Checkpoint 156-315.81 Check Point Certified Security Expert R81.20 Exam Practice Test

To determine the cause of a cluster gateway showing "Down" despite running "clusterXL_admin up" on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

References: Check Point documentation or training materials related to High Availability and ClusterXL.

Threat Extraction is a software blade that delivers PDF versions of original files with active content removed. Active content, such as macros, scripts, or embedded objects, can be used by attackers to deliver malware or exploit vulnerabilities. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

The configuration file that contains the structure of the Security Server showing the port numbers, corresponding protocol name, and status is $FWDIR/conf/fwauthd.conf. This file is used for configuring authentication services in Check Point Security Servers.

References: Check Point documentation or training materials related to Security Server configuration.

The most recommended way to install patches and hotfixes is CPUSE (Check Point Update Service Engine). CPUSE is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the target device using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

 A best practice before starting to troubleshoot using the fw monitor tool is to disable SecureXL. SecureXL is a performance acceleration solution that optimizes the packet flow through the Security Gateway. However, SecureXL can also bypass some inspection points and cause some packets to be invisible to fw monitor. Therefore, disabling SecureXL can ensure that fw monitor captures all the relevant packets for troubleshooting purposes. References: Check Point Security Expert R81 Course, fw monitor, SecureXL

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

SecureXL is a technology that improves the performance of Security Gateway by offloading the processing of some packets from the Firewall kernel to the SecureXL device driver1. SecureXL can handle packets in three different paths, depending on the type and state of the packet2:

• Firewall Path: This is the slowest path, where packets are processed by the Firewall kernel and all the inspection blades. This path is used for packets that require full inspection, such as the first packet of a connection, packets that match a rule with a UTM blade, or packets that are not eligible for acceleration.
• Accelerated Path: This is the fastest path, where packets are processed by the SecureXL device driver and bypass the Firewall kernel. This path is used for packets that belong to an established connection that is marked for acceleration, and do not require any further inspection by the Firewall or other blades.
• Medium Path: This is a hybrid path, where packets are processed by both the SecureXL device driver and the Firewall kernel, but skip some inspection steps. This path is used for packets that belong to an established connection that is not marked for acceleration, but do not require full inspection by all the blades.

The other options are not correct because:

• A. Initial Path; Medium Path; Accelerated Path: There is no such thing as Initial Path in SecureXL terminology. The initial packet of a connection is always handled by the Firewall Path.
• B. Layer Path; Blade Path; Rule Path: These are not paths of traffic flow, but components of the unified policy in R80 and above versions. The Layer Path refers to the order of layers in the policy, the Blade Path refers to the order of blades within a layer, and the Rule Path refers to the order of rules within a blade3.
• C. Firewall Path; Accept Path; Drop Path: These are not paths of traffic flow, but possible actions that the Firewall can take on a packet. The Firewall Path is one of the paths of traffic flow, but the Accept Path and Drop Path are not. The Accept Path means that the packet is allowed to pass through the Firewall, and the Drop Path means that the packet is blocked by the Firewall4.

References: Part 3 - SecureXL, What is CoreXL & SecureXL, SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above, QUANTUM 7000 SECURITY GATEWAY

In R81, the Mobile Access policy is created and modified in SmartConsole. SmartConsole is the management interface for configuring and managing various security policies, including Mobile Access policies.

References: Check Point Certified Security Expert R81 documentation and learning resources.

 Security Checkup Summary can be easily conducted within Views. Views is a feature in SmartConsole that allows you to create customized dashboards and reports based on various security data sources, such as logs, events, audit trails, and more. You can use Views to perform a Security Checkup Summary, which is a comprehensive analysis of your network security posture and potential risks. You can use predefined templates or create your own views to generate the summary. References: Check Point Security Expert R81 Course, Views Administration Guide

NAT (Network Address Translation) is one item that will not be configured on the R81 Security Management Server when setting up an externally managed log server. NAT is a technique that allows devices with private IP addresses to communicate with devices with public IP addresses by translating the private addresses to public ones. NAT is not relevant for configuring an externally managed log server, which requires only the IP address, SIC (Secure Internal Communication), and FQDN (Fully Qualified Domain Name) of the log server. References: Check Point Security Expert R81 Course, Logging and Monitoring Administration Guide

 The port used for SmartConsole to connect to the Security Management Server is CPMI port 18191/TCP. CPMI stands for Check Point Management Interface, which is a proprietary protocol that enables secure communication between the SmartConsole and the Security Management Server. CPMI uses SSL encryption and authentication to protect the data exchange. References: Check Point Security Expert R81 Course, SK52421 - Ports used by Check Point software

The secure application for Mail/Calendar for mobile devices in Check Point is called "Capsule Workspace." Capsule Workspace provides secure access to email and calendar data on mobile devices while maintaining security policies and controls.

References: Check Point Certified Security Expert R81 documentation and learning resources.

When traffic from source 192.168.1.1 is going to and the Application Control Blade on the gateway is inspecting the traffic with acceleration enabled, it is handled by the Slow Path.

A. Slow Path

The Slow Path is responsible for handling traffic that requires full inspection by various security blades, including the Application Control Blade. Acceleration may offload some processing to the Medium Path or Fast Path, but the Slow Path is still involved in deeper inspection.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on traffic acceleration and processing paths.

 SecureXL templates are a mechanism to accelerate the rate of connection establishment by grouping connections that match a particular service and whose sole differentiating element is the source port. SecureXL templates enable even the very first packets of a TCP handshake to be accelerated, without waiting for the Firewall kernel to create a connection entry. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. The template will contain all the relevant information for the connection, such as source and destination IP addresses, destination port, NAT information, policy decision, etc. The template will be used by SecureXL to handle subsequent connections on the same service, without involving the Firewall kernel. This reduces the CPU load and increases the throughput.

There are three types of SecureXL templates: Accept, Drop, and NAT. Accept templates are used for connections that are allowed by the Firewall policy. Drop templates are used for connections that are blocked by the Firewall policy. NAT templates are used for connections that require NAT translation. Deny templates are not a valid type of SecureXL template.

References: SecureXL NAT Templates in R80.20 and lower, Part 3 - SecureXL, Security Gateway Performance Optimization - Part 5 - SecureXL

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

 For ClusterXL to work properly, one of the mandatory requirements is that the Magic MAC number must be unique per cluster node. The Magic MAC number is a MAC address that is used by ClusterXL to hide the physical MAC addresses of the cluster members from the network. This way, the cluster can present a single virtual MAC address to the network, and avoid ARP issues when a failover occurs. The Magic MAC number is derived from the Cluster Virtual IP address, which must also be unique per cluster. 

Implicit MEP (Multicast Ethernet Point) options refer to the way multicast traffic is handled within a network. In this case, the question is asking about an implicit MEP option, and the correct answer is:

A. Primary-backup: This is an implicit MEP option where one switch (primary) forwards multicast traffic while the other switch (backup) does not forward the traffic. It is used to ensure redundancy in case the primary switch fails.

B. Source address-based, C. Round-robin, and D. Load Sharing are not implicit MEP options; they are different methods of handling multicast traffic and do not describe the concept of primary-backup.

Therefore, option A is the correct answer as it represents an implicit MEP option.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

When an encrypted packet is received by a Check Point Security Gateway, it is decrypted according to the security policy. The security policy defines the rules and settings for encryption and decryption of traffic, such as the encryption algorithm, the encryption domain, the pre-shared secret or certificate, etc. The security policy is enforced by the Firewall kernel, which is responsible for decrypting the packets before passing them to the inbound chain for further inspection. The inbound chain consists of various inspection modules that apply security checks and actions on the decrypted packets. The outbound chain is the reverse process, where the packets are inspected and then encrypted according to the security policy before being sent out.

References: Check Point Firewall Security Solution, Check Point R81 Cyber Security Platform, Check Point VPN Administration Guide R81

 CPUSE offline upgrade is the best upgrade method when the management server is not connected to the Internet. CPUSE (Check Point Upgrade Service Engine) is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the management server using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

Threat Extraction (Answer B): Threat Extraction always delivers a file, but it removes potentially malicious content from the file before delivering it to the user. It is designed to provide a safe version of the file quickly, taking less than a second to complete.

Threat Emulation (Option A): Threat Emulation does not deliver the original file to the user until it has been thoroughly analyzed for threats. It may take more than 3 minutes to complete the analysis. The emphasis here is on safety and thorough inspection, which may result in a longer processing time.

Therefore, Option B correctly describes the main difference between Threat Extraction and Threat Emulation.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

The blades of Threat Prevention in Check Point include:

Intrusion Prevention System (IPS)

AntiVirus

AntiBot

SandBlast Threat Emulation/Extraction

So, the correct answer is D, which includes all the mentioned blades.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

SmartView Monitor is a GUI client that is supported in R81. It allows you to monitor the network and security performance of your Security Gateways and devices5. You can use it to view real-time statistics, alerts, logs, reports, and graphs6. The other GUI clients are not supported in R81 because:

• A. SmartProvisioning was replaced by SmartLSM in R80.20 and later versions7. SmartLSM is a unified solution for managing large-scale deployments of Security Gateways8.
• B. SmartView Tracker was replaced by SmartLog in R80 and later versions9. SmartLog is a powerful log analysis tool that enables fast and easy access to log data from multiple Security Gateways10.
• D. SmartLog is not a GUI client, but a web-based application that runs on the Security Management Server or Log Server10. You can access it from any web browser or from SmartConsole.

References: SmartView Monitor R81 Help, SmartView Monitor R81 Administration Guide, What’s New in Check Point R80.20, SmartLSM R81 Help, What’s New in Check Point R80, SmartLog R81 Help

The command vpn tu tlist shows detailed information about VPN tunnels, such as the peer IP address, encryption domain, IKE phase 1 and phase 2 status, encryption algorithm, and tunnel uptime. The command vpn tu is an interactive tool that allows users to list, delete, or reconnect VPN tunnels. The command cpview is a real-time performance monitoring tool that shows various statistics about the system and network. References: VPN Administration Guide, SK97638 - What is cpview Utility and How to Use it

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

The Correlation Unit in SmartEvent architecture has the function of analyzing each log entry as it arrives at the log server according to the Event Policy. When it identifies a threat pattern, it forwards an event to the SmartEvent Server. This is an essential function in threat detection and analysis, as it helps in identifying and alerting about security threats based on the configured policies.

Option A correctly describes the function of the Correlation Unit, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The Check Point daemon that monitors the other daemons is cpwd (Check Point Watchdog). It is responsible for monitoring the health and status of various Check Point daemons and processes running on the Security Gateway. If any daemon or process stops responding or encounters an issue, cpwd can restart it to ensure the continued operation of the Security Gateway.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Dynamic Dispatch is a feature that enhances CoreXL performance by dynamically assigning new connections to CoreXL FW instances based on their CPU utilization1. To enable Dynamic Dispatch on Security Gateway without enabling Firewall Priority Queues (FPQ), you need to run the command fw ctl multik set_mode 4 in Expert mode and reboot2. This command will set the CoreXL mode to Dynamic Dispatcher without FPQ. The other options are not correct because:

• A. fw ctl Dyn_Dispatch on: This command does not exist and will return an error message.
• B. fw ctl Dyn_Dispatch enable: This command does not exist and will return an error message.
• D. fw ctl multik set_mode 1: This command will set the CoreXL mode to Static Dispatcher without FPQ, which is the default mode2. This mode will use a static hash function to assign new connections to CoreXL FW instances based on their IP addresses and protocol.

References: CoreXL Dynamic Dispatcher, To fully enable Dynamic Dispatcher on a Security Gateway, Running Dynamic Dispatch / Dynamic Split / Dynamic Balancing on VSEC/IaaS in Vmware, Dynamic Balancing for CoreXL

Threat Emulation downloads packages by default once per day. The packages contain updates for the Threat Emulation engine, signatures, and images. The download frequency can be changed in the Threat Prevention policy settings. References: Threat Emulation Administration Guide, Threat Prevention R81 Release Notes

To deploy a TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway, you can utilize Check Point Cloud Services. In this scenario, you can leverage cloud-based email security services provided by Check Point without the need for an on-premises Security Gateway.

Option C correctly states that you can use only Check Point Cloud Services for this scenario, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The command cpinfo -y all can be used to have cpinfo display all installed hotfixes. Cpinfo is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The -y parameter is used to specify which sections of data to include in the cpinfo output. The value all means to include all sections, including the hotfixes section, which shows the list of hotfixes installed on the system. References: Check Point Security Expert R81 Course, cpinfo Utility

The Correlation Unit in Check Point Security Management performs several actions, but it does not assign a severity level to the event. The Correlation Unit is responsible for identifying patterns in logs, marking logs that are part of larger patterns, generating events based on the Event policy, and adding new log entries to ongoing events. However, assigning a severity level to an event is typically done through the Event policy configuration, not by the Correlation Unit.

References: Check Point Certified Security Expert R81 Study Guide

In a Cpinfo (Checkpoint information) command, various information is collected from a Security Gateway. However, firewall logs are NOT collected from a Security Gateway in a Cpinfo.

A. Firewall logs

The Cpinfo command typically collects information such as configuration and database files, system message logs, OS and network statistics, but it does not include firewall logs. Firewall logs are usually obtained separately using other methods or tools.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on Cpinfo.

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library1, the following are the types of Check Point API available in R81.x:

• Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.
• OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.
• Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

References: What is an API Gateway?, How to use Check Point API with Postman quick guide, Home - Check Point Developers, Introduction to RESTful APIs and JSON format, Checkpoint API tutorial, part 1 - getting started

The cvpnd_restart command is used to restart the daemon after making modifications to the $CVPNDIR/conf/cvpnd.C file. The cvpnd daemon is responsible for managing the communication between the Check Point components and the Content Vectoring Protocol (CVP) server. The CVP server is an external server that provides content inspection and filtering services for Check Point gateways. The $CVPNDIR/conf/cvpnd.C file contains the configuration settings for the cvpnd daemon, such as the CVP server IP address, port number, timeout value, and debug level. References: Check Point Security Expert R81 Course, Content Inspection Using ICAP, cvpnd daemon debug file

 The cpinfo command is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The cpinfo output can be used for troubleshooting or sent to Check Point support for analysis. The -x parameter is used to get information about the specified Virtual System on a VSX gateway. A Virtual System is a virtualized firewall instance that runs on a VSX gateway and has its own security policy and objects. References: Check Point Security Expert R81 Course, cpinfo Utility, VSX Administration Guide

To see the cluster status in CLI expert mode, you can use the command cphaprob stat. This command displays the status of the Check Point High Availability cluster. It provides information about the state of the cluster members, such as "Active," "Standby," or "Collision."

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The purpose of a SmartEvent Correlation Unit is to evaluate logs from the log server component to identify patterns/threats and convert them to events. The SmartEvent Correlation Unit is a software module that runs on the SmartEvent server or on a dedicated server. It applies correlation rules and logic to the logs received from various sources, such as security gateways, endpoints, or third-party devices. It then generates events that represent security incidents or trends that require attention or action. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

Check Point's SecureXL technology, which is responsible for acceleration, has certain limitations and conditions under which acceleration may not occur. In this context, the question is asking about factors that will NOT affect acceleration.

Option B, "A 5-tuple match," will not affect acceleration. A 5-tuple match refers to the matching of source IP, source port, destination IP, destination port, and protocol. SecureXL can accelerate traffic that matches these criteria, but it's not a factor that hinders acceleration.

Options A, C, and D can all affect acceleration:

Option A mentions "Connections destined to or originated from the Security gateway," which implies that SecureXL acceleration can apply to these connections.

Option C mentions "Multicast packets," and SecureXL may have limitations in handling multicast traffic efficiently.

Option D mentions "Connections that have a Handler (ICMP, FTP, H.323, etc.)," and certain protocols (such as FTP) may require special handling and might not be fully accelerated by SecureXL.

References: Check Point Certified Security Expert R81 Study Guide

The correct command to verify the CPUSE (Check Point Update Service Engine) version is:

Option B is incorrect because it uses the "[Expert@HostName:0]#" prompt, which is typically used for expert mode commands, but the CPUSE version can be checked using the "show installer status build" command in standard mode.

Option C is incorrect because it uses the "[Expert@HostName:0]#" prompt, and while it includes the "build" parameter, it's not the standard command to check the CPUSE version.

Option D is incorrect because it uses the "HostName:0>" prompt, but it lacks the "show" command and uses "build" instead of "status build."

References: Check Point Certified Security Expert R81 documentation

The FWD daemon uses TCP port 256 to do a Full Synchronization between gateway cluster members. This port is also used for other synchronization types, such as Delta Synchronization and Accelerated Synchronization. The FWD daemon is responsible for synchronizing the connections table, NAT table, and VPN keys between cluster members. References: ClusterXL Administration Guide, SK25977 - Ports Used by Check Point Software

To enable VMAC mode on a cluster member, you need to set the value of the global kernel parameter fwha_vmac_global_param_enabled to 1. This can be done on-the-fly using the command fw ctl set int fwha_vmac_global_param_enabled 1 on all cluster members. This command does not require a reboot or a policy installation. VMAC mode allows the cluster to use a virtual MAC address for its virtual IP addresses, which reduces the number of gratuitous ARP packets sent upon failover and avoids ARP cache issues on some routers and switches. References: How to enable ClusterXL Virtual MAC (VMAC) mode

At least 20GB is the recommended size of the root partition when installing a dedicated R81 SmartEvent server. The root partition is the primary partition that contains the operating system files and other essential files for booting and running the system. The SmartEvent server requires at least 20GB of free space on the root partition to install and operate properly. If the root partition size is less than 20GB, you may encounter errors or performance issues with SmartEvent. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

 The Threat Prevention profile in Check Point R81.20 SmartConsole application allows you to enforce the following software blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. These software blades provide comprehensive protection against various types of threats, such as network attacks, malware, ransomware, phishing, and zero-day exploits. You can configure the profile settings for each software blade, such as the action to take, the protection scope, and the exceptions. References: Check Point Security Expert R81 Course, Threat Prevention Administration Guide

The command "fw tab -s" is used to display information about the state of various kernel tables in a Check Point firewall. It provides a perspective on the number and status of these tables, which can be helpful for troubleshooting and monitoring firewall performance.

Option B correctly identifies the command that gives a perspective of the number of kernel tables, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The directory /opt/CPsuite-R81/fw1/log contains the log files for the Security Gateway, such as firewall, VPN, IPS, and anti-virus logs1. These log files can be viewed and analyzed using SmartConsole or SmartView2. The other directories are not correct because:

• A. The directory /opt/CPSmartlog-R81/log contains the log files for the SmartLog server, which is a separate component that indexes and searches the logs from multiple Security Gateways3.
• B. The directory /opt/CPshrd-R81/log contains the log files for the shared components of the Check Point suite, such as cpwd, cpca, cpd, and cpwatchdog4.
• D. The directory /opt/CPsuite-R81/log does not exist by default and is not used for logging purposes.

References: Logging and Monitoring R81 Administration Guide, SmartConsole R81 Help, SmartLog R81 Help, Check Point Processes and Daemons

The two ClusterXL Deployment options are Distributed and Full High Availability. Distributed deployment means that each cluster member has its own Security Management Server and synchronizes with other members. Full High Availability deployment means that one cluster member is active and handles all traffic, while the other members are in standby mode and ready to take over in case of a failure. The other options are not valid ClusterXL Deployment options, but rather ClusterXL Modes or ClusterXL Load Sharing Methods. References: [Check Point Security Expert R81 ClusterXL Administration Guide], page 6.

 SmartEvent uses its event policy to identify events. The event policy can be customized by matching logs against event rules. Event rules define the conditions and actions for generating events. You can create, edit, delete, enable, or disable event rules in the SmartEvent Policy tab of the SmartConsole. References: [SmartEvent Administration Guide]

The FWD process provides logging services, such as forwarding logs from Gateway to Log Server, providing Log Export API (LEA) and Event Logging API (EL-A) services. The FWD process is responsible for sending logs from the Security Gateway to the Security Management Server or Log Server, and for fetching logs from the Security Management Server or Log Server to SmartConsole. The FWD process also handles the communication with external logging applications that use the LEA or EL-A protocols.

References:

• FWD process does not work after reboot - Check Point CheckMates, section “FWD process does not work after reboot”
• Check Point R81, section “Logging and Monitoring”
• CoreXL Dynamic Dispatcher - Check Point Software, section “Example of output”

 The CLI utility that runs connectivity tests from a Security Gateway to an AD domain controller is test_ad_connectivity -d . This command tests the connectivity between the gateway and the domain controller using LDAP, Kerberos, and WMI protocols. It also verifies the identity awareness configuration and shows the relevant logs3. The other options are not valid commands for testing AD connectivity. References: 3: Check Point Software, Getting Started, Testing Active Directory Connectivity.

 The CPM process handles connection from SmartConsole R81. The CPM process is the main process of the Security Management Server and the Multi-Domain Security Management Server. It is responsible for managing the database, handling policy installation, communicating with SmartConsole clients, and providing REST API services. The CPM process runs on port 19009 and uses the CPD process as a proxy for communication with other processes.

References:

• Check Point Processes and Daemons, section “CPM”
• Check Point R81, section “SmartConsole”
• Check Point R81.20, section “REST API”

 The Anti-Virus feature of the Threat Prevention policy blocks traffic from infected websites by matching logs against ThreatCloud information about the reputation of the website. ThreatCloud is a collaborative network that collects and analyzes threat data from millions of sources worldwide. It assigns a reputation score to each website based on its malicious activity and behavior. If a website has a low reputation score, it is considered infected and blocked by the Anti-Virus blade. References: Training & Certification | Check Point Software, CCSE section

 Establishing SIC between gateways and the management server is a prerequisite for Central Deployment usage, as the CDT tool will not take care of this automatically1. The administrator must have write permission on SmartUpdate, the Security Gateway must have the latest CPUSE Deployment Agent, and the Security Gateway must have a policy installed2. These are the basic requirements for using the Central Deployment Tool (CDT), which is a utility that lets you manage a deployment of software packages from your Management Server to the multiple managed Security gateways and cluster members at the same time2. The CDT can perform various actions, such as installation of software packages, taking snapshots, running shell scripts, pushing/pulling files, and automating the RMA backup and restore process2. The CDT is supported on Check Point Appliances with R80.40 and higher versions2. References: How to keep your Security Gateways up to date - Check Point Software, Central Deployment Tool (CDT) - Check Point CheckMates.

 The approach that will allow you to configure individual policies for each application when configuring Endpoint Compliance Settings for Applications and Gateways within Mobile Access is Very Advanced Approach. This approach lets you define compliance rules for each application separately and assign different actions for each rule. You can also create custom messages and notifications for each application. The other approaches are either less granular or not applicable in this scenario. The Basic Approach lets you define compliance rules for all applications globally and assign a single action for all rules. The Medium Approach lets you define compliance rules for all applications globally and assign different actions for each rule. The Strong Approach is not a valid option for Endpoint Compliance Settings. References: [Endpoint Compliance Settings]

A Distinguished Name (DN) is a unique identifier for an object in an LDAP directory, such as a user, a group, or an organization. A DN consists of a sequence of relative distinguished names (RDNs), which are attributes that describe the object. The most common RDNs are:

• Common Name (CN): The name of the object, such as a user’s full name or a group’s name
• Country ©: The two-letter ISO code of the country where the object is located, such as US or PK
• User container (UC): The name of the container that holds the user objects, such as Users or People
• Domain Component (DC): The name of the domain that the object belongs to, such as checkpoint.com or example.org

An Organizational Unit (OU) is not a component of a DN, but a type of object that can be used to organize other objects in a hierarchical structure. An OU can have its own DN, which includes the OU attribute as an RDN, such as OU=Sales,DC=checkpoint,DC=com.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 14
• LDAP Distinguished Names
• What is a Distinguished Name?

The command to identify the NIC driver before considering about the employment of the Multi-Queue feature is ethtool -i eth0, where eth0 is the name of the network interface. This command displays the information about the driver and firmware version of the NIC, as well as other details such as bus-info and supported features1. The Multi-Queue feature requires a NIC driver that supports multiple transmit and receive queues2.

References: : ethtool(8) - Linux man page : How To Configure Multi-Queue NICs | Linode Docs

When configuring SmartEvent Initial settings, you must specify a basic topology for SmartEvent to help it calculate traffic direction for events. This setting is called Internal network(s) and you are defining your networks. You can specify one or more networks or IP addresses that are considered internal for SmartEvent. This helps SmartEvent to determine the direction of the traffic (inbound, outbound, or internal) and generate events accordingly. References: [SmartEvent Administration Guide]

The lock symbol in the left column of the rule means that another user has locked the rule for editing. This is to prevent multiple users from editing the same rule at the same time and causing conflicts. References:

 The command to add users to or from existing roles is add rba user roles . This command allows you to assign one or more roles to a user in the Gaia database. Roles are collections of permissions that define what actions a user can perform on the system. You can use predefined roles or create your own custom roles. To remove a role from a user, you can use the command delete rba user roles . 

The valid authentication methods for mutual authenticating the VPN gateways are Pre-shared Secret and PKI Certificates. Pre-shared Secret is a method that uses a secret key that is known only to the two VPN gateways. PKI Certificates is a method that uses digital certificates that are issued by a trusted Certificate Authority (CA) and contain the public key of each VPN gateway. Both methods ensure that the VPN gateways can verify each other’s identity before establishing a secure VPN tunnel. References: [Check Point R81 VPN Administration Guide]

The “sim affinity -I” command is a command that displays the affinity distribution of the Security Gateway’s interfaces. Affinity distribution is the assignment of CPU cores to handle the traffic from different interfaces. The “sim affinity -I” command shows the following information for each interface:

• The interface name, such as eth0, eth1, etc.
• The interface index, such as 0, 1, 2, etc.
• The interface type, such as physical, bond, VLAN, etc.
• The interface state, such as up or down
• The interface speed, such as 1000 Mbps, 10000 Mbps, etc.
• The interface MTU, such as 1500, 9000, etc.
• The interface MAC address, such as 00:11:22:33:44:55
• The interface IP address, such as 192.168.1.1, 10.0.0.1, etc.
• The interface affinity mask, such as 0x00000001, 0x00000002, etc. The affinity mask is a hexadecimal value that represents the CPU cores that are assigned to handle the traffic from the interface. For example, 0x00000001 means that only CPU core 0 is assigned, 0x00000003 means that CPU cores 0 and 1 are assigned, and so on.

The “sim affinity -I” command can help you to monitor and optimize the performance of your Security Gateway by showing you how the traffic load is distributed among the CPU cores. You can also use the “sim affinity” command with other options to change the affinity settings of the interfaces or the firewall instances. For more information, you can refer to the Check Point R81.20 (Titan) Resolved Issues and Enhancements1 or the Solved: Sim Affinity - Check Point CheckMates2.

 SandBlast Agent is a comprehensive endpoint security solution that extends 0-day prevention to web browsers and user devices. It protects against advanced threats such as ransomware, phishing, and zero-day attacks by using a combination of static, dynamic, and behavioral analysis. References: [SandBlast Agent Datasheet]

 FWD is a process that runs on both Security Management Server and Security Gateway. On Security Management Server, FWD handles logging and communication with SmartConsole. On Security Gateway, FWD receives policy files from FWM (the policy compiler process on Security Management Server) and stores them in a temporary directory before installing them on the firewall kernel7. Therefore, FWD is responsible for receiving policy files from FWM on Security Gateway side. The correct answer is A.

References: 7: Check Point Processes and Daemons

VLAN Tag is not an attribute of packet acceleration. Packet acceleration is a feature of SecureXL that allows certain packets to bypass the Firewall kernel and be processed by a more efficient mechanism. Packet acceleration is based on templates that match packets based on four attributes: Source IP address, Destination IP address, Protocol, and Destination port. If a packet matches an existing template, it is accelerated; otherwise, it is sent to the Firewall path for inspection. References: [SecureXL Mechanism]

The traffic is handled by the Accelerated Path. According to the R81.x Security Gateway Architecture (Logical Packet Flow)1, the Accelerated Path is the fastest path for processing packets, as it bypasses most of the inspection and uses SecureXL to accelerate the traffic. The Accelerated Path is used for connections that are established, compliant with the security policy, and do not require any content inspection or NAT1.

The Application Control blade inspects the traffic based on the application identity, which is determined by the Application Control Software Blade in the Medium Path1. However, once the application identity is established, the connection can be offloaded to SecureXL and handled by the Accelerated Path2. This way, the Application Control blade can improve performance and reduce CPU consumption2.

The other paths are not used for this traffic because:

• The Slow Path is used for packets that are not compliant with the security policy, require stateful inspection or NAT, or are not supported by SecureXL1. This path involves the most inspection and processing, and is therefore the slowest3.
• The Fast Path is used for packets that are trusted and do not require any inspection or NAT. This path bypasses both SecureXL and the Firewall kernel, and uses a kernel module called simfast to forward the packets directly to the network interface driver4. This path is not enabled by default, and requires manual configuration of rules to define which traffic can use it4.
• The Medium Path is used for packets that require content inspection, such as IPS, Anti-Virus, Anti-Bot, URL Filtering, or Application Control1. This path uses SecureXL to accelerate some parts of the inspection, but still involves some processing by the Firewall kernel3. This path is only used for the first few packets of a connection until the application identity is established, and then the connection can be offloaded to the Accelerated Path2.

References: : Control SecureXL / CoreXL Paths - Check Point CheckMates : What is CoreXL & SecureXL – jermsmit.com : R81.x Security Gateway Architecture (Logical Packet Flow) : SecureXL and Application Control Layer - Check Point CheckMates

Comprehensive and Detailed Explanation: The “MAC magic” value, also known as the “Cluster Global ID”, is a mechanism that identifies different clusters on the same network segment. It is used to prevent MAC address conflicts and ensure proper load balancing among cluster members. The “MAC magic” value is a hexadecimal number that is appended to the virtual MAC address of the cluster interface. By default, the “MAC magic” value is set to 1 for all clusters, but it must be changed manually if there is more than one cluster connected to the same VLAN. Otherwise, the clusters will not be able to communicate with each other or with external hosts.

The “MAC magic” value does not need to be modified under the other conditions listed in the question. The firewall cluster can use either Broadcast or Multicast for CCP traffic without affecting the “MAC magic” value. The number of members in a firewall cluster also does not affect the “MAC magic” value, as long as they belong to the same cluster and have the same Cluster Global ID.

References: Verifying Magic Mac - R81.20 - Check Point CheckMates; What is Magic MAC? - Check Point CheckMates; Check Point R81 CLI Reference Guide, page 17; R81 ClusterXL Administration Guide, page 9-10

The verified answer is B. cpinfo.

cpinfo is a command that collects diagnostic data for analyzing a customer setup remotely. It is an auto-updatable utility that runs on the customer’s machine and uploads the data to Check Point servers. The data includes information about the system, the security policy, the objects, and the logs. Check Point support engineers can use the DiagnosticsView utility to open the cpinfo file and view the customer’s configuration and environment settings1.

migrate export is a command that exports the Check Point configuration and database files to a compressed file. It is used for backup and migration purposes, not for remote analysis2.

sysinfo is a command that displays basic information about the system, such as the hostname, the OS version, the CPU model, and the memory size. It does not collect or upload any data to Check Point servers3.

cpv is not a valid command in Check Point.

References:

• Support, Support Requests, Training … - Check Point Software1
• Migrate export - Check Point Software
• sysinfo - Check Point Software

The correct answer is C. CPM (19009), CPMI (18190) https (443).

SmartConsole is a client application that connects to the Security Management Server to manage and configure the security policy and objects. SmartConsole uses three ports to communicate with the Security Management Server1:

• CPM (19009): This port is used for the communication between the SmartConsole client and the Check Point Management (CPM) process on the Security Management Server. The CPM process handles the database operations and the policy installation.
• CPMI (18190): This port is used for the communication between the SmartConsole client and the Check Point Management Interface (CPMI) process on the Security Management Server. The CPMI process handles the authentication and encryption of the SmartConsole sessions.
• https (443): This port is used for the communication between the SmartConsole client and the web server on the Security Management Server. The web server provides the SmartConsole GUI and the SmartConsole extensions.

The other options are incorrect because they either include ports that are not used by SmartConsole or omit ports that are used by SmartConsole.

References:

• SmartConsole R81.20 - Check Point Software1

Which software blade does NOT accompany the Threat Prevention policy? Application Control and URL Filtering software blade does not accompany the Threat Prevention policy. The Threat Prevention policy is a unified policy that includes Anti-virus, IPS, Anti-bot, and Threat Emulation software blades. Application Control and URL Filtering software blade is part of the Access Control policy, which is a separate policy that controls network access based on users, applications, content, and other criteria. References: R81 Security Management Administration Guide, page 29.

The Internal Certificate Authority (ICA) is created during the primary Security Management Server installation process. The ICA is responsible for issuing and managing certificates for all Check Point components in the network. The ICA is automatically installed as an integral part of the Security Management Server and can be managed from SmartConsole. References: R81 Security Management Administration Guide, page 113.

You need to change the MAC-address on eth2 interface of the gateway. The command and the mode that you will use to achieve this goal are set interface eth2 mac-addr 11:11:11:11:11:11; CLISH. This command allows you to change the MAC address of an interface in GAIA, which can be useful for replacing a faulty network card or cloning another device. The command is executed in CLISH mode, which is a shell that provides a menu-based interface for configuring various system settings. To apply the changes, you need to save the configuration and restart the interface. References: Gaia Administration Guide R81, page 31.

 SNX (SSL Network Extender) is a thin VPN client installed on an endpoint user computer that provides secure remote access to a corporate network. It can be used with Mobile Access blade or the IPsec VPN blade via the Mobile Access or SNX portals1. SNX has two modes: Network Mode and Application Mode2.

Network Mode: In this mode, SNX creates a virtual network adapter on the endpoint computer and assigns it an IP address from the internal network. This allows the endpoint computer to access all the resources on the internal network as if it was physically connected to it. Network Mode supports all IP-based applications, including TCP and UDP applications2.

Application Mode: In this mode, SNX does not create a virtual network adapter on the endpoint computer, but instead intercepts the traffic of specific applications and forwards it to the Security Gateway. Application Mode supports only TCP-based applications that are defined in the Mobile Access policy. Application Mode is useful when Network Mode is not supported or when granular control over the applications is required2.

References: : SSL Network Extender : SNX Modes

The command fw unloadlocal removes the current security policy from the local gateway and returns it to its initial state2. This command can be used as a last resort to restore traffic flow through the gateway if the policy is causing problems. The command fw unloadpolicy is not valid, and the commands fwm unload local and fwm unload policy are used to remove policies from remote gateways3. References: 2: Check Point Software, Getting Started, Unloading Security Policies; 3: Check Point Software, Getting Started, Unloading Security Policies from Remote Gateways.

Which command is used to obtain the configuration lock in Gaia? The command that is used to obtain the configuration lock in Gaia is lock database override. This command allows a user to take over the configuration lock from another user who is currently logged in with read/write access. The other user will be forced to logout and will lose any unsaved changes. This command should be used with caution and only when necessary. References: Gaia Administration Guide R81, page 15.

What two ordered layers make up the Access Control Policy Layer? Network and Application Control are the two ordered layers that make up the Access Control Policy Layer. The Network layer controls network access based on source, destination, service, time, etc. The Application Control layer controls application access based on users, groups, applications, content categories, etc. The Network layer is always processed before the Application Control layer. References: R81 Security Management Administration Guide, page 29.

Proxy ARP is a technique that allows a device to respond to ARP requests on behalf of another IP address. Proxy ARP is required for Manual Static NAT when the translated IP address does not belong to one of the firewall’s interfaces. This is because the firewall needs to intercept the packets destined to the translated IP address and forward them to the original IP address after applying the NAT rule. Without Proxy ARP, the packets would not reach the firewall and the NAT would not work. Proxy ARP is not required for Automatic Static NAT or Automatic Hide NAT, because these types of NAT use IP addresses that belong to the firewall’s interfaces. Proxy ARP is also not required for Manual Hide NAT, because this type of NAT does not change the destination IP address of the packets, only the source IP address. References: Check Point R81 Security Management Administration Guide, page 115

 The correct syntax for adding an access-rule via R80 API is to use the add access-rule command with the layer, position, name, and service parameters. The layer parameter specifies the name of the access control policy layer where the rule will be added. The position parameter specifies the ordinal number in which to place the rule in the rulebase. The name parameter specifies the name of the rule. The service parameter specifies one or more services that match this rule. References: [Check Point Security Expert R81 API Reference Guide], page 18.

 A Policy Package is a set of rules and settings that define how a Security Gateway enforces security on traffic that passes through it. A Policy Package can be created on either the Management Server or the Security Gateway, but it must be installed on both to take effect. When a new Policy Package is created on the Management Server, it must be installed on an existing Security Gateway that has a different Policy Package installed. The message below warns the administrator that installing a new Policy Package will overwrite the existing one on the Security Gateway.

The message also advises the administrator to back up their existing configuration before proceeding with the installation.

 Aaron should check API Server status with “api status” from Expert mode. If services are stopped, he should start them with “api start”. This is the correct way to verify and start the API Server on a Security Management Server running Gaia R81.X. The other commands are either invalid or not related to the API Server. The api command is a wrapper script that simplifies the management of the API Server. It can be used to start, stop, restart, status, enable, or disable the API Server. References: [API Server]

 In a Standalone deployment, a Check Point computer runs both the Security Gateway and Security Management Server products. This means that the same appliance performs both network security functions and security policy management functions. A Standalone deployment is suitable for small or branch offices that do not require a separate management server. References: Check Point R81 Installation and Upgrade Guide, page 10

You can switch the active log file by running fw logswitch on the Management Server1. This command closes the current log file and creates a new one2. It is useful for archiving or backing up log files, or for creating a new log file for a specific time period2. You can also schedule the log switch to occur automatically at a regular interval, such as daily, weekly, or monthly2. To run this command, you need to access the Management Server in expert mode and run fw logswitch1. You can also use the SmartView Tracker to switch the active log file from the GUI. To do this, go to the Network & Endpoint tab, click on the File menu, and select Switch Active File…3.

References: How to switch the active log file - Check Point Software, fw logswitch - Check Point Software, Troubleshooting Check Point logging issues when Security Management Server / Log Server is not receiving logs from Security Gateway - Check Point Software

Browser-Based Authentication is an identity awareness method that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Browser-Based Authentication redirects users to a web page where they can enter their credentials and be authenticated by an external server, such as LDAP or RADIUS. After authentication, users can access the Internet and corporate resources according to the security policy rules that apply to their identity.

Browser-Based Authentication is suitable for scenarios where users can use company issued or personal laptops, since it does not require any installation or configuration on the user’s device. It also supports various operating systems and browsers, and can be customized to match the company’s branding.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 9
• Configuring Browser-Based Authentication in SmartConsole
• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 13

 The two high availability modes are New and Legacy. High availability (HA) is a feature that allows you to create a cluster of two or more Security Gateways that act as a single entity to provide redundancy and reliability for your network traffic. HA ensures that if one Security Gateway fails or becomes unavailable, another Security Gateway in the cluster takes over its role seamlessly and continues to process the traffic. HA also provides load balancing and synchronization of the cluster members. The New mode is the recommended mode for HA clusters, as it provides better performance, scalability, and stability than the Legacy mode. The New mode uses the ClusterXL mechanism to manage the cluster members and the state synchronization. The Legacy mode uses the High Availability Security Extension (HASE) mechanism to manage the cluster members and the state synchronization. The Legacy mode is supported for backward compatibility with older versions of Check Point products, but it has some limitations and disadvantages compared to the New mode. 

Mobile Access Portal is a clientless solution that provides secure web access to corporate resources from any device and any browser. Mobile Access Portal uses SSL encryption and authentication to protect the data and the identity of the users. Mobile Access Portal supports various types of web applications, such as webmail, file shares, intranet sites, and web-based applications.

The references are:

• Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 15
• Check Point R81 Mobile Access Blade Administration Guide, page 7
• [Check Point Mobile Access Software Blade]

 SandBlast is the best Check Point product to protect against malware and zero-day attacks while ensuring quick delivery of safe content to your users. SandBlast is an advanced network threat prevention solution that uses a combination of technologies to detect and block known and unknown threats before they reach your network. SandBlast uses Threat Emulation, which is a sandboxing technology that inspects files for malicious behavior in a virtual environment; Threat Extraction, which removes potentially malicious elements from files and delivers clean and safe content to your users; Anti-Bot, which identifies and blocks botnet communications and prevents data exfiltration; Anti-Virus, which scans files for known malware signatures; and IPS, which monitors network traffic for malicious or anomalous patterns. SandBlast also provides comprehensive reports and forensic analysis on the detected threats and their origin and behavior. 

The recommended way to have a redundant Sync connection between the cluster nodes is to use a group of bonded interfaces connected to different switches. In the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management, you should define a dedicated sync interface, only one interface per node.

Hit Count is a feature to track the number of connections that each rule matches, which can help to optimize the Rule Base efficiency and analyze the network traffic behavior. The benefit that is not provided by Hit Count is automatically rearrange Access Control Policy based on Hit Count Analysis. Hit Count does not change the order of the rules automatically, but it allows the administrator to manually move the rules up or down based on the hit count statistics. The administrator can also use the SmartOptimize feature to get suggestions for improving the Rule Base order and performance. References: R81 Security Management Administration Guide, page 97.

 In Advanced Permanent Tunnel Configuration, the life_sign_timeout parameter sets the amount of time the tunnel test runs without a response before the peer host is declared ‘down’. The life_sign_polling_interval parameter sets the interval between each tunnel test packet sent to the peer host.

 One of the requirements for a successful upgrade using the Advanced Upgrade with Database Migration is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. This is to ensure that there is enough space to copy the log files from the source machine to the target machine during the upgrade process. References: Advanced Upgrade with Database Migration

The Advanced Networking Blade is not subscription-based and therefore does not have to be renewed on a regular basis. The Advanced Networking Blade is a software blade that provides advanced routing capabilities for Check Point Security Gateways. It supports dynamic routing protocols such as OSPF, BGP, RIP, and PIM, as well as features such as Policy-Based Routing (PBR), Multicast Routing, and IPv6 support. The Advanced Networking Blade is included in the Next Generation Firewall (NGFW) package and does not require a separate license.

 The most probable reason for the expert password to be no longer valid after a week is that save config was not issued on clish. The clish command set expert-password sets the expert password for the current session only. To make the password persistent, the clish command save config must be issued after setting the expert password2. The other options are not relevant for setting the expert password. References: 2: Check Point Software, Getting Started, Setting Expert Password.

The three types of tracking available for Threat Prevention Policy are Alert, SNMP trap, and Mail. These tracking options can be configured in the Threat Prevention tab of the SmartConsole, under the Policy section. The tracking options determine how the system notifies the administrator of events that match the policy rules. References: Configuring Threat Prevention Policy

Check Point recommends configuring Disk Space Management parameters to delete old log entries when available disk space is less than or equal to a certain threshold. In this case, the correct threshold is specified as option D: 15%.

So, when the available disk space reaches or falls below 15%, old log entries should be deleted to free up space.

Options A, B, and C do not represent the recommended threshold for deleting old log entries according to Check Point's best practices.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The Audit Log is a feature that records all the actions performed by R81 SmartConsole administrators, such as logging in, logging out, publishing, installing policy, creating objects, modifying rules, etc. You can see and search records of action done by R81 SmartConsole administrators by following these steps:

• In SmartConsole, go to Logs & Monitor view.
• In the left pane, select Open Audit Log View.
• In the right pane, you will see a table that shows all the audit log records. You can filter, sort, group, or search the records by using the toolbar options.
• You can also double-click on a record to see more details in a pop-up window. References: R81 Logging and Monitoring Administration Guide

In R81, spoofing is defined as a method of making packets appear as if they come from an authorized IP address. Spoofing can be used by attackers to bypass security policies or hide their identity. Check Point firewalls use anti-spoofing mechanisms to prevent spoofed packets from entering or leaving the network. References: Security Gateway R81 Administration Guide:

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution. References: SandBlast Mobile Architecture

 Check Point Central Deployment Tool (CDT) communicates with the Security Gateway / Cluster Members over Check Point SIC using TCP port 18191 by default. CDT is a tool that allows you to perform simultaneous configuration changes on multiple gateways or clusters using predefined commands or scripts. References: Check Point Central Deployment Tool (CDT)

The CPM process is the core process of the Security Management Server that handles all management operations. It listens to TCP-port 19009 by default. References: CPM process

 Tom will need two machines to install Check Point R81 in a distributed deployment, if he does not include a SmartConsole machine in his calculations. A distributed deployment consists of a Security Management Server that manages one or more Security Gateways. Therefore, Tom will need one machine for the Security Management Server and another machine for the Security Gateway. The other options are either too few or too many machines for a distributed deployment. References: Check Point R81 Installation and Upgrade Guide

SecureXL Templating is a feature that accelerates the processing of packets that belong to the same connection or session by creating a template for the first packet and applying it to the subsequent packets. SecureXL Templating is precluded by factors that prevent the creation of a template, such as source port ranges, encrypted connections, NAT, QoS, etc. References: SecureXL Mechanism

 The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345. 

 Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits. To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features. References: R81 Performance Tuning Administration Guide

 Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default. References: CPM process

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer's configuration and environment settings.

References:

 The inspection point Big l is the first point immediately following the tables and rule base check of a packet coming from outside of the network. It is also the last point before the packet leaves the Security Gateway to the internal network1. The other inspection points are either before or after the rule base check, or in a different direction of traffic flow2. References: Check Point R81 Security Gateway Architecture and Packet Flow, 156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics

Session unique identifiers are passed to the web API using the X-chkp-sid HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations. References: Check Point R81 REST API Reference Guide

The cpinfo tool generates a R81 Security Gateway configuration report that includes information about the hardware, operating system, product version, patches, and configuration settings. References: cpinfo - Check Point Support Center

 You can select the file types that are sent for emulation for all the Threat Prevention profiles. Each profile defines an Inspect or Bypass action for the file types. The Inspect action means that the file will be sent to the Threat Emulation engine for analysis, and the Bypass action means that the file will not be sent and will be allowed or blocked based on other Threat Prevention blades1. The other options are not valid actions for file types in Threat Prevention profiles. References: Check Point R81 Threat Prevention Administration Guide

The correct command to show actual allowed connections in the state table is option B: fw tab –t connections. This command displays the contents of the "connections" table, which contains information about the active connections being tracked by the firewall.

Option A (fw tab –t StateTable) is incorrect as there is no "StateTable" table; it should be "connections."

Option C (fw tab –t connection) is also incorrect, as it should be "connections."

Option D (fw tab connections) is not the correct syntax for the command.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

References: VPN Administration Guide

 Sticky Decision Function (SDF) is required to prevent asymmetric routing in an Active-Active cluster. Asymmetric routing occurs when packets from a source to a destination follow a different path than packets from the destination to the source. This can cause problems with stateful inspection and NAT. SDF ensures that packets from the same connection are handled by the same cluster member1. References: Check Point R81 ClusterXL Administration Guide

The Check Point ThreatCloud is a worldwide collaborative security network that collects and analyzes threat data from millions of sensors, security gateways, and other sources, and delivers real-time threat intelligence and protection to Check Point products. References: Check Point ThreatCloud

PDP is not a valid CPVIEW view. CPVIEW is a command-line tool that shows the status of different system parameters, such as CPU, memory, disk, network, and firewall. The valid views are IDA, RAD, VPN, FW, QoS, and others. PDP is a process that handles identity awareness and authentication. References: Check Point R81 Gaia Administration Guide, Check Point Identity Awareness Administration Guide R81

 You can communicate with the API server using three command sources: SmartConsole GUI Console, mgmt_cli Tool, and Gaia CLI. Web Services are not a command source, but a way to access the API server using HTTP requests. References: Check Point Management APIs

 CPM process stores objects, policies, users, administrators, licenses and management data in a Postgres SQL database. This database is located in $FWDIR/conf and can be accessed using the pg_client command2. The other options are not the correct database type for CPM. References: Check Point R81 Security Management Administration Guide

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

 fwssd is a child process of fwd, which is the firewall daemon that handles policy installation, logging, and state synchronization. cpwd is the watchdog process that monitors and restarts other processes. fwm is the management server process that handles communication with GUI clients. cpd is the infrastructure daemon that handles SIC, licensing, and policy code generation. References: Check Point Processes Cheat Sheet – LazyAdmins, Check Point R81 Gaia Administration Guide, Certified Security Expert (CCSE) R81.20 Course Overview

The SmartEvent component that creates events is the Correlation Unit, which is responsible for correlating and analyzing security events to identify patterns and potential threats.

Option A, "Consolidation Policy," does not create events but is used to configure policies for event consolidation.

Option C, "SmartEvent Policy," is not responsible for creating events but is used to configure policies related to SmartEvent.

Option D, "SmartEvent GUI," is the graphical user interface for managing SmartEvent but does not create events itself.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The least amount of CPU cores required to enable CoreXL is 2. CoreXL is a technology that improves the performance of Security Gateways by using multiple CPU cores to process traffic in parallel. CoreXL requires at least two CPU cores, one for SND (Secure Network Distributor) and one for a Firewall instance. The other options are either too few or too many CPU cores for enabling CoreXL. References: [Check Point R81 SecureXL Administration Guide], [Check Point R81 Performance Tuning Administration Guide]

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member. References: [ClusterXL Administration Guide]

The fw ctl affinity -l -a -r -v command is the most accurate CLI command to get info about assignment (FW, SND) of all CPUs in your SGW. This command displays the affinity settings of all interfaces and processes in a verbose mode, including the Firewall (FW) and Secure Network Distributor (SND) instances. References: CoreXL Administration Guide

The fwd process within the Security Management Server is responsible for the receiving of log records from Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 2571. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks2. References: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet – LazyAdmins

Threat Simulator is not a component of Check Point SandBlast. Check Point SandBlast is a solution that provides advanced protection against zero-day threats using four components: Threat Emulation, Threat Extraction, Threat Cloud, and Threat Prevention. References: Check Point SandBlast Network

On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.

References:

References:

 The API command add host name ip-address  can be used in a script to create 100 new host objects with different IP addresses. This command adds a new host object with the specified name and IP address to the database. The other commands are either not valid or not suitable for creating new host objects. References: Check Point - Management API reference

NAT rules are prioritized in the following order:

• Automatic Static NAT: This is the highest priority NAT rule and it translates the source or destination IP address to a different IP address without changing the port number. It is configured in the network object properties.
• Automatic Hide NAT: This is the second highest priority NAT rule and it translates the source IP address and port number to a different IP address and port number. It is configured in the network object properties.
• Manual/Pre-Automatic NAT: This is the third highest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase before the automatic NAT rules.
• Post-Automatic/Manual NAT rules: This is the lowest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase after the automatic NAT rules.

 Session Rate Acceleration is a SecureXL feature that accelerates the establishment of new connections by bypassing the inspection of the first packet of each session. Session Rate Acceleration ignores the source port information of the packet, as well as the destination port ranges, protocol type, and VPN information. The other packet info is used by Packet Acceleration, which is another SecureXL feature that accelerates the forwarding of subsequent packets of an established connection. References: SecureXL Mechanism

 Connections to the Check Point R81 Web API use the HTTPS protocol. The Web API is a RESTful web service that allows you to perform management tasks on the Security Management Server using HTTP requests. References: Check Point Management APIs

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

References:

Sticky Decision Function (SDF) is a feature that ensures that VPN traffic is handled by the same core on a Security Gateway with multiple CPU cores. This improves the performance and stability of VPN tunnels by avoiding out-of-order packets and reducing encryption overhead. However, the limitation of employing SDF is that acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF. This means that SDF may reduce the overall throughput and scalability of the Security Gateway. Therefore, SDF should be used only when necessary and only on gateways that are dedicated to VPN traffic. References: R81 Performance Tuning Administration Guide

 R81.20 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81. 

Check Point Protect is a lightweight app that can be used to gather and analyze threats to your mobile device. It provides real-time threat intelligence, device posture assessment, and secure browsing protection3. The other applications are either not designed for mobile devices, or do not offer threat analysis features. References: R81 CCSA & CCSE exams released featuring Promo for… - Check Point …, Check Point Protect - Apps on Google Play

Suspicious Activity Rules Solution

Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).

The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity rules are Firewall rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation.

References:

There are four ways to use the Management API for creating host object with R81 Management API: Using Web Services, Using mgmt_cli tool, Using CLISH, and Using SmartConsole GUI console. Events are collected with SmartWorkflow from Trouble Ticket systems is not a correct option. References: Check Point Management APIs

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, "SecurID."

Options A, C, and D are not standard authentication methods for mobile devices in this context.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 For best practices, the recommended time for automatic unlocking of locked admin accounts is 30 minutes at least. Admin accounts can be locked due to failed login attempts, password expiration, or manual locking by another admin. To prevent unauthorized access or brute force attacks, locked admin accounts should not be unlocked automatically too soon. The recommended minimum time for automatic unlocking is 30 minutes, which can be configured from the SmartConsole under Manage > Permissions and Administrators > Advanced > Unlock locked administrators after. 

Running the command fw unloadlocal on the Security Management Server will remove the installed Security Policy from the local firewall module. This command is useful for troubleshooting purposes when there is a problem with the policy installation or enforcement. However, it will also expose the Security Management Server to potential attacks, so it should be used with caution. References: Training & Certification | Check Point Software, R81 CCSA & CCSE exams released featuring Promo for… - Check Point …

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red exclamation mark indicates that one or more blades on the gateway have an issue that needs attention. The issue could be related to configuration, license, policy, or other factors. Deyra can hover over the icon to see more details about the problem. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

A star community is a VPN topology where one or more satellites connect to a center gateway. The center gateway can be a Security Gateway or a Security Management Server. The VPN routing option determines how the traffic is routed between the satellites and the center, and between the satellites themselves. There are three VPN routing options available in a star community12:

• To center only: The satellites can only communicate with the center gateway, and not with each other or with any other VPN targets. This option is useful for remote access clients that only need to access resources on the center gateway.
• To center, or through the center to other satellites, to Internet and other VPN targets: The satellites can communicate with the center gateway, and also with other satellites, Internet hosts, and other VPN targets through the center gateway. This option is useful for branch offices that need to access resources on the center gateway, as well as on other branch offices, Internet hosts, and other VPN targets.
• To center and to other satellites through center: The satellites can communicate with the center gateway, and also with other satellites through the center gateway. However, they cannot communicate with Internet hosts or other VPN targets. This option is useful for branch offices that need to access resources on the center gateway and on other branch offices, but not on Internet hosts or other VPN targets.

Therefore, the options A (To satellites through center only) and D (To center only) are not valid VPN routing options in a star community.

References: 1: Remote Access VPN R81.20 Administration Guide - Check Point Software, page 13 2: Gaia R81.20 Administration Guide - Check Point Software, page 1030

The default commands that appear when right-clicking the IP address, source or destination, in an event in SmartEvent are ping, whois, nslookup, and Telnet. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent has a feature that allows administrators to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands that can be executed on the IP address of the active cell. The default commands are ping, whois, nslookup, and Telnet. Ping is a command that tests the connectivity and latency between two hosts by sending packets and measuring the response time. Whois is a command that queries a database for information about the owner and registrar of a domain name or an IP address. Nslookup is a command that queries a DNS server for information about a domain name or an IP address, such as its IP address, name server, mail server, etc. Telnet is a command that establishes a remote connection to another host using the Telnet protocol. 

The kind of information that you would expect to see using the sim affinity command is network interfaces and core distribution used for CoreXL. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The sim affinity command can show which network interfaces and SecureXL instances are bound to which CPU cores, and allow administrators to change the affinity settings.

The correct statement about Security Gateway and Security Management Server failover in Check Point R81.X in terms of Check Point Redundancy driven solution is: Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure. Security Gateway failover is a feature that allows a cluster of Security Gateways to provide high availability and load balancing for network traffic. If one Security Gateway fails or becomes unreachable, another Security Gateway in the cluster automatically takes over its role and handles the traffic without interrupting the service. Security Management Server failover is a feature that allows a backup Security Management Server to take over the role of the primary Security Management Server in case of failure or disaster. However, this feature requires manual intervention to activate the backup server and restore the database from a backup file. 

 The order of NAT priorities is determined by the type of NAT rule that is applied to the traffic. There are three types of NAT rules in Check Point: static NAT, IP pool NAT, and hide NAT12.

• Static NAT: This type of NAT rule maps a single IP address to another single IP address. It is usually used to allow external hosts to access internal servers or devices. Static NAT has the highest priority among the NAT rules, and it is applied before the security policy is enforced12.
• IP pool NAT: This type of NAT rule maps a range of IP addresses to another range of IP addresses. It is usually used to balance the load among multiple servers or devices. IP pool NAT has the second highest priority among the NAT rules, and it is applied after the security policy is enforced12.
• Hide NAT: This type of NAT rule hides a group of IP addresses behind a single IP address or an interface. It is usually used to allow internal hosts to access external resources. Hide NAT has the lowest priority among the NAT rules, and it is applied after the security policy is enforced12.

Therefore, the order of NAT priorities is: static NAT, IP pool NAT, hide NAT.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 209 2: Check Point R81 Security Engineering Guide - Check Point Software, page 163

The command that would show the API server status is api status. API stands for Application Programming Interface, and it is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. API status is a command that shows the current status of the API server, such as whether it is enabled or disabled, running or stopped, listening on which port, using which certificate, etc. The other commands are either invalid or perform different functions. 

The port that the CPM process runs on is TCP 19009. CPM stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. CPM is responsible for managing policies, objects, logs, tasks, and other management functions. CPM listens on TCP port 19009 for incoming connections from SmartConsole clients. The other ports are either used by other processes or not related to CPM. 

The NAT rules that are prioritized first are Manual/Pre-Automatic NAT. NAT stands for Network Address Translation, and it is a feature that allows Security Gateways to modify the source or destination IP addresses or ports of packets that pass through them. NAT rules are the rules that define how NAT is applied to traffic that matches certain criteria. There are three types of NAT rules: Manual/Pre-Automatic NAT, Automatic NAT, and Manual/Post-Automatic NAT. Manual/Pre-Automatic NAT rules are the rules that are manually created by administrators and placed before the automatic NAT rules in the rulebase. These rules have the highest priority and are processed first by the Security Gateway. Automatic NAT rules are the rules that are automatically generated by the Security Gateway based on the NAT properties of network objects. These rules have the second highest priority and are processed after the manual/pre-automatic NAT rules. Manual/Post-Automatic NAT rules are the rules that are manually created by administrators and placed after the automatic NAT rules in the rulebase. These rules have the lowest priority and are processed last by the Security Gateway. 

 What can cause Vanessa unnecessary problems, if she didn’t check all requirements for migration to R81, is missing an installed R77.20 Add-on on Security Management Server. R77.20 Add-on is a package that adds new features and enhancements to R77 Security Management Server, such as support for new appliances, Gaia OS features, VPN features, etc. One of the requirements for migrating to R81 from R77 Security Management Server is to have R77.20 Add-on installed on the server. If Vanessa did not check this requirement and tried to migrate without R77.20 Add-on, she would encounter errors and failures during the migration process. The other options are either not relevant or not problematic for migration to R81. 

The “fw monitor” tool can be best used to troubleshoot network traffic issues. Fw monitor is a tool that allows administrators to capture packets at different inspection points in the Firewall kernel, and apply filters and flags to analyze the traffic. Fw monitor can help troubleshoot network connectivity problems, packet drops, NAT issues, VPN issues, and more. The other options are either not related or less suitable for fw monitor.

 The TCP/IP model is a four-layer model that describes how data is transmitted over a network. The four layers are: Application, Transport, Internet, and Network Access. The Application layer provides services and protocols for applications to communicate with each other. The Transport layer provides reliable or unreliable data delivery between hosts. The Internet layer provides routing and addressing of packets across networks. The Network Access layer provides physical and logical access to the network media. References: Training & Certification | Check Point Software, Check Point Resource Library

To change the number of firewall instances used by CoreXL, the cpconfig command must be used, followed by a reboot. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The number of firewall instances determines how many cores are dedicated to CoreXL. The cpconfig command allows the administrator to configure various settings on the Security Gateway, including the number of firewall instances. After changing this setting, a reboot is required for the changes to take effect. The other commands are either incorrect or do not require a reboot.

 According to the Check Point website, Whitelist Files is the tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. Whitelist Files can be configured in SmartConsole under Threat Prevention > Policy > Whitelist Files. The other tools are either not related or not valid tools. References: Whitelist Files

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

ThreatCloud is a collaboration platform for all the Check Point customers to share information about malicious and benign files that all of the customers can benefit from as it makes emulation of known files unnecessary. ThreatCloud is a cloud-based service that collects and analyzes threat intelligence from multiple sources, such as Check Point products, third-party vendors, open sources, and customers. ThreatCloud provides real-time updates and feeds to Check Point products, such as SandBlast, which is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment. By integrating with ThreatCloud, a Threat Emulation appliance can benefit from the shared information about malicious and benign files, and avoid emulating files that are already known to be safe or harmful. This can improve the performance and efficiency of the Threat Emulation appliance. The other options are either incorrect or not relevant to ThreatCloud or Threat Emulation. 

The responsibility of SOLR process on R81.20 management server is to generate indexes of data written to the database. SOLR is an open source search platform that provides fast and scalable indexing and querying capabilities. SOLR is used by the R81.20 management server to index data such as logs, objects, policies, tasks, and events, and to enable quick and efficient searches on this data by SmartConsole and SmartView applications. 

 In the Firewall chain mode FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. FFF is one of the predefined chain modes that applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources. 

 For Stateful Mode configuration, chain modules marked with 2 will not apply. Stateful Mode configuration is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. Chain modules are firewall kernel modules that perform various security functions, such as VPN, IPS, QoS, etc. Each chain module is associated with a key, which specifies the type of traffic applicable to the chain module. The key can be one of the following values: 0 for all packets, 1 for stateful packets, 2 for stateless packets, and 3 for no match packets. For Stateful Mode configuration, only chain modules with key 0 or 1 will apply, as they handle all packets or stateful packets. Chain modules with key 2 will not apply, as they handle stateless packets, which are not relevant for Stateful Mode configuration.

 The Logs and Monitor tab is used to monitor network and security performance in SmartConsole. The Logs and Monitor tab lets you view and analyze logs, events, reports, and alerts from various sources, such as Security Gateways, Security Management Servers, Endpoint Security Servers, and SmartEvent Servers. You can also use the Logs and Monitor tab to create custom views, filters, queries, and charts to display the data that is relevant to your needs12.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 23 2: Check Point R81 SmartConsole User Guide - Check Point Software, page 9

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. The option that can be added to each Log, Detailed Log and Extended Log is Accounting/Suppression. Accounting/Suppression is a feature that allows administrators to control how often logs are generated for certain rules or connections. Accounting means that logs are generated periodically based on a specified interval or volume. Suppression means that logs are generated only for the first and last packet of a connection or session. Accounting/Suppression can be added to any tracking option to reduce the number of logs and save disk space.

AppWiki is the Check Point feature that enables application scanning and the detection. AppWiki is an easy to use tool that lets you search and filter Check Point’s Web 2.0 Applications Database to find out information about internet applications, including social network widgets; filter by a category, tag, or risk level; and search for a keyword or application1. AppWiki helps you to identify and control the applications on your network, and to apply granular policies based on the application type, risk, and characteristics1. AppWiki is integrated with the Check Point Application Control Software Blade, which provides the industry’s strongest application security and identity control to organizations of all sizes1.

References: 1: AppWiki | Check Point Software

The command that shows the status of processes is cpwd_admin list. Cpwd_admin is a command that allows administrators to manage processes that are registered with the Check Point WatchDog (CPWD) daemon. CPWD is a daemon that monitors the health of critical processes on the Security Gateway or Management Server, and restarts them if they fail or stop responding. Cpwd_admin list shows the process name, PID, status, start time, monitor status, and number of restarts for each process registered with CPWD. 

 For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

 In ClusterXL Load Sharing Multicast Mode, every member of the cluster receives all of the packets sent to the cluster IP address. This mode uses multicast MAC addresses to distribute packets to all cluster members. Each member decides whether to accept or reject the packet based on a load balancing algorithm. This mode provides better performance and scalability than Unicast mode, but requires a switch that supports multicast MAC addresses. 

The default port used by the AMON server when using CPSTAT is 18192. CPSTAT is a command-line tool that allows administrators to monitor various statistics and status information about Check Point products and components, such as CPU usage, memory usage, policy installation, cluster state, etc. CPSTAT uses AMON (Advanced Monitoring) protocol to communicate with AMON server, which is a daemon that runs on Security Gateways or Management Servers and collects and provides AMON data. By default, AMON server listens on TCP port 18192 for incoming CPSTAT requests.

 The first thing that must be done if “fwm sic_reset” could not be completed is to change internal CA via cpconfig. Fwm sic_reset is a command that allows administrators to reset Secure Internal Communication (SIC) between Security Management Server and Security Gateways or other Check Point modules. SIC is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). If fwm sic_reset fails, it means that there is a problem with the ICA or the certificates that prevents SIC from being reset. To resolve this problem, administrators need to change internal CA via cpconfig, which is a command that allows administrators to configure various settings on Security Gateways or Management Servers, including the ICA. Changing internal CA via cpconfig will create a new ICA with a new certificate, and allow SIC to be reset with the new certificate.

 The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”.cap"number of captures". This is a feature of CPView that allows the user to capture the current page for later analysis or troubleshooting. The file is saved in the /var/log directory on the Security Gateway. References: Check Point Resource Library, page 3.

According to the Check Point R81 training course, the Proxy ARP feature for Manual NAT in R81.20 requires the configuration of the local.arp file on the Security Gateway. This file contains the mapping of IP addresses to MAC addresses for NATed hosts. The other options are either incorrect or irrelevant. References: Certified Security Expert (CCSE) R81.20 Course Overview

According to the Check Point website, SmartUpdate is the application that should be used to install a contract file. A contract file contains information about the licenses and services that are purchased from Check Point. SmartUpdate can also be used to install software packages and patches on Security Gateways and Management Servers. The other applications are either not relevant or not capable of installing a contract file. References: SmartUpdate

 The file that contains the host address to be published, the MAC address that needs to be associated with the IP address, and the unique IP of the interface that responds to ARP request is $FWDIR/conf/local.arp. Local.arp is a configuration file that defines static ARP entries for hosts behind NAT devices. This file allows the Security Gateway to respond to ARP requests for NATed hosts with the correct MAC address, and to publish the NATed IP address instead of the real IP address. The other files are either not related or not valid. 

The SmartEvent R81 Web application for real-time event monitoring is called SmartEventWeb. SmartEventWeb is a web-based interface that allows administrators to view and analyze security events from various sources, such as logs, reports, incidents, and indicators. SmartEventWeb provides dashboards, widgets, filters, and drill-down options to help administrators gain insights into their security posture. The other options are either incorrect or refer to different applications.

References:

The Software Container is a logical component in the Software Blade Architecture. There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security. The container enables the server functionality, and defines its purpose – e.g, management or gateway.

According to the Check Point website, Capsule Connect and Capsule Workspace both offer secured connection for remote users who are using their mobile devices. However, there are differences between the two. For credential protection, Connect uses One-time Password login support and has no SSO support, whereas Workspace offers both One-Time Password and certain SSO login support. The other statements are either false or partially true. References: Capsule Connect and Capsule Workspace

 UserCheck is a communication tool used to inform a user about a website or application they are trying to access. UserCheck allows administrators to interact with users in real time, informing them of the security policy and the actions they need to take. UserCheck can also enable users to self-remediate incidents or request exceptions from the administrator. References: Training & Certification | Check Point Software, Check Point Resource Library

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

With SecureXL enabled, accelerated packets will pass through the following: Network Interface Card and the Acceleration Device. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. Accelerated packets are packets that match certain criteria and can be handled by SecureXL without involving the Firewall kernel. These packets bypass the OSI Network Layer, OS IP Stack, and Check Point Firewall Kernel, and are processed directly by the Network Interface Card and the Acceleration Device. The other options are either incorrect or describe non-accelerated packets. 

 To set the IP address and default gateway of the Management interface on a Check Point appliance, you can use the following commands:

• set interface Mgmt ipv4-address 192.168.80.200 mask-length 24 - This command sets the IPv4 address of the Management interface to 192.168.80.200 and the subnet mask to 255.255.255.0 (24 bits).
• set static-route default nexthop gateway address 192.168.80.1 on - This command sets the default gateway to 192.168.80.1 and enables the static route.
• save config - This command saves the configuration changes to the appliance.

These commands are documented in the Check Point appliance initial installation guide, which you can find in the web search results.

The other options are incorrect because they use invalid syntax or parameters for the commands. For example, option B uses add static-route instead of set static-route, option C uses 0.0.0.0. instead of 0.0.0.0, and option D uses add static-route default instead of set static-route default.

The Access Control policy supports two policy layers. These are the Network layer and the Application & URL Filtering layer. The Network layer contains rules that control the network traffic based on the source, destination, service, and action. The Application & URL Filtering layer contains rules that control the application and web access based on the application, site category, and user identity12.

The Access Control policy can also use inline layers, which are sub-policies that are embedded within a rule. Inline layers allow more granular control over specific traffic or scenarios, such as VPN, Mobile Access, or different user groups13. However, inline layers are not considered as separate policy layers, but rather as extensions of the parent rule4.

Therefore, the correct answer is A. The Access Control policy supports two policy layers.

References:

• 1, Policy Layers in R80.x - Check Point CheckMates
• 2, Access Control policies, layers, and rules | Check Point Firewall …
• 3, Chapter 8: Introduction to Policies, Layers, and Rules - Check Point …
• 4, Creating an Access Control Policy - Check Point Software

Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services. You can use an API to:

• Use an automated script to perform common tasks

• Integrate Check Point products with 3rd party solutions

• Create products that use and enhance the Check Point solution

References:

According to the Check Point website, you can use the pre_upgrade_verifier tool to verify if your management server is ready to upgrade to R81.20. This tool checks the compatibility of your current configuration and database with the target version, and provides a detailed report of any issues or warnings. The other tools are either used for exporting or importing databases, or not valid tools. References: Upgrade Verification Service

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is three. One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members. This configuration provides optimal performance and security for Mobile Access traffic. 

 Log Consolidator is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

 One of the requirements for Joey’s success in upgrading from R75.40 to R81 version of Security management using Advanced Upgrade with Database Migration method is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. Advanced Upgrade with Database Migration method is a procedure that allows administrators to upgrade their Security Management Server to a newer version by migrating their database from an older version to a new machine with a fresh installation of the newer version. One of the steps in this procedure is to copy the /var/log folder from the source machine to the target machine, which contains important log files and configuration files. To ensure that there is enough disk space on the target machine for this operation, it is required that the size of the /var/log folder on the target machine must be at least 25% of the size of the /var/log folder on the source machine. 

 According to the Check Point R81 training course, the medium path is available only when CoreXL is enabled. CoreXL is a performance-enhancing technology that allows multiple CPU cores to process traffic simultaneously. The medium path handles packets that require deeper inspection or content awareness, such as IPS, Anti-Virus, or URL Filtering. The other paths are either available regardless of CoreXL or not valid terms. References: Certified Security Expert (CCSE) R81.20 Course Overview