

How to configure a Site-to-Site VPN with a universal tunnel

Site to Site VPN R81 Administration Guide - Check Point Software

How to configure a Site-to-Site VPN with a 3rd-party remote gateway

Access Control Policy R81 Administration Guide - Check Point Software

 It is possible to have more than one administrator connected to a Security Management Server at once, but objects edited by one administrator will be locked for editing by others until the session is published. This feature is called concurrent administration and it allows multiple administrators to work on the same security policy at the same time. However, when one administrator edits an object, such as a gateway, a rule, or a network, that object is locked for other administrators until the change is published or discarded. The lock icon shows which objects are being edited by other administrators and prevents conflicts or overwrites.References: [Concurrent Administration], [SmartConsole Overview]

The answer is B because in R80 and above, more than one administrator can login to the Security Management Server with write permission at the same time. Every administrator works in a session that is independent of the other administrators. This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously34 References: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

To increase security, the administrator has modified the Core protection ‘Host Port Scan’ from ‘Medium’ to ‘High’ Predefined Sensitivity. The administrator should install the Threat Prevention Policy after Publishing the changes3. The Threat Prevention Policy defines how the Security Gateway inspects and protects against threats such as port scans, bot attacks, and zero-day exploits4. References: Check Point R81 Firewall Administration Guide, Check Point R81 Threat Prevention Administration Guide

The Security Management Server and the Security Gateway are the components that can store logs in the Check Point Security Management Architecture. The Security Management Server stores logs in a database and can also forward them to external log servers. The Security Gateway can store logs locally in a buffer or a local log file, and can also send them to the Security Management Server or a log server.

References: Check Point Security Management Administration Guide R81, p. 11-12

Gaia can be configured using the command line interface (CLI) or the WebUI. The CLI is a text-based interface that allows you to configure and manage Gaia settings using commands and scripts. The WebUI is a graphical interface that allows you to configure and manage Gaia settings using a web browser. Gaia Interface and GaiaUI are not valid terms for Gaia configuration tools.References: [Gaia Administration Guide], [Gaia Overview]

 A one-time password is used to initially create trust between a Gateway and Security Management Server. The administrator generates a one-time password from SmartConsole and enters it on the gateway command line interface using the cpconfig command. This establishes a Secure Internal Communication (SIC) between the gateway and the server . The other options are not used for this purpose. References: [Configuring Secure Internal Communication (SIC)], [Check Point CCSA - R81: Practice Test & Explanation]

SmartConsole provides a consolidated solution for everything that is necessary for the security of an organization, such as Security Policy Management and Log Analysis. Security Policy Management is the process of defining and enforcing rules that control the access and protection of network resources. Log Analysis is the process of collecting, analyzing, and reporting on log data that is generated by network devices and applications. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions from a single console. The other options are not part of SmartConsole, but rather separate software blades or features that can be integrated with SmartConsole. 

One of the major features in R80.x SmartConsole is concurrent administration, which allows multiple administrators to work on the same Security Policy at the same time12. However, only one administrator can edit a rule at a time. If AdminA and AdminB are editing the same rule at the same time, it will cause a conflict and prevent them from saving their changes12. Therefore, the correct answer is B. AdminA and AdminB are editing the same rule at the same time.

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own. In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties34 References: Part 4 - Installing Security Gateway, Deployment Options

The correct answer is A because renaming the hostname of the Standby member to match exactly the hostname of the Active member is not a recommended step to prevent data loss. The hostname of the Standby member should be different from the hostname of the Active member1. The other steps are necessary to ensure a smooth failover and synchronization between the Active and Standby Security Management Servers2. References: Check Point R81.20 Administration Guide, 156-315.81 Checkpoint Exam Info and Free Practice Test

URL Filtering is a blade that enables administrators to control access to millions of websites by category, users, groups, and machines. URL Filtering can be used to improve organizational security, decrease legal liability, and control data security by preventing users from accessing malicious or inappropriate websites. However, URL Filtering cannot be used to control bandwidth issues, such as limiting the amount of traffic or prioritizing certain applications over others3. For that purpose, other blades such as QoS (Quality of Service) or SecureXL are more suitable. References: Check Point R81 URL Filtering Administration Guide

The pen-symbol in the left column means that the rules have been edited by the logged in administrator, but the policy has not been published yet. It indicates that the changes are not yet effective and can be discarded.References: Policy Editor, Publishing Changes

The main objective when using Application Control is to ensure security and privacy of information4. Application Control enables administrators to control access to web applications and web sites based on risk level, user identity, and other criteria. It also provides visibility into web usage and application activity. References: Check Point R81 Application Control Administration Guide

The Internal Certificate Authority (ICA) is created during the primary Security Management Server installation process. The ICA is a component that issues and manages certificates for Check Point products. The ICA is automatically installed and initialized when installing the Security Management Server.

References: : Check Point R81 Security Management Administration Guide, page 26.

Back up and restores can be accomplished through SmartConsole, WebUI, or CLI12. These are the methods to perform system backup and restore, which save and restore the Gaia OS configuration and the Security Management Server database1. WebUI, CLI, or SmartUpdate are not valid methods, as SmartUpdate is used to install software packages and patches, not to back up or restore the system3. CLI, SmartUpdate, or SmartBackup are not valid methods, as SmartBackup is a feature of SmartProvisioning that allows backing up and restoring the configuration of Security Gateways and VSX clusters4. SmartUpdate, SmartBackup, or SmartConsole are not valid methods, as SmartConsole is used to configure and manage the Security Policy, not to back up or restore the system5.

References: System Backup and Restore feature in Gaia, Check Point R81.10, INSTALLATION AND UPGRADE GUIDE R81.10, SmartProvisioning R81.10 Administration Guide, QUANTUM SECURITY MANAGEMENT R81

Access roles allow the firewall administrator to configure network access according to remote access clients, a combination of computer or computer groups and networks, and users and user groups12. Therefore, the correct answer is D.

Check Point Gaia can be configured using:

The Command Line Interface (CLI) – This includes Clish and Expert mode, accessible via SSH, console access, or direct login.

The GAiA Portal (WebUI) – A browser-based graphical user interface used to manage Gaia settings.

Option A (incorrect): The CLI is not limited to serial console access. SSH is widely used.

Option B (incorrect): "Gaia Ultimate Shell" is not an official term.

Option D (incorrect): "Web Ultimate Interface" is not a valid name.

Thus, the correct answer is C. Command line interface; GAiA Portal.

halt is the Gaia command that turns the server off. This command shuts down the operating system and powers off the machine. Other commands that can be used to shut down the server are shutdown and poweroff. References: [Gaia Administration Guide R80.40]

The SmartConsole tab that shows logs and detects security threats, providing a centralized display of potential attack patterns from all network devices, is Logs and Monitor1, p. 24. The Logs and Monitor tab allows administrators to view logs from various sources, such as Security Gateways, SmartEvent servers, and SmartReporter servers. Gateway and Servers, Manage Setting, and Security Policies are other tabs in SmartConsole that have different functions. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point SmartConsole R81 Help]

 In hide NAT, the source IP address is translated. Hide NAT is also known as many-to-one NAT or PAT (Port Address Translation). It maps multiple private IP addresses to one public IP address by using different port numbers. Hide NAT allows outbound connections from the private network to the public network, but not inbound connections from the public network to the private network. In static NAT, the source or destination IP address is translated depending on the direction of the traffic. Static NAT is also known as one-to-one NAT or bi-directional NAT. It maps one private IP address to one public IP address and allows both outbound and inbound connections. In simple NAT, there is no translation of IP addresses. Simple NAT is also known as routing mode or transparent mode. It allows traffic to pass through the NAT device without any modification. There is no hide NAT for destination IP address translation5678 References: What Is Network Address Translation (NAT)?, Network address translation, Network Address Translation Definition, Network Address Translation (NAT)

 Phase 1 of the two-phase negotiation process conducted by IKE operates in Main mode or Aggressive mode12. Main mode is more secure than Aggressive mode, as it protects the identities of the peers and uses six messages to establish the IKE SA13. Authentication, Quick, and High Alert are not valid modes for IKE phase 1.

References: Understand IPsec IKEv1 Protocol, Internet Key Exchange for IPsec VPNs Configuration Guide, Internet Key Exchange

By default, the WebUI listens on port 80. The WebUI is a web-based interface that allows administrators to configure and monitor Gaia OS settings and features from a web browser. The WebUI uses the HTTP protocol to communicate with the Gaia machine, which by default uses port 80 as the standard port number. The other port numbers are not used by the WebUI by default, but they can be changed by modifying the Gaia configuration file or using CLISH commands. 

 RADIUS Accounting gets identity data from requests generated by the accounting client. RADIUS Accounting is a feature that allows tracking and measuring resource usage of network services by users. The accounting client, which is usually a network access server (NAS), sends accounting requests to a RADIUS server with information about user sessions, such as start and stop times, bytes transmitted and received, IP addresses, etc. The RADIUS server records this information in a database for billing, auditing, or reporting purposes. One of the mandatory attributes that the accounting client must include in every accounting request is the User-Name attribute, which identifies the user who is accessing the network service.

There are two default users on Gaia Platform and neither can be deleted. The two default users are admin and monitor. The admin user has full access to the Gaia configuration and management tools, such as CLI and WebUI. The monitor user has read-only access to the Gaia configuration and management tools, and can only view the system status and settings. These two users cannot be deleted, but their passwords can be changed.References: [Gaia Administration Guide], [Gaia Overview]

SmartLog is a unified log viewer that provides fast and easy access to logs from all Check Point components3. It allows the administrator to query for any log field, such as the IP address of the tablet, and filter the results by time, severity, blade, action, and more4. SmartView Tracker is a legacy tool that displays network activity logs from Security Gateways and other Check Point devices. It does not support remote connection to the wireless controller or querying for specific IP addresses. References: SmartLog, SmartLog Queries, [SmartView Tracker]

Accept all encrypted traffic is the option that will match a connection regardless of its association with a VPN community2. This option allows encrypted traffic from any VPN peer, even if it is not defined in a VPN community2. References: Site to Site VPN in R80.x - Tutorial for Beginners

SmartView Monitor is the tool that allows you to monitor the top bandwidth on SmartConsole. SmartView Monitor is a graphical tool that displays real-time network and security performance data, such as traffic, throughput, connections, CPU usage, memory usage, etc. You can use SmartView Monitor to identify the top bandwidth consumers and optimize your network performance.References: [SmartView Monitor], [Monitoring Network Traffic]

 The BEST command to view configuration details of all interfaces in Gaia CLISH is show configuration interface3. This command displays the interface name, IP address, netmask, state, MTU, and other parameters for each interface. ifconfig -a, show interfaces, and show interfaces detail are not valid commands in Gaia CLISH. References: How to configure static routes in CLISH on Gaia OS and IPSO OS, GAIA CLISH Commands - Fir3net, Gaia Administration Guide R80 - Check Point Software, Gaia Clish commands including User Defined (Extended) commands

The TCP/IP model is made up of four layers: Application, Transport, Internet, and Network Interface1, p. 10. The TCP/IP model is a simplified version of the OSI model, which has seven layers: Application, Presentation, Session, Transport, Network, Data Link, and Physical. References: Check Point CCSA - R81: Practice Test & Explanation, [TCP/IP Model Explained]

 To make John’s changes available to other administrators, and to save the database before installing a policy, John must publish the session. Publishing the session saves the changes to the database and makes them visible to other administrators1. The other options do not achieve this goal. References: Publishing a Session

The Transport layer of the TCP/IP model is responsible for managing the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the target application. It also provides error detection and correction, flow control, and multiplexing. The Transport layer uses protocols such as TCP and UDP.

References: Check Point Security Engineering Study Guide, p. 10-11

The main difference between Static NAT and Hide NAT is that Static NAT allows incoming and outgoing connections, while Hide NAT only allows outgoing connections4. Static NAT translates a single IP address to another single IP address, while Hide NAT translates a group of IP addresses to a single IP address. Static NAT is used to expose internal servers to external networks, while Hide NAT is used to hide internal hosts from external networks. References: Check Point R81 Firewall Administration Guide

With URL Filtering, only the host portion of the URL is sent to the Check Point Online Web Service for analysis. The host portion is the part of the URL that identifies the web server, such as The Check Point Online Web Service uses this information to categorize the URL and return the appropriate action to the Security Gateway3. The other options are not sent to the Check Point Online Web Service for analysis, as they may contain sensitive or irrelevant data.

The Secure Network Distributor (SND) is a feature of the Security Gateway that is used to distribute packets among Firewall instances . It improves the performance and scalability of the Firewall by utilizing multiple CPU cores. The other options are not related to SND. References: [Check Point Security Gateway Architecture and Packet Flow], [Free Check Point CCSA Sample Questions and Study Guide]

A central license is automatically attached to a Security Gateway when it is installed. A local license requires an administrator to designate a gateway for attachment1, p. 8. References: Check Point CCSA - R81: Practice Test & Explanation

A Distributed Deployment is when the Security Management Server and Security Gateway are installed on separate machines. In this setup, the Security Gateway communicates its status to the Security Management Server, which resides at a different IP address.

Option A (Incorrect): "Targeted" is not an official Check Point deployment mode.

Option B (Incorrect): In Bridge Mode, the Security Gateway acts as a Layer 2 bridge and does not communicate its status to another IP.

Option D (Incorrect): In Standalone Mode, the Security Gateway and Management Server are on the same machine, meaning it does not communicate status to a different IP.

Thus, the correct answer is C. Distributed.

Sub Policies are a new feature in R80.10 Gateway that allow creating and attaching sets of rules to specific rules in the main policy4. Sub Policies are useful for delegating permissions, managing large rule bases, and applying different inspection profiles4. The other options are not new features in R80.10 Gateway. References: Check Point R80.10 Security Management Administration Guide

Stateful Inspection is true about looking at both the headers of packets, as well as deeply examining their content. Stateful Inspection inspects packets at all layers of the OSI model and maintains information about the state and context of each connection in a state table. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 6.

 Stateful Inspection and Proxies are two different technologies for implementing firewall security. Stateful Inspection is a technique that inspects packets at the network layer and maintains a state table that tracks the status of each connection. Proxies are applications that act as intermediaries between clients and servers, and inspect packets at the application layer. The competition between stateful inspection and proxies was based on performance, protocol support, and security. When it comes to performance, stateful inspection was significantly faster than proxies, because it did not have to process the payload of each packet and could handle more concurrent connections1. References: Check Point R81 Security Gateway Technical Administration Guide

To view the policy installation history for each gateway, an administrator would use the Installation history tool1, p. 22. The Installation history tool shows the date and time of each policy installation, the name of the administrator who installed it, and the status of the installation3. Revisions, Gateway installations, and Gateway history are not valid tools in SmartConsole. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point SmartConsole R81 Help

 The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway. Installing the Security Policy is not necessary because it does not affect the CoreXL configuration1. References: Check Point R81 Security Management Administration Guide

 The answer is B because AES-CBC-256 is not a supported encryption algorithm for IPsec Security Associations (Phase 2) in R81. The supported encryption algorithms are AES-GCM-128, AES-GCM-256, AES-CBC-128, 3DES, and NULL3 References: Check Point R81 VPN Administration Guide

According to the Check Point R81.10 SmartConsole for Windows1, to restore a backup, you need to supply the following data: Server, Protocol, Username, Password, and Path. The Server is the IP address or hostname of the Security Management Server. The Protocol is either SCP or SFTP. The Username and Password are the credentials for the Security Management Server. The Path is the location of the backup file on the Security Management Server. References: Check Point R81.10 SmartConsole for Windows

The IPS (Intrusion Prevention System) Software Blade provides comprehensive protection against malicious and unwanted network traffic, focusing on application and server vulnerabilities. The other options are not related to this function.

References: : [Check Point R81 Threat Prevention Administration Guide], page 9.

The steps you will need to do in SmartConsole in order to get the connection working behind the Internet Security Gateway are:

Define an accept rule in Security Policy. This rule allows the traffic from your internal networks to pass through the Security Gateway.

Define automatic NAT for each network to NAT the networks behind a public IP. This option translates the private IP addresses of your internal networks to a public IP address assigned by your ISP router. This way, your internal networks can communicate with the Internet using a valid IP address.

Publish and install the policy. This step applies the changes you made to the Security Gateway and activates the security and NAT rules.

References: Check Point R81 Quantum Security Gateway Guide

The key that is created during Phase 2 of a site-to-site VPN is a symmetrical IPSec key3. This key is used to encrypt and decrypt the data that is exchanged between the VPN peers3. The symmetrical IPSec key is derived from the shared secret and the Diffie-Hellman public keys that are exchanged during Phase 13. References: Site to Site VPN in R80.x - Tutorial for Beginners

Specific VPN Communities is the option that would only match and allow traffic to VPN gateways for one Community in common. This option allows you to define a specific VPN community that includes the VPN gateways that are allowed to communicate with each other. The other options are either too broad or too narrow for this scenario. References: [Site to Site VPN in R80.x - Tutorial for Beginners]

A main component of the Check Point security management architecture is SmartConsole2. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References: Check Point R81 Security Management Administration Guide

Manual NAT can offer more flexibility than Automatic NAT because it allows the administrator to define the NAT rules in any order and position1. Automatic NAT creates the NAT rules automatically and places them at the top or bottom of the NAT Rule Base2. References: Check Point R81 Firewall Administration Guide, Check Point R81 Security Management Administration Guide

The statement that best describes Secure Internal Communication (SIC) is: After successful initialization, the gateway can communicate with any Check Point node that possesses a SIC certificate signed by the same ICA. SIC is a mechanism that ensures secure communication between Check Point components by using certificates that are issued by an Internal Certificate Authority (ICA)3. The other statements are not accurate descriptions of SIC.

The port used for full synchronization between cluster members is TCP port 2654. This port is used by the Firewall Kernel to send and receive synchronization data, such as connection tables, NAT tables, and VPN keys4. UDP port 8116 is used by the Cluster Control Protocol (CCP) for internal communications between cluster members4. References: How does the Cluster Control Protocol function in working and failure scenarios for gateway clusters?

 A SAM (Suspicious Activity Monitoring) rule is implemented to provide the function or benefit of blocking suspicious activity. A SAM rule is a rule that defines an action to be taken by the firewall when it detects a suspicious activity, such as an attack, a scan, or a policy violation. The action can be blocking, dropping, rejecting, or logging the traffic that triggered the suspicious activity. A SAM rule can be created manually or automatically by other security features, such as IPS, Anti-Bot, or SmartEvent.References: [SAM Rules], [Suspicious Activity Rules]

The path that is available only when CoreXL is enabled is the medium path. The medium path is used to handle packets that require deeper inspection by the Firewall and IPS blades, but do not need to go through the slow path . The slow path is used to handle packets that require stateful or out-of-state inspection by other blades, such as Application Control or VPN . The firewall path and the accelerated path are available regardless of CoreXL status . References: [CoreXL R81 Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation], [Check Point Security Gateway Architecture and Packet Flow], [Free Check Point CCSA Sample Questions and Study Guide]

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

The answer is A because an identity server uses a shared secret for user authentication. A shared secret is a passphrase that is known by both the identity server and the user. The identity server sends a challenge to the user, who encrypts it with the shared secret and sends it back. The identity server then verifies the response and authenticates the user12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Identity Server

The default tracking option of a rule is Log3. This means that the Security Gateway will generate a log entry for every connection that matches the rule. The log entry will contain information such as source, destination, service, action, and time. Other tracking options include None, Alert, Mail, SNMP Trap, User Alert, and Accounting. References: Check Point R81 Firewall Administration Guide

Certificate based Authentication is the only authentication method available between two Security Gateway managed by the same SMS. This is because certificate based authentication provides stronger security and easier management than pre-shared secret authentication. The other options are either incorrect or irrelevant for this scenario. References: [Check Point R80.10 - Part 6 - Certificate Based Authentication]

Threat Extraction delivers PDF versions of original files with active content removed, such as macros, embedded objects, and scripts. This ensures that users receive clean and safe files in seconds12. References: Check Point SandBlast Zero-Day Protection, Check Point Threat Extraction

When a policy package is installed, user and objects databases are also distributed to the target installation Security Gateways14. The user and objects databases contain information about network objects, users, groups, services, VPN domains, and more14. Therefore, the correct answer is A. User and objects databases.

The difference between the Install Policy button on the SmartConsole’s tab and the Install Policy within a specific policy is that the former installs all the policies that are selected in the Install Policy window, while the latter pre-selects the installation for only the current policy and for the applicable gateways5 . The other options are not accurate differences. References: Installing Policies, [Check Point CCSA - R81: Practice Test & Explanation]

The WebUI can be used to manage Operating System user accounts and add users to your Gaia system, assign privileges to users, and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server. This is done by the SmartConsole1.

References: 1: Check Point R81 Security Management Administration Guide, page 11.

The answer is D because in R80 and above, the first administrator to connect to the Management Server using SmartConsole gets a lock on only the objects being modified in his session of the Management Database. Other administrators can connect to make changes using different sessions, but they cannot modify the same objects as the first administrator until he publishes his changes. This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously12 References: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

The selected option “Accept Domain Name over UDP (Queries)” means that UDP Queries will be accepted by the traffic allowed only through interfaces with external anti-spoofing topology and this will be done before first explicit rule written by Administrator in a Security Policy. This option enables the Security Gateway to accept DNS queries from external hosts and forward them to internal DNS servers. The queries are accepted by an implied rule that is applied before the explicit rules in the Security Policy. The implied rule only allows queries from interfaces that have external anti-spoofing groups defined . References: Check Point R81 Quantum Security Gateway Guide, Implied Rules

A security zone is a group of one or more network interfaces from different centrally managed gateways that have the same security requirements. The zone is based on the network topology and determined according to where the interface leads to. For example, a zone can be defined as internal, external, DMZ, VPN, etc. Security zones are supported by Check Point firewalls and can be used to simplify security policies and network segmentation. The firewall rule can be configured to include one or more zones as source or destination objects. The local directly connected subnet defined by the subnet IP and subnet mask is not considered part of the zone, but rather a property of the interface.References: [Security Zones], [Security Zones Best Practices]

The default Gaia user that has full read/write access is admin3. The admin user is the superuser that can perform any administrative task on the Gaia system, such as configuring network settings, installing software updates, managing licenses, creating snapshots, and more. The admin user can also access the Gaia Portal, which is a web-based interface for managing Gaia settings and features. References: Check Point R81 Gaia Administration Guide

The purpose of the Clean-up Rule is to log all traffic that is not explicitly allowed or denied in the Rule Base78. The Clean-up Rule is the last rule in the rulebase and is used to drop and log explicitly unmatched traffic97. To improve the rulebase performance, noise traffic that is logged in the Clean-up rule should be included in the Noise rule so it is matched and dropped higher up in the rulebase8. The other options are not valid purposes of the Clean-up Rule.

References: Using Intune device cleanup rules, Security policy fundamentals, Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

 The type of Check Point license that ties the package license to the IP address of the Security Management Server is Central license. A Central license is a license that is installed on the Security Management Server and applies to all the Security Gateways that are managed by it. The Central license is based on the IP address of the Security Management Server and cannot be transferred to another Security Management Server with a different IP address.References: [Check Point R81 Licensing Guide], [Managing and Installing license via SmartUpdate]

 Check Point ClusterXL Active/Active deployment is used when there is Load Sharing solution set up. Load Sharing enables multiple Security Gateways to share traffic and provide high availability12. References: Check Point R81, Check Point R81 ClusterXL Administration Guide

 The correct answer is A because a pencil icon in a rule means that you have changed this rule3. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when3. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

 Check Point technologies that deny or permit network traffic are packet filtering, stateful inspection, and application layer firewall1, p. 15-16. Packet filtering is a basic firewall technique that examines packets based on their source and destination addresses and ports2, p. 13. Stateful inspection is an advanced firewall technique that tracks the state and context of network connections and inspects packets based on their content and sequence2, p. 13. Application layer firewall is a firewall technique that operates at the application layer of the OSI model and inspects packets based on their application protocols and data2, p. 14. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 811612. The other statements are true about Delta synchronization. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

The SOLR database is used for full text search and enables powerful matching capabilities3 . SOLR is an open source enterprise search platform that provides fast and scalable indexing and searching of data. It supports advanced features such as faceting, highlighting, spell checking, synonyms, etc. The SOLR database is used by Check Point products such as SmartLog and SmartEvent to store and query logs and events3 . The other options are incorrect. Option B is false, as SOLR does not write data to the database, but only reads data from it. Option C is false, as SOLR does not serve GUI, but only provides a RESTful API for queries. Option D is false, as SOLR does not enable powerful matching capabilities and write data to the database, but only enables powerful matching capabilities. References: SOLR - Check Point Software, [Apache Solr]

Since Bob and Joe both have Administrator Roles on their Gaia Platform and they both are logged in on different interfaces, they will both be able to make changes. Gaia allows multiple administrators to log in simultaneously and perform different tasks without locking the database or logging out each other. References: Gaia R81.20 Administration Guide, page 18.

An Endpoint identity agent uses a username/password or Kerberos ticket for user authentication3, p. 28. An Endpoint identity agent is a lightweight client installed on endpoint computers that communicates with Identity Awareness gateways and provides reliable identity information. An Endpoint identity agent does not use a shared secret, a token, or a certificate for user authentication. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Identity Awareness Administration Guide R81]

The best way to restrict access to a network resource only allowing certain users to access it, and only when they are on a specific network, is to create an Access Role object, with specific users or user groups specified, and specific networks defined. Then, use this access role as the “Source” of an Access Control rule. This allows for granular control over network traffic based on user identity and location3.

References: 3: Check Point R81 Security Gateway Administration Guide, page 13.

Suspicious Activity Monitoring (SAM) is the utility that is used to block activities that appear to be suspicious. SAM allows administrators to block connections from specific IP addresses or network objects for a specified period of time3. Penalty Box is a feature of SAM that automatically blocks connections from sources that generate too many log entries. Drop Rule in the rulebase is a firewall action that discards packets that match certain criteria. Stealth rule is a firewall rule that prevents direct access to the Security Gateway from external sources.

This answer is correct because for a certificate-based VPN tunnel, both gateways need to have a certificate issued by a certificate authority (CA) that they trust1. A CA is a trusted entity that verifies the identity of the gateways and signs their certificates2. The gateways can either use the same CA or different CAs, as long as they trust each other’s CA3. This way, the gateways can authenticate each other using their certificates and establish a secure VPN tunnel.

The other answers are not correct because they are either irrelevant or incompatible with certificate-based VPN tunnel. Shared secret passwords and unique passwords are used for pre-shared key (PSK) authentication, which is a different method than certificate authentication4. PSK authentication is less secure and more vulnerable to brute force attacks than certificate authentication. Shared user certificates are not used for gateway authentication, but for user authentication, which is a different level of authentication than gateway authentication. User authentication is optional and can be used in addition to gateway authentication to provide more granular access control.

Configure server settings for P2S VPN Gateway connections - certificate authentication

VPN certificates and how they work

Create Certificate Based Site to Site VPN between 2 Check Point Gateways

HowTo Set Up Certificate Based VPNs with Check Point Appliances

The correct answer is D because the command save configuration  stores the Gaia configuration in a file for later reference1. The other commands are not valid in Gaia Clish1. References: Gaia R81.10 Administration Guide

The Shared policies feature allows administrators to share a policy with other policy packages3. This can save time and effort when managing multiple gateways with similar security requirements. Shared policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers4. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartConsole R81 Resolved Issues

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s3. The Management API’s support HTTPS protocol only, not HTTP3. The other methods are valid ways to communicate using the Management API’s3. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

The Full Identity Agent allows packet tagging and computer authentication2. Packet tagging is a feature that enables the Security Gateway to identify the source user and machine of each packet, regardless of NAT or routing. Computer authentication is a feature that enables the Security Gateway to authenticate machines that are not associated with any user, such as servers or unattended workstations. The other options are incorrect. Endpoint Security Client is not an Identity Agent, but a software that provides endpoint security features such as firewall, antivirus, VPN, etc. Light Agent is an Identity Agent that does not require installation and runs on a web browser, but it does not support packet tagging or computer authentication. System Agent is not an Identity Agent, but a software that provides system information and health monitoring for endpoints. References: Check Point Identity Agent for Microsoft Windows 10

Plug-and-play (Trial) and Evaluation licenses are considered temporary because they expire after a certain period of time3. Plug-and-play licenses are valid for 15 days, while Evaluation licenses are valid for 30 days. References: Check Point Licensing and Contract Operations User Guide

A correlation unit (CU) is a component of SmartEvent that analyzes log entries on log servers and identifies events based on predefined or custom rules1. A CU receives logs from one or more log servers and forwards them to the SmartEvent server, where they are stored in the events database

When an encrypted packet is decrypted, this happens in the security policy4. The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy. References: Check Point R81 VPN Administration Guide

 Packet filtering is a technique that controls the flow of network data by examining the headers of packets and applying a set of rules to accept or reject them. Packet filtering has some advantages, such as efficiency, cost-effectiveness, ease of use, and transparency3. However, it also has some disadvantages, such as low security and no screening above the network layer4. Packet filtering firewalls cannot inspect the payload of packets or the application layer protocols, which makes them vulnerable to attacks that exploit higher-level vulnerabilitie

 In R80 Management, apart from using SmartConsole, objects or rules can also be modified using a complete CLI and API interface using SSH and custom CPCode integration. This allows you to automate tasks, integrate with third-party tools, and create custom scripts . 3rd Party integration of CLI and API for Gateways or Management prior to R80 is not relevant for R80 Management. A complete CLI and API interface for Management with 3rd Party integration is not a specific option. References: [Check Point R81 Security Management Administration Guide], [Check Point Learning and Training Frequently Asked Questions (FAQs)]

ThreatWiki is a tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed3. ThreatWiki is a web-based service that collects information about files from various sources, such as Check Point customers, partners, and researchers. Administrators can use ThreatWiki to view file reputation, upload files for analysis, and download indicators of compromise3. Whitelist Files, AppWiki, and IPS Protections are not tools that provide a list of trusted files. References: Threat Prevention R80.40 Administration Guide

This answer is correct because these are the two forms of Check Point licenses that are used to activate the software blades on the Security Gateways and the Security Management Servers1. A central license is a license that is attached to a Security Management Server and can be used to manage multiple Security Gateways1. A local license is a license that is attached to a specific Security Gateway and can only be used by that gateway1.

The other answers are not correct because they are either irrelevant or inaccurate options for Check Point licenses forms. Security Gateway and Security Management are not license forms, but software components that provide firewall, VPN, and other security features2. On-premise and Public Cloud are not license forms, but deployment options for Check Point products3. Access Control and Threat Prevention are not license forms, but software blades that provide different security functions.

Check Point License Guide

Check Point Software Blade Quick Licensing Guide

Check Point CloudGuard Network Security

[Check Point Software Blades]

The command api status shows the API server status, including whether it is enabled or not, the port number, and the API version1. References: Check Point R81 API Reference Guide

The three main components of Check Point security management architecture are SmartConsole, Security Management, and Security Gateway5. SmartConsole is the graphical user interface that allows administrators to manage and monitor Check Point products. Security Management is the server that stores the security policy and configuration data. Security Gateway is the device that enforces the security policy on the network traffic. References: Check Point R81 Security Management Administration Guide

The “Hit Count” feature is enabled or disabled on the Policy layer in SmartConsole1. To enable or disable the “Hit Count” feature, right-click on the Policy layer and select “Edit Layer”. Then, check or uncheck the “Enable Hit Count” option1. References: Solved: Hit Count in R80.x

The correct command to show detailed information about VPN tunnels is vpn tu.

vpn tu is an interactive command that provides detailed VPN tunnel status and allows you to clear specific VPN-related connections.

vpn tu tlist (Option B) is not a valid command.

cat $FWDIR/conf/vpn.conf (Option A) only displays configuration settings but does not provide real-time VPN tunnel details.

cpview (Option D) is a general system monitoring tool and does not focus specifically on VPN tunnels.

Thus, the correct answer is C. vpn tu.

The answer is C because inline layer can be defined as a rule action in a policy layer. Inline layer is a sub-policy that contains additional rules that are applied only if the parent rule matches. Ordered layer is a policy layer that contains rules that are applied in order, from top to bottom. One policy can be either inline or ordered, but not both. Pre-R80 Gateways do support ordered layers, but not inline layers5 References: Check Point R81 Policy Layers and Sub-Policies, [Check Point R81 Security Gateway Administration Guide]

The three types of UserCheck messages are inform, ask, and block. Inform messages notify users about security events and do not require any user action. Ask messages prompt users to choose whether to allow or block an action. Block messages prevent users from performing an action and display a reason1. References: Check Point R81 Logging and Monitoring Administration Guide

The Online Activation method is available for Check Point manufactured appliances. The administrator uses the Online Activation method by using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts. This method requires internet access and a valid User Center account. References: [Check Point Licensing and Contract Operations User Guide], [Check Point R81 Gaia Installation and Upgrade Guide]

The changes made by an administrator before publishing the session can be seen by a superuser administrator from Manage and Settings > Sessions, right click on the session and click ‘View Changes…’. This option allows the superuser to review the changes made by another administrator in a pending session1. References: Check Point R81 Security Management Administration Guide

In Check Point’s Security Management Architecture, logs can be stored on the Security Management Server and Security Gateway.

Security Management Server stores logs when configured to do so.

Security Gateways can store logs locally, but they are often forwarded to a Security Management Server or a dedicated Log Server.

Option B (Incorrect): SmartConsole is only a management interface and does not store logs.

Option C (Incorrect): SmartConsole does not store logs.

Option D (Incorrect): Logs are not exclusively stored on the Security Management Server—they can also be stored on the Security Gateway.

Thus, the correct answer is A. Security Management Server and Security Gateway.

 Once a license is activated, a Service Contract file should be installed. This file contains information about the license expiration date, support level, and other details3. The other options are not valid file names.

References: 3: Check Point R81 Security Management Administration Guide, page 15.

 A stateful inspection firewall works by registering connection data and compiling this information in state tables. State tables are data structures that store information about the state and context of each connection, such as source, destination, service, protocol, sequence number, flags, etc. State tables enable the firewall to inspect both the header and the payload of each packet and apply security policies accordingly.References: [Stateful Inspection], [State Tables]

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given. DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1. DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES. 3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

What is DES encryption, and why was it replaced?

Data Encryption Standard - Wikipedia

What is 3DES encryption?

[What is AES encryption and how does it work?]

 A firewall can NOT prevent a network bandwidth saturation attack, which is a type of denial-of-service (DoS) attack that aims to consume all the available bandwidth of a target network or device1, p. 9. A firewall can prevent other types of attacks, such as buffer overflow, SYN flood, and SQL injection, by inspecting packets and applying security rules2, p. 11-12. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

Detailed Log is not a valid tracking log option in R80.x3. The tracking log options in R80.x are Log, Full Log, and Extended Log45. References: Where is ‘full log’ option in track column, LOGGINGAND MONITORING R80, Logging and Monitoring Administration Guide R80.20

References: Certificate-based authentication is considered to be the more secure and preferred VPN authentication method. It uses digital certificates to verify the identity of the VPN client and server, and provides stronger encryption and mutual authentication. Password-based authentication methods are less secure and more vulnerable to brute-force attacks, phishing, and keylogging. MD5 is a hashing algorithm, not an authentication method. Pre-shared secret is a symmetric key that is shared between the VPN peers, but it can be compromised if it is not changed frequently or stored securely12 References: VPN authentication options, Windows VPN technical guide

The tool used to enable cluster membership on a Gateway is cpconfig2. This tool allows you to configure basic settings of Check Point products, such as cluster membership, administrator name and password, GUI clients, and Secure Internal Communication (SIC)2. References: Next Generation Security Gateway Guide R80

 Alerts can be viewed in SmartView Monitor, which is a graphical tool that provides real-time information about the network and security activities, such as traffic, VPN tunnels, threats, and performance4.

References: 4: Check Point R81 Security Management Administration Guide, page 25.

You can use the same layer in multiple policies or rulebases. A layer is a set of rules that can be shared, reused, or inherited by different policies. This allows you to create modular and flexible security policies that can be applied to different scenarios.References: [Layers], [Policy Layers and Sub-Policies]

You should generate new licenses when the existing license expires, license is upgraded or the IP-address where the license is tied changes13. These scenarios require a new license to be generated and activated on the Security Gateway or Management Server13. Therefore, the correct answer is C. When the existing license expires, license is upgraded or the IP-address where the license is tied changes

Gaia can be managed through CLI, WebUI, and SmartDashboard1, p. 17-18. CLI is a command-line interface that allows administrators to configure and monitor Gaia using commands and scripts. WebUI is a web-based interface that allows administrators to configure and monitor Gaia using a browser. SmartDashboard is a graphical user interface that allows administrators to manage security policies and objects for Gaia devices. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Gaia Administration Guide R81], [Check Point Security Management Administration Guide R81]

The CDT utility supports all upgrades, including major version upgrades, Jumbo HFA’s, and hotfixes3. References: Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent

If the NAT property ‘Translate destination on client side’ is not enabled in Global properties, nothing needs to be configured on the client side, because the Gateway takes care of all details necessary. The Gateway translates the destination IP address before sending the packet to the client, so the client does not need to know about the NAT rule or add any host route or ARP entry.

References: Check Point Security Engineering Study Guide, p. 136-137

NAT (Network Address Translation) is a technique that modifies the IP addresses or ports of packets that pass through a security gateway. NAT can be configured in two ways: Automatic or Manual. Automatic NAT means that the NAT rules are generated automatically by the security gateway based on the NAT properties of network objects. Manual NAT means that the NAT rules are defined explicitly by the administrator in the NAT policy. Proxy ARP (Address Resolution Protocol) is a technique that allows a security gateway to answer ARP requests on behalf of other hosts. Proxy ARP is needed when a host on one network segment tries to communicate with a host on another network segment that has a different IP address than its own. In some scenarios, an administrator will need to manually define Proxy ARP for NAT to work properly. One such scenario is when they configure a Manual Static NAT which translates to an IP address that does not belong to one of the firewall’s interfaces2. References: Check Point R81 Network Address Translation Administration Guide

The back up solution that should be used to ensure your database can be restored on that device is snapshot . A snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point products, configuration, and operating system. A snapshot can be used to restore a Security Gateway or Security Management Server to its previous state at any time . Therefore, the correct answer is D. snapshot. 

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work. This is because SmartConsole uses a session mechanism that allows users to work offline and save their changes locally until they are ready to publish them to the Management13. If Tom loses connectivity, he can resume his session when he reconnects and continue working on his Rule Base changes. He does not need to reboot his SmartConsole computer, clear the cache, or restore changes. His changes will not be lost since he lost connectivity. References: Check Point R81 Security Management Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

The file that stores the proxy arp configuration is $FWDIR/conf/local.arp on the gateway3 . The other files are not related to proxy arp configuration. References: How to configure Proxy ARP for Manual NAT on Security Gateway, [Check Point CCSA - R81: Practice Test & Explanation]