156-215.81 Check Point Certified Security Administrator R81.20 CCSA (156-215.81.20) Questions and Answers

The best way to restrict access to a network resource only allowing certain users to access it, and only when they are on a specific network, is to create an Access Role object, with specific users or user groups specified, and specific networks defined. Then, use this access role as the “Source” of an Access Control rule. This allows for granular control over network traffic based on user identity and location3.

References: 3: Check Point R81 Security Gateway Administration Guide, page 13.

The protocol that is specifically used for clustered environments is Cluster Control Protocol (CCP). CCP is a proprietary Check Point protocol that is used for communication between cluster members and for cluster administration. CCP enables cluster members to exchange state information, synchronize connections, monitor interfaces, and perform failover operations. The other options are incorrect. Clustered Protocol, Synchronized Cluster Protocol, and Control Cluster Protocol are not valid terms in Check Point terminology. References: [Cluster Control Protocol (CCP) - Check Point Software]

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

 A session starts when an Administrator logs in through SmartConsole and ends when the Administrator logs out. A session allows multiple administrators to work on the same policy simultaneously, without overwriting each other’s changes3.

References: 3: Check Point R81 Security Management Administration Guide, page 17.

Automatic Hide NAT enables Source Port Address Translation by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

The Application Layer Firewalls inspect traffic through the Lower layer(s) of the TCP/IP model and up to and including the Application layer. The lower layers are the Physical, Data Link, and Network layers, which deal with the transmission and routing of packets. The Application layer is the highest layer of the TCP/IP model, which provides services and protocols for specific applications such as HTTP, FTP, SMTP, etc. The Application Layer Firewalls can inspect the content and context of the traffic and enforce granular security policies based on various criteria such as user identity, application identity, content type, etc. References: [Check Point R81 Firewall Administration Guide]

The statement that a Sectional Title can be used to disable multiple rules by disabling only the sectional title is false. A Sectional Title is a visual divider that helps organize and navigate large rule bases. It does not affect the rule enforcement order or the rule functionality. Disabling a Sectional Title does not disable the rules under it. To disable multiple rules, you need to select them individually or use Shift+Click or Ctrl+Click to select them in bulk, and then right-click and choose Disable Rule(s). The other statements are true. Section titles are not sent to the gateway side, they are only displayed in SmartConsole. These sections are simple visual divisions of the Rule Base and do not hinder the order of rule enforcement. Sectional Titles do not need to be created in SmartConsole, they can also be created using SmartConsole CLI or API commands.References: [Sectional Titles], [SmartConsole CLI Guide], [SmartConsole API Reference Guide]

 The SIC Status “Unknown” means that there is no connection between the gateway and Security Management Server. This can happen if the gateway is down, unreachable, or has not been initialized yet12. References: Check Point R81 Security Management Administration Guide, Free Check Point CCSA Sample Questions and Study Guide

Bridge Mode is a deployment option for Check Point Security Gateway that allows it to act as a transparent bridge between two network segments, without changing the IP addressing scheme. Bridge Mode supports most of the security features, such as Data Loss Prevention, Antivirus, Application Control, etc. However, Bridge Mode does not support NAT, because NAT requires modifying the IP addresses or ports of the packets, which contradicts the transparent nature of Bridge Mode1. References: Check Point R81 Security Gateway Technical Administration Guide

The SmartCenter that should be connected to for making changes is the active SmartCenter. The active SmartCenter is the one that is currently synchronizing its configuration with the secondary SmartCenter and handling the communication with the gateways . The primary SmartCenter is the one that was initially configured as the main server, but it may become inactive if a failover occurs. The virtual IP of SmartCenter HA is used to access the SmartConsole, not to make changes. References: [Security Management Server High Availability (HA) R81 Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation], [How to configure ClusterXL High Availability on Security Management Server]

 When an Admin logs into SmartConsole and sees a lock icon on a gateway object and cannot edit that object, it indicates that another Admin has made an edit to that object and has yet to publish the change. SmartConsole supports concurrent administration, which means that multiple Admins can work on the same security policy at the same time. However, when one Admin edits an object, such as a gateway, a rule, or a network, that object is locked for other Admins until the change is published or discarded. The lock icon shows which objects are being edited by other Admins and prevents conflicts or overwrites. The gateway being powered off, incorrect routing to reach the gateway, or logging in to Read-Only mode do not cause the lock icon to appear.References: [Concurrent Administration], [SmartConsole Overview]

 Captive Portal is a feature of Identity Awareness that allows you to authenticate users through a web browser before they access the Internet or corporate resources. Captive Portal can be used for various authentication methods, such as user name and password, one-time password (OTP), or certificate3. Captive Portal does not manage user permission in SmartConsole, provide remote access to SmartConsole, or authenticate users to the Gaia OS. Those are different functions that are not related to Captive Portal. References: Check Point R81 Identity Awareness Administration Guide

In a Distributed deployment, the Security Gateway and the Security Management software are installed on different computers or appliances2. This allows for better scalability and performance. References: Check Point Security Management Administration Guide R81

The purpose of the Clean-up Rule is to log all traffic that is not explicitly allowed or denied in the Rule Base78. The Clean-up Rule is the last rule in the rulebase and is used to drop and log explicitly unmatched traffic97. To improve the rulebase performance, noise traffic that is logged in the Clean-up rule should be included in the Noise rule so it is matched and dropped higher up in the rulebase8. The other options are not valid purposes of the Clean-up Rule.

References: Using Intune device cleanup rules, Security policy fundamentals, Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

When using Automatic Hide NAT, Source Port Address Translation (PAT) is enabled by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

The answer is C because inline layer can be defined as a rule action in a policy layer. Inline layer is a sub-policy that contains additional rules that are applied only if the parent rule matches. Ordered layer is a policy layer that contains rules that are applied in order, from top to bottom. One policy can be either inline or ordered, but not both. Pre-R80 Gateways do support ordered layers, but not inline layers5 References: Check Point R81 Policy Layers and Sub-Policies, [Check Point R81 Security Gateway Administration Guide]

The main objective when using Application Control is to ensure security and privacy of information4. Application Control enables administrators to control access to web applications and web sites based on risk level, user identity, and other criteria. It also provides visibility into web usage and application activity. References: Check Point R81 Application Control Administration Guide

 ThreatWiki is a web-based tool that provides statistics on detected threats, such as attack types, sources, destinations, and severity. It also allows the administrator to search for specific threats and view their details and mitigation methods. The other options are not tools for viewing statistics on detected threats. References: [ThreatWiki], [ThreatWiki - Threat Emulation]

The default shell of the Gaia CLI is cli.sh, which provides a limited set of commands for basic configuration and troubleshooting. To change from the cli.sh shell to the advanced shell (also known as expert mode) to run Linux commands, the administrator needs to execute the command ‘expert’ in the cli.sh shell

The correct command to show detailed information about VPN tunnels is vpn tu.

vpn tu is an interactive command that provides detailed VPN tunnel status and allows you to clear specific VPN-related connections.

vpn tu tlist (Option B) is not a valid command.

cat $FWDIR/conf/vpn.conf (Option A) only displays configuration settings but does not provide real-time VPN tunnel details.

cpview (Option D) is a general system monitoring tool and does not focus specifically on VPN tunnels.

Thus, the correct answer is C. vpn tu.

 The Security Gateways collect logs and send them to the log server. The Security Gateways are the components that enforce the security policy on network traffic and generate logs for each connection that matches a rule with a tracking option. The log server is the component that receives and stores the logs from the Security Gateways and provides a centralized interface for viewing and analyzing them. The log server can be either a dedicated server or integrated with the Security Management Server. References: [Check Point R81 Security Management Administration Guide]

Central licensing is the preferred licensing model because it ties the package license to the IP-address of the Security Management Server and has no dependency on the gateway. This allows for easier management and distribution of licenses across multiple gateways1.

References: 1: Check Point R81 Security Management Administration Guide, page 14.

Threat Extraction is the Security Blade that needs to be enabled in order to sanitize and remove potentially malicious content from files, before those files enter the network. It can strip out active content, embedded objects, and other risky elements from documents and deliver a safe version of the file to the user. References: Remote Access VPN R81.20 Administration Guide, page 18.

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s3. The Management API’s support HTTPS protocol only, not HTTP3. The other methods are valid ways to communicate using the Management API’s3. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

The file that stores the proxy arp configuration is $FWDIR/conf/local.arp on the gateway3 . The other files are not related to proxy arp configuration. References: How to configure Proxy ARP for Manual NAT on Security Gateway, [Check Point CCSA - R81: Practice Test & Explanation]

To optimize drops, you can use Priority Queues and fully enable Dynamic Dispatcher on the Security Gateway23. Priority Queues are a mechanism that prioritizes part of the traffic when the Security Gateway is stressed and needs to drop packets. Dynamic Dispatcher is a feature that dynamically assigns new connections to a CoreXL FW instance based on the utilization of CPU cores. To enable both features, you need to run the command fw ctl multik set_mode 9 on the Security Gateway4. Therefore, the correct answer is C. fw ctl multik set_mode 9. References: CoreXL Dynamic Dispatcher - Check Point Software, Firewall Priority Queues in R80.x / R81.x - Check Point Software, Separate Config for Dynamic Dispatcher and Priority Queues

The User Directory is used to obtain identification and security information about network users. It can be integrated with external user databases such as LDAP, RADIUS, or TACACS+. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 9.

Plug-and-play (Trial) and Evaluation licenses are considered temporary because they expire after a certain period of time3. Plug-and-play licenses are valid for 15 days, while Evaluation licenses are valid for 30 days. References: Check Point Licensing and Contract Operations User Guide

The default shell of Gaia CLI is clish, which stands for Check Point command line interface shell1. It provides a user-friendly interface to configure and manage Check Point products. References: Check Point Gaia Administration Guide

 The GUI tool that can be used to view and apply Check Point licenses is SmartUpdate. SmartUpdate is a centralized tool that allows you to manage licenses, software packages, and hotfixes for multiple gateways and clusters12. cpconfig, Management Command Line, and SmartConsole are not tools for license management. References: Check Point R81 SmartUpdate Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

Captive Portal is an authentication method used for Identity Awareness4. Captive Portal is a web-based authentication method that redirects users to a browser-based login page when they try to access the network. Users must provide their credentials to access the network resources. Captive Portal can be used for guest users or users who are not identified by other methods4. SSL, PKI, and RSA are not authentication methods used for Identity Awareness, but rather encryption or certificate technologies. References: Identity Awareness Reference Architecture and Best Practices

Most Check Point deployments use Gaia, which is a unified operating system for all Check Point appliances, open servers, and virtualized gateways. However, some product deployments utilize special Check Point code, such as Scalable Platforms (formerly known as Maestro), which are high-performance security gateways that can scale up to 1.5 Tbps of firewall throughput. Scalable Platforms use a special version of Gaia OS called Gaia Embedded, which is planned to be unified with Gaia OS in R81.102. References: Check Point R81 Release Notes

 The two types of NAT supported by the Security Gateway are hide NAT and static NAT. Hide NAT translates many source IP addresses into one IP address, usually the external interface of the gateway. Static NAT translates one source IP address into another IP address, usually a public IP address34. The other options are not valid types of NAT. References: Network Address Translation (NAT), Check Point CCSA - R81: Practice Test & Explanation

This answer is correct because a standalone deployment is a valid option for installing a Check Point Security Gateway and a Security Management Server on the same machine1. This option is suitable for small or medium-sized networks that do not require high availability or load balancing1.

The other answers are not correct because they are either invalid or irrelevant options for deployment. CloudSec deployment is not a valid option, but it might be confused with CloudGuard, which is a Check Point solution for securing cloud environments2. Disliked deployment is not a valid option, but it might be a typo for Distributed deployment, which is a valid option for installing a Check Point Security Gateway and a Security Management Server on separate machines1. Router only deployment is not a valid option, but it might be confused with Router mode, which is a configuration option for a Check Point Security Gateway that enables it to act as a router and forward packets between interfaces3.

Gaia R81.20 Administration Guide

CloudGuard Network Security

Configuring Router Mode in Gaia Clish

Capsule Connect provides a Layer 3 VPN that allows users to access corporate resources securely from their mobile devices2. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications3. Capsule Workspace also provides a desktop with usable applications such as email, calendar, contacts, documents, and web applications3. References: Check Point Capsule Connect, Check Point Capsule Workspace

Automatic Hide NAT rules are created by the administrator when they configure NAT for network objects or groups in the object properties. Automatic Hide NAT rules allow multiple private IP addresses to share a single public IP address when accessing external networks. Source Port Address Translation (PAT) is enabled by default for Automatic Hide NAT rules, which means that the Security Gateway assigns a unique source port number for each connection from the same source IP address. This allows the Security Gateway to keep track of the connections and translate the reply packets correctly. 

The policy type that is used to enforce bandwidth and traffic control rules is QoS. QoS stands for Quality of Service and is a software blade that allows administrators to prioritize network traffic according to various criteria such as source, destination, service, application, user, etc. QoS can also limit the bandwidth consumption of certain traffic types or guarantee a minimum bandwidth for critical applications. References: [Check Point R81 QoS Administration Guide]

Back up and restores can be accomplished through SmartConsole, WebUI, or CLI12. These are the methods to perform system backup and restore, which save and restore the Gaia OS configuration and the Security Management Server database1. WebUI, CLI, or SmartUpdate are not valid methods, as SmartUpdate is used to install software packages and patches, not to back up or restore the system3. CLI, SmartUpdate, or SmartBackup are not valid methods, as SmartBackup is a feature of SmartProvisioning that allows backing up and restoring the configuration of Security Gateways and VSX clusters4. SmartUpdate, SmartBackup, or SmartConsole are not valid methods, as SmartConsole is used to configure and manage the Security Policy, not to back up or restore the system5.

References: System Backup and Restore feature in Gaia, Check Point R81.10, INSTALLATION AND UPGRADE GUIDE R81.10, SmartProvisioning R81.10 Administration Guide, QUANTUM SECURITY MANAGEMENT R81

The Check Point software blade that monitors Check Point devices and provides a picture of network and security performance is Monitoring. The Monitoring Software Blade presents a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. It centrally monitors Check Point devices and alerts security administrators to changes to gateways, endpoints, tunnels, remote users and security activities234. References: Monitoring Software Blade, Check Point Integrated Security Architecture, Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

The most likely reason for Vanessa’s authentication failure is that she is using the wrong details for SmartConsole. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. She needs to use the credentials that were defined during the initial configuration of the Security Management Server, or the ones that were assigned to her by the administrator12. The other options are not valid reasons for this error. References: SmartConsole Login, Check Point CCSA - R81: Practice Test & Explanation

 Gaia has two default user accounts that cannot be deleted. They are Admin and Monitor. Admin is the user account that has full administrative privileges and can access both WebUI and CLI. Monitor is the user account that has read-only privileges and can access only WebUI2. The other options are not default user accounts in Gaia.

Two basic rules that Check Point recommends for building an effective security policy are Cleanup Rule and Stealth Rule. A Cleanup Rule is a rule that is placed at the end of the rule base and drops or logs any traffic that does not match any of the previous rules2. A Stealth Rule is a rule that is placed at the top of the rule base and protects the Security Gateway from direct access by unauthorized users3. The other options are not basic rules for building a security policy, but rather types or categories of rules.

When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is saved to the SmartConsole cache and is available for future Security Management Server authentications. The fingerprint is a unique identifier of the Security Management Server that is used to verify its identity and prevent man-in-the-middle attacks. The SmartConsole cache is a local folder on the client machine that stores temporary files and settings.

References: Check Point Security Management Administration Guide R81, p. 25-26

The Transport layer of the TCP/IP model is responsible for managing the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the target application. It also provides error detection and correction, flow control, and multiplexing. The Transport layer uses protocols such as TCP and UDP.

References: Check Point Security Engineering Study Guide, p. 10-11

 The answer is A because Identity Awareness commands are used to support identity sharing between Security Gateways. Policy Decision Point (PDP) is the Security Gateway that collects identities from various sources and shares them with other gateways. Policy Enforcement Point (PEP) is the Security Gateway that enforces the policy based on the identities received from the PDP12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Security Management Administration Guide

Identity Sharing is a feature that allows Security Gateways to acquire and share identities with other Security Gateways, enabling identity-based access control across different network segments or domains13. Management servers, users, and administrators do not share identities with Security Gateways.

References: Identity Awareness R81.10 Administration Guide, Check Point R81.10

The Publish operation sends the modifications made via SmartConsole in the private session and makes them public is the correct answer. This is because publishing is the process of saving your changes to the database and making them available to other administrators. Publishing also allows you to install policies on Security Gateways. References: [Publishing Changes]

When a Security Gateway sends its logs to an IP address other than its own, it means that the Security Gateway and the Log Server are installed on different machines. This is a characteristic of a Distributed deployment3. Therefore, the correct answer is A

URL Filtering is a blade that enables administrators to control access to millions of websites by category, users, groups, and machines. URL Filtering can be used to improve organizational security, decrease legal liability, and control data security by preventing users from accessing malicious or inappropriate websites. However, URL Filtering cannot be used to control bandwidth issues, such as limiting the amount of traffic or prioritizing certain applications over others3. For that purpose, other blades such as QoS (Quality of Service) or SecureXL are more suitable. References: Check Point R81 URL Filtering Administration Guide

The correct answer is A because detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature of the Check Point URL Filtering and Application Control Blade3. This feature is part of the Check Point Anti-Virus and Anti-Bot Blades3. The other options are features of the Check Point URL Filtering and Application Control Blade3. References: Check Point R81 URL Filtering and Application Control Administration Guide

Domain-based— VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

This statement is not true because a VPN domain is not a service or user, but a host or network that can send or receive VPN traffic through a VPN Gateway1. This is the definition given in the Site to Site VPN R81 Administration Guide1. The other statements are true according to the same guide1.

Remote Access VPN R81.20 Administration Guide

Site to Site VPN R81 Administration Guide

DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud

NAT (Network Address Translation) is a technique that modifies the IP addresses or ports of packets that pass through a security gateway. NAT can be configured in two ways: Automatic or Manual. Automatic NAT means that the NAT rules are generated automatically by the security gateway based on the NAT properties of network objects. Manual NAT means that the NAT rules are defined explicitly by the administrator in the NAT policy. Proxy ARP (Address Resolution Protocol) is a technique that allows a security gateway to answer ARP requests on behalf of other hosts. Proxy ARP is needed when a host on one network segment tries to communicate with a host on another network segment that has a different IP address than its own. In some scenarios, an administrator will need to manually define Proxy ARP for NAT to work properly. One such scenario is when they configure a Manual Static NAT which translates to an IP address that does not belong to one of the firewall’s interfaces2. References: Check Point R81 Network Address Translation Administration Guide

This answer is correct because the vpn tu command is used for VPN tunnel management and shows detailed information about VPN tunnels, such as the tunnel ID, peer IP, encryption domain, and status1. This command will bring up a menu for you to choose from, such as list all IPsec SAs, delete all IPsec SAs, or delete IPsec SA for given peer1.

The other answers are not correct because they either show different information or do not exist as commands. The cat $FWDlR/conf/vpn.conf command shows the VPN configuration file, which contains the VPN domains, communities, and encryption settings2. The vpn tu tlist command does not exist, but it might be confused with the vpn tunnelutil tlist command, which shows the tunnel utilization statistics3. The cpview command shows the Check Point real-time performance monitoring tool, which displays various system and network parameters, such as CPU, memory, disk, interfaces, and VPN4.

How to use the “vpn tu” command for VPN tunnel management

New VPN daemons in R81.10 / R81.20 - Check Point CheckMates

Remote Access VPN R81.20 Administration Guide - Check Point Software

Remote Access VPN R81 Administration Guide - Check Point Software

The command show config-state can be used to verify if there are unsaved changes in GAiA that will be lost with a reboot . The other commands are not valid in GAiA. References: [Check Point GAiA Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation]

When a gateway requires user information for authentication, it queries servers for user information in the following order: first the internal user database, then the generic external user profile, and finally LDAP servers in order of priority. The internal user database is a local database that stores user information on the Security Gateway or Security Management Server. The generic external user profile is a predefined profile that allows users to authenticate with any external server that supports RADIUS or TACACS protocols. LDAP servers are external servers that use the Lightweight Directory Access Protocol to store and retrieve user information. The gateway queries LDAP servers according to the priority that is defined in the LDAP Account Unit object properties. 

 In R80 Management, apart from using SmartConsole, objects or rules can also be modified using a complete CLI and API interface using SSH and custom CPCode integration. This allows you to automate tasks, integrate with third-party tools, and create custom scripts . 3rd Party integration of CLI and API for Gateways or Management prior to R80 is not relevant for R80 Management. A complete CLI and API interface for Management with 3rd Party integration is not a specific option. References: [Check Point R81 Security Management Administration Guide], [Check Point Learning and Training Frequently Asked Questions (FAQs)]

 Once a license is activated, a Service Contract file should be installed. This file contains information about the license expiration date, support level, and other details3. The other options are not valid file names.

References: 3: Check Point R81 Security Management Administration Guide, page 15.

 The type of Check Point license that ties the package license to the IP address of the Security Management Server is Central license. A Central license is a license that is installed on the Security Management Server and applies to all the Security Gateways that are managed by it. The Central license is based on the IP address of the Security Management Server and cannot be transferred to another Security Management Server with a different IP address.References: [Check Point R81 Licensing Guide], [Managing and Installing license via SmartUpdate]

The answer is A because an identity server uses a shared secret for user authentication. A shared secret is a passphrase that is known by both the identity server and the user. The identity server sends a challenge to the user, who encrypts it with the shared secret and sends it back. The identity server then verifies the response and authenticates the user12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Identity Server

The reason why querying logs now are very fast is that Indexing Engine indexes logs for faster search results. Indexing Engine is a component of R81 Management that creates and maintains an index of log data, which enables quick and efficient log searches4. The other options are not related to the speed of log querying. The amount of logs being stored may vary depending on the log retention settings. New Smart-1 appliances may have improved hardware specifications, but they do not affect the log querying process directly. SmartConsole queries results from the Security Management Server, not from the Security Gateway.

References: 1: HTTPS Inspection 2: Browser-Based Authentication 3: URL Filtering 4: Indexing Engine

 It is Best Practice to have an Explicit CleanUp rule at the end of each policy layer. This rule will log and drop any traffic that does not match any of the preceding rules in the layer1, p. 23. References: Check Point CCSA - R81: Practice Test & Explanation

RADIUS protocol uses UDP (User Datagram Protocol) to communicate with the gateway. UDP is a connectionless protocol that does not require a handshake or acknowledgment before sending or receiving data2.

References: 2: [Check Point R81 Identity Awareness Administration Guide], page 14.

Gaia can be managed through CLI, WebUI, and SmartDashboard1, p. 17-18. CLI is a command-line interface that allows administrators to configure and monitor Gaia using commands and scripts. WebUI is a web-based interface that allows administrators to configure and monitor Gaia using a browser. SmartDashboard is a graphical user interface that allows administrators to manage security policies and objects for Gaia devices. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Gaia Administration Guide R81], [Check Point Security Management Administration Guide R81]

The four policy types available for each policy package are Access Control, Threat Prevention, NAT, and HTTPS Inspection. Access Control is the policy type that defines the basic firewall rules. Threat Prevention is the policy type that enables the protection against various types of attacks, such as IPS, Anti-Virus, Anti-Bot, etc. NAT is the policy type that defines the network address translation rules. HTTPS Inspection is the policy type that allows the inspection of encrypted traffic1. The other options are not valid policy types for each policy package.

The Stealth Rule is used to prevent users from directly connecting to a Security Gateway. It is usually placed at the top of the rule base, before any other rule that allows traffic to the Security Gateway1, p. 32. References: Check Point CCSA - R81: Practice Test & Explanation

 Application Control is the software blade that enables Access Control policies to accept, drop, or limit web site access based on user, group, and/or machine. Application Control allows you to define granular rules for applications, web sites, web categories, web content types, and users. You can also use Application Control to monitor and block risky applications and web usage. References: [Application Control Administration Guide R80.40]

A standalone deployment is when the security management server and Security Gateway are installed on the same appliance. This is suitable for small or branch office environments1

 Stateful Inspection and Proxies are two different technologies for implementing firewall security. Stateful Inspection is a technique that inspects packets at the network layer and maintains a state table that tracks the status of each connection. Proxies are applications that act as intermediaries between clients and servers, and inspect packets at the application layer. The competition between stateful inspection and proxies was based on performance, protocol support, and security. When it comes to performance, stateful inspection was significantly faster than proxies, because it did not have to process the payload of each packet and could handle more concurrent connections1. References: Check Point R81 Security Gateway Technical Administration Guide

A shared policy is a set of rules that can be used in multiple policy packages. It allows the administrator to create a common security policy for different gateways or domains, and avoid duplication and inconsistency. The other options are not advantages of a shared policy. References: [Shared Policies Overview], [Shared Policies Best Practices]

In Check Point Gaia WebUI, different icons are used to indicate various system states.

Eyeglasses (A) typically represent "view-only" access.

Pencil (B) represents "edit" or read/write access, meaning the user can modify configurations.

Padlock (C) is often used to indicate locked or restricted settings.

Book (D) does not indicate access permissions.

Therefore, the correct answer is "Pencil" (B), which represents that read/write access is enabled in the WebUI.

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work. This is because SmartConsole uses a session mechanism that allows users to work offline and save their changes locally until they are ready to publish them to the Management13. If Tom loses connectivity, he can resume his session when he reconnects and continue working on his Rule Base changes. He does not need to reboot his SmartConsole computer, clear the cache, or restore changes. His changes will not be lost since he lost connectivity. References: Check Point R81 Security Management Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

When a policy package is installed, user and objects databases are also distributed to the target installation Security Gateways14. The user and objects databases contain information about network objects, users, groups, services, VPN domains, and more14. Therefore, the correct answer is A. User and objects databases.

The icon in the WebUI that indicates that read/write access is enabled is the Pencil icon . The Pencil icon appears next to the name of the device when it is in Read/Write mode, which allows making changes to the configuration. The Padlock icon indicates that read-only access is enabled, which prevents making changes to the configuration. The Book icon indicates that online help is available, which provides information and guidance on using the WebUI. The Eyeglasses icon indicates that a view-only mode is enabled, which allows viewing the configuration without logging in.

References: Gaia R81.10 Administration Guide, WebUI Overview

Resource is NOT an objects category in SmartConsole1, p. 18. The objects categories in SmartConsole are Network Object, Host, Network, Group, Gateway, Cluster, VPN Community, Service, Time Object, Access Role, Custom Application / Site, Data Center Object, Limit. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point SmartConsole R81 Help]

The Windows Security Event that will NOT map a username to an IP address in Identity Awareness is Kerberos Ticket Timed Out. This event occurs when a Kerberos ticket expires and is not renewed, which means that the user is no longer active on the network. Identity Awareness does not use this event to map a username to an IP address, as it does not indicate a valid user session. The other events are used by Identity Awareness to map a username to an IP address, as they indicate a successful user authentication or activity on the network.

References: [Kerberos Ticket Expiration and Renewal], [Identity Awareness AD Query]

The command fwaccel stat shows the status of SecureXL, including whether Drop Templates are enabled or not1. References: Check Point SecureXL R81 Administration Guide

 Security Gateway software blades must be attached to a Security Gateway container. A Security Gateway container is a logical object that represents a physical or virtual machine that runs the Security Gateway software. A software blade is a modular security feature that can be enabled or disabled eway container. A software blade can provide functions such as firewall, VPN, IPS, anti-virus, anti-bot, application control, URL filtering, etc.References: [Security Gateway Containers], [Software Blades]

Quick Mode Complete is the message that indicates IKE Phase 2 has completed successfully2. IKE Phase 2 is also known as Quick Mode or Child SA in IKEv1 and IKEv2 respectively. Aggressive Mode and Main Mode are part of IKE Phase 1, which establishes the IKE SA. IKE Mode is not a valid term for IKE negotiation. References: How to Analyze IKE Phase 2 VPN Status Messages, IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges, Understand IPsec IKEv1 Protocol

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References: Check Point Security Management Administration Guide R81, p. 9

 Snapshot is the backup utility that captures the most information and tends to create the largest archives. Snapshot creates an image of the entire system, including operating system files, configuration files, databases, and logs. It can be used to restore the system in case of a failure or corruption. Backup creates a compressed file that contains configuration files and databases, but not operating system files or logs. It can be used to restore configuration settings and policies. Database Revision creates a backup of only the database files that store policies and objects. It can be used to revert to a previous revision of the database. Migrate export creates a compressed file that contains configuration files, databases, and logs, but not operating system files. It can be used to migrate data from one machine to another with different hardware or software versions.References: [Backup and Restore], [Database Revision Control], [Migrate Tools], [Hewlett Packard Enterprise Support Center]

 URL Filtering employs a technology called UserCheck, which educates users on web usage policy in real time. UserCheck is a feature that allows the firewall to interact with the users and inform them about the web usage policy and its violations. UserCheck can also allow users to request access to blocked websites or report false positives. UserCheck helps users understand and comply with the web usage policy and reduces the workload of the administrators.

While enabling the Identity Awareness blade, the Identity Awareness wizard does not automatically detect the Windows domain because the SmartConsole machine is not part of the domain. The SmartConsole machine needs to be a member of the Windows domain or have access to a domain controller in order to detect the domain automatically2.

References: 2: Check Point R81 Identity Awareness Administration Guide, page 10.

According to the Learn More About Threat Signatures4, to quickly review when Threat Prevention signatures were last updated, you can use the IPS Protections tool. This tool shows you the date and time of the last update, as well as the number of signatures and their categories. References: Learn More About Threat Signatures

The way that the objects can be manipulated using the new API integration in R80 Management is JSON. JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans and machines to read and write. The R80 Management API uses JSON as the primary data format for requests and responses. Therefore, the correct answer is B. JSON.

The scenario where it is a valid option to transfer a license from one hardware device to another is from a 4400 Appliance to a 2200 Appliance. This is because both appliances are Check Point products and have the same license type (Central License). You can transfer a license from one hardware device to another if they have the same license type and vendor3. Therefore, the correct answer is A. From a 4400 Appliance to a 2200 Appliance. 

The command that shows the installed licenses is cplic print. This command displays the license information on a Check Point server or Security Gateway. It shows the license type, expiration date, attached blades, etc. The other options are incorrect. print cplic is not a valid command. fwlic print is not a valid command. show licenses is not a valid command. References: [How to check license status on SecurePlatform / Gaia from CLI]

 src:192.168.1.1 AND dst:172.26.1.1 AND action:Drop is the correct log query to show only dropped packets with source address of 192.168.1.1 and destination address of 172.26.1.1. The AND operator means that all conditions must be true for the query to match. The OR operator means that any condition can be true for the query to match3. The other queries will either show packets that are not dropped or packets that have different source or destination addresses.

The Shared policies feature allows administrators to share a policy with other policy packages3. This can save time and effort when managing multiple gateways with similar security requirements. Shared policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers4. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartConsole R81 Resolved Issues

 The correct answer is A because session unique identifiers are passed to the web api using the X-chkp-sid http header option1. The X-chkp-sid header is used to authenticate and authorize API calls1. The other options are not related to session unique identifiers. References: Check Point R81 Security Management Administration Guide

Certificate based Authentication is the only authentication method available between two Security Gateway managed by the same SMS. This is because certificate based authentication provides stronger security and easier management than pre-shared secret authentication. The other options are either incorrect or irrelevant for this scenario. References: [Check Point R80.10 - Part 6 - Certificate Based Authentication]

The Online Activation method is available for Check Point manufactured appliances. The administrator uses the Online Activation method by using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts. This method requires internet access and a valid User Center account. References: [Check Point Licensing and Contract Operations User Guide], [Check Point R81 Gaia Installation and Upgrade Guide]

 SmartUpdate is the application that is used for the central management and deployment of licenses and packages. SmartUpdate allows administrators to manage licenses, software updates, and hotfixes for multiple Security Gateways and cluster members from one central location2. SmartProvisioning is an application that enables centralized management of network devices. SmartLicense is a feature that simplifies license management by using a cloud-based portal. Deployment Agent is a component that enables automatic deployment of software packages3.

 In hide NAT, the source IP address is translated. Hide NAT is also known as many-to-one NAT or PAT (Port Address Translation). It maps multiple private IP addresses to one public IP address by using different port numbers. Hide NAT allows outbound connections from the private network to the public network, but not inbound connections from the public network to the private network. In static NAT, the source or destination IP address is translated depending on the direction of the traffic. Static NAT is also known as one-to-one NAT or bi-directional NAT. It maps one private IP address to one public IP address and allows both outbound and inbound connections. In simple NAT, there is no translation of IP addresses. Simple NAT is also known as routing mode or transparent mode. It allows traffic to pass through the NAT device without any modification. There is no hide NAT for destination IP address translation5678 References: What Is Network Address Translation (NAT)?, Network address translation, Network Address Translation Definition, Network Address Translation (NAT)

When an encrypted packet is decrypted, this happens in the security policy4. The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy. References: Check Point R81 VPN Administration Guide

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 811612. The other statements are true about Delta synchronization. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

The Status Attention means that at least one Software Blade has a minor issue, but the gateway works1. For example, this could indicate a license expiration warning, a policy installation failure, or a blade activation problem2. References: Check Point R81 SmartConsole Guide, Check Point R81 Security Management Administration Guide

Correlation Unit is the SmartEvent component that creates events. It analyzes logs received from Security Gateways and Servers, and generates security events according to the definitions in the Consolidation Policy. References: [SmartEvent R80.40 Administration Guide], [Correlation Unit]

The R80.10 management server can manage gateways with versions R76 and higher34. Versions lower than R76 are not supported by the R80.10 management server. References: Check Point R80.10 Release Notes, Free Check Point CCSA Sample Questions and Study Guide

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL)1, p. 47. The CRL is a list of certificates that have been revoked before their expiration date4. References: Check Point CCSA - R81: Practice Test & Explanation, Free Check Point CCSA Sample Questions and Study Guide

Secure Internal Communication (SIC) is handled by the CPD process3. CPD is the Check Point Daemon that runs on all Check Point modules and handles internal licensing and SIC operations. SIC is a mechanism that ensures secure communication between Check Point components using certificates and encryption. References: Check Point R81 Security Management Administration Guide

The IPS (Intrusion Prevention System) Software Blade provides comprehensive protection against malicious and unwanted network traffic, focusing on application and server vulnerabilities. The other options are not related to this function.

References: : [Check Point R81 Threat Prevention Administration Guide], page 9.

There are two default users on Gaia Platform and neither can be deleted. The two default users are admin and monitor. The admin user has full access to the Gaia configuration and management tools, such as CLI and WebUI. The monitor user has read-only access to the Gaia configuration and management tools, and can only view the system status and settings. These two users cannot be deleted, but their passwords can be changed.References: [Gaia Administration Guide], [Gaia Overview]

If there is an Accept Implied Policy set to “First”, Jorge cannot see any logs because Log Implied Rule was not selected on Global Properties. The Log Implied Rule option enables logging for all implied rules, such as DHCP, anti-spoofing, and cleanup rules.

References: : Check Point R81 Security Management Administration Guide, page 103.

In Check Point Gaia OS, the default command-line shell is Clish (B).

Clish (Command Line Shell) is a restricted shell used in Gaia for role-based administration. It controls user access and limits the number of available commands.

Expert mode (C) is an elevated shell that provides full system root access, but it is not the default shell. Users must explicitly enter expert mode.

Bash (D) is the underlying Linux shell, but it is not the default.

Admin (A) is not a shell but rather a user role in Gaia.

Thus, the correct answer is B. Clish.

The steps to configure the HTTPS Inspection Policy are as follows34:

Go to Manage & Settings > Blades > HTTPS Inspection > Policy.

Click on New HTTPS Inspection Rule or select an existing rule and click on Edit Rule.

Define the Source, Destination, and Action for the rule. The action can be either Inspect, Bypass, or Ask.

Click on OK and then on Install Policy to apply the changes. References: HTTPS Inspection R81 Administration Guide, Check Point CCSA - R81: Practice Test & Explanation

The commands you could use to set the IP to 192.168.80.200/24 and default gateway to 192.168.80.1 after the initial installation on Check Point appliance are:

set interface Mgmt ipv4-address 192.168.80.200 mask-length 24. This command sets the IPv4 address and subnet mask of the Management interface.

set static-route default nexthop gateway address 192.168.80.1 on. This command sets the default gateway for IPv4 routing.

save config. This command saves the configuration changes.

References: [Check Point R81 Gaia CLI Reference Guide], [Check Point R81 Gaia Administration Guide]

The correct answer is D because the command save configuration  stores the Gaia configuration in a file for later reference1. The other commands are not valid in Gaia Clish1. References: Gaia R81.10 Administration Guide

To provide updated malicious data signatures to all Threat Prevention blades, the Threat Prevention gateway does share the data to the ThreatCloud for use by other Threat Prevention blades. The ThreatCloud is a collaborative network and cloud-driven knowledge base that delivers real-time dynamic security intelligence to security gateways. The Threat Prevention gateway can send and receive updates from the ThreatCloud about new threats and malicious data signatures. References: [Check Point R81 Threat Prevention Administration Guide]

The type of NAT that is a one-to-one relationship where each host is translated to a unique address is Static NAT. Static NAT maps an unregistered IP address to a registered IP address on a one-to-one basis3. This means that for each internal host, there is a corresponding external address that represents it3. Therefore, the correct answer is B

 Identity Awareness is a software blade that lets an administrator easily configure network access and auditing based on three items: network location, the identity of a user, and the identity of a machine. These items are used to identify and authenticate users and machines, and to enforce identity-based policies. Network location refers to the IP address or subnet of the source or destination of the traffic. The identity of a user can be obtained from various sources, such as Active Directory, LDAP, or Captive Portal. The identity of a machine can be verified by using Secure Domain Logon or Identity Agent. 

The types of VPN communities are Meshed, Star, and Combination. A Meshed community is a group of Security Gateways that have VPN connections between every pair of members. A Star community has one Security Gateway as the center and other Security Gateways or hosts as satellites. A Combination community is a group of Meshed and Star communities. References: [Check Point R81 Site-to-Site VPN Administration Guide]

The steps you will need to do in SmartConsole in order to get the connection working behind the Internet Security Gateway are:

Define an accept rule in Security Policy. This rule allows the traffic from your internal networks to pass through the Security Gateway.

Define automatic NAT for each network to NAT the networks behind a public IP. This option translates the private IP addresses of your internal networks to a public IP address assigned by your ISP router. This way, your internal networks can communicate with the Internet using a valid IP address.

Publish and install the policy. This step applies the changes you made to the Security Gateway and activates the security and NAT rules.

References: Check Point R81 Quantum Security Gateway Guide

According to the Hewlett Packard Enterprise Support Center3, the snapshot command uses the command line to create an image of the OS. A snapshot is a point-in-time copy of a disk partition that can be used to restore the system in case of a failure or corruption. References: Hewlett Packard Enterprise Support Center

The Check Point software blade that provides Application Security and identity control is Application Control3 . Application Control enables network administrators to identify, allow, block, or limit usage of thousands of applications and millions of websites3 . Therefore, the correct answer is D. Application Control

The fwm process is responsible for managing the communication between the SmartConsole and the Security Management Server. It can only be seen on a Management Server12. References: Check Point Processes and Daemons, Check Point CCSA - R81: Practice Test & Explanation

SmartConsole, SmartEvent GUI client, and SmartView Web Application allow viewing of billions of consolidated logs and shows them as prioritized security events1. SmartView Web Application is a web-based interface that provides access to SmartEvent reports and dashboards2. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartEvent Administration Guide

 Bridge Mode Check Point Security Gateway does not support NAT. Bridge Mode is a deployment option that allows the Security Gateway to inspect traffic without being a routing hop. In Bridge Mode, the Security Gateway does not have an IP address and cannot perform NAT1. Therefore, the correct answer is C. NAT. 

CPUSE - Check Point Upgrade Service Engine is the tool that allows for the automatic updating of the Gaia OS and Check Point products installed on the Gaia OS. CPUSE is a web-based tool that simplifies the installation of software updates, hotfixes, and upgrade packages on Gaia OS2. The other options are not valid tools for updating Gaia OS and Check Point products.

 The correct answer is A because a pencil icon in a rule means that you have changed this rule3. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when3. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

The Sticky Decision Function (SDF) can only be changed for Load Sharing implementations, not for High Availability implementations4. References: Check Point ClusterXL R81 Administration Guide