156-215.81 Check Point Certified Security Administrator R81.20 Questions and Answers

To increase security, the administrator has modified the Core protection ‘Host Port Scan’ from ‘Medium’ to ‘High’ Predefined Sensitivity. The administrator should install the Threat Prevention Policy after Publishing the changes3. The Threat Prevention Policy defines how the Security Gateway inspects and protects against threats such as port scans, bot attacks, and zero-day exploits4. References: Check Point R81 Firewall Administration Guide, Check Point R81 Threat Prevention Administration Guide

Since Bob and Joe both have Administrator Roles on their Gaia Platform and they both are logged in on different interfaces, they will both be able to make changes. Gaia allows multiple administrators to log in simultaneously and perform different tasks without locking the database or logging out each other. References: Gaia R81.20 Administration Guide, page 18.

Gaia includes Check Point Upgrade Service Engine (CPUSE), which can directly receive updates for licensed Check Point products for the Gaia operating system and the Gaia operating system itself. CPUSE is an advanced tool that automates software updates and upgrades on Gaia platforms. It can download and install packages such as hotfixes, Jumbo Hotfix Accumulators, minor versions, major versions, and OS updates.References: [CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)], [Check Point R81]

To provide updated malicious data signatures to all Threat Prevention blades, the Threat Prevention gateway does share the data to the ThreatCloud for use by other Threat Prevention blades. The ThreatCloud is a collaborative network and cloud-driven knowledge base that delivers real-time dynamic security intelligence to security gateways. The Threat Prevention gateway can send and receive updates from the ThreatCloud about new threats and malicious data signatures. References: [Check Point R81 Threat Prevention Administration Guide]

 To use Application objects in a rule, the “Applications & URL Filtering” blade should be enabled on the policy layer where the rule is being created. Enabling the “Application Control” blade on a gateway is not enough3.

References: 3: Check Point R81 Security Management Administration Guide, page 102.

One of the major features in R80.x SmartConsole is concurrent administration, which allows multiple administrators to work on the same Security Policy at the same time12. However, only one administrator can edit a rule at a time. If AdminA and AdminB are editing the same rule at the same time, it will cause a conflict and prevent them from saving their changes12. Therefore, the correct answer is B. AdminA and AdminB are editing the same rule at the same time.

SmartLog is a unified log viewer that provides fast and easy access to logs from all Check Point components3. It allows the administrator to query for any log field, such as the IP address of the tablet, and filter the results by time, severity, blade, action, and more4. SmartView Tracker is a legacy tool that displays network activity logs from Security Gateways and other Check Point devices. It does not support remote connection to the wireless controller or querying for specific IP addresses. References: SmartLog, SmartLog Queries, [SmartView Tracker]

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 811612. The other statements are true about Delta synchronization. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

RADIUS protocol uses UDP (User Datagram Protocol) to communicate with the gateway. UDP is a connectionless protocol that does not require a handshake or acknowledgment before sending or receiving data2.

References: 2: [Check Point R81 Identity Awareness Administration Guide], page 14.

LDAP (Lightweight Directory Access Protocol) is a protocol that allows accessing and maintaining distributed directory information services over a network. User Directory integration is a feature of Identity Awareness that allows Check Point products to use LDAP servers as identity sources. When configuring LDAP with User Directory integration, changes applied to a User Directory template are reflected immediately for all users who are using that template. A User Directory template defines the settings for connecting to an LDAP server and retrieving user information3. References: Check Point R81 Identity Awareness Administration Guide

Service blades must be attached to a Security Gateway. A Security Gateway is a device that enforces security policies on traffic that passes through it. A service blade is a software module that provides a specific security function, such as firewall, VPN, IPS, etc. A Security Gateway can have one or more service blades attached to it, depending on the license and hardware capabilities. The other options are incorrect. A management container is a virtualized environment that hosts a Security Management Server or a Log Server. A management server is a device that manages security policies and distributes them to Security Gateways. A Security Gateway container is not a valid term in Check Point terminology. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 CloudGuard Administration Guide]

 Packet filtering is a technique that controls the flow of network data by examining the headers of packets and applying a set of rules to accept or reject them. Packet filtering has some advantages, such as efficiency, cost-effectiveness, ease of use, and transparency3. However, it also has some disadvantages, such as low security and no screening above the network layer4. Packet filtering firewalls cannot inspect the payload of packets or the application layer protocols, which makes them vulnerable to attacks that exploit higher-level vulnerabilitie

The three deployment considerations for a secure network are Remote, Standalone, and Distributed3. Remote deployment means that the Security Management Server and Security Gateway are installed on different machines. Standalone deployment means that the Security Management Server and Security Gateway are installed on the same machine. Distributed deployment means that there are multiple Security Gateways managed by one or more Security Management Servers3. Therefore, the correct answer is C. Remote, Standalone, and Distributed.

CloudGuard is not a valid deployment option for R80. CloudGuard is a product name for Check Point’s cloud security solutions, not a deployment mode. The valid deployment options for R80 are all-in-one (stand-alone), distributed, and bridge mode. In an all-in-one deployment, the Security Management Server and Security Gateway are installed on the same machine. In a distributed deployment, the Security Management Server and Security Gateway are installed on separate machines. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own3References: CloudGuard, [Part 4 - Installing Security Gateway], [Deployment Options]

The answer is B because Geo policy shared policy is used to create policy for traffic to or from a particular location based on the source or destination country. DLP shared policy is used to prevent data loss by inspecting files and data for sensitive information. Mobile Access software blade is used to provide secure remote access to corporate resources from various devices. HTTPS inspection is used to inspect encrypted web traffic for threats and compliance4References: Check Point R81 Geo Policy Administration Guide, [Check Point R81 Data Loss Prevention Administration Guide], [Check Point R81 Mobile Access Administration Guide], [Check Point R81 HTTPS Inspection Administration Guide]

Threat Extraction is the Security Blade that needs to be enabled in order to sanitize and remove potentially malicious content from files, before those files enter the network. It can strip out active content, embedded objects, and other risky elements from documents and deliver a safe version of the file to the user. References: Remote Access VPN R81.20 Administration Guide, page 18.

The port used for full synchronization between cluster members is TCP port 2654. This port is used by the Firewall Kernel to send and receive synchronization data, such as connection tables, NAT tables, and VPN keys4. UDP port 8116 is used by the Cluster Control Protocol (CCP) for internal communications between cluster members4. References: How does the Cluster Control Protocol function in working and failure scenarios for gateway clusters?

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud123. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications2. Capsule Docs protects business documents everywhere they go with encryption and access control1. Capsule Cloud provides cloud-based security services to protect mobile users from threats3. References: Check Point Capsule, Check Point Capsule Workspace, Mobile Secure Workspace with Capsule

When doing a Stand-Alone Installation, you would install the Security Management Server with none of the other Check Point architecture components. A Stand-Alone Installation is a type of installation that combines the Security Management Server and the Security Gateway on one computer or appliance3, p. 14. SmartConsole, SecureClient, and SmartEvent are not Check Point architecture components, but software applications that can be installed separately. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Installation and Upgrade Guide R81]

From SmartConsole, go to the Log & Monitor and filter for the IP address of the tablet is the correct answer. This is because the Log & Monitor view in SmartConsole allows you to view and analyze logs and events from various sources, such as Security Gateways, Security Management Servers, and SmartEvent Servers. You can use filters to search for specific logs and events based on different criteria, such as source IP, destination IP, action, time, etc. References: [Logging and Monitoring Administration Guide R80.20]

Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of his work. This is because SmartConsole uses a session mechanism that allows users to work offline and save their changes locally until they are ready to publish them to the Management13. If Tom loses connectivity, he can resume his session when he reconnects and continue working on his Rule Base changes. He does not need to reboot his SmartConsole computer, clear the cache, or restore changes. His changes will not be lost since he lost connectivity. References: Check Point R81 Security Management Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

While enabling the Identity Awareness blade, the Identity Awareness wizard does not automatically detect the Windows domain because the SmartConsole machine is not part of the domain. The SmartConsole machine needs to be a member of the Windows domain or have access to a domain controller in order to detect the domain automatically2.

References: 2: Check Point R81 Identity Awareness Administration Guide, page 10.

The default shell of Gaia CLI is clish, which stands for Check Point command line interface shell1. It provides a user-friendly interface to configure and manage Check Point products. References: Check Point Gaia Administration Guide

 To ensure that VMAC mode is enabled, you should run the command fw ctl get int fwha_vmac_global_param_enabled on all cluster members and check that the result of the command returns the value 11. This command shows the current value of the global kernel parameter fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled or disabled. VMAC mode is a feature that associates a Virtual MAC address with each Virtual IP address of the cluster, which reduces the need for Gratuitous ARP packets and improves failover performance1. The other options are incorrect. Option A is not a valid command. Option C is a command to show the status of cluster interfaces, not VMAC mode2. Option D is a command to show the value of a different global kernel parameter, fwha_vmac_global_param_enabled, which controls whether VMAC mode is enabled for all interfaces or only for non-VLAN interfaces1. References: How to enable ClusterXL Virtual MAC (VMAC) mode, cphaprob

The method to update the trusted log server regarding the policy and configuration changes performed on the Security Management Server is Save Policy. Saving a policy updates the trusted log server with the latest policy and configuration changes3. References: Check Point R81 Logging and Monitoring Administration Guide

 Log query results can be exported to Comma Separated Value (csv) file format. CSV is a file format that stores tabular data in plain text. It is compatible with various applications, such as Excel, Google Sheets, etc. The other options are not valid file formats for exporting log query results.

References: 1: Gaia Roles 2: Gaia Default Users 3: Anti-Virus : [Exporting Logs]

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own. In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties34 References: Part 4 - Installing Security Gateway, Deployment Options

SmartConsole is a unified graphical user interface that allows administrators to manage multiple Check Point security products from a single console. More than one administrator can log into the Security Management Server with SmartConsole with write permission at the same time. Every administrator works in a session that is independent of the other administrators. The changes made by one administrator are not visible to others until they are published2. References: Check Point R81 SmartConsole R81 User Guide

 Only one user can have read/write access in Gaia Operating System at one time2. This is to prevent conflicts and errors when multiple users try to modify the same configuration settings. References: Check Point Gaia Administration Guide

The R80.10 management server can manage gateways with versions R76 and higher34. Versions lower than R76 are not supported by the R80.10 management server. References: Check Point R80.10 Release Notes, Free Check Point CCSA Sample Questions and Study Guide

When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is saved to the SmartConsole cache and is available for future Security Management Server authentications. The fingerprint is a unique identifier of the Security Management Server that is used to verify its identity and prevent man-in-the-middle attacks. The SmartConsole cache is a local folder on the client machine that stores temporary files and settings.

References: Check Point Security Management Administration Guide R81, p. 25-26

The Full Identity Agent allows packet tagging and computer authentication2. Packet tagging is a feature that enables the Security Gateway to identify the source user and machine of each packet, regardless of NAT or routing. Computer authentication is a feature that enables the Security Gateway to authenticate machines that are not associated with any user, such as servers or unattended workstations. The other options are incorrect. Endpoint Security Client is not an Identity Agent, but a software that provides endpoint security features such as firewall, antivirus, VPN, etc. Light Agent is an Identity Agent that does not require installation and runs on a web browser, but it does not support packet tagging or computer authentication. System Agent is not an Identity Agent, but a software that provides system information and health monitoring for endpoints. References: Check Point Identity Agent for Microsoft Windows 10

The statement that is true regarding Gaia command line is that all configuration changes should be made in CLISH and expert-mode should be used for OS-level tasks. CLISH is the default shell of Gaia CLI that provides a limited set of commands for basic configuration and troubleshooting. Expert mode is an advanced shell that allows running Linux commands and accessing the file system. Configuration changes should not be done in expert-mode, as they may cause inconsistencies or errors in the system. The other statements are false regarding Gaia command line. 

The default Gaia user that has full read/write access is admin3. The admin user is the superuser that can perform any administrative task on the Gaia system, such as configuring network settings, installing software updates, managing licenses, creating snapshots, and more. The admin user can also access the Gaia Portal, which is a web-based interface for managing Gaia settings and features. References: Check Point R81 Gaia Administration Guide

In a Distributed deployment, the Security Gateway and the Security Management software are installed on different computers or appliances2. This allows for better scalability and performance. References: Check Point Security Management Administration Guide R81

USB media created with Check Point ISOMorphic is the most recommended installation method for Check Point appliances, as it provides a fast and easy way to install the Gaia operating system and the latest software version4. SmartUpdate installation requires an existing Gaia installation and does not support fresh installations4. DVD media created with Check Point ISOMorphic is less convenient than USB media, as it requires burning the image to a DVD and inserting it into the appliance4. Cloud based installation is not applicable for Check Point appliances, as it is intended for cloud environments such as AWS or Azure4.

References: INSTALLATION AND UPGRADE GUIDE R81.10, Chassis R81 Installation and Upgrade Guide, Check Point R81.10

Logs & Monitor is the SmartConsole tab that is used to monitor network and security performance. This tab allows you to view and analyze logs and events from various sources, such as Security Gateways, Security Management Servers, and SmartEvent Servers. You can also use this tab to generate reports and troubleshoot issues. References: [Logging and Monitoring Administration Guide R80.20]

Two basic rules that Check Point recommends for building an effective security policy are Cleanup Rule and Stealth Rule. A Cleanup Rule is a rule that is placed at the end of the rule base and drops or logs any traffic that does not match any of the previous rules2. A Stealth Rule is a rule that is placed at the top of the rule base and protects the Security Gateway from direct access by unauthorized users3. The other options are not basic rules for building a security policy, but rather types or categories of rules.

The command fwaccel stat shows the status of SecureXL, including whether Drop Templates are enabled or not1. References: Check Point SecureXL R81 Administration Guide

The correct answer is B because Threat Extraction always delivers a file and takes less than a second to complete2. Threat Extraction removes exploitable content from files and delivers a clean and safe file to the user2. Threat Emulation analyzes files in a sandbox environment and delivers a verdict of malicious or benign2. Threat Emulation can take more than 3 minutes to complete depending on the file size and complexity2. References: Check Point R81 Threat Prevention Administration Guide

The snapshot option would allow you to make a backup copy of the OS and Check Point configuration, without stopping Check Point processes. A snapshot is a full system backup, including network interfaces, routing tables, and Check Point products and configuration. The other options require stopping Check Point processes or do not backup the OS.

References: Check Point Security Management Administration Guide R81, p. 15-16

 Alerts can be viewed in SmartView Monitor, which is a graphical tool that provides real-time information about the network and security activities, such as traffic, VPN tunnels, threats, and performance4.

References: 4: Check Point R81 Security Management Administration Guide, page 25.

 Check Point technologies that deny or permit network traffic are packet filtering, stateful inspection, and application layer firewall1, p. 15-16. Packet filtering is a basic firewall technique that examines packets based on their source and destination addresses and ports2, p. 13. Stateful inspection is an advanced firewall technique that tracks the state and context of network connections and inspects packets based on their content and sequence2, p. 13. Application layer firewall is a firewall technique that operates at the application layer of the OSI model and inspects packets based on their application protocols and data2, p. 14. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

The two ordered layers that make up the Access Control Policy Layer are Network and Threat Prevention. Network layer contains rules that define how traffic is inspected and handled by the Security Gateway. Threat Prevention layer contains rules that define how traffic is inspected by the Threat Prevention Software Blades2. References: Check Point R81 Security Management Administration Guide

 RADIUS Accounting gets identity data from requests generated by the accounting client. RADIUS Accounting is a feature that allows tracking and measuring resource usage of network services by users. The accounting client, which is usually a network access server (NAS), sends accounting requests to a RADIUS server with information about user sessions, such as start and stop times, bytes transmitted and received, IP addresses, etc. The RADIUS server records this information in a database for billing, auditing, or reporting purposes. One of the mandatory attributes that the accounting client must include in every accounting request is the User-Name attribute, which identifies the user who is accessing the network service.

Multi-domain management server is a valid deployment option for R81, not R80. R80 supports multi-domain security management, which is a centralized management solution for large-scale, distributed environments with many different domain networks1. References: Multi-Domain Security Management Administration Guide R80

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL)1, p. 47. The CRL is a list of certificates that have been revoked before their expiration date4. References: Check Point CCSA - R81: Practice Test & Explanation, Free Check Point CCSA Sample Questions and Study Guide

 Identity Awareness is a software blade that lets an administrator easily configure network access and auditing based on three items: network location, the identity of a user, and the identity of a machine. These items are used to identify and authenticate users and machines, and to enforce identity-based policies. Network location refers to the IP address or subnet of the source or destination of the traffic. The identity of a user can be obtained from various sources, such as Active Directory, LDAP, or Captive Portal. The identity of a machine can be verified by using Secure Domain Logon or Identity Agent. 

If a network administrator has identified a malicious host on the network and instructed you to block it, but you cannot make any firewall policy changes at this time, you can use Suspicious Activity Monitoring (SAM) rules to block this traffic. SAM rules are temporary rules that allow you to block or limit traffic from specific sources or destinations without modifying the security policy. SAM rules are created and managed by SmartView Monitor and are enforced by the security gateway for a specified duration. Anti-Bot protection, Anti-Malware protection, and Policy-based routing are not tools that can be used to block traffic without changing the firewall policy. References: [Check Point R81 SmartView Monitor Administration Guide]

Bridge Mode is a deployment option for Check Point Security Gateway that allows it to act as a transparent bridge between two network segments, without changing the IP addressing scheme. Bridge Mode supports most of the security features, such as Data Loss Prevention, Antivirus, Application Control, etc. However, Bridge Mode does not support NAT, because NAT requires modifying the IP addresses or ports of the packets, which contradicts the transparent nature of Bridge Mode1. References: Check Point R81 Security Gateway Technical Administration Guide

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given. DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1. DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES. 3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

• What is DES encryption, and why was it replaced?
• Data Encryption Standard - Wikipedia
• What is 3DES encryption?
• [What is AES encryption and how does it work?]

 A Security Policy is created in SmartConsole, stored in the Security Management Server, and distributed to the various Security Gateways. SmartConsole is a graphical user interface that allows administrators to create and edit security policies. The Security Management Server is a central server that stores and manages the security policies. The Security Gateways are devices that enforce the security policies on the network traffic.

References: : Check Point R81 Security Gateway Administration Guide, page 9.

There are two default users on Gaia Platform and neither can be deleted. The two default users are admin and monitor. The admin user has full access to the Gaia configuration and management tools, such as CLI and WebUI. The monitor user has read-only access to the Gaia configuration and management tools, and can only view the system status and settings. These two users cannot be deleted, but their passwords can be changed.References: [Gaia Administration Guide], [Gaia Overview]

The following cannot be configured in an Access Role Object: Time4. An Access Role Object is a way to define a group of users based on four criteria: Networks, Users, Machines, and Locations5. Networks are IP addresses or network objects that represent the source or destination of the traffic. Users are user accounts or user groups from an identity source such as LDAP or RADIUS. Machines are endpoints that are identified by MAC addresses or certificates. Locations are geographical regions based on IP addresses. References: Check Point R81 Firewall Administration Guide, Check Point R81 Identity Awareness Administration Guide

 From the Gaia web interface, the operation that CANNOT be performed on a Security Management Server is Verify a Security Policy. This operation can only be done from SmartConsole4. References: Check Point R81 SmartConsole Online Help

A Check Point Software license consists of two components, the Software Blade and the Software Container. There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security1. A Software Blade is a specific security function that can be enabled or disabled on a Software Container. A Software Container is a platform that runs one or more Software Blades. Security Management is a container that manages the security policy and configuration of Security Gateways. Security Gateway is a container that enforces the security policy on network traffic. Endpoint Security is a container that protects endpoints from threats and data loss. References: Check Point Licensing and Contract Operations User Guide

 The type of Check Point license that ties the package license to the IP address of the Security Management Server is Central license. A Central license is a license that is installed on the Security Management Server and applies to all the Security Gateways that are managed by it. The Central license is based on the IP address of the Security Management Server and cannot be transferred to another Security Management Server with a different IP address.References: [Check Point R81 Licensing Guide], [Managing and Installing license via SmartUpdate]

To view the policy installation history for each gateway, an administrator would use the Installation history tool1, p. 22. The Installation history tool shows the date and time of each policy installation, the name of the administrator who installed it, and the status of the installation3. Revisions, Gateway installations, and Gateway history are not valid tools in SmartConsole. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point SmartConsole R81 Help

 Identity Awareness is the Check Point software blade that provides visibility of users, groups and machines while also providing access control through identity-based policies. Identity Awareness enables administrators to define granular access rules based on user or machine identity, rather than just IP addresses. Identity Awareness also allows administrators to monitor user activity and generate reports based on user or machine identity.

Check Point licenses come in two forms: central and local. Central licenses are attached to the Security Management Server and are distributed to managed Security Gateways. Local licenses are attached directly to a specific Security Gateway.

Logs are not automatically forwarded to a new Log Server. SmartConsole must be used to manually configure each gateway to send its logs to the server. After adding a new Log Server and establishing the SIC trust with the SMS, the administrator must use SmartConsole to assign the Log Server to each gateway in the Logs and Masters section of the gateway properties2. The other options are not correct, as gateways can send logs to both SMS and Log Server, Log Servers are not proprietary log archive servers, and gateways will not detect the new Log Server after the next policy install.

If the NAT property ‘Translate destination on client side’ is not enabled in Global properties, nothing needs to be configured on the client side, because the Gateway takes care of all details necessary. The Gateway translates the destination IP address before sending the packet to the client, so the client does not need to know about the NAT rule or add any host route or ARP entry.

References: Check Point Security Engineering Study Guide, p. 136-137

The CDT utility supports all upgrades, including major version upgrades, Jumbo HFA’s, and hotfixes3. References: Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent

 src:192.168.1.1 AND dst:172.26.1.1 AND action:Drop is the correct log query to show only dropped packets with source address of 192.168.1.1 and destination address of 172.26.1.1. The AND operator means that all conditions must be true for the query to match. The OR operator means that any condition can be true for the query to match3. The other queries will either show packets that are not dropped or packets that have different source or destination addresses.

The Security Management Server does not display policies and logs on the administrator’s workstation. That is the function of the SmartConsole, which is a separate component that connects to the Security Management Server. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 4.

SmartView is the web application for real-time event monitoring in SmartEvent R80 and above. It provides a unified view of security events across the network and allows for quick investigation and response34. References: SmartEvent R80.40 Administration Guide, SmartView

 If AdminB sees a lock icon on a rule, it means that the rule is locked by AdminA and will be made available if the session is published. A session is a set of changes made by an administrator in SmartConsole. A session can be published to save and share the changes with other administrators, or discarded to cancel the changes and unlock the objects1.

References: 1: Check Point R81 Security Management Administration Guide, page 18.

When LDAP is integrated with Check Point Security Management, it is then referred to as User Directory. User Directory is a feature that allows administrators to manage users and user groups from an external LDAP server, such as Active Directory2.

References: 2: Check Point R81 Identity Awareness Administration Guide, page 9.

SmartView Monitor is the tool that allows you to monitor the top bandwidth on SmartConsole. SmartView Monitor is a graphical tool that displays real-time network and security performance data, such as traffic, throughput, connections, CPU usage, memory usage, etc. You can use SmartView Monitor to identify the top bandwidth consumers and optimize your network performance.References: [SmartView Monitor], [Monitoring Network Traffic]

The correct answer is A because renaming the hostname of the Standby member to match exactly the hostname of the Active member is not a recommended step to prevent data loss. The hostname of the Standby member should be different from the hostname of the Active member1. The other steps are necessary to ensure a smooth failover and synchronization between the Active and Standby Security Management Servers2. References: Check Point R81.20 Administration Guide, 156-315.81 Checkpoint Exam Info and Free Practice Test

An Endpoint identity agent uses a username/password or Kerberos ticket for user authentication3, p. 28. An Endpoint identity agent is a lightweight client installed on endpoint computers that communicates with Identity Awareness gateways and provides reliable identity information. An Endpoint identity agent does not use a shared secret, a token, or a certificate for user authentication. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Identity Awareness Administration Guide R81]

 The statement that information on a user is hidden, yet distributed across several servers is not an advantage to using multiple LDAP servers. LDAP (Lightweight Directory Access Protocol) is a protocol that allows access to a centralized directory service that stores information about users, groups, devices, etc. Using multiple LDAP servers can provide advantages such as faster access time, compartmentalization, and high availability, but not hiding information. Information on a user is not hidden by using multiple LDAP servers, but rather replicated or partitioned across them. Replication means that the same information is copied to all LDAP servers, while partitioning means that different information is stored on different LDAP servers. Both methods aim to improve performance and reliability, not security or privacy.References: [LDAP Integration], [LDAP]

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References: Check Point Security Management Administration Guide R81, p. 9

The SmartCenter that should be connected to for making changes is the active SmartCenter. The active SmartCenter is the one that is currently synchronizing its configuration with the secondary SmartCenter and handling the communication with the gateways . The primary SmartCenter is the one that was initially configured as the main server, but it may become inactive if a failover occurs. The virtual IP of SmartCenter HA is used to access the SmartConsole, not to make changes. References: [Security Management Server High Availability (HA) R81 Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation], [How to configure ClusterXL High Availability on Security Management Server]

With URL Filtering, only the host portion of the URL is sent to the Check Point Online Web Service for analysis. The host portion is the part of the URL that identifies the web server, such as www.example.com.  The Check Point Online Web Service uses this information to categorize the URL and return the appropriate action to the Security Gateway3. The other options are not sent to the Check Point Online Web Service for analysis, as they may contain sensitive or irrelevant data.

The backups are stored in Check Point appliances as *.tgz files under /var/CPbackup. This is the default location for backup files created by the backup command. Therefore, the correct answer is B. Saved as *.tgz under /var/CPbackup

The order of NAT priorities is Static NAT, IP pool NAT, and hide NAT. Static NAT has the highest priority because it is a one-to-one mapping of a private IP address to a public IP address. IP pool NAT has the second highest priority because it is a one-to-many mapping of a private IP address to a pool of public IP addresses. Hide NAT has the lowest priority because it is a many-to-one mapping of multiple private IP addresses to a single public IP address1.

References: 1: Check Point R81 Security Gateway Administration Guide, page 23.

 The correct answer is A because session unique identifiers are passed to the web api using the X-chkp-sid http header option1. The X-chkp-sid header is used to authenticate and authorize API calls1. The other options are not related to session unique identifiers. References: Check Point R81 Security Management Administration Guide

There are three types of software containers: security management, Security Gateway, and endpoint security. A software container is a set of software blades that provide specific functionality. A security management container manages the security policy and configuration for one or more Security Gateways. A Security Gateway container enforces the security policy on the network traffic. An endpoint security container protects the data and network access of an endpoint device2. The other options are not valid types of software containers. References: Software Containers

The destination server for Security Gateway logs depends on a Security Management Server configuration. This is true because the Security Management Server defines the log servers that receive logs from the Security Gateways. The log servers can be either the Security Management Server itself or a dedicated Log Server12. References: Check Point R81 Logging and Monitoring Administration Guide, Check Point R81 Quantum Security Gateway Guide

The option that allows all encrypted and non-VPN traffic that matches the rule is Accept all encrypted traffic. This option enables you to allow traffic to any destination that is encrypted, regardless of whether it is part of a VPN community or not2. Therefore, the correct answer is B. Accept all encrypted traffic. 

The INSPECT Engine is a technology that extracts detailed information from packets and stores that information in state tables. It enables stateful inspection and application layer filtering12 References: INSPECT Engine, Stateful Inspection

The answer is A because an identity server uses a shared secret for user authentication. A shared secret is a passphrase that is known by both the identity server and the user. The identity server sends a challenge to the user, who encrypts it with the shared secret and sends it back. The identity server then verifies the response and authenticates the user12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Identity Server

CPUSE - Check Point Upgrade Service Engine is the tool that allows for the automatic updating of the Gaia OS and Check Point products installed on the Gaia OS. CPUSE is a web-based tool that simplifies the installation of software updates, hotfixes, and upgrade packages on Gaia OS2. The other options are not valid tools for updating Gaia OS and Check Point products.

The steps to configure the HTTPS Inspection Policy are as follows34:

• Go to Manage & Settings > Blades > HTTPS Inspection > Policy.
• Click on New HTTPS Inspection Rule or select an existing rule and click on Edit Rule.
• Define the Source, Destination, and Action for the rule. The action can be either Inspect, Bypass, or Ask.
• Click on OK and then on Install Policy to apply the changes. References: HTTPS Inspection R81 Administration Guide, Check Point CCSA - R81: Practice Test & Explanation

When a Security Gateway sends its logs to an IP address other than its own, it means that the Security Gateway and the Log Server are installed on different machines. This is a characteristic of a Distributed deployment3. Therefore, the correct answer is A

The type of NAT that is a one-to-one relationship where each host is translated to a unique address is Static NAT. Static NAT maps an unregistered IP address to a registered IP address on a one-to-one basis3. This means that for each internal host, there is a corresponding external address that represents it3. Therefore, the correct answer is B

When an encrypted packet is decrypted, this happens in the security policy4. The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy. References: Check Point R81 VPN Administration Guide

The difference between SSL VPN and IPSec VPN is that IPSec VPN requires installation of a resident VPN client and SSL VPN requires only an installed browser5 . IPSec VPN uses a pre-shared key or certificates to authenticate the endpoints and encrypts the data at the network layer. SSL VPN uses SSL/TLS protocols to authenticate the endpoints and encrypts the data at the application layer. References: Check Point Remote Access VPN Administration Guide R81, [Free Check Point CCSA Sample Questions and Study Guide]

The user ID (UID) of a user that has all the privileges of a root user is 0. The root user is the superuser account that can perform any action on the system, such as changing file ownership, binding to network ports below 1024, or executing any command. The root user is identified by the UID 0, not by the name “root”, which is just a convention. It is possible to have another user account with the name “root”, but not with the same UID 0. 

ThreatWiki is a tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed3. ThreatWiki is a web-based service that collects information about files from various sources, such as Check Point customers, partners, and researchers. Administrators can use ThreatWiki to view file reputation, upload files for analysis, and download indicators of compromise3. Whitelist Files, AppWiki, and IPS Protections are not tools that provide a list of trusted files. References: Threat Prevention R80.40 Administration Guide

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. The Full Identity Agent is a client-side software that provides full identity awareness features, such as user authentication, computer authentication, packet tagging, identity caching, and identity sharing. The other types of Endpoint Identity Agents are Custom, Complete, and Light, which have different features and capabilities. 

The Advanced Networking Blade is NOT subscription-based and therefore does not have to be renewed on a regular basis1011. The Advanced Networking Blade provides advanced routing capabilities such as BGP, OSPF, VRRP, and multicast routing10. The other blades are subscription-based and require annual renewal to receive updates and support from Check Point1012.

References: Check Point License Guide, IPS Software Blade contracts, Product Catalog

Application Control/URL filtering database library is known as AppWiki. AppWiki is an application classification and identification database that enables administrators to control access to thousands of applications and millions of websites. References: [Check Point R81 Application Control Administration Guide], [Check Point AppWiki]

The Transport layer of the TCP/IP model is responsible for managing the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the target application. It also provides error detection and correction, flow control, and multiplexing. The Transport layer uses protocols such as TCP and UDP.

References: Check Point Security Engineering Study Guide, p. 10-11

By default, the SIC certificates issued by R80 Management Server are based on the SHA-256 algorithm1. SHA-256 is a secure hash algorithm that produces a 256-bit digest. SHA-200, MD5, and SHA-128 are not valid algorithms for SIC certificates. References: SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)

Each cluster, at a minimum, should have at least three interfaces4. These are:

• A sync interface for synchronizing state information between cluster members.
• A cluster interface for sending and receiving cluster control packets.
• A production interface for handling regular traffic that passes through the cluster4. References: Check Point R80.20 – How to configure Cluster firewalls – First Time Setup

A standalone deployment is when the security management server and Security Gateway are installed on the same appliance. This is suitable for small or branch office environments1

Stateful Inspection is a firewall technology that inspects both the header and the payload of each packet and keeps track of the state and context of each connection. Packet Filtering is a firewall technology that inspects only the header of each packet and does not keep track of the state or context of each connection. A benefit that Stateful Inspection offers over Packet Filtering is that only one rule is required for each connection, whereas Packet Filtering requires two rules for each connection (one for each direction). Stateful Inspection also offers other benefits over Packet Filtering, such as enhanced security, performance, and flexibility. Stateful Inspection does not offer unlimited connections because of virtual memory usage, nor does it avoid using memory to record the protocol used by the connection.References: [Stateful Inspection], [Packet Filtering], [Firewall Technologies]

The Hit count feature will work independently from logging and track the hits even if the Track option is set to “None”1, p. 23. When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways and displays the number of connections that each rule matches in SmartConsole3. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Security Management Administration Guide R81

The main objective when using Application Control is to ensure security and privacy of information4. Application Control enables administrators to control access to web applications and web sites based on risk level, user identity, and other criteria. It also provides visibility into web usage and application activity. References: Check Point R81 Application Control Administration Guide

The Check Point software blade that monitors Check Point devices and provides a picture of network and security performance is Monitoring. The Monitoring Software Blade presents a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. It centrally monitors Check Point devices and alerts security administrators to changes to gateways, endpoints, tunnels, remote users and security activities234. References: Monitoring Software Blade, Check Point Integrated Security Architecture, Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

When using Automatic Hide NAT, Source Port Address Translation (PAT) is enabled by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

Detailed Log is not a valid tracking log option in R80.x3. The tracking log options in R80.x are Log, Full Log, and Extended Log45. References: Where is ‘full log’ option in track column, LOGGINGAND MONITORING R80, Logging and Monitoring Administration Guide R80.20

Resource is NOT an objects category in SmartConsole1, p. 18. The objects categories in SmartConsole are Network Object, Host, Network, Group, Gateway, Cluster, VPN Community, Service, Time Object, Access Role, Custom Application / Site, Data Center Object, Limit. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point SmartConsole R81 Help]

 The product that correlates logs and detects security threats, providing a centralized display of potential attack patterns from all network devices is SmartEvent. SmartEvent is a software blade that analyzes logs from various sources such as Security Gateways, Endpoint Security Servers, Identity Awareness Servers, etc. and generates security events based on predefined or custom rules. SmartEvent provides a graphical interface for viewing and managing security events in real-time or historical mode. References: [Check Point R81 SmartEvent Administration Guide]

A central license is automatically attached to a Security Gateway when it is installed. A local license requires an administrator to designate a gateway for attachment1, p. 8. References: Check Point CCSA - R81: Practice Test & Explanation

 In Office mode, a Security Gateway assigns a remote client to an IP address once the user connects and authenticates. Office mode allows a remote client to get an IP address from the internal network of the organization. The IP address is assigned during the IKE negotiation, after the user has successfully authenticated with the Security Gateway3. The other options are not correct timings for assigning an IP address in Office mode. References: Office Mode

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. You can add Accounting and/or Suppression to each of these options1. Accounting enables you to track the amount of data that is sent or received by a specific rule. Suppression enables you to reduce the number of logs that are generated by a specific rule. Therefore, the correct answer is C. Accounting/Suppression. References: Logging and Monitoring Administration Guide R80 - Check Point Software

The Threat Prevention policy is a unified policy that manages three software blades: IPS, Anti-Virus, and Threat Emulation7. The Threat Prevention policy enables you to configure settings and actions for detecting and preventing various types of threats, such as malware, exploits, botnets, etc. Application Control and URL Filtering are not part of the Threat Prevention policy, but they are part of a separate policy that controls access to applications and websites based on categories, users, groups, and machines

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red “X” in the status column indicates that one or more blades on the Security Gateway have a problem that requires attention. The other options are not correct, as they do not match the status shown in the image. If the SmartCenter Server cannot reach this Security Gateway, the status column would show a yellow triangle with an exclamation mark. If the VPN software blade is reporting a malfunction, the blades column would show a red “X” on the VPN icon. If the Security Gateway’s MGNT NIC card is disconnected, the IP column would show “N/A” instead of the IP address.

References: Remote Access VPN R81 Administration Guide, Check Point R81.10

Accept all encrypted traffic is the option that will match a connection regardless of its association with a VPN community2. This option allows encrypted traffic from any VPN peer, even if it is not defined in a VPN community2. References: Site to Site VPN in R80.x - Tutorial for Beginners

 It is possible to have more than one administrator connected to a Security Management Server at once, but objects edited by one administrator will be locked for editing by others until the session is published. This feature is called concurrent administration and it allows multiple administrators to work on the same security policy at the same time. However, when one administrator edits an object, such as a gateway, a rule, or a network, that object is locked for other administrators until the change is published or discarded. The lock icon shows which objects are being edited by other administrators and prevents conflicts or overwrites.References: [Concurrent Administration], [SmartConsole Overview]

Certificate based Authentication is the only authentication method available between two Security Gateway managed by the same SMS. This is because certificate based authentication provides stronger security and easier management than pre-shared secret authentication. The other options are either incorrect or irrelevant for this scenario. References: [Check Point R80.10 - Part 6 - Certificate Based Authentication]

 DLP and Geo Policy are examples of Shared Policies. Shared Policies are policies that can be shared with other policy packages to save time and effort when managing multiple gateways with similar security requirements. Shared Policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers. Other types of policies include Inspection Policies, Unified Policies, and Standard Policies. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

The components of Check Point Capsule are Capsule Docs, Capsule Cloud, and Capsule Workspace123. There is no Capsule Enterprise component. Capsule Docs protects business documents everywhere they go. Capsule Cloud protects mobile users outside the enterprise security perimeter. Capsule Workspace creates a secure business environment on mobile devices. References: Check Point Capsule Datasheet, Check Point Capsule Workspace Datasheet, Mobile Secure Workspace with Capsule

Verification Error. Rule 4 (Web Inbound) hides Rule 6 (Webmaster access) is the correct answer. This is because Rule 4 has a broader source and destination than Rule 6, and both rules have the same service (HTTP). Therefore, Rule 6 will never be matched, and the Webmaster access will be denied. References: Check Point R80.10 - Part 3 - Rule Base Order