156-315.81 Check Point Certified Security Expert R81.20 Questions and Answers

ThreatCloud is a collaboration platform for all the Check Point customers to share information about malicious and benign files that all of the customers can benefit from as it makes emulation of known files unnecessary. ThreatCloud is a cloud-based service that collects and analyzes threat intelligence from multiple sources, such as Check Point products, third-party vendors, open sources, and customers. ThreatCloud provides real-time updates and feeds to Check Point products, such as SandBlast, which is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment. By integrating with ThreatCloud, a Threat Emulation appliance can benefit from the shared information about malicious and benign files, and avoid emulating files that are already known to be safe or harmful. This can improve the performance and efficiency of the Threat Emulation appliance. The other options are either incorrect or not relevant to ThreatCloud or Threat Emulation. 

The three types of tracking available for Threat Prevention Policy are Alert, SNMP trap, and Mail. These tracking options can be configured in the Threat Prevention tab of the SmartConsole, under the Policy section. The tracking options determine how the system notifies the administrator of events that match the policy rules. References: Configuring Threat Prevention Policy

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library1, the following are the types of Check Point API available in R81.x:

• Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.
• OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.
• Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

References: What is an API Gateway?, How to use Check Point API with Postman quick guide, Home - Check Point Developers, Introduction to RESTful APIs and JSON format, Checkpoint API tutorial, part 1 - getting started

The FWD daemon uses TCP port 256 to do a Full Synchronization between gateway cluster members. This port is also used for other synchronization types, such as Delta Synchronization and Accelerated Synchronization. The FWD daemon is responsible for synchronizing the connections table, NAT table, and VPN keys between cluster members. References: ClusterXL Administration Guide, SK25977 - Ports Used by Check Point Software

Each instance of VRRP running on a supported interface may monitor the link state of other interfaces. The monitored interfaces do not have to be running VRRP.

If a monitored interface loses its link state, then VRRP will decrement its priority over a VRID by the specified delta value and then will send out a new VRRP HELLO packet. If the new effective priority is less than the priority a backup platform has, then the backup platform will begin to send out its own HELLO packet.

Once the master sees this packet with a priority greater than its own, then it releases the VIP.

References:

Capsule Connect and Capsule Workspace are both components of Check Point's remote access solution, but they serve different purposes and have distinct features:

A. Capsule Connect provides a Layer 3 VPN, which allows remote users to connect securely to their corporate network. It typically provides network-level access, allowing users to access resources on the corporate network. On the other hand, Capsule Workspace provides a secure workspace environment, including a virtual desktop with usable applications. It is more focused on providing application-level access to users in a secure manner.

B. This statement is partially true. Capsule Workspace is designed to provide secure access to a wide range of applications and resources, not limited to specific applications.

C. Capsule Connect does provide business data isolation by creating a secure VPN tunnel for remote users, ensuring that their network traffic is isolated from the public internet.

D. Capsule Connect usually requires an installed application or VPN client on the client device to establish a secure connection to the corporate network. This statement is not entirely accurate because an installed application or client is typically required.

Therefore, option A is the correct answer as it accurately distinguishes between Capsule Connect and Capsule Workspace based on their primary functionalities.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

To see the cluster status in CLI expert mode, you can use the command cphaprob stat. This command displays the status of the Check Point High Availability cluster. It provides information about the state of the cluster members, such as "Active," "Standby," or "Collision."

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

https://resources.checkpoint.com/datasheet/certified-security-expert-ccse-r8120-course-overview

Dynamic log distribution is a feature that allows you to configure the Security Gateway to distribute logs between multiple active Log Servers to support a better rate of Logs and Log Servers redundancy. This means that each log is sent to only one Log Server and the load is balanced between the primary Log Servers. If all the primary Log Servers are disconnected, the logs are distributed between the backup Log Servers. If no Log Servers are connected, the gateway writes the logs locally. This feature improves the performance and reliability of logging and reduces the network traffic and disk space consumption. You can enable this feature on the SmartConsole -> Gateways & Servers -> Logs -> Dynamic Log Distribution1.

The other options are incorrect because they do not describe the dynamic log distribution feature. Option B is wrong because the Management High Availability does not store the logs dynamically on the member with the most available disk space, but rather synchronizes the logs between the members using the cpd process2. Option C is wrong because the dynamic log distribution feature does not synchronize the logs between the primary and secondary management server, but rather distributes the logs between the Log Servers. Option D is wrong because the dynamic log distribution feature does not save disk space in case of a firewall cluster, but rather distributes the logs between the Log Servers. The firewall cluster members do not store local logs, but rather send them to the Log Servers3.

 The CPM process handles connection from SmartConsole R81. The CPM process is the main process of the Security Management Server and the Multi-Domain Security Management Server. It is responsible for managing the database, handling policy installation, communicating with SmartConsole clients, and providing REST API services. The CPM process runs on port 19009 and uses the CPD process as a proxy for communication with other processes.

References:

• Check Point Processes and Daemons, section “CPM”
• Check Point R81, section “SmartConsole”
• Check Point R81.20, section “REST API”

A minimal effort upgrade is a process of upgrading the Security Gateway software without changing the configuration or policy. It is done by using the CPUSE (Check Point Update Service Engine) tool, which is available in the Gaia Portal or CLI. The CPUSE tool performs a pre-upgrade verification to check the compatibility and readiness of the system for the upgrade. If the verification passes, the CPUSE tool installs the new software package and reboots the system. During the reboot, there is a short network downtime, but it does not affect the existing connections. All connections that were initiated before the upgrade will be handled normally by the upgraded gateway. The minimal effort upgrade preserves the existing configuration and policy, so there is no need to reinstall the policy or reconfigure the gateway after the upgrade.

References:

• Check Point Upgrade Path and Management Servers and Security Gateways Compatibility Maps, section “Minimal Effort Upgrade”
• INSTALLATION AND UPGRADE GUIDE R81, page 21-22

The methods of SandBlast Threat Emulation deployment are Cloud, Appliance, and Private. SandBlast Threat Emulation is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior for malicious indicators. SandBlast Threat Emulation can be deployed in three different methods: Cloud, Appliance, and Private. Cloud method is when the files are sent to the Check Point cloud service for emulation and analysis. This method does not require any additional hardware or software on the customer’s side, and provides the fastest updates and feeds from ThreatCloud. Appliance method is when the files are sent to a dedicated appliance on the customer’s network for emulation and analysis. This method provides more control and privacy for the customer, and supports more file types and sizes. Private method is when the files are sent to a private cloud service on the customer’s network for emulation and analysis. This method provides the highest level of control and privacy for the customer, and supports customizing the emulation environment and scenarios.

The lowest gateway version supported by R81.20 management server is R77.30. According to the Check Point Release Map1, you can upgrade to R81.20 from R77.30, R80, R80.10, R80.20.M1, R80.20, R80.20SP, R80.20.M2, R80.20 3.10, R80.30, R80.30 3.10, R80.30SP, R80.40, R81 and R81.20. However, to upgrade from R77.30, R80 and R80.10, you first need to upgrade to R80.40. For more information, you can refer to the Check Point R81.20 (Titan) Release Home page2 or the Certified Security Expert (CCSE) R81.20 Course Overview3.

The configuration file that contains the structure of the Security Server showing the port numbers, corresponding protocol name, and status is $FWDIR/conf/fwauthd.conf. This file is used for configuring authentication services in Check Point Security Servers.

References: Check Point documentation or training materials related to Security Server configuration.

The responsibility of SOLR process on R81.20 management server is to generate indexes of data written to the database. SOLR is an open source search platform that provides fast and scalable indexing and querying capabilities. SOLR is used by the R81.20 management server to index data such as logs, objects, policies, tasks, and events, and to enable quick and efficient searches on this data by SmartConsole and SmartView applications. 

The Correlation Unit in Check Point Security Management performs several actions, but it does not assign a severity level to the event. The Correlation Unit is responsible for identifying patterns in logs, marking logs that are part of larger patterns, generating events based on the Event policy, and adding new log entries to ongoing events. However, assigning a severity level to an event is typically done through the Event policy configuration, not by the Correlation Unit.

References: Check Point Certified Security Expert R81 Study Guide

 CPUSE offline upgrade is the best upgrade method when the management server is not connected to the Internet. CPUSE (Check Point Upgrade Service Engine) is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the management server using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

The feature that provides Full Layer3 VPN –IPSec VPN, giving users network access to all mobile applications, is the correct answer.

Capsule Connect/VPN is used to establish secure VPN connections for mobile devices, and the Full Layer3 VPN (IPSec VPN) option provides comprehensive network access.

References: Check Point documentation or training materials related to Mobile Access Methods and VPN configurations.

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. Packet tagging is a feature that allows the Endpoint Identity Agent to add a tag to the packets sent by the user’s device, which contains the user’s identity information. This way, the Security Gateway can identify the user without requiring additional authentication methods. Computer authentication is a feature that allows the Endpoint Identity Agent to authenticate the user’s device using a certificate, which ensures that only authorized devices can access the network resources. The Full Endpoint Identity Agent supports both packet tagging and computer authentication, as well as other features such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and VPN.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 15
• Endpoint Identity Agent - Check Point CheckMates
• Check Point Identity Agent - All flavors for Windows OS in a single package (Full, Light, v1 and v2 for Terminal Server)

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions. Security Gateway is the device that inspects and filters network traffic according to the security policies. 

After installing a new multicore CPU to replace the existing single core CPU, the administrator is required to perform one additional task, which is to increase the number of kernel instances using cpconfig. This is because by default, only one kernel instance is enabled on a Security Gateway. To take advantage of multiple cores, the administrator needs to configure more kernel instances according to the number of cores available on the CPU. References: Configuring CoreXL

 You can enable Multi-Version Cluster (MVC) by running set cluster member mvc on on the Check Point Security Gateway Cluster Member1. MVC is a feature that allows you to upgrade a Security Gateway Cluster to a higher version without downtime2. It works by upgrading one cluster member at a time, while the other cluster members continue to operate with the lower version2. MVC supports upgrading from R80.40 and above to R81 and above2. To use MVC, you need to do the following steps2:

• Enable MVC on each cluster member by running set cluster member mvc on in Clish and rebooting the gateway.
• Install the higher version on one cluster member using CPUSE or ISO image.
• Install policy on the upgraded cluster member and verify that it works properly.
• Repeat the previous steps for the remaining cluster members until all of them are upgraded.
• Disable MVC on each cluster member by running set cluster member mvc off in Clish and rebooting the gateway.

References: Multi-Version Cluster (MVC) - Check Point Software, Multi-Version Cluster (MVC) - Check Point CheckMates

Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user’s Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

References:

• 1, Training & Certification | Check Point Software, section “Security Expert R81.20 (CCSE) Core Training”
• 2, Certified Security Expert (CCSE) R81.20 Course Overview, page 1
• 3, Check Point Certified Security Expert R81, page 5
• 5, Identity Awareness Administration Guide R81, section “How Identity Awareness Collects Identities”

The component that is not required to communicate with the Web Services API is the API key. The Web Services API uses a session ID token for authentication, which is obtained by sending a login request with a valid username and password. The other components are required for sending requests and receiving responses from the Web Services API. The content-type specifies the format of the data being sent or received, such as JSON or XML. The request payload contains the data and parameters for the API call, such as command name, object name, etc. References: [Web Services API Reference Guide]

Check Point Capsule is a suite of solutions designed to provide comprehensive mobile security and secure access. The components of Check Point Capsule include:

Capsule Docs (Option A): A component that secures document sharing and protects sensitive data.

Capsule Cloud (Option B): A component that provides cloud-based security services.

Capsule Workspace (Option D): A component that provides secure workspace on mobile devices.

Option C, "Capsule Enterprise," is not a recognized component of Check Point Capsule based on the available information. Therefore, it is the correct answer as the component that is NOT part of Check Point Capsule.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

 What is the default shell for the command line interface? The default shell for the command line interface is Clish. Clish is a shell that provides a menu-based interface for configuring various system settings, such as network interfaces, routing, DNS, NTP, SNMP, SSH, etc. Clish also provides help and completion features for easier navigation. To switch from Clish to Expert mode, which allows running Linux commands, use the command expert. References: Gaia Administration Guide R81, page 29.

SmartEvent Unit is not a blade option when configuring SmartEvent. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. SmartEvent Unit is not a valid component or blade of SmartEvent.

 For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

The default port used by the AMON server when using CPSTAT is 18192. CPSTAT is a command-line tool that allows administrators to monitor various statistics and status information about Check Point products and components, such as CPU usage, memory usage, policy installation, cluster state, etc. CPSTAT uses AMON (Advanced Monitoring) protocol to communicate with AMON server, which is a daemon that runs on Security Gateways or Management Servers and collects and provides AMON data. By default, AMON server listens on TCP port 18192 for incoming CPSTAT requests.

AppWiki is the Check Point feature that enables application scanning and the detection. AppWiki is an easy to use tool that lets you search and filter Check Point’s Web 2.0 Applications Database to find out information about internet applications, including social network widgets; filter by a category, tag, or risk level; and search for a keyword or application1. AppWiki helps you to identify and control the applications on your network, and to apply granular policies based on the application type, risk, and characteristics1. AppWiki is integrated with the Check Point Application Control Software Blade, which provides the industry’s strongest application security and identity control to organizations of all sizes1.

References: 1: AppWiki | Check Point Software

 The order of NAT priorities is determined by the type of NAT rule that is applied to the traffic. There are three types of NAT rules in Check Point: static NAT, IP pool NAT, and hide NAT12.

• Static NAT: This type of NAT rule maps a single IP address to another single IP address. It is usually used to allow external hosts to access internal servers or devices. Static NAT has the highest priority among the NAT rules, and it is applied before the security policy is enforced12.
• IP pool NAT: This type of NAT rule maps a range of IP addresses to another range of IP addresses. It is usually used to balance the load among multiple servers or devices. IP pool NAT has the second highest priority among the NAT rules, and it is applied after the security policy is enforced12.
• Hide NAT: This type of NAT rule hides a group of IP addresses behind a single IP address or an interface. It is usually used to allow internal hosts to access external resources. Hide NAT has the lowest priority among the NAT rules, and it is applied after the security policy is enforced12.

Therefore, the order of NAT priorities is: static NAT, IP pool NAT, hide NAT.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 209 2: Check Point R81 Security Engineering Guide - Check Point Software, page 163

 A best practice before starting to troubleshoot using the fw monitor tool is to disable SecureXL. SecureXL is a performance acceleration solution that optimizes the packet flow through the Security Gateway. However, SecureXL can also bypass some inspection points and cause some packets to be invisible to fw monitor. Therefore, disabling SecureXL can ensure that fw monitor captures all the relevant packets for troubleshooting purposes. References: Check Point Security Expert R81 Course, fw monitor, SecureXL

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red exclamation mark indicates that one or more blades on the gateway have an issue that needs attention. The issue could be related to configuration, license, policy, or other factors. Deyra can hover over the icon to see more details about the problem. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

One of the major features in R81 SmartConsole is concurrent administration. This feature allows multiple administrators to work on the same Security Policy simultaneously, without blocking each other or creating conflicts. Concurrent administration improves the efficiency and productivity of security management operations1.

However, not all of the options given are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. The correct answer is B. AdminA and AdminB are editing the same rule at the same time. This is not possible because concurrent administration uses a locking mechanism to prevent multiple administrators from modifying the same rule or object at the same time. When an administrator clicks on a rule or an object, it becomes locked and a lock icon appears next to it. The lock icon shows the name of the administrator who is working on that rule or object, and prevents other administrators from editing it until it is unlocked12.

Therefore, the other options are possible considering that AdminA, AdminB and AdminC are editing the same Security Policy. Option A is possible because a lock icon shows that a rule or an object is locked and will be available when the administrator who locked it finishes working on it or logs out of SmartConsole12. Option C is possible because a lock icon next to a rule informs that any administrator is working on this particular rule, and hovering over the lock icon will show the name of that administrator12. Option D is possible because AdminA, AdminB and AdminC are editing three different rules at the same time, which does not create any conflicts or blockages12.

 What can cause Vanessa unnecessary problems, if she didn’t check all requirements for migration to R81, is missing an installed R77.20 Add-on on Security Management Server. R77.20 Add-on is a package that adds new features and enhancements to R77 Security Management Server, such as support for new appliances, Gaia OS features, VPN features, etc. One of the requirements for migrating to R81 from R77 Security Management Server is to have R77.20 Add-on installed on the server. If Vanessa did not check this requirement and tried to migrate without R77.20 Add-on, she would encounter errors and failures during the migration process. The other options are either not relevant or not problematic for migration to R81. 

The way SSL VPN and IPSec VPN are different is that IPSec VPN uses an additional virtual adapter; SSL VPN uses the client network adapter only. SSL VPN and IPSec VPN are two types of VPN technologies that provide secure remote access to network resources over the internet. SSL VPN uses SSL/TLS protocol to establish an encrypted tunnel between the client and the server, and does not require any additional software or hardware on the client side. IPSec VPN uses IPSec protocol to establish an encrypted tunnel between the client and the server, and requires a dedicated virtual adapter on the client side to handle the IPSec traffic. The other options are either incorrect or not relevant to SSL VPN and IPSec VPN.

The correct command to verify the CPUSE (Check Point Update Service Engine) version is:

Option B is incorrect because it uses the "[Expert@HostName:0]#" prompt, which is typically used for expert mode commands, but the CPUSE version can be checked using the "show installer status build" command in standard mode.

Option C is incorrect because it uses the "[Expert@HostName:0]#" prompt, and while it includes the "build" parameter, it's not the standard command to check the CPUSE version.

Option D is incorrect because it uses the "HostName:0>" prompt, but it lacks the "show" command and uses "build" instead of "status build."

References: Check Point Certified Security Expert R81 documentation

Gateway API is NOT an example of a Check Point API. Check Point API is a general term that refers to various application programming interfaces (APIs) that allow external applications to interact with Check Point products and services using standard methods such as HTTP(S) requests and JSON objects. There are several types of Check Point APIs, such as Management API, Threat Prevention API, OPSEC SDK, etc. Management API is an API that allows external applications to configure, manage, and monitor Check Point management server using web services. Threat Prevention API is an API that allows external applications to send files or URLs to Check Point Threat Prevention products for scanning and analysis using web services. OPSEC SDK is an API that allows external applications to integrate with Check Point OPSEC products using C/C++ libraries and protocols. Gateway API is not a valid or existing type of Check Point API.

The cloud-based SandBlast Mobile application that is used to register new devices and users is Check Point Gateway. Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

 Office mode is a feature that allows a security gateway to assign a remote client an IP address from a network that is protected by the security gateway. This way, the remote client can access resources on the internal network as if it was physically connected to it. The IP address is assigned to the remote client after the user authenticates for a tunnel, and it is routable, meaning that it can be reached by other hosts on the network. Office mode is useful for scenarios where the remote client needs to use applications that rely on IP addresses, such as VoIP or file sharing12.

References: 1: Support, Support Requests, Training … - Check Point Software 2: Gaia R81.20 Administration Guide - Check Point Software

 In the Firewall chain mode FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. FFF is one of the predefined chain modes that applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources. 

 The most ideal Synchronization Status for Security Management Server High Availability deployment is Synchronized. Security Management Server High Availability deployment is a feature that allows two or more Security Management Servers to provide redundancy and load balancing for managing security policies and logs. Synchronization Status is a parameter that indicates how up-to-date the databases of the Security Management Servers are with each other. Synchronization Status can have one of the following values: Synchronized, Lagging, Never been synchronized, or Collision. Synchronized means that the databases of all Security Management Servers are identical and have no conflicts. This is the most ideal status as it ensures consistency and reliability of security management. Lagging means that one or more Security Management Servers have not received all the updates from other Security Management Servers, and their databases are outdated. Never been synchronized means that one or more Security Management Servers have never synchronized their databases with other Security Management Servers, and their databases are independent. Collision means that one or more Security Management Servers have received conflicting updates from other Security Management Servers, and their databases have discrepancies. 

NAT Templates are generated to achieve high session rate for NAT. These templates store the NAT attributes of connections matched by rulebase so that similar new connections can take advantage of this information and do NAT without the expensive rulebase lookup. These are enabled by default and work only if Accept Templates are enabled1. According to the web search results, NAT Templates are a feature of SecureXL that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2. NAT Templates are supported for Static NAT and Hide NAT using the existing SecureXL Templates mechanism1. NAT Templates are disabled by default on Check Point Security Gateway R80.10 and below, but they are not relevant to SecureXL in versions R80.20 and above, as all template handling has moved to the Firewall1. NAT Templates can be enabled or disabled by setting the relevant kernel parameters in $FWDIR/boot/modules/fwkern.conf file1.

References: SecureXL NAT Templates in R80.20 and lower - Check Point Software, SecureXL - Check Point Software

The fwd process within the Security Management Server is responsible for the receiving of log records from Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 2571. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks2. References: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet – LazyAdmins

SmartEvent does not use matching a log against local exclusions to identify events. Local exclusions are filters that are applied to logs before they are sent to the SmartEvent server. They are used to reduce the amount of logs that are forwarded by the Security Gateways or Log Servers, and to avoid sending irrelevant or sensitive logs. Local exclusions do not affect the event detection process, which is performed by the SmartEvent Correlation Unit on the SmartEvent server. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide, SK120193 - How to configure Local Log Filtering on Security Gateway / Cluster / VSX

Running the command fw unloadlocal on the Security Management Server will remove the installed Security Policy from the local firewall module. This command is useful for troubleshooting purposes when there is a problem with the policy installation or enforcement. However, it will also expose the Security Management Server to potential attacks, so it should be used with caution. References: Training & Certification | Check Point Software, R81 CCSA & CCSE exams released featuring Promo for… - Check Point …

According to the Check Point website, GAiA Software update packages can be imported and installed offline in situation where the Security Gateway with GAiA does not have access to Internet. This allows you to manually download the packages from another device and transfer them to the Security Gateway using a USB drive or other media. The other situations are either not relevant or not possible. References: Offline Software Updates

 According to the Check Point website, Vanessa needs to fill in the following details in the System Restore window before she can click OK button and test the backup: Server, Protocol, Username, Password, Path, Comment, All Members. These details specify the source and destination of the backup file, as well as the scope of the restore operation. The other options are either missing or incorrect details. References: System Restore

You can locate the file via SmartConsole > Command Line. According to the CLISH documentation1, when you save the configuration with the “save configuration config.txt” command, the file is stored in a temporary location on the management server. To access the file, you need to use SmartConsole and go to Command Line > View File > config.txt2. Alternatively, you can also use the “show configuration” command in CLISH to view the current configuration2.

References: : CLISH - SourceForge : Summary of Gaia Clish Commands - Check Point Software

The valid range for VRID value in VRRP configuration is 1 - 255. VRID stands for Virtual Router ID, and it is a number that identifies a virtual router in a VRRP cluster. A VRRP cluster consists of one or more routers that share a virtual IP address and provide redundancy and load balancing for network traffic. Each router in the cluster must have a unique VRID value, and the VRID value must match the VRID value configured on the interface that connects to the VRRP cluster. The VRID value can be any number from 1 to 255, inclusive. 

 The number of cores that can be used in a Cluster for Firewall-kernel on the new device with 4 cores is 4. Cluster is a feature that allows two or more Security Gateways to provide high availability and load balancing for network traffic. Firewall-kernel is a component of the Security Gateway that performs packet inspection according to security policies. The number of cores that can be used for Firewall-kernel in a Cluster depends on the number of cores available on each device in the Cluster. The Cluster will use the lowest common denominator of cores among all devices in the Cluster for Firewall-kernel. Therefore, if one device has 2 cores and another device has 4 cores, the Cluster will use 2 cores for Firewall-kernel on each device. However, if both devices have 4 cores, the Cluster will use 4 cores for Firewall-kernel on each device.

The best suggestion for Pamela to make sure she successfully captures entire traffic in context of Firewall and problematic traffic is: Pamela should check SecureXL status on DMZ Security gateway and if it’s turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, this also means that some traffic might not be seen by fw monitor, which is a tool that captures packets at different inspection points in the Firewall kernel. Therefore, to ensure that fw monitor captures all traffic, SecureXL should be turned OFF before using fw monitor. The other suggestions are either incorrect or less effective in capturing traffic. 

 In ClusterXL Load Sharing Multicast Mode, every member of the cluster receives all of the packets sent to the cluster IP address. This mode uses multicast MAC addresses to distribute packets to all cluster members. Each member decides whether to accept or reject the packet based on a load balancing algorithm. This mode provides better performance and scalability than Unicast mode, but requires a switch that supports multicast MAC addresses. 

Secure Network Distributor (SND) is a relevant feature of the Security Gateway because it is used to distribute packets among Firewall instances. SND is a technology that improves the performance and scalability of the Security Gateway by using multiple cores to handle concurrent connections. SND consists of two components: SND driver and Firewall instances. SND driver is responsible for receiving packets from network interfaces and distributing them to Firewall instances based on a load balancing algorithm. Firewall instances are responsible for inspecting packets according to security policies and forwarding them to their destinations. The other options are either incorrect or not related to SND.

The default commands that appear when right-clicking the IP address, source or destination, in an event in SmartEvent are ping, whois, nslookup, and Telnet. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent has a feature that allows administrators to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands that can be executed on the IP address of the active cell. The default commands are ping, whois, nslookup, and Telnet. Ping is a command that tests the connectivity and latency between two hosts by sending packets and measuring the response time. Whois is a command that queries a database for information about the owner and registrar of a domain name or an IP address. Nslookup is a command that queries a DNS server for information about a domain name or an IP address, such as its IP address, name server, mail server, etc. Telnet is a command that establishes a remote connection to another host using the Telnet protocol. 

Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

According to the Check Point R81 training course, the Proxy ARP feature for Manual NAT in R81.20 requires the configuration of the local.arp file on the Security Gateway. This file contains the mapping of IP addresses to MAC addresses for NATed hosts. The other options are either incorrect or irrelevant. References: Certified Security Expert (CCSE) R81.20 Course Overview

 The statement that is most correct regarding about “CoreXL Dynamic Dispatcher” is: The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores. CoreXL Dynamic Dispatcher is a feature that allows the Security Gateway to dynamically assign connections to the most available CoreXL FW instance, based on the CPU core utilization. This improves the performance and load balancing of the Security Gateway, especially when handling connections with different processing requirements. The other statements are either incorrect or describe the CoreXL Static Dispatcher mechanism, which assigns connections based on a hash function of the Source IP, Destination IP, and IP Protocol type.

To enable VMAC mode on a cluster member, you need to set the value of the global kernel parameter fwha_vmac_global_param_enabled to 1. This can be done on-the-fly using the command fw ctl set int fwha_vmac_global_param_enabled 1 on all cluster members. This command does not require a reboot or a policy installation. VMAC mode allows the cluster to use a virtual MAC address for its virtual IP addresses, which reduces the number of gratuitous ARP packets sent upon failover and avoids ARP cache issues on some routers and switches. References: How to enable ClusterXL Virtual MAC (VMAC) mode

The option that is NOT an option to calculate the traffic direction is Outgoing. Traffic direction is a parameter that determines how traffic is classified as internal or external based on its source and destination. Traffic direction can be calculated using three options: Incoming, Internal, or External. Incoming means that traffic is classified as internal if its destination is one of the Security Gateway’s interfaces, and external otherwise. Internal means that traffic is classified as internal if its source or destination belongs to one of the internal networks defined in the topology, and external otherwise. External means that traffic is classified as internal if both its source and destination belong to one of the internal networks defined in the topology, and external otherwise. Outgoing is not a valid option to calculate traffic direction. 

Ken can use either of the two commands lock database override or unlock database to obtain a configuration lock from another administrator on R81 Security Management Server via CLI. These commands allow him to override the existing lock and gain exclusive access to the database. He can also use the WebUI to perform the same action. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

 For Stateful Mode configuration, chain modules marked with 2 will not apply. Stateful Mode configuration is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. Chain modules are firewall kernel modules that perform various security functions, such as VPN, IPS, QoS, etc. Each chain module is associated with a key, which specifies the type of traffic applicable to the chain module. The key can be one of the following values: 0 for all packets, 1 for stateful packets, 2 for stateless packets, and 3 for no match packets. For Stateful Mode configuration, only chain modules with key 0 or 1 will apply, as they handle all packets or stateful packets. Chain modules with key 2 will not apply, as they handle stateless packets, which are not relevant for Stateful Mode configuration.

The formats in which Threat Emulation forensics reports can be viewed in are PDF, HTML, and XML. Threat Emulation is a feature that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior. Threat Emulation generates forensics reports that provide detailed information about the emulated files, such as verdict, severity, activity summary, screenshots, network activity, registry activity, file activity, and process activity. These reports can be viewed in PDF, HTML, or XML formats from SmartConsole or SmartView.

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

The purpose of a SmartEvent Correlation Unit is to evaluate logs from the log server component to identify patterns/threats and convert them to events. The SmartEvent Correlation Unit is a software module that runs on the SmartEvent server or on a dedicated server. It applies correlation rules and logic to the logs received from various sources, such as security gateways, endpoints, or third-party devices. It then generates events that represent security incidents or trends that require attention or action. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

Check Point's SecureXL technology, which is responsible for acceleration, has certain limitations and conditions under which acceleration may not occur. In this context, the question is asking about factors that will NOT affect acceleration.

Option B, "A 5-tuple match," will not affect acceleration. A 5-tuple match refers to the matching of source IP, source port, destination IP, destination port, and protocol. SecureXL can accelerate traffic that matches these criteria, but it's not a factor that hinders acceleration.

Options A, C, and D can all affect acceleration:

Option A mentions "Connections destined to or originated from the Security gateway," which implies that SecureXL acceleration can apply to these connections.

Option C mentions "Multicast packets," and SecureXL may have limitations in handling multicast traffic efficiently.

Option D mentions "Connections that have a Handler (ICMP, FTP, H.323, etc.)," and certain protocols (such as FTP) may require special handling and might not be fully accelerated by SecureXL.

References: Check Point Certified Security Expert R81 Study Guide

NAT (Network Address Translation) is one item that will not be configured on the R81 Security Management Server when setting up an externally managed log server. NAT is a technique that allows devices with private IP addresses to communicate with devices with public IP addresses by translating the private addresses to public ones. NAT is not relevant for configuring an externally managed log server, which requires only the IP address, SIC (Secure Internal Communication), and FQDN (Fully Qualified Domain Name) of the log server. References: Check Point Security Expert R81 Course, Logging and Monitoring Administration Guide

 The command used to activate Multi-Version Cluster mode is set cluster member mvc on in Clish. Multi-Version Cluster mode is a feature that allows cluster members to run different versions of Check Point software during a cluster upgrade. This reduces downtime and simplifies the upgrade process. To enable Multi-Version Cluster mode, the command set cluster member mvc on must be executed on each cluster member in Clish3. The other options are not valid commands for activating Multi-Version Cluster mode. References: 3: Check Point Software, Getting Started, Multi-Version Cluster.

 SecureXL is a technology that improves the performance of the Security Gateway by offloading CPU-intensive operations to a dedicated hardware or software module. SecureXL uses templates to accelerate traffic processing based on predefined patterns and conditions. SecureXL supports three types of templates: Accept Templates, Drop Templates, and NAT Templates3.

• Accept Templates are used to accelerate traffic that matches an Accept rule in the Security Policy. Accept Templates bypass most of the inspection stages and send packets directly to the network interface.
• Drop Templates are used to accelerate traffic that matches a Drop rule in the Security Policy. Drop Templates drop packets without sending them to the firewall kernel for inspection.
• NAT Templates are used to accelerate traffic that requires Network Address Translation (NAT). NAT Templates perform NAT operations without sending packets to the firewall kernel.

Therefore, the correct answer is B.

References: 3: SecureXL for R80.20 and higher

Central Licensing is the preferred and recommended method of licensing because it simplifies the license management process and reduces the risk of license issues. Central Licensing ties to the IP address of the management server and is not dependent on the IP of any gateway in the event it changes. This means that you can easily add, remove, or replace gateways without affecting your license status. Central Licensing also allows you to view and manage all your licenses from one central location using SmartConsole or SmartUpdate. Central Licensing is supported with Gaia and is not the only option when deploying Gaia. Central Licensing does not tie to the IP address of a gateway and cannot be changed to any gateway if needed. References: Check Point R81 Licensing and Contract Administration Guide, page 7

The mechanism that can ensure that the Security Gateway can communicate with the Management Server with ease in situations with overwhelmed network resources is called Management Data Plane Separation (MDPS)1. MDPS is a feature that allows a Security Gateway to have isolated Management and Data networks. The network system of each domain (plane) is independent and includes interfaces, routes, sockets, and processes. The Management Plane is a domain that accesses, provisions, and monitors the Security Gateway. The Data Plane is a domain that handles all other traffic1. MDPS has the following benefits2:

• It improves the performance and stability of the Security Gateway by separating the management traffic from the data traffic.
• It enhances the security of the Security Gateway by preventing any packet from crossing between the planes.
• It simplifies the network configuration and troubleshooting by having separate routing tables for each plane. MDPS is supported on Check Point Appliances with R80.40 and higher versions1. It is also supported on Quantum Maestro and Quantum Scalable Chassis with R81.20 and higher versions3. MDPS can be configured using Gaia Clish commands or Gaia Portal1. References: Management Data Plane Separation (MDPS) - Check Point Software, Tip of the Week: Management Data Plane Separation - Check Point CheckMates, Management Data Plane Separation (MDPS) on Maestro R81.20 - Check Point Software

Threat Extraction (Answer B): Threat Extraction always delivers a file, but it removes potentially malicious content from the file before delivering it to the user. It is designed to provide a safe version of the file quickly, taking less than a second to complete.

Threat Emulation (Option A): Threat Emulation does not deliver the original file to the user until it has been thoroughly analyzed for threats. It may take more than 3 minutes to complete the analysis. The emphasis here is on safety and thorough inspection, which may result in a longer processing time.

Therefore, Option B correctly describes the main difference between Threat Extraction and Threat Emulation.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

ClusterXL supports Dynamic Routing for both Unicast and Multicast traffic. Dynamic Routing protocols, such as OSPF, BGP, or PIM, can be configured on cluster members to exchange routing information with other routers. ClusterXL supports two modes of operation for Dynamic Routing: New Mode and Legacy Mode. References: ClusterXL Administration Guide, SK98226 - ClusterXL New Mode Overview

To add a file to the Threat Prevention Whitelist, you need two items:

B. Object Name and MD5 signature

You need the Object Name to identify the file or object you want to whitelist, and the MD5 signature to specify the unique hash value of that file. The MD5 signature ensures that the specific file you want to whitelist is identified accurately.

References: Check Point Certified Security Expert R81 Study Guide, Threat Prevention Administration Guide.

The correct command to store the GAIA configuration in a file is save configuration 1. This will create a file with the current system level configuration in the home directory of the current user1. The other commands are incorrect because they either do not exist or do not save the configuration to a file. References: 1: Backing up Gaia system level configuration(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk102234)

 The extended master key extension/session hash is a feature introduced in TLS 1.3 to prevent a Man-in-the-Middle attack/disclosure of the client-server communication. It works by generating a unique session hash for each connection, which is derived from the master key and other parameters. This session hash is then used to authenticate the application data and the end-of-handshake messages, ensuring that no one can tamper with or eavesdrop on the communication. References: Check Point Security Expert R81 Course, TLS 1.3 RFC

Multiple administrators can connect to a Security Management Server at the same time. Each administrator has their own username and works in a session that is independent of other administrators. This allows for collaboration and simultaneous management tasks by different administrators.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The command cpinfo –y all displays information about all the hotfixes that are installed on the gateway1. This command also shows the hotfix ID, description, installation date, and status for each hotfix2. The other commands are not valid options for this task. The command cpinfo –h all shows the hardware information of the gateway3. The commands cpinfo –o hotfix and cpinfo –l hotfix do not exist and will return an error message.

References: Hotfix installer - Configuration Manager, How to keep your Security Gateways up to date, Solved: Does it always need to have the higher hotfix vers…

In R81.20, dbedit scripts are being replaced by the mgmt_cli utility for managing and configuring security policies and objects. Here's an explanation of each option:

A. dbedit is not supported in R81.20: This is not entirely accurate. While dbedit is still available and functional in R81.20, it is being phased out in favor of mgmt_cli for policy and object management.

B. dbedit is fully supported in R81.20: This statement is not accurate because although dbedit can still be used, it is not the primary recommended tool for policy management in R81.20.

C. You can use dbedit to modify threat prevention or access policies, but not create or modify layers: This statement is partially true, but it does not provide the complete picture. You can use dbedit for some policy-related tasks, but it's not the primary tool for policy management in R81.20.

D. dbedit scripts are being replaced by mgmt_cli in R81.20: This is the correct and recommended approach. mgmt_cli is the primary tool for managing security policies and objects in R81.20, and it is gradually replacing dbedit for these tasks.

Therefore, option D is the most accurate and recommended answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 Threat Extraction is a technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more), rather than determining their maliciousness. By cleaning the file before it enters the organization, Threat Extraction preemptively prevents both known and unknown threats, providing better protection against zero-day attacks1. Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast2. The other options are either incorrect or irrelevant to the mechanism behind Threat Extraction. References: Threat Extraction (CDR) - Check Point Software, Check Point Document Threat Extraction Technology

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

The fw tab -s command lists all tables in Gaia. The fw tab command displays information about the firewall tables, such as connections, NAT translations, SAM rules, etc. The -s option shows a summary of all tables. References: fw tab - Check Point Support Center

The statement that is not true about Delta synchronization is Using UDP Multicast or Broadcast on port 8161. Delta synchronization is a mechanism that transfers only the changes in the kernel tables between cluster members, instead of sending the entire tables. It uses UDP Multicast or Broadcast on port 8116, not 81612. The other statements are true about Delta synchronization. References: Check Point R81 ClusterXL Administration Guide

 SecureXL is a technology that accelerates the performance of the Check Point Security Gateway by offloading CPU-intensive operations from the Firewall kernel to the SecureXL device. SecureXL can handle various types of traffic, such as TCP, UDP, ICMP, non-IP, VPN, NAT, etc. SecureXL can also work with various features, such as CoreXL, ClusterXL, QoS, etc.

One way to indicate that SecureXL is enabled is to use the fwaccel commands in clish. Clish is a command-line shell that provides a user-friendly interface for configuring and managing Check Point products. The fwaccel commands are used to control and monitor SecureXL operations, such as enabling or disabling SecureXL, viewing SecureXL statistics, managing SecureXL templates, etc. For example, the command fwaccel stat shows the status of SecureXL, such as whether it is on or off, how many packets are accelerated or not accelerated, etc.

The other options are not valid indicators of SecureXL being enabled:

• A. Dynamic objects are available in the Object Explorer: Dynamic objects are objects that represent IP addresses that change over time, such as VPN clients, DHCP clients, etc. Dynamic objects are available in the Object Explorer regardless of whether SecureXL is enabled or not.
• B. SecureXL can be disabled in cpconfig: Cpconfig is a command-line tool that allows you to configure various settings of Check Point products, such as administrator password, GUI clients, SNMP extension, etc. SecureXL can be disabled in cpconfig only if it was enabled before. Therefore, this option does not indicate that SecureXL is enabled.
• D. Only one packet in a stream is seen in a fw monitor packet capture: Fw monitor is a command-line tool that allows you to capture and analyze network traffic passing through the Security Gateway. Fw monitor shows the traffic at different inspection points in the Firewall kernel. If SecureXL is enabled, some packets may be accelerated by SecureXL and bypass the Firewall kernel inspection. Therefore, fw monitor may not see all packets in a stream. However, this does not mean that only one packet in a stream will be seen by fw monitor. Some packets may still go through the Firewall kernel inspection and be seen by fw monitor. Therefore, this option does not indicate that SecureXL is enabled.

Therefore, the correct answer is C.

References: How to enable/disable Check Point SecureXL via CLI, Part 3 - SecureXL, What is SecureXL?, Clish - Command Line Interface Shell, sk30583: What is FW Monitor?

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

At least 20GB is the recommended size of the root partition when installing a dedicated R81 SmartEvent server. The root partition is the primary partition that contains the operating system files and other essential files for booting and running the system. The SmartEvent server requires at least 20GB of free space on the root partition to install and operate properly. If the root partition size is less than 20GB, you may encounter errors or performance issues with SmartEvent. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

Implicit MEP (Multicast Ethernet Point) options refer to the way multicast traffic is handled within a network. In this case, the question is asking about an implicit MEP option, and the correct answer is:

A. Primary-backup: This is an implicit MEP option where one switch (primary) forwards multicast traffic while the other switch (backup) does not forward the traffic. It is used to ensure redundancy in case the primary switch fails.

B. Source address-based, C. Round-robin, and D. Load Sharing are not implicit MEP options; they are different methods of handling multicast traffic and do not describe the concept of primary-backup.

Therefore, option A is the correct answer as it represents an implicit MEP option.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: https:// /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

In SmartEvent, the administrator can configure different types of automatic reactions, which include:

• Mail notifications
• Blocking the source of the event
• Blocking the event activity
• Running an external script
• Sending an SNMP trap

So, the correct answer is "Mail, Block Source, Block Event Activity, External Script, SNMP Trap."

References: Check Point documentation or training materials related to SmartEvent configuration and automatic reactions.

CPM stands for Check Point Management, which is a process that runs on the Security Management server and controls the management operations, such as policy installation, object creation, configuration backup, etc. CPM also controls other processes that are related to the management functions, such as:

• web_services: This process is responsible for providing web services for the communication between SmartConsole and the Security Management server. It handles requests from SmartConsole clients and forwards them to CPM or other processes.
• dle_server: This process is responsible for managing the log files and indexes. It handles queries from SmartLog and SmartEvent and provides log data to CPM or other processes.
• object_Store: This process is responsible for storing and retrieving objects from the database. It handles requests from CPM or other processes and provides object data.

Therefore, the correct answer is D.

The other options are incorrect because:

• A. Object-Store, Database changes, CPM Process and web-services: This option includes some processes that are controlled by CPM, such as Object-Store, CPM Process, and web-services, but it also includes Database changes, which is not a process but an action performed by CPM or other processes.
• B. web-services, CPMI process, DLEserver, CPM process: This option includes some processes that are controlled by CPM, such as web-services, DLEserver, and CPM process, but it also includes CPMI process, which is not a process but a protocol used by CPM or other processes to communicate with each other.
• C. DLEServer, Object-Store, CP Process and database changes: This option includes some processes that are controlled by CPM, such as DLEServer and Object-Store, but it also includes CP Process and database changes, which are not processes but a generic term for any Check Point process and an action performed by CPM or other processes respectively.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

The cpmq set command enables or disables multi-queue per interface. Multi-queue is a feature that allows distributing the network traffic among several CPU cores, improving the throughput and performance of the Security Gateway. References: Multi-Queue

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information. References: Check Point R81 Installation and Upgrade Guide

 Check Point Central Deployment Tool (CDT) communicates with the Security Gateway / Cluster Members over Check Point SIC using TCP port 18191 by default. CDT is a tool that allows you to perform simultaneous configuration changes on multiple gateways or clusters using predefined commands or scripts. References: Check Point Central Deployment Tool (CDT)

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

References:

SecureXL Templating is a feature that accelerates the processing of packets that belong to the same connection or session by creating a template for the first packet and applying it to the subsequent packets. SecureXL Templating is precluded by factors that prevent the creation of a template, such as source port ranges, encrypted connections, NAT, QoS, etc. References: SecureXL Mechanism

To fully enable Dynamic Dispatcher on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled without Firewall Priority Queues. Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Dynamic Dispatcher can improve the throughput and scalability of the Security Gateway, especially for traffic that is not accelerated by SecureXL. The other commands are not valid or do not enable Dynamic Dispatcher. References: R81 Performance Tuning Administration Guide

Suspicious Activity Rules Solution

Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).

The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity rules are Firewall rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation.

References:

When configuring Management HA, you have to take into consideration that the Database revisions will not be synchronized between the management servers. Database revisions are snapshots of the database that are created manually or automatically when installing a policy or saving changes. They are stored locally on each management server and are not replicated by Management HA. The other options are either not true or not relevant to Management HA. References: Check Point R81 Installation and Upgrade Guide

To change the number of firewall instances used by CoreXL, the cpconfig command must be used, followed by a reboot. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The number of firewall instances determines how many cores are dedicated to CoreXL. The cpconfig command allows the administrator to configure various settings on the Security Gateway, including the number of firewall instances. After changing this setting, a reboot is required for the changes to take effect. The other commands are either incorrect or do not require a reboot.

The benefit of fw monitor over tcpdump is that with fw monitor, you can see the inspection points, which cannot be seen in tcpdump. Inspection points are the locations in the firewall kernel where packets are inspected by the security policy and other software blades. Fw monitor allows you to capture packets at different inspection points and see how they are processed by the firewall. Tcpdump, on the other hand, is a generic packet capture tool that only shows the packets as they enter or leave the network interface. References: Check Point Security Expert R81 Course, fw monitor, tcpdump

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

• A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.
• B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.
• D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

References: ClusterXL R81.20 Administration Guide, ClusterXL Administration Guide R80.40, sk25977 - Ports used by Check Point software

The secure application for Mail/Calendar for mobile devices in Check Point is called "Capsule Workspace." Capsule Workspace provides secure access to email and calendar data on mobile devices while maintaining security policies and controls.

References: Check Point Certified Security Expert R81 documentation and learning resources.

Management HA is a feature that allows the Security Management server to have one or more backup Standby Security Management servers that are ready to take over in case of failure1. The Active Security Management server is the one that handles all the management operations, such as policy installation, object creation, configuration backup, etc. The Standby Security Management servers are synchronized with the Active Security Management server and store the same data, such as databases, certificates, CRLs, etc. The Standby Security Management servers can also perform some operations, such as fetching a Security Policy or retrieving a CRL1.

To make changes to the system, such as editing objects or policies, the administrator needs to connect to the Active Security Management server. This is because the Active Security Management server is the only one that can modify the data and synchronize it with the Standby Security Management servers. The administrator can use SmartConsole to connect to the Active Security Management server by entering its IP address or hostname1. The administrator can also use SmartDashboard to connect to the Active Security Management server by selecting Policy > Management High Availability. This shows information about the Security Management server that includes its peers - displayed with the name, status and type of Security Management server1.

The other options are incorrect because:

• A. secondary Smartcenter: This is a synonym for a Standby Security Management server, which cannot be used to make changes to the system.
• C. connect virtual IP of Smartcenter HA: This is not a valid option because there is no virtual IP for Smartcenter HA. Each Security Management server has its own IP address and hostname.
• D. primary Smartcenter: This is a synonym for the Active Security Management server, but it is not the correct term to use. The term primary implies that there is only one Active Security Management server, which is not true. The administrator can put the Active Security Management server on standby and promote a Standby Security Management server to active at any time1.

References: How to Configure Management HA

 User-mode processes are processes that run in the user space of the operating system, as opposed to kernel-mode processes that run in the kernel space. User-mode processes are usually less privileged and have less access to system resources than kernel-mode processes. Check Point products use both user-mode and kernel-mode processes to provide various functionalities and services.

The following are some of the user-mode processes that can be seen on the management server and gateway:

• fwd: This process is responsible for policy installation, logging, and communication with other Check Point components. It runs on both the management server and gateway.
• cpd: This process is responsible for licensing, certificate management, and communication with SmartConsole. It runs on both the management server and gateway.
• cpwd: This process is responsible for monitoring and restarting other processes. It runs on both the management server and gateway.

The following is a user-mode process that can only be seen on the management server:

• fwm: This process is responsible for managing the security policy database, compiling the security policy, and generating reports. It runs only on the management server.

Therefore, the correct answer is B.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

Mobile Access encrypts all traffic using HTTPS for web-based applications and 3DES or RC4 algorithm for native applications. For end users to access the native applications, they need to install the SSL Network Extender, which is a lightweight VPN client that creates a secure SSL tunnel to the Mobile Access gateway. The SSL Network Extender supports various types of native applications, such as email clients, file sharing, and remote desktop. References: Mobile Access Administration Guide, SSL Network Extender

 SecureXL templates are a mechanism to accelerate the rate of connection establishment by grouping connections that match a particular service and whose sole differentiating element is the source port. SecureXL templates enable even the very first packets of a TCP handshake to be accelerated, without waiting for the Firewall kernel to create a connection entry. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. The template will contain all the relevant information for the connection, such as source and destination IP addresses, destination port, NAT information, policy decision, etc. The template will be used by SecureXL to handle subsequent connections on the same service, without involving the Firewall kernel. This reduces the CPU load and increases the throughput.

There are three types of SecureXL templates: Accept, Drop, and NAT. Accept templates are used for connections that are allowed by the Firewall policy. Drop templates are used for connections that are blocked by the Firewall policy. NAT templates are used for connections that require NAT translation. Deny templates are not a valid type of SecureXL template.

References: SecureXL NAT Templates in R80.20 and lower, Part 3 - SecureXL, Security Gateway Performance Optimization - Part 5 - SecureXL

The API command to create a new host with the name "New Host" and IP address "192.168.0.10" is:

This command adds a host object with the specified name and IP address to the Check Point configuration.

References: Check Point documentation or training materials related to API commands.

Firewall Management (fwm) is available on any management product, including Multi-Domain and on products that requite direct GUI access, such as SmartEvent, It provides the following:

– GUI Client communication

– Database manipulation

– Policy Compilation

– Management HA sync

The command used to display status information for various components is show sysenv all. This command provides comprehensive status information about the system's environment and various components, including hardware and software components. It can be useful for troubleshooting and monitoring the system's health.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.:

The Audit Log is a feature that records all the actions performed by R81 SmartConsole administrators, such as logging in, logging out, publishing, installing policy, creating objects, modifying rules, etc. You can see and search records of action done by R81 SmartConsole administrators by following these steps:

• In SmartConsole, go to Logs & Monitor view.
• In the left pane, select Open Audit Log View.
• In the right pane, you will see a table that shows all the audit log records. You can filter, sort, group, or search the records by using the toolbar options.
• You can also double-click on a record to see more details in a pop-up window. References: R81 Logging and Monitoring Administration Guide

The Check Point TE appliance in Recommended Mode includes 2(OS) images. One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version. References: [Check Point R81 Threat Emulation Administration Guide]

References:

The CPM process is the core process of the Security Management Server that handles all management operations. It listens to TCP-port 19009 by default. References: CPM process

Threat Simulator is not a component of Check Point SandBlast. Check Point SandBlast is a solution that provides advanced protection against zero-day threats using four components: Threat Emulation, Threat Extraction, Threat Cloud, and Threat Prevention. References: Check Point SandBlast Network

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via the cpm process. The cpm process is the main management process that handles database operations, policy installation, and communication with GUI clients via TCP port 190093. The other options are either incorrect or irrelevant to the log flow. References: Certified Security Expert (CCSE) R81.20 Course Overview, Check Point Ports Used for Communication by Various Check Point Modules

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer's configuration and environment settings.

References:

 The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345. 

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

References: VPN Administration Guide

SmartView is a web-based application that allows you to view and analyze logs, reports, and events from multiple Check Point products. You can access SmartView by using the following URL:

You need to use HTTPS protocol and the default port 443. You also need to enter the IP address of the Security Management Server that hosts the SmartView application. You cannot use the host name of the Security Management Server or a different port number. References: SmartView R81 Administration Guide

To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. You can enable them by using the command fw ctl multik set_mode 9. This command sets the SecureXL mode to 9, which means that Priority Queues are enabled and Dynamic Dispatcher is fully enabled. References: SecureXL Mechanism

The correct command to observe the Sync traffic in a VRRP environment is fw monitor –e “accept dst=224.0.0.18;”. This command captures the packets that have the destination IP address of 224.0.0.18, which is the multicast address used by VRRP for synchronization. The other commands are either not valid or not specific to VRRP Sync traffic. References: [Check Point R81 ClusterXL Administration Guide], Check Point R81 Performance Tuning Administration Guide

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member. References: [ClusterXL Administration Guide]

PDP is not a valid CPVIEW view. CPVIEW is a command-line tool that shows the status of different system parameters, such as CPU, memory, disk, network, and firewall. The valid views are IDA, RAD, VPN, FW, QoS, and others. PDP is a process that handles identity awareness and authentication. References: Check Point R81 Gaia Administration Guide, Check Point Identity Awareness Administration Guide R81

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation. References: CPD process

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References: R81 Mobile Access Administration Guide

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution. References: SandBlast Mobile Architecture

The fw ctl affinity -l -a -r -v command is the most accurate CLI command to get info about assignment (FW, SND) of all CPUs in your SGW. This command displays the affinity settings of all interfaces and processes in a verbose mode, including the Firewall (FW) and Secure Network Distributor (SND) instances. References: CoreXL Administration Guide

References:

 The cphaprob -a if command displays the interface status of all cluster members, including the interface name, IP address, state, monitor mode, and sync status. References: cphaprob - Check Point Support Center

SmartEvent Processes use two Check Point Protocols: ELA (Event Log Agent) and CPLOG (Check Point Log). ELA collects logs from Security Gateways and forwards them to the Log Server. CPLOG is used by the Log Server to communicate with the SmartEvent Server. References: [SmartEvent Architecture]

 The attributes that SecureXL will check after the connection is allowed by Security Policy are Source address, Destination address, Source port, Destination port, Protocol. These are the five tuple parameters that define a connection and are used by SecureXL to accelerate the traffic. The other options are either missing some of the parameters or include irrelevant ones, such as MAC addresses1. References: Check Point R81 SecureXL Administration Guide

The three components for Check Point Capsule are Capsule Workspace, Capsule Docs, and Capsule Cloud. Capsule Workspace is a secure container app that allows users to access corporate data and applications from their mobile devices. Capsule Docs is a solution that protects documents with encryption and granular access control. Capsule Cloud is a cloud-based security service that enforces security policies on devices that are outside the corporate network. References: Check Point Capsule

Check Point’s FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark.

References:

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, "SecurID."

Options A, C, and D are not standard authentication methods for mobile devices in this context.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The Management API supports three methods of communication: mgmt_cli command, SmartConsole GUI dialog box, and Gaia CLI. Sending API commands over an http connection using web-services is not a supported method. References: Check Point Management APIs

The least amount of CPU cores required to enable CoreXL is 2. CoreXL is a technology that improves the performance of Security Gateways by using multiple CPU cores to process traffic in parallel. CoreXL requires at least two CPU cores, one for SND (Secure Network Distributor) and one for a Firewall instance. The other options are either too few or too many CPU cores for enabling CoreXL. References: [Check Point R81 SecureXL Administration Guide], [Check Point R81 Performance Tuning Administration Guide]

NAT rules are prioritized in the following order:

• Automatic Static NAT: This is the highest priority NAT rule and it translates the source or destination IP address to a different IP address without changing the port number. It is configured in the network object properties.
• Automatic Hide NAT: This is the second highest priority NAT rule and it translates the source IP address and port number to a different IP address and port number. It is configured in the network object properties.
• Manual/Pre-Automatic NAT: This is the third highest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase before the automatic NAT rules.
• Post-Automatic/Manual NAT rules: This is the lowest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase after the automatic NAT rules.

 In R81, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy is a unified policy that allows you to configure and enforce IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction settings in one place. References: Threat Prevention Administration Guide

 Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions . References: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

 Gaia has two default user accounts that cannot be deleted: Admin and Monitor. Admin is a superuser account that has full access to all Gaia features and commands. Monitor is a read-only account that can view Gaia configuration and status but cannot make any changes. Both accounts have predefined passwords that can be changed by the Admin user. References: [Check Point R81 Gaia Administration Guide], page 29

SRC: GAIA R81.20 Administration Guide User Management -> Users These users are created by default and cannot be deleted: admin and monitor

The User Directory Software Blade allows you to create user definitions on an LDAP server, such as Active Directory, and use them in your security policy. You can also integrate with other user authentication methods, such as SecurID, RADIUS, or TACACS+, but you cannot create user definitions on those servers.

The references are:

• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 13
• Check Point R81 Quantum Security Gateway Guide, page 139
• Check Point R81 Identity Awareness Administration Guide, page 9

 The command ‘fw sam -I dport 22’ will delete all of the SSH connections of a gateway by adding a temporary rule to the Security Policy that blocks traffic with destination port 22. The other commands are not valid or do not have the same effect. References: Check Point R81 Command Line Interface Reference Guide, page 101.

The main stages of a policy installation are Verification, Compilation, Transfer, and Commit. Verification is the stage where the policy is checked for syntax errors and conflicts. Compilation is the stage where the policy is translated into a binary format that can be executed by the Security Gateway. Transfer is the stage where the policy is sent from the Security Management Server to the Security Gateway. Commit is the stage where the policy is activated on the Security Gateway3. References: Check Point R81 Security Management Guide

The Check Point software blade that provides protection from zero-day and undiscovered threats is Threat Emulation. Threat Emulation is a sandboxing technology that inspects files for malicious behavior in a virtual environment before they reach the end user. Threat Emulation can detect and block malware that tries to evade traditional signature-based solutions by using unknown or obfuscated techniques. Threat Emulation can also generate forensic reports and provide actionable intelligence on the malware origin and behavior. 

 Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. Permanent VPN tunnels are always active and prevent VPN tunnel negotiation failures due to idle time or traffic volume. You can configure permanent VPN tunnels in SmartConsole by selecting the Permanent Tunnel option in the VPN Community Properties window.

 Packet filtering, stateful inspection, and application layer firewall are technologies used to deny or permit network traffic based on different criteria. Packet filtering is a basic firewall technology that examines the header of each packet and compares it to a set of rules to decide whether to allow or drop it. Stateful inspection is an advanced firewall technology that tracks the state and context of each connection and applies security rules based on the connection information. Application layer firewall is a firewall technology that inspects the content and behavior of applications and protocols at the application layer of the OSI model and enforces granular policies based on the application identity, user identity, and content type. References: Check Point R81 Firewall Administration Guide, page 9-10

Based on the image provided by the user, we can infer that rule 1 and object webserver are locked by another administrator. This is because they have red lock icons next to them, which indicate that they are being edited by another administrator in another session. The lock icons prevent other administrators from modifying these objects until the changes are published or discarded by the original administrator. The lock icons also show the name of the administrator who locked the objects when hovered over with the mouse cursor.

The other options are incorrect because:

• Rule 7 was not created by the ‘admin’ administrator in the current session, but by another administrator in another session. This is because it has a blue lock icon next to it, which indicates that it was added by another administrator in another session. The blue lock icon prevents other administrators from deleting this rule until the changes are published or discarded by the original administrator.
• 8 changes have not been made by administrators since the last policy installation, but in the current session by the ‘admin’ administrator. This is because there is a yellow number 8 next to the Install Policy button, which indicates that there are 8 unpublished changes in the current session by the ‘admin’ administrator. These changes will be published or discarded when the ‘admin’ administrator clicks on Publish or Discard buttons.
• The rules 1, 5 and 6 can be edited by the ‘admin’ administrator, but only after unlocking them from another administrator who locked them in another session. This is because they have red lock icons next to them, which indicate that they are being edited by another administrator in another session. The ‘admin’ administrator can unlock these rules by right-clicking on them and selecting Unlock from the menu. However, this will discard the changes made by the original administrator who locked them.

The Endpoint Policy Management License is required for managing the Endpoint Security Suite, which includes blades such as the Remote Access VPN. The IPSec VPN License is installed on the VPN Gateway and is a basic requirement for a Remote Access VPN solution. The MobileAccessLicense is required on the Security Gateway for the following Remote Access solutions.

The verified answer is D. 1. Enable Mobile Access blade on the Security Gateway object and complete the wizard 2. Configure Mobile Access parameters in Security Gateway object 3. Add a rule in the Access Control Policy and install policy 4. Connect to the Mobile Access Portal

The basic configuration steps for the Check Point Mobile Access VPN blade are as follows1:

• Enable Mobile Access blade on the Security Gateway object and complete the wizard: This step activates the Mobile Access blade on the selected gateway and guides you through the initial configuration, such as defining the portal name, the certificate, and the authentication methods.
• Configure Mobile Access parameters in Security Gateway object: This step allows you to customize the Mobile Access settings, such as defining the supported applications, the access roles, the client settings, and the advanced options.
• Add a rule in the Access Control Policy and install policy: This step creates a rule that allows the traffic from the Mobile Access portal to the protected resources and installs the policy on the gateway.
• Connect to the Mobile Access Portal: This step verifies that the Mobile Access portal is accessible and functional from a web browser or a mobile device.

The other options are incorrect because they do not follow the correct order or include the necessary steps.

References:

• Mobile Access Administration Guide R81 - Check Point Software1

From SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path. Firewall Path is the path that handles packets that are not processed by SecureXL and are sent to the Firewall kernel for inspection. Accelerated Path is the path that handles packets that are processed by SecureXL and bypass the Firewall kernel. Medium Path is the path that handles packets that are partially processed by SecureXL and partially by the Firewall kernel1. References: Check Point R81 Performance Tuning Administration Guide

 The command switch to specify the Gaia API context is mgmt_cli --context gaia_api . This switch allows the user to execute Gaia OS commands through the management API. The Gaia API context is different from the default management API context, which is used to execute commands related to the security policy and objects1. References: Check Point R81 Management API Reference Guide

When running a query on your logs, to find records for user Toni with machine IP of 10.0.4.210 but exclude her tablet IP of 10.0.4.76, you would use the following query syntax:

“Toni” AND 10.0.4.210 NOT 10.0.4.76

This query will match logs that contain the exact phrase “Toni” and the IP address 10.0.4.210, but not the IP address 10.0.4.76. The quotation marks around “Toni” ensure that only logs with that exact word are matched, not variations like Toni? or To**. The AND operator combines two conditions that must both be true, while the NOT operator excludes logs that match a certain condition. References: [SmartLog User Guide]

The component of Management that is used for indexing is SOLR1. SOLR is an open source enterprise search platform that provides indexing and searching capabilities for various types of data2. Check Point uses SOLR to index logs, objects, policies, and other data that are stored in the Security Management Server or the Multi-Domain Security Management Server3. SOLR enables fast and efficient searches in SmartConsole, SmartLog, SmartView, and other applications3. SOLR also supports advanced features such as full-text search, faceted search, highlighting, spell checking, and geospatial search2. References: Check Point R81.20 Known Limitations - Check Point Software, SOLR - The Enterprise Search Platform, Check Point R81.20 Logging and Monitoring Administration Guide - Check Point Software

 The solution that multi-queue is intended to provide is to improve the efficiency of CoreXL Kernel Instances. Multi-queue is a feature that allows each CoreXL Kernel Instance to process traffic from multiple interfaces, instead of being bound to a single interface. This improves the load balancing and performance of the Security Gateway, especially when there are high traffic volumes or asymmetric routing1. References: 1: Check Point Software, Getting Started, Multi-Queue.

QoS global properties are the settings that apply to all QoS rules and QoS interfaces on the Security Gateway. They include the following options12:

• Weight: This is the relative importance of a QoS rule compared to other QoS rules. A higher weight means a higher priority. The default weight is 1, and the maximum weight is 1000.
• Authenticated timeout: This is the time period in seconds that a connection remains in the QoS rule after the last packet is sent or received. The default timeout is 600 seconds, and the minimum timeout is 60 seconds.
• Schedule: This is the time period in which a QoS rule is active. You can define a schedule for each day of the week, or use the default schedule of always active.
• Rate: This is not a valid option for QoS global properties. Rate is an option for QoS rule action, which defines the maximum bandwidth allocated for a QoS rule. The rate can be specified in Kbps, Mbps, or percentage of interface speed.

References: 1: QoS R81.20 Administration Guide - Check Point Software 2: QoS R81 Administration Guide - Check Point Software

With SecureXL enabled, accelerated packets will pass through the following: Network Interface Card and the Acceleration Device. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. Accelerated packets are packets that match certain criteria and can be handled by SecureXL without involving the Firewall kernel. These packets bypass the OSI Network Layer, OS IP Stack, and Check Point Firewall Kernel, and are processed directly by the Network Interface Card and the Acceleration Device. The other options are either incorrect or describe non-accelerated packets. 

The command to show SecureXL status is fwaccel stat. This command displays information about SecureXL acceleration, such as the number of accelerated and non-accelerated connections, the reason for non-acceleration, and the SecureXL device name and mode. The other commands are either invalid or show different statistics.

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is three. One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members. This configuration provides optimal performance and security for Mobile Access traffic. 

 According to the Check Point R81 training course, the medium path is available only when CoreXL is enabled. CoreXL is a performance-enhancing technology that allows multiple CPU cores to process traffic simultaneously. The medium path handles packets that require deeper inspection or content awareness, such as IPS, Anti-Virus, or URL Filtering. The other paths are either available regardless of CoreXL or not valid terms. References: Certified Security Expert (CCSE) R81.20 Course Overview

The Implicit Clean-up Rule is another name for the Clean-up Rule, which is the last rule in every policy layer. The Clean-up Rule defines the default action for traffic that does not match any of the preceding rules in the layer. The default action is to drop the traffic and log it, but it can be changed by the administrator. References: Training & Certification | Check Point Software, Check Point Resource Library

The command that lists all interfaces using Multi-Queue is cpmq get. Multi-Queue is a feature that allows network interfaces to use multiple transmit and receive queues, which improves the performance and scalability of the Security Gateway by distributing the network load among several CPU cores. Cpmq is a command that allows administrators to configure and manage Multi-Queue settings on network interfaces. Cpmq get lists all interfaces using Multi-Queue and shows their queue count and core distribution. 

The SmartEvent R81 Web application for real-time event monitoring is called SmartEventWeb. SmartEventWeb is a web-based interface that allows administrators to view and analyze security events from various sources, such as logs, reports, incidents, and indicators. SmartEventWeb provides dashboards, widgets, filters, and drill-down options to help administrators gain insights into their security posture. The other options are either incorrect or refer to different applications.

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services. You can use an API to:

• Use an automated script to perform common tasks

• Integrate Check Point products with 3rd party solutions

• Create products that use and enhance the Check Point solution

References:

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network. References: Security Gateway R81 Administration Guide:

Proxy ARP is a technique that allows a device to respond to ARP requests on behalf of another IP address. Proxy ARP is required for Manual Static NAT when the translated IP address does not belong to one of the firewall’s interfaces. This is because the firewall needs to intercept the packets destined to the translated IP address and forward them to the original IP address after applying the NAT rule. Without Proxy ARP, the packets would not reach the firewall and the NAT would not work. Proxy ARP is not required for Automatic Static NAT or Automatic Hide NAT, because these types of NAT use IP addresses that belong to the firewall’s interfaces. Proxy ARP is also not required for Manual Hide NAT, because this type of NAT does not change the destination IP address of the packets, only the source IP address. References: Check Point R81 Security Management Administration Guide, page 115

The options that are given on features, when editing a Role on Gaia Platform are Read/Write, Read Only, and None. These options determine the level of access that a user has to a specific feature or command in Gaia. If a user has Read/Write access to a feature, they can view and modify the settings of that feature. If a user has Read Only access to a feature, they can only view the settings of that feature, but not change them. If a user has None access to a feature, they cannot view or modify the settings of that feature. 

The back end database for Check Point R81 Management uses PostgreSQL, which is an open source relational database management system2. MongoDB, MySQL, and DBMS are not used by Check Point R81 Management. References: 2: Check Point Software, Getting Started, Database.

 The Anti-Virus feature of the Threat Prevention policy blocks traffic from infected websites by matching logs against ThreatCloud information about the reputation of the website. ThreatCloud is a collaborative network that collects and analyzes threat data from millions of sources worldwide. It assigns a reputation score to each website based on its malicious activity and behavior. If a website has a low reputation score, it is considered infected and blocked by the Anti-Virus blade. References: Training & Certification | Check Point Software, CCSE section

The valid SecureXL paths in R81.20 are F2F (Slow path), Accelerated Path, Medium Path and F2V1. SecureXL is a technology that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2. SecureXL uses different paths to process packets, depending on the type and state of the connection3. The SecureXL paths are3:

• F2F (Slow path): This path handles packets that require a full inspection by the Firewall kernel. It is the slowest path, but it supports all features and blades. Examples of packets that use this path are packets that belong to a new connection, packets that match a rule with UTM blades, or packets that require address translation.
• Accelerated Path: This path handles packets that belong to an established connection that does not require any further inspection by the Firewall kernel. It is the fastest path, but it supports only a limited set of features and blades. Examples of packets that use this path are packets that match an accept rule with no UTM blades, or packets that match a rule with SecureXL acceleration enabled.
• Medium Path: This path handles packets that belong to an established connection that requires some inspection by the Firewall kernel, but not a full inspection. It is faster than the F2F path, but slower than the Accelerated path. It supports more features and blades than the Accelerated path, but less than the F2F path. Examples of packets that use this path are packets that match a rule with IPS or Anti-Bot blades, or packets that require NAT templates.
• F2V: This path handles packets that are encapsulated or decapsulated by the VPN kernel. It is faster than the F2F path, but slower than the Accelerated path. It supports VPN features such as encryption, decryption, encapsulation, and decapsulation. References: R81.x Security Gateway Architecture (Logical Packet Flow) - Check Point CheckMates, SecureXL Mechanism in R80.10 and above - Check Point Software, SecureXL - Check Point Software

 How many interfaces can you configure to use the Multi-Queue feature? You can configure up to 5 interfaces to use the Multi-Queue feature. Multi-Queue is a performance enhancement feature that allows distributing the network traffic among multiple CPU cores, instead of using a single core for all traffic. Multi-Queue can be enabled on interfaces that have high traffic load and support multiple receive/transmit queues. Multi-Queue can be configured via SmartConsole or via CLI with the command sim affinity -m. References: R81 Performance Tuning Administration Guide, page 18.

 One of the requirements for a successful upgrade using the Advanced Upgrade with Database Migration is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. This is to ensure that there is enough space to copy the log files from the source machine to the target machine during the upgrade process. References: Advanced Upgrade with Database Migration

Implied rules are predefined rules that are automatically added to the Access Control rulebase by the Security Management Server. Implied rules allow the control connections that are essential for the functionality and security of the Check Point products, such as communication between the Security Gateway and the Security Management Server, synchronization between cluster members, logging, VPN, and ICMP. Implied rules are not visible in the SmartConsole, but they can be viewed and modified using the Global Properties window.

The references are:

• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 12
• Check Point R81 Quantum Security Gateway Guide, page 141
• Check Point R81 Firewall Administration Guide, page 21

 In the Network policy layer, the default action for the Implied last rule is drop all traffic. However, in the Application Control policy layer, the default action is accept all traffic. The Implied last rule is a rule that is automatically added at the end of each policy layer and defines what to do with traffic that does not match any of the user-defined rules. The default actions for each policy layer can be changed in the Global Properties or in the layer properties. References: R81 Security Management Administration Guide, page 30.