Checkpoint 156-315.81 Check Point Certified Security Expert R81 Exam Practice Test

The best log filter to see only the IKE Phase 2 agreed networks for both gateways is B. action:“Key Install” AND 1.1.1.1 AND Quick Mode1. This filter will show you the logs that indicate the successful establishment of IKE Phase 2, which is also known as Quick Mode2. In this phase, the Security Gateway and the remote gateway negotiate the IPSec Security Associations (SAs) and exchange the encryption keys for the VPN tunnel2. The action:“Key Install” field shows that the SAs were installed successfully3. The 1.1.1.1 field shows that the logs are related to the remote gateway with that IP address3. The Quick Mode field shows that the logs are related to IKE Phase 2, as opposed to Main Mode, which is IKE Phase 13. To use this filter, you need to go to SmartConsole, open SmartLog, and enter the filter expression in the search box3.

References: How to troubleshoot VPN issues with IKEVIEW tool - Check Point Software, IPsec and IKE - Check Point Software, SmartLog R81.20 Administration Guide - Check Point Software

 The Threat Prevention software components available on the Check Point Security Gateway are IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. These components provide comprehensive protection against various types of cyber threats, such as network attacks, malware, ransomware, phishing, zero-day exploits, data leakage, and more. IPS is a network security component that detects and prevents malicious traffic based on signatures, behavioral patterns, and anomaly detection. Anti-Bot is a network security component that detects and blocks botnet communications and command-and-control servers. Anti-Virus is a network security component that scans files for known viruses, worms, and trojans. Threat Emulation is a network security component that emulates files in a sandbox environment to detect unknown malware and prevent zero-day attacks. Threat Extraction is a network security component that removes malicious content from files and delivers clean files to users. References: [Check Point R81 Threat Prevention Administration Guide], page 9-10

CoreXL is a technology that improves the performance of the Security Gateway by utilizing multiple CPU cores for processing traffic. CoreXL creates multiple instances of the firewall kernel (fwk) that run in parallel on different CPU cores. The number of kernel instances can be configured using the cpconfig command on the Security Gateway3. The minimum number of CPU cores required to enable CoreXL is 2, as one core is reserved for SND (Secure Network Distributor) and one core is used for running a kernel instance4. If the Security Gateway has only one CPU core, CoreXL cannot be enabled. Therefore, the correct answer is C.

References: 3: CoreXL Administration Guide 4: [CoreXL Frequently Asked Questions (FAQ)]

The command “ps aux | grep twd” is used to check the process ID and the processing time of the twd process on the Security Gateway. The ps command displays information about the active processes on the system. The aux option shows all processes for all users, including those without a controlling terminal. The grep command filters the output of the ps command by searching for the pattern “twd”, which is the name of the process that handles VPN traffic encryption and decryption1. The output of the command shows the process ID, CPU usage, memory usage, start time, and other details of the twd process2. Therefore, the correct answer is A.

References: 1: [Check Point Processes and Daemons] 2: [How to troubleshoot VPN issues with cpview utility]

 The command ‘fw sam -I dport 22’ will delete all of the SSH connections of a gateway by adding a temporary rule to the Security Policy that blocks traffic with destination port 22. The other commands are not valid or do not have the same effect. References: Check Point R81 Command Line Interface Reference Guide, page 101.

The valid authentication methods for mutual authenticating the VPN gateways are Pre-shared Secret and PKI Certificates. Pre-shared Secret is a method that uses a secret key that is known only to the two VPN gateways. PKI Certificates is a method that uses digital certificates that are issued by a trusted Certificate Authority (CA) and contain the public key of each VPN gateway. Both methods ensure that the VPN gateways can verify each other’s identity before establishing a secure VPN tunnel. References: [Check Point R81 VPN Administration Guide]

The lock symbol in the left column of the rule means that another user has locked the rule for editing. This is to prevent multiple users from editing the same rule at the same time and causing conflicts. References: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics-TP-Policy/TP-Policy-Edit-Rules.htm

 The best sync method in the ClusterXL deployment is to use one dedicated sync interface. This means that one interface on each cluster member is used exclusively for synchronization traffic, which improves performance and security. Using multiple clusters or sync interfaces is not recommended, as it can cause network congestion or synchronization issues. References: : Check Point Resource Library, Certified Security Expert (CCSE) R81.20 Course Overview, page 8.

VLAN Tag is not an attribute of packet acceleration. Packet acceleration is a feature of SecureXL that allows certain packets to bypass the Firewall kernel and be processed by a more efficient mechanism. Packet acceleration is based on templates that match packets based on four attributes: Source IP address, Destination IP address, Protocol, and Destination port. If a packet matches an existing template, it is accelerated; otherwise, it is sent to the Firewall path for inspection. References: [SecureXL Mechanism]

 The action that is not supported in UserCheck objects is Reject. UserCheck objects in the Application Control and URL Filtering rules allow the gateway to communicate with the users and display messages or requests on their browsers. The supported actions in UserCheck objects are Ask, Inform, Block, and Continue. The Ask action prompts the user to confirm or cancel an action. The Inform action notifies the user about an event or a policy. The Block action prevents the user from accessing a resource or performing an action. The Continue action allows the user to access a resource or perform an action after displaying a message. References: [UserCheck]

 The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities. This option lets you specify which VPN communities are allowed or denied by the rule. A VPN community is a group of VPN gateways or hosts that share the same VPN policy and keys. You can create different types of VPN communities, such as star, meshed, or remote access, depending on your network topology and security requirements. You can also use tags to group VPN gateways or hosts into logical categories. 

 Certificate Authority (CA) is a service that issues and manages digital certificates for secure communication between Check Point components. CA can be installed on a Security Management Server or on a dedicated server. CA can be configured as primary or secondary in a High Availability cluster. The cpconfig command is used to run the Check Point Configuration Tool on Gaia OS, which allows users to configure various settings for Check Point products. One of the configuration options is Certificate Authority, which shows if CA is installed on the server and if it is primary or secondary5. Therefore, Alice needs to look for this option to check the CA status.

References: 5: cpconfig

 The command that may impact performance briefly and should not be used during heavy traffic times of day is fw tab -t connections. This command displays all the entries in the connections table, which can be very large and consume a lot of CPU resources. The other commands are less intensive and can be used safely. The command fw tab -t connections -s displays only the statistics of the connections table, such as number of entries, peak size, etc. The command fw tab -t connections -c clears all the entries in the connections table. The command fw tab -t connections -f displays only the entries that match a filter expression. References: [fw tab Command]

 The multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for VRRP is 224.0.0.18. This is a reserved multicast address that is used by VRRP routers to communicate with each other and announce their priority and state. Firewall policies must be configured to accept VRRP packets on the Gaia platform if it runs Firewall software. Otherwise, VRRP packets will be dropped by default. References: [Configuring VRRP on Gaia]

 The lowest supported version of the Security Management that can be upgraded to R81.X is R75 Gaia. This means that the Security Management Server must be running on the Gaia Operating System and have a version of R75 or higher. R76 Splat, R77.X Gaia, and R75 Splat are not supported for upgrading to R81.X1. References: 1: Check Point Software, Getting Started, Supported Upgrade Paths.

Captive Portal is a feature of Identity Awareness Software Blade that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Captive Portal redirects users to a web page where they can enter their credentials and be authenticated by an external server, such as LDAP or RADIUS. After authentication, users can access the Internet and corporate resources according to the security policy rules that apply to their identity.

The references are:

• Check Point R81 Identity Awareness Administration Guide, page 9
• Configuring Browser-Based Authentication in SmartConsole

The command fw ctl debug 0 will reset the kernel debug options to default settings. This command will disable all the debug flags and clear the debug buffer. It is recommended to use this command before and after performing a kernel debug, to avoid any interference or confusion with other debug outputs. The command fw ctl debug 0 is also equivalent to fw ctl debug -buf 0.

References:

• Best Practices - HTTPS Inspection - Check Point Software, section “How to perform a Kernel Debug”
• LOGGINGAND MONITORING R81 - Check Point Software, page 104

The Log “Views” tab shows the details of a selected log when SmartEvent is correlating events. You can select a log from the Logs tab and click on the Views tab to see more information about the log, such as source, destination, service, action, blade, rule number, etc. You can also customize the columns and filters in the Views tab to display only the relevant fields for your analysis. References: [SmartEvent User Guide]

 CPUSE (Check Point Upgrade Service Engine) is a tool that allows users to download, import, install, and uninstall software packages on Gaia OS. CPUSE has a web-based user interface that can be accessed through Gaia Portal. CPUSE offers four package options in the web GUI for different purposes4:

• Clean Install - This option performs a clean installation of a Major Version package, which erases all existing configuration and data on the system.
• Export Package - This option exports a package from CPUSE repository to an external location for backup or transfer purposes.
• Upgrade - This option performs an upgrade of a Major Version package or a Minor Version package, which preserves the existing configuration and data on the system.
• Database Conversion - This option converts the database schema of a Major Version package to match the current version.

Therefore, the correct answer is B.

References: 4: CPUSE - Gaia Deployment Agent

Cluster Synchronization is a mechanism that allows cluster members to share state information and maintain a consistent security policy. Cluster Synchronization uses two types of synchronization: Full Synchronization and Delta Synchronization. Full Synchronization transfers the entire Security Policy and state tables from one cluster member to another. Delta Synchronization transfers only the changes in the state tables. Cluster Synchronization uses two services for communication: TCP port 256 (CPHA) for Full Synchronization and UDP port 8116 for Delta Synchronization3. Therefore, the correct answer is A.

References: 3: Cluster Synchronization

The pre-defined Permission Profile that should be assigned to an administrator that requires full access to audit all configurations without modifying them is Read Only All. This profile grants read-only access to all features and blades in SmartConsole, including logs and reports. This profile is suitable for auditors who need to review the security policy and settings, but not change them. References: R81 Security Management Administration Guide, page 57.

 If the action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet. This is because the Drop action is a final action that terminates the rule matching process and discards the packet. The gateway does not continue to check rules in the next Policy Layer down or in other enabled policies. References: [Policy Layers and Sub-Policies]

https://s c1.checkpoint.com/documents/R81/CP_R81_SecMGMT/html_frameset.htm?topic=documents/R81/CP_R81_SecMGMT/126197

 To override Bob’s configuration database lock, Alice can use the command lock database override in the clish shell. This command will transfer the lock from Bob to Alice and allow her to make the urgent configuration changes. However, this command should be used with caution, as it may cause conflicts or inconsistencies if Bob and Alice are working on the same objects or policies. It is recommended to communicate with other administrators before using this command and to release the lock as soon as possible after finishing the changes1. The other commands are not valid in clish and will result in an error message.

 Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. Permanent VPN tunnels are always active and prevent VPN tunnel negotiation failures due to idle time or traffic volume. You can configure permanent VPN tunnels in SmartConsole by selecting the Permanent Tunnel option in the VPN Community Properties window.

The two ClusterXL Deployment options are Distributed and Full High Availability. Distributed deployment means that each cluster member has its own Security Management Server and synchronizes with other members. Full High Availability deployment means that one cluster member is active and handles all traffic, while the other members are in standby mode and ready to take over in case of a failure. The other options are not valid ClusterXL Deployment options, but rather ClusterXL Modes or ClusterXL Load Sharing Methods. References: [Check Point Security Expert R81 ClusterXL Administration Guide], page 6.

The Hit Count feature allows tracking the number of connections that each rule matches, regardless of the Track option set for the rule. When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways and displays it in SmartConsole. You can use the Hit Count feature to optimize your rule base by identifying unused or rarely used rules, or rules that match too many connections. 

 The attribute that is not used for identifying a connection by packet acceleration (SecureXL) is TCP Acknowledgment Number. SecureXL identifies connections by using a hash function that takes into account the following attributes: source address, destination address, source port, destination port, protocol, and VPN ID. The TCP Acknowledgment Number is not part of the hash function and does not affect the connection identification. References: [SecureXL Mechanism]

https //sc1.checkpoint.com/documents/R77/CP R77_Firewall_WebAdmm/92711.htm

 The possible Automatic Reactions in SmartEvent are Mail, SNMP Trap, Block Source, Block Event Activity, and External Script1. Automatic Reactions are actions that SmartEvent can perform automatically when a specific event occurs2. They can help you respond quickly and efficiently to security incidents and threats2. The Automatic Reactions are1:

• Mail: This reaction sends an email notification to a specified recipient with the details of the event. You can customize the subject and the body of the email, and use variables to include relevant information.
• SNMP Trap: This reaction sends an SNMP trap to a specified SNMP server with the details of the event. You can customize the OID and the community string of the trap, and use variables to include relevant information.
• Block Source: This reaction blocks the source IP address of the event from accessing your network for a specified duration. You can choose to block the source on all gateways or on specific gateways. You can also choose to block the source on a specific port or service.
• Block Event Activity: This reaction blocks the specific activity that triggered the event from occurring again for a specified duration. You can choose to block the activity on all gateways or on specific gateways. You can also choose to block the activity on a specific port or service.
• External Script: This reaction runs an external script on a specified server with the details of the event as arguments. You can use any script that can be executed by the operating system of the server, such as bash, perl, python, etc. You can use variables to include relevant information in the script arguments.

References: SmartEvent R81.20 Administration Guide - Check Point Software, SmartEvent - Check Point Software

Multi-Version Cluster Upgrade (MVCLU) is a feature that allows you to upgrade a cluster of Security Gateways from one major version to another, without downtime1. MVCLU supports upgrading a cluster that runs on different versions, as long as the versions are compatible with the destination version1. The number of versions, besides the destination version, that are supported in a MVCLU depends on the destination version. For example, if the destination version is R81, then MVCLU supports up to three versions besides R81, which are R80.40, R80.30, and R80.202. Therefore, the correct answer is B, as three versions are supported in a MVCLU besides the destination version.

References: 1: ClusterXL upgrade methods and paths - Check Point Software 2: Check Point R81 - Check Point Software

The recommended way to have a redundant Sync connection between the cluster nodes is to use a group of bonded interfaces connected to different switches. In the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management, you should define a dedicated sync interface, only one interface per node.

After verifying that API Server is not running, you can start the API Server by running the command “api start” in Expert mode. This command will start the API Server process (cpm_api) and enable it to run automatically after reboot. You can also use the command “api enable” to enable the API Server without starting it immediately. The other commands are either incorrect or not related to the API Server. The set api command is used in CLISH mode to configure API settings, such as port, domain, or certificate. The mgmt_cli command is used in Expert mode to execute API commands, such as login, logout, show, set, etc. References: [API Server]

 The Full Log tracking option includes more information than the Log tracking option, such as the data type of the traffic. The data type indicates the type of content that was transferred, such as text, image, video, or audio. The data type can be used for filtering and reporting purposes. The Log tracking option only includes basic information, such as source, destination, service, action, and time.

 SandBlast is the best Check Point product to protect against malware and zero-day attacks while ensuring quick delivery of safe content to your users. SandBlast is an advanced network threat prevention solution that uses a combination of technologies to detect and block known and unknown threats before they reach your network. SandBlast uses Threat Emulation, which is a sandboxing technology that inspects files for malicious behavior in a virtual environment; Threat Extraction, which removes potentially malicious elements from files and delivers clean and safe content to your users; Anti-Bot, which identifies and blocks botnet communications and prevents data exfiltration; Anti-Virus, which scans files for known malware signatures; and IPS, which monitors network traffic for malicious or anomalous patterns. SandBlast also provides comprehensive reports and forensic analysis on the detected threats and their origin and behavior. 

Vanessa is expecting a very important Security Report. The Document should be sent as an attachment via e-mail. An e-mail with Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only few lines of text are in it. The report is missing some graphs, tables and links.

The component of SandBlast protection that her company is using on a Gateway is SandBlast Threat Extraction. SandBlast Threat Extraction is a software blade that provides protection against malicious files by removing potentially risky elements, such as macros, embedded objects, scripts, etc. The sanitized files are delivered to the users with a notification about the removed elements. SandBlast Threat Extraction can also reconstruct the original files after they are scanned by SandBlast Threat Emulation, which is another software blade that provides protection against malicious files by emulating them in a virtual sandbox and analyzing their behavior. References: R81 Threat Prevention Administration Guide, page 37.

 The correct syntax to add a new host named “emailserver1” with IP address 10.50.23.90 using GAiA Management CLI is mgmt_cli add host name "emailserver1" ip-address 10.50.23.90. The name and ip-address parameters are required and must be enclosed in double quotes. The other options are missing the double quotes or have incorrect parameter names1. References: 1: Check Point Software, Getting Started, Adding a Host.

Authentication rules are defined for user groups, not individual users or all users in the database. Authentication rules allow you to control which user groups can access specific resources or services through the Security Gateway. You can define different authentication methods and schemes for different user groups, such as Check Point Password, OS Password, RADIUS, TACACS, SecurID, LDAP, or Certificate. You can also define different session timeouts and source restrictions for different user groups. Authentication rules are processed before the network access rules in the rule base.

Active-Active is not a cluster mode. Active-Active is a cluster configuration where both members are active and handle traffic simultaneously. However, this configuration is only supported for VSX clusters, not for regular clusters. The cluster modes for regular clusters are High Availability (HA), Load Sharing Unicast, and Load Sharing Multicast. References: [Check Point Security Expert R81 ClusterXL Administration Guide], page 7.

The correct answer is C. CPM (19009), CPMI (18190) https (443).

SmartConsole is a client application that connects to the Security Management Server to manage and configure the security policy and objects. SmartConsole uses three ports to communicate with the Security Management Server1:

• CPM (19009): This port is used for the communication between the SmartConsole client and the Check Point Management (CPM) process on the Security Management Server. The CPM process handles the database operations and the policy installation.
• CPMI (18190): This port is used for the communication between the SmartConsole client and the Check Point Management Interface (CPMI) process on the Security Management Server. The CPMI process handles the authentication and encryption of the SmartConsole sessions.
• https (443): This port is used for the communication between the SmartConsole client and the web server on the Security Management Server. The web server provides the SmartConsole GUI and the SmartConsole extensions.

The other options are incorrect because they either include ports that are not used by SmartConsole or omit ports that are used by SmartConsole.

References:

• SmartConsole R81.20 - Check Point Software1

To enable VMAC Mode in ClusterXL, you need to go to Cluster Object -> Edit -> ClusterXL and VRRP -> Use Virtual MAC. VMAC Mode is a feature that allows ClusterXL to use a virtual MAC address for cluster interfaces instead of physical MAC addresses. This simplifies the cluster configuration and avoids issues with MAC address flapping or spoofing on switches. References: [VMAC Mode]

 SmartEvent uses its event policy to identify events. The event policy can be customized by matching logs against event rules. Event rules define the conditions and actions for generating events. You can create, edit, delete, enable, or disable event rules in the SmartEvent Policy tab of the SmartConsole. References: [SmartEvent Administration Guide]

 You are the administrator for ABC Corp. You have logged into your R81 Management server. You are making some changes in the Rule Base and notice that rule No.6 has a pencil icon next to it.

This means that rule No.6 has been marked for editing in your Management session. In R81, every administrator works in a session that is independent of other administrators. Changes made by one administrator are not visible to others until they are published. When you edit a rule, it is marked with a pencil icon to indicate that it has been modified in your session. You can also lock a rule to prevent other administrators from editing it until you unlock it or publish your session. References: R81 Security Management Administration Guide, page 43.

 You can enable Multi-Version Cluster (MVC) by running set cluster member mvc on on the Check Point Security Gateway Cluster Member1. MVC is a feature that allows you to upgrade a Security Gateway Cluster to a higher version without downtime2. It works by upgrading one cluster member at a time, while the other cluster members continue to operate with the lower version2. MVC supports upgrading from R80.40 and above to R81 and above2. To use MVC, you need to do the following steps2:

• Enable MVC on each cluster member by running set cluster member mvc on in Clish and rebooting the gateway.
• Install the higher version on one cluster member using CPUSE or ISO image.
• Install policy on the upgraded cluster member and verify that it works properly.
• Repeat the previous steps for the remaining cluster members until all of them are upgraded.
• Disable MVC on each cluster member by running set cluster member mvc off in Clish and rebooting the gateway.

References: Multi-Version Cluster (MVC) - Check Point Software, Multi-Version Cluster (MVC) - Check Point CheckMates

 ClusterXL and VRRP are the two cluster solutions that are available under R81.20. According to the ClusterXL R81.20 Administration Guide1, ClusterXL is a Check Point software-based clustering solution that provides high availability and load sharing for Check Point Security Gateways and Cluster Members. ClusterXL supports two modes: High Availability and Load Sharing. In High Availability mode, all Cluster Members are connected to the same network segment and share a virtual IP address. One member is active and handles all traffic, while the others are in standby mode and ready to take over in case of a failure. In Load Sharing mode, all Cluster Members are active and share the traffic load according to a predefined algorithm. ClusterXL supports both unicast and multicast modes for Load Sharing1.

VRRP (Virtual Router Redundancy Protocol) is an industry standard protocol that provides high availability for routers or firewalls by creating a virtual router with a virtual IP address that is shared by a group of routers or firewalls. One router or firewall is elected as the master and handles all traffic directed to the virtual IP address, while the others are backups that monitor the master and take over if it fails. VRRP can be used with Check Point Security Gateways to provide redundancy and failover for external interfaces1.

NSRP (NetScreen Redundancy Protocol) is a proprietary protocol developed by Juniper Networks that provides high availability and load balancing for NetScreen firewalls. NSRP is not supported by Check Point products2.

HSRP (Hot Standby Router Protocol) is a Cisco proprietary protocol that provides high availability for routers by creating a virtual router with a virtual IP address that is shared by a group of routers. One router is elected as the active router and handles all traffic directed to the virtual IP address, while another router is elected as the standby router and monitors the active router and takes over if it fails. HSRP is not supported by Check Point products.

IP Clustering is a feature of Linux Virtual Server (LVS) that provides high availability and load balancing for IP-based services by creating a cluster of real servers that are accessed through a virtual IP address. The cluster is managed by a director that routes requests to the real servers according to a scheduling algorithm. IP Clustering is not supported by Check Point products.

References: : ClusterXL R81.20 Administration Guide : Check Point R81.20 : Solved: R81.20 - Check Point CheckMates : [Hot Standby Router Protocol - Wikipedia] : [Linux Virtual Server - Wikipedia]

 The main objective when using Application Control is to ensure security and privacy of information. Application Control is a blade that enables administrators to control access to web applications and web sites based on categories, users, groups, machines, and time. Application Control can also block or limit usage of applications that pose security risks or consume excessive bandwidth2. References: Check Point R81 Application Control Administration Guide

 The correct query syntax to find records in the logs that show log records from the Application & URL Filtering Software Blade where traffic was dropped is blade;“application control AND action:drop”. This query uses quotation marks to enclose the values of the blade and action fields, and uses a colon to separate the field name from the value. The query also uses AND to combine two conditions that must be met for a log record to match. References: [Searching Logs]

The command ‘api status’ is used to check the status of the Management API server on the Management Server. The command will show if the API server is running, the port number, and the API version. The other commands are not valid or do not check the Management API server status. References: How To’s - Interact with Check Point Management API on Gaia R81, section “Check API Status”.

For Management High Availability, the valid synchronization status options are:

A. Collision

B. Down

C. Lagging

D. Never been synchronized

In this context, "Down" indicates that the synchronization is not functioning correctly or that the standby management server is not reachable. This is a valid synchronization status, so the answer is not B.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

When John detects a high load on the sync interface, the recommended solution is to implement a delay in the sync process for short-lived connections like HTTP. Here's an explanation of each option:

A. Delaying the sync for 2 seconds for short connections like HTTP services is a common practice to reduce the load on the sync interface. This allows the interface to handle the incoming connections more effectively.

B. Adding a second interface to handle sync traffic might be a viable solution, but it can be more complex and costly compared to implementing a delay for short connections.

C. Not syncing short connections like HTTP services is not a recommended approach because it may lead to synchronization issues and potential data inconsistencies between cluster members.

D. Delaying the sync for ICMP (ping) services is not a common practice and may not effectively address the high load issue on the sync interface.

Therefore, option A is the most recommended solution as it addresses the issue by introducing a delay for short-lived connections, optimizing the sync process without causing synchronization problems.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 The extended master key extension/session hash is a feature introduced in TLS 1.3 to prevent a Man-in-the-Middle attack/disclosure of the client-server communication. It works by generating a unique session hash for each connection, which is derived from the master key and other parameters. This session hash is then used to authenticate the application data and the end-of-handshake messages, ensuring that no one can tamper with or eavesdrop on the communication. References: Check Point Security Expert R81 Course, TLS 1.3 RFC

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: https:// /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

The configuration file that contains the structure of the Security Server showing the port numbers, corresponding protocol name, and status is $FWDIR/conf/fwauthd.conf. This file is used for configuring authentication services in Check Point Security Servers.

References: Check Point documentation or training materials related to Security Server configuration.

The Sticky Decision Function in ClusterXL is primarily used in Load Sharing implementations. In Load Sharing, the pivot member is responsible for determining the destination of new connections and ensures that traffic from the same source IP address is directed to the same cluster member. This ensures session stickiness for the same source IP, improving load sharing efficiency.

References: Check Point Certified Security Expert R81 documentation and learning resources.

Mobile Access encrypts all traffic using HTTPS for web-based applications and 3DES or RC4 algorithm for native applications. For end users to access the native applications, they need to install the SSL Network Extender, which is a lightweight VPN client that creates a secure SSL tunnel to the Mobile Access gateway. The SSL Network Extender supports various types of native applications, such as email clients, file sharing, and remote desktop. References: Mobile Access Administration Guide, SSL Network Extender

The command used to display status information for various components is show sysenv all. This command provides comprehensive status information about the system's environment and various components, including hardware and software components. It can be useful for troubleshooting and monitoring the system's health.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.:

In SmartDashboard, Threat Prevention profiles can be assigned to one or more rules. This means that you can have multiple profiles assigned to a single gateway, and each of these profiles can be associated with one or more rules. This allows for granular control over threat prevention settings for different rules or scenarios.

References: Check Point Certified Security Expert R81 documentation and learning resources.

The command cpinfo –y all displays information about all the hotfixes that are installed on the gateway1. This command also shows the hotfix ID, description, installation date, and status for each hotfix2. The other commands are not valid options for this task. The command cpinfo –h all shows the hardware information of the gateway3. The commands cpinfo –o hotfix and cpinfo –l hotfix do not exist and will return an error message.

References: Hotfix installer - Configuration Manager, How to keep your Security Gateways up to date, Solved: Does it always need to have the higher hotfix vers…

 The correct command to add an “emailserver1” host with IP address 10.50.23.90 using GAiA management CLI is mgmt: add host name emailserver1 ip-address 10.50.23.90. This command will create a new host object in the Security Management Server database, with the specified name and IP address. The mgmt: prefix indicates that the command is executed on the Security Management Server, and not on the local GAiA machine. The other commands are either missing the mgmt: prefix, or have incorrect syntax or parameters. 

The directory /opt/CPsuite-R81/fw1/log contains the log files for the Security Gateway, such as firewall, VPN, IPS, and anti-virus logs1. These log files can be viewed and analyzed using SmartConsole or SmartView2. The other directories are not correct because:

• A. The directory /opt/CPSmartlog-R81/log contains the log files for the SmartLog server, which is a separate component that indexes and searches the logs from multiple Security Gateways3.
• B. The directory /opt/CPshrd-R81/log contains the log files for the shared components of the Check Point suite, such as cpwd, cpca, cpd, and cpwatchdog4.
• D. The directory /opt/CPsuite-R81/log does not exist by default and is not used for logging purposes.

References: Logging and Monitoring R81 Administration Guide, SmartConsole R81 Help, SmartLog R81 Help, Check Point Processes and Daemons

The FWD daemon uses TCP port 256 to do a Full Synchronization between gateway cluster members. This port is also used for other synchronization types, such as Delta Synchronization and Accelerated Synchronization. The FWD daemon is responsible for synchronizing the connections table, NAT table, and VPN keys between cluster members. References: ClusterXL Administration Guide, SK25977 - Ports Used by Check Point Software

 CPUSE offline upgrade is the best upgrade method when the management server is not connected to the Internet. CPUSE (Check Point Upgrade Service Engine) is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the management server using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

SmartView Monitor is a GUI client that is supported in R81. It allows you to monitor the network and security performance of your Security Gateways and devices5. You can use it to view real-time statistics, alerts, logs, reports, and graphs6. The other GUI clients are not supported in R81 because:

• A. SmartProvisioning was replaced by SmartLSM in R80.20 and later versions7. SmartLSM is a unified solution for managing large-scale deployments of Security Gateways8.
• B. SmartView Tracker was replaced by SmartLog in R80 and later versions9. SmartLog is a powerful log analysis tool that enables fast and easy access to log data from multiple Security Gateways10.
• D. SmartLog is not a GUI client, but a web-based application that runs on the Security Management Server or Log Server10. You can access it from any web browser or from SmartConsole.

References: SmartView Monitor R81 Help, SmartView Monitor R81 Administration Guide, What’s New in Check Point R80.20, SmartLSM R81 Help, What’s New in Check Point R80, SmartLog R81 Help

SandBlast appliances can be deployed in the following modes:

C. Inline/prevent or detect

SandBlast appliances can be deployed in an inline mode where they actively inspect and prevent or detect malicious traffic. In this mode, the appliance sits in the network traffic path and can take actions to block or detect threats in real-time.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on SandBlast.

The main difference between SSL VPN (Secure Sockets Layer Virtual Private Network) and IPSec VPN (Internet Protocol Security Virtual Private Network) is in the way they operate:

SSL VPN typically does not require the installation of a resident VPN client. It often relies on a web browser to establish the VPN connection, making it more convenient for remote users who may not want to install dedicated VPN software.

IPSec VPN, on the other hand, often requires the installation of a resident VPN client on the user's device to establish the VPN connection. This client software is necessary for configuring and managing the VPN connection.

Option C, stating that SSL VPN and IPSec VPN are the same, is incorrect because they have distinct characteristics as described above.

Option A is incorrect because it inaccurately suggests that IPSec VPN does not require a resident VPN client, which is not true in most cases.

Option B is incorrect because it wrongly claims that SSL VPN requires the installation of a resident VPN client.

References: Check Point Certified Security Expert R81 Study Guide

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library1, the following are the types of Check Point API available in R81.x:

• Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.
• OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.
• Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

References: What is an API Gateway?, How to use Check Point API with Postman quick guide, Home - Check Point Developers, Introduction to RESTful APIs and JSON format, Checkpoint API tutorial, part 1 - getting started

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

 The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. It runs on the Log Server machine or on a dedicated machine1. To check the status of the SmartEvent Correlation Unit, you can use the command cpstat cpsead on the machine where it is installed. This command will show you information such as the number of logs processed, the number of events generated, the CPU and memory usage, and the status of the connection to the SmartEvent Server23.

References: SmartEvent Administration Guide R76, SmartEvent Administration Guide R75, SmartEvent Performance Tuning Guide

 SecureXL templates are a mechanism to accelerate the rate of connection establishment by grouping connections that match a particular service and whose sole differentiating element is the source port. SecureXL templates enable even the very first packets of a TCP handshake to be accelerated, without waiting for the Firewall kernel to create a connection entry. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. The template will contain all the relevant information for the connection, such as source and destination IP addresses, destination port, NAT information, policy decision, etc. The template will be used by SecureXL to handle subsequent connections on the same service, without involving the Firewall kernel. This reduces the CPU load and increases the throughput.

There are three types of SecureXL templates: Accept, Drop, and NAT. Accept templates are used for connections that are allowed by the Firewall policy. Drop templates are used for connections that are blocked by the Firewall policy. NAT templates are used for connections that require NAT translation. Deny templates are not a valid type of SecureXL template.

References: SecureXL NAT Templates in R80.20 and lower, Part 3 - SecureXL, Security Gateway Performance Optimization - Part 5 - SecureXL

Automation and Orchestration differ in that automation relates to codifying tasks, whereas orchestration relates to codifying processes. Automation is the process of converting manual tasks into executable scripts or programs that can be run by machines or software agents. Orchestration is the process of coordinating multiple automated tasks into a coherent workflow that achieves a desired outcome or goal. Orchestration can also involve integrating different systems, tools, and services through web service interactions such as XML and JSON. References: Check Point Security Expert R81 Course, Automation & Orchestration Administration Guide

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

Each instance of VRRP running on a supported interface may monitor the link state of other interfaces. The monitored interfaces do not have to be running VRRP.

If a monitored interface loses its link state, then VRRP will decrement its priority over a VRID by the specified delta value and then will send out a new VRRP HELLO packet. If the new effective priority is less than the priority a backup platform has, then the backup platform will begin to send out its own HELLO packet.

Once the master sees this packet with a priority greater than its own, then it releases the VIP.

References:

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

The Correlation Unit in SmartEvent architecture has the function of analyzing each log entry as it arrives at the log server according to the Event Policy. When it identifies a threat pattern, it forwards an event to the SmartEvent Server. This is an essential function in threat detection and analysis, as it helps in identifying and alerting about security threats based on the configured policies.

Option A correctly describes the function of the Correlation Unit, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The Correlation Unit in Check Point Security Management performs several actions, but it does not assign a severity level to the event. The Correlation Unit is responsible for identifying patterns in logs, marking logs that are part of larger patterns, generating events based on the Event policy, and adding new log entries to ongoing events. However, assigning a severity level to an event is typically done through the Event policy configuration, not by the Correlation Unit.

References: Check Point Certified Security Expert R81 Study Guide

Threat Emulation downloads packages by default once per day. The packages contain updates for the Threat Emulation engine, signatures, and images. The download frequency can be changed in the Threat Prevention policy settings. References: Threat Emulation Administration Guide, Threat Prevention R81 Release Notes

Check Point Capsule is a suite of solutions designed to provide comprehensive mobile security and secure access. The components of Check Point Capsule include:

Capsule Docs (Option A): A component that secures document sharing and protects sensitive data.

Capsule Cloud (Option B): A component that provides cloud-based security services.

Capsule Workspace (Option D): A component that provides secure workspace on mobile devices.

Option C, "Capsule Enterprise," is not a recognized component of Check Point Capsule based on the available information. Therefore, it is the correct answer as the component that is NOT part of Check Point Capsule.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

The most recommended way to install patches and hotfixes is CPUSE (Check Point Update Service Engine). CPUSE is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the target device using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

Firewall Management (fwm) is available on any management product, including Multi-Domain and on products that requite direct GUI access, such as SmartEvent, It provides the following:

– GUI Client communication

– Database manipulation

– Policy Compilation

– Management HA sync

Threat Extraction is a software blade that delivers PDF versions of original files with active content removed. Active content, such as macros, scripts, or embedded objects, can be used by attackers to deliver malware or exploit vulnerabilities. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

To determine the cause of a cluster gateway showing "Down" despite running "clusterXL_admin up" on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

References: Check Point documentation or training materials related to High Availability and ClusterXL.

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

• A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.
• B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.
• D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

References: ClusterXL R81.20 Administration Guide, ClusterXL Administration Guide R80.40, sk25977 - Ports used by Check Point software

The feature that provides Full Layer3 VPN –IPSec VPN, giving users network access to all mobile applications, is the correct answer.

Capsule Connect/VPN is used to establish secure VPN connections for mobile devices, and the Full Layer3 VPN (IPSec VPN) option provides comprehensive network access.

References: Check Point documentation or training materials related to Mobile Access Methods and VPN configurations.

Dynamic Dispatch is a feature that enhances CoreXL performance by dynamically assigning new connections to CoreXL FW instances based on their CPU utilization1. To enable Dynamic Dispatch on Security Gateway without enabling Firewall Priority Queues (FPQ), you need to run the command fw ctl multik set_mode 4 in Expert mode and reboot2. This command will set the CoreXL mode to Dynamic Dispatcher without FPQ. The other options are not correct because:

• A. fw ctl Dyn_Dispatch on: This command does not exist and will return an error message.
• B. fw ctl Dyn_Dispatch enable: This command does not exist and will return an error message.
• D. fw ctl multik set_mode 1: This command will set the CoreXL mode to Static Dispatcher without FPQ, which is the default mode2. This mode will use a static hash function to assign new connections to CoreXL FW instances based on their IP addresses and protocol.

References: CoreXL Dynamic Dispatcher, To fully enable Dynamic Dispatcher on a Security Gateway, Running Dynamic Dispatch / Dynamic Split / Dynamic Balancing on VSEC/IaaS in Vmware, Dynamic Balancing for CoreXL

SecureXL is a performance-enhancing technology used in Check Point firewalls. It improves the throughput of both non-encrypted firewall traffic and encrypted VPN traffic. The statement in option C is true because SecureXL does improve both types of traffic by offloading processing to dedicated hardware acceleration, optimizing firewall and VPN operations.

Option C correctly states that SecureXL improves this traffic, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

To use SmartConsole R81 for managing SmartEvent R81, you need to have the following ports open:

• Port 19009 for communication over HTTPS (443)
• Port 19009 for communication over HTTP (80)

These ports are necessary for the SmartConsole to communicate with SmartEvent for management and monitoring purposes.

References: Check Point Certified Security Expert R81 documentation and learning resources.

The command "fw tab -s" is used to display information about the state of various kernel tables in a Check Point firewall. It provides a perspective on the number and status of these tables, which can be helpful for troubleshooting and monitoring firewall performance.

Option B correctly identifies the command that gives a perspective of the number of kernel tables, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Threat Extraction (Answer B): Threat Extraction always delivers a file, but it removes potentially malicious content from the file before delivering it to the user. It is designed to provide a safe version of the file quickly, taking less than a second to complete.

Threat Emulation (Option A): Threat Emulation does not deliver the original file to the user until it has been thoroughly analyzed for threats. It may take more than 3 minutes to complete the analysis. The emphasis here is on safety and thorough inspection, which may result in a longer processing time.

Therefore, Option B correctly describes the main difference between Threat Extraction and Threat Emulation.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

The proxy ARP configuration is stored under the following file:

D. $FWDIR/conf/local.arp on the gateway

This file, local.arp, contains the proxy ARP configuration for the Security Gateway. It is used to configure ARP (Address Resolution Protocol) settings for network communication.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on proxy ARP.

 The cpinfo command is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The cpinfo output can be used for troubleshooting or sent to Check Point support for analysis. The -x parameter is used to get information about the specified Virtual System on a VSX gateway. A Virtual System is a virtualized firewall instance that runs on a VSX gateway and has its own security policy and objects. References: Check Point Security Expert R81 Course, cpinfo Utility, VSX Administration Guide

The Check Point daemon that monitors the other daemons is cpwd (Check Point Watchdog). It is responsible for monitoring the health and status of various Check Point daemons and processes running on the Security Gateway. If any daemon or process stops responding or encounters an issue, cpwd can restart it to ensure the continued operation of the Security Gateway.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 User-mode processes are processes that run in the user space of the operating system, as opposed to kernel-mode processes that run in the kernel space. User-mode processes are usually less privileged and have less access to system resources than kernel-mode processes. Check Point products use both user-mode and kernel-mode processes to provide various functionalities and services.

The following are some of the user-mode processes that can be seen on the management server and gateway:

• fwd: This process is responsible for policy installation, logging, and communication with other Check Point components. It runs on both the management server and gateway.
• cpd: This process is responsible for licensing, certificate management, and communication with SmartConsole. It runs on both the management server and gateway.
• cpwd: This process is responsible for monitoring and restarting other processes. It runs on both the management server and gateway.

The following is a user-mode process that can only be seen on the management server:

• fwm: This process is responsible for managing the security policy database, compiling the security policy, and generating reports. It runs only on the management server.

Therefore, the correct answer is B.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

The correct command to store the GAIA configuration in a file is save configuration 1. This will create a file with the current system level configuration in the home directory of the current user1. The other commands are incorrect because they either do not exist or do not save the configuration to a file. References: 1: Backing up Gaia system level configuration(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk102234)

The API command to create a new host with the name "New Host" and IP address "192.168.0.10" is:

This command adds a host object with the specified name and IP address to the Check Point configuration.

References: Check Point documentation or training materials related to API commands.

The port that the CPM process runs on is TCP 19009. CPM stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. CPM is responsible for managing policies, objects, logs, tasks, and other management functions. CPM listens on TCP port 19009 for incoming connections from SmartConsole clients. The other ports are either used by other processes or not related to CPM. 

Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user’s Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

References:

• 1, Training & Certification | Check Point Software, section “Security Expert R81.20 (CCSE) Core Training”
• 2, Certified Security Expert (CCSE) R81.20 Course Overview, page 1
• 3, Check Point Certified Security Expert R81, page 5
• 5, Identity Awareness Administration Guide R81, section “How Identity Awareness Collects Identities”

 According to the Check Point website, Whitelist Files is the tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. Whitelist Files can be configured in SmartConsole under Threat Prevention > Policy > Whitelist Files. The other tools are either not related or not valid tools. References: Whitelist Files

 According to the Check Point R81 release notes, you can access the ThreatCloud Repository from R81.20 SmartConsole and Threat Prevention. The ThreatCloud Repository is a cloud-based service that provides real-time threat intelligence and updates to Check Point products. The other options are either outdated or nonexistent. References: Check Point R81

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

The “fw monitor” tool can be best used to troubleshoot network traffic issues. Fw monitor is a tool that allows administrators to capture packets at different inspection points in the Firewall kernel, and apply filters and flags to analyze the traffic. Fw monitor can help troubleshoot network connectivity problems, packet drops, NAT issues, VPN issues, and more. The other options are either not related or less suitable for fw monitor.

 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. The option that can be added to each Log, Detailed Log and Extended Log is Accounting/Suppression. Accounting/Suppression is a feature that allows administrators to control how often logs are generated for certain rules or connections. Accounting means that logs are generated periodically based on a specified interval or volume. Suppression means that logs are generated only for the first and last packet of a connection or session. Accounting/Suppression can be added to any tracking option to reduce the number of logs and save disk space.

 Identity Awareness AD-Query is using the Microsoft WMI API to learn users from AD. WMI stands for Windows Management Instrumentation, and it is an API that allows remote management and monitoring of Windows systems. Identity Awareness AD-Query is a feature that enables the Security Gateway to query Active Directory servers for user and computer information, such as login events, group membership, and IP addresses. By using the WMI API, Identity Awareness AD-Query can receive real-time notifications from Active Directory servers without installing any agents or scripts on them. 

The SmartEvent R81 Web application for real-time event monitoring is called SmartEventWeb. SmartEventWeb is a web-based interface that allows administrators to view and analyze security events from various sources, such as logs, reports, incidents, and indicators. SmartEventWeb provides dashboards, widgets, filters, and drill-down options to help administrators gain insights into their security posture. The other options are either incorrect or refer to different applications.

 According to the Check Point R81 training course, the medium path is available only when CoreXL is enabled. CoreXL is a performance-enhancing technology that allows multiple CPU cores to process traffic simultaneously. The medium path handles packets that require deeper inspection or content awareness, such as IPS, Anti-Virus, or URL Filtering. The other paths are either available regardless of CoreXL or not valid terms. References: Certified Security Expert (CCSE) R81.20 Course Overview

The methods of SandBlast Threat Emulation deployment are Cloud, Appliance, and Private. SandBlast Threat Emulation is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior for malicious indicators. SandBlast Threat Emulation can be deployed in three different methods: Cloud, Appliance, and Private. Cloud method is when the files are sent to the Check Point cloud service for emulation and analysis. This method does not require any additional hardware or software on the customer’s side, and provides the fastest updates and feeds from ThreatCloud. Appliance method is when the files are sent to a dedicated appliance on the customer’s network for emulation and analysis. This method provides more control and privacy for the customer, and supports more file types and sizes. Private method is when the files are sent to a private cloud service on the customer’s network for emulation and analysis. This method provides the highest level of control and privacy for the customer, and supports customizing the emulation environment and scenarios.

AppWiki is the Check Point feature that enables application scanning and the detection. AppWiki is an easy to use tool that lets you search and filter Check Point’s Web 2.0 Applications Database to find out information about internet applications, including social network widgets; filter by a category, tag, or risk level; and search for a keyword or application1. AppWiki helps you to identify and control the applications on your network, and to apply granular policies based on the application type, risk, and characteristics1. AppWiki is integrated with the Check Point Application Control Software Blade, which provides the industry’s strongest application security and identity control to organizations of all sizes1.

References: 1: AppWiki | Check Point Software

According to the Check Point Resource Library, the minimum amount of RAM needed for a Threat Prevention Appliance is 4 GB. This applies to both physical and virtual appliances. The other options are either incorrect or irrelevant. References: Check Point Resource Library

The command to show SecureXL status is fwaccel stat. This command displays information about SecureXL acceleration, such as the number of accelerated and non-accelerated connections, the reason for non-acceleration, and the SecureXL device name and mode. The other commands are either invalid or show different statistics.

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

 The deployment of Check Point API does not have the purpose of creating a customized GUI Client for manipulating the objects database. The Check Point API is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The Check Point API can be used to execute an automated script to perform common tasks, create products that use and enhance the Check Point solution, and integrate Check Point products with 3rd party solutions. However, creating a customized GUI Client for manipulating the objects database is not a supported or intended use case of the Check Point API. 

Ken can use either of the two commands lock database override or unlock database to obtain a configuration lock from another administrator on R81 Security Management Server via CLI. These commands allow him to override the existing lock and gain exclusive access to the database. He can also use the WebUI to perform the same action. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

The true statement about the API server on R81.20 is: By default, the API server is active on management servers with 4 GB of RAM (or more) and on stand-alone servers with 8GB of RAM (or more). The API server is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. The API server is enabled by default on R81.20 management servers that have at least 4 GB of RAM, and on stand-alone servers that have at least 8 GB of RAM. The API server can also be manually enabled or disabled from the WebUI or the CLI. 

The error “no proposal chosen” indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error “no proposal chosen” 1.

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

• The same pre-shared secret or certificate
• The same encryption algorithm (e.g., AES-256)
• The same hash algorithm (e.g., SHA-256)
• The same Diffie-Hellman group (e.g., Group 14)
• The same lifetime (e.g., 86400 seconds)

One can use the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer. Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings 2.

References: 1: Troubleshooting the “no proposal chosen” error - Check Point Software 2: Support, Support Requests, Training … - Check Point Software

 One of the requirements for Joey’s success in upgrading from R75.40 to R81 version of Security management using Advanced Upgrade with Database Migration method is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. Advanced Upgrade with Database Migration method is a procedure that allows administrators to upgrade their Security Management Server to a newer version by migrating their database from an older version to a new machine with a fresh installation of the newer version. One of the steps in this procedure is to copy the /var/log folder from the source machine to the target machine, which contains important log files and configuration files. To ensure that there is enough disk space on the target machine for this operation, it is required that the size of the /var/log folder on the target machine must be at least 25% of the size of the /var/log folder on the source machine. 

The kind of information that you would expect to see using the sim affinity command is network interfaces and core distribution used for CoreXL. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The sim affinity command can show which network interfaces and SecureXL instances are bound to which CPU cores, and allow administrators to change the affinity settings.

The process that handles connection from SmartConsole R81 is cpm. Cpm stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. Cpm is responsible for managing policies, objects, logs, tasks, and other management functions. The other processes are either obsolete or irrelevant for SmartConsole connection.

The correct statement about Security Gateway and Security Management Server failover in Check Point R81.X in terms of Check Point Redundancy driven solution is: Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure. Security Gateway failover is a feature that allows a cluster of Security Gateways to provide high availability and load balancing for network traffic. If one Security Gateway fails or becomes unreachable, another Security Gateway in the cluster automatically takes over its role and handles the traffic without interrupting the service. Security Management Server failover is a feature that allows a backup Security Management Server to take over the role of the primary Security Management Server in case of failure or disaster. However, this feature requires manual intervention to activate the backup server and restore the database from a backup file. 

The command that shows the status of processes is cpwd_admin list. Cpwd_admin is a command that allows administrators to manage processes that are registered with the Check Point WatchDog (CPWD) daemon. CPWD is a daemon that monitors the health of critical processes on the Security Gateway or Management Server, and restarts them if they fail or stop responding. Cpwd_admin list shows the process name, PID, status, start time, monitor status, and number of restarts for each process registered with CPWD. 

The R81 SmartConsole, SmartEvent GUI client, and SmartView Web Application consolidate billions of logs and show them as prioritized security events. The SmartView Web Application is a web-based interface that allows you to access the SmartEvent Server from any browser. You can use the SmartView Web Application to view and analyze security events, generate reports, and configure SmartEvent settings12.

References: 1: Check Point R81 SmartConsole User Guide - Check Point Software, page 10 2: Check Point R81 SmartEvent Administration Guide - Check Point Software, page 9

 The file that contains the host address to be published, the MAC address that needs to be associated with the IP address, and the unique IP of the interface that responds to ARP request is $FWDIR/conf/local.arp. Local.arp is a configuration file that defines static ARP entries for hosts behind NAT devices. This file allows the Security Gateway to respond to ARP requests for NATed hosts with the correct MAC address, and to publish the NATed IP address instead of the real IP address. The other files are either not related or not valid. 

 If Deyra sees the gateway status as shown in the image, it means that there is a blade reporting a problem. The red exclamation mark indicates that one or more blades on the gateway have an issue that needs attention. The issue could be related to configuration, license, policy, or other factors. Deyra can hover over the icon to see more details about the problem. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.20 - Check Point CheckMates

 To set the IP address and default gateway of the Management interface on a Check Point appliance, you can use the following commands:

• set interface Mgmt ipv4-address 192.168.80.200 mask-length 24 - This command sets the IPv4 address of the Management interface to 192.168.80.200 and the subnet mask to 255.255.255.0 (24 bits).
• set static-route default nexthop gateway address 192.168.80.1 on - This command sets the default gateway to 192.168.80.1 and enables the static route.
• save config - This command saves the configuration changes to the appliance.

These commands are documented in the Check Point appliance initial installation guide, which you can find in the web search results.

The other options are incorrect because they use invalid syntax or parameters for the commands. For example, option B uses add static-route instead of set static-route, option C uses 0.0.0.0. instead of 0.0.0.0, and option D uses add static-route default instead of set static-route default.

 For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

 SmartEvent automatically defines events based on IPS (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent. 

According to the Check Point R81 release notes, acceleration is not supported for connections that require a Security server, such as HTTPS Inspection, Content Awareness, or Anti-Virus. The Security server performs deep inspection and modification of the traffic, which prevents acceleration. The other options are either false or not the most likely reason. References: Check Point R81

The software blade package that uses CPU-level and OS-level sandboxing in order to detect and block malware is the Next Generation Threat Emulation. This package is part of the Check Point SandBlast Zero-Day Protection solution, which protects organizations against unknown malware, zero-day threats and targeted attacks, and prevents infections from undiscovered exploits1.

CPU-level and OS-level sandboxing are two techniques that Check Point uses to analyze files and objects for malicious behavior. CPU-level inspection is a unique technology that detects malware at the pre-infection stage by examining the CPU instructions that the file executes. This allows Check Point to identify and block malware that tries to evade detection by using obfuscation, encryption, or polymorphism12.

OS-level sandboxing is a complementary technology that runs files and objects in a virtualized environment and monitors their behavior for malicious indicators. This allows Check Point to detect and block malware that tries to exploit vulnerabilities in the operating system or applications, or that performs malicious actions such as downloading additional payloads, modifying system settings, or communicating with command and control servers12.

Therefore, the correct answer is B. The Next Generation Threat Emulation software blade package uses CPU-level and OS-level sandboxing in order to detect and block malware.

References:

• 1, Understanding SandBlast - Check Point Software Technologies
• 2, HOW TO CHOOSE YOUR NEXT SANDBOXING SOLUTION - Check Point Software
• 3, CHECK POINT + SERVICENOW
• 4, Check Point Quantum Edge Datasheet

The best suggestion for Pamela to make sure she successfully captures entire traffic in context of Firewall and problematic traffic is: Pamela should check SecureXL status on DMZ Security gateway and if it’s turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, this also means that some traffic might not be seen by fw monitor, which is a tool that captures packets at different inspection points in the Firewall kernel. Therefore, to ensure that fw monitor captures all traffic, SecureXL should be turned OFF before using fw monitor. The other suggestions are either incorrect or less effective in capturing traffic. 

The cloud-based SandBlast Mobile application that is used to register new devices and users is Check Point Gateway. Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

References:

The Software Container is a logical component in the Software Blade Architecture. There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security. The container enables the server functionality, and defines its purpose – e.g, management or gateway. https://downloads.checkpoint.com/dc/download.htm?ID=11608

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions. Security Gateway is the device that inspects and filters network traffic according to the security policies. 

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address. Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

 The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”.cap"number of captures". This is a feature of CPView that allows the user to capture the current page for later analysis or troubleshooting. The file is saved in the /var/log directory on the Security Gateway. References: Check Point Resource Library, page 3.

The command that would show the API server status is api status. API stands for Application Programming Interface, and it is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. API status is a command that shows the current status of the API server, such as whether it is enabled or disabled, running or stopped, listening on which port, using which certificate, etc. The other commands are either invalid or perform different functions. 

 The order of NAT priorities is determined by the type of NAT rule that is applied to the traffic. There are three types of NAT rules in Check Point: static NAT, IP pool NAT, and hide NAT12.

• Static NAT: This type of NAT rule maps a single IP address to another single IP address. It is usually used to allow external hosts to access internal servers or devices. Static NAT has the highest priority among the NAT rules, and it is applied before the security policy is enforced12.
• IP pool NAT: This type of NAT rule maps a range of IP addresses to another range of IP addresses. It is usually used to balance the load among multiple servers or devices. IP pool NAT has the second highest priority among the NAT rules, and it is applied after the security policy is enforced12.
• Hide NAT: This type of NAT rule hides a group of IP addresses behind a single IP address or an interface. It is usually used to allow internal hosts to access external resources. Hide NAT has the lowest priority among the NAT rules, and it is applied after the security policy is enforced12.

Therefore, the order of NAT priorities is: static NAT, IP pool NAT, hide NAT.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 209 2: Check Point R81 Security Engineering Guide - Check Point Software, page 163

According to the Check Point website, INSPECT Engine is the technology that extracts detailed information from packets and stores that information in state tables. INSPECT Engine is the core of Check Point’s Stateful Inspection technology, which enables Security Gateways to inspect traffic at multiple layers and enforce security policies. The other technologies are either not related or not specific enough. References: INSPECT Engine

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

 The most ideal Synchronization Status for Security Management Server High Availability deployment is Synchronized. Security Management Server High Availability deployment is a feature that allows two or more Security Management Servers to provide redundancy and load balancing for managing security policies and logs. Synchronization Status is a parameter that indicates how up-to-date the databases of the Security Management Servers are with each other. Synchronization Status can have one of the following values: Synchronized, Lagging, Never been synchronized, or Collision. Synchronized means that the databases of all Security Management Servers are identical and have no conflicts. This is the most ideal status as it ensures consistency and reliability of security management. Lagging means that one or more Security Management Servers have not received all the updates from other Security Management Servers, and their databases are outdated. Never been synchronized means that one or more Security Management Servers have never synchronized their databases with other Security Management Servers, and their databases are independent. Collision means that one or more Security Management Servers have received conflicting updates from other Security Management Servers, and their databases have discrepancies. 

With SecureXL enabled, accelerated packets will pass through the following: Network Interface Card and the Acceleration Device. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. Accelerated packets are packets that match certain criteria and can be handled by SecureXL without involving the Firewall kernel. These packets bypass the OSI Network Layer, OS IP Stack, and Check Point Firewall Kernel, and are processed directly by the Network Interface Card and the Acceleration Device. The other options are either incorrect or describe non-accelerated packets. 

 In the Firewall chain mode FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by different firewall kernel modules in inbound and outbound directions. FFF is one of the predefined chain modes that applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources. 

 The statement that is most correct regarding about “CoreXL Dynamic Dispatcher” is: The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores. CoreXL Dynamic Dispatcher is a feature that allows the Security Gateway to dynamically assign connections to the most available CoreXL FW instance, based on the CPU core utilization. This improves the performance and load balancing of the Security Gateway, especially when handling connections with different processing requirements. The other statements are either incorrect or describe the CoreXL Static Dispatcher mechanism, which assigns connections based on a hash function of the Source IP, Destination IP, and IP Protocol type.

 Log Consolidator is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

Check Point Protect is a lightweight app that can be used to gather and analyze threats to your mobile device. It provides real-time threat intelligence, device posture assessment, and secure browsing protection3. The other applications are either not designed for mobile devices, or do not offer threat analysis features. References: R81 CCSA & CCSE exams released featuring Promo for… - Check Point …, Check Point Protect - Apps on Google Play

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

References: VPN Administration Guide

 Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits. To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features. References: R81 Performance Tuning Administration Guide

Check Point recommends configuring Disk Space Management parameters to delete old log entries when available disk space is less than or equal to a certain threshold. In this case, the correct threshold is specified as option D: 15%.

So, when the available disk space reaches or falls below 15%, old log entries should be deleted to free up space.

Options A, B, and C do not represent the recommended threshold for deleting old log entries according to Check Point's best practices.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via the cpm process. The cpm process is the main management process that handles database operations, policy installation, and communication with GUI clients via TCP port 190093. The other options are either incorrect or irrelevant to the log flow. References: Certified Security Expert (CCSE) R81.20 Course Overview, Check Point Ports Used for Communication by Various Check Point Modules

 R81.20 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81. 

The Check Point ThreatCloud is a worldwide collaborative security network that collects and analyzes threat data from millions of sensors, security gateways, and other sources, and delivers real-time threat intelligence and protection to Check Point products. References: Check Point ThreatCloud

The clusterXL_admin down -p command disables a Cluster Member permanently, meaning that it will not rejoin the cluster even after a reboot. The other commands either disable a Cluster Member temporarily or are invalid. References: [ClusterXL Administration Guide]

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

References:

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer's configuration and environment settings.

References:

 The host having a Critical event found by Anti-Bot should be remediated first, as it indicates that the host is infected by a botnet malware that is communicating with a Command and Control server. This poses a serious threat to the network security and data integrity. The other events may indicate potential malware infection or attack attempts, but not necessarily successful ones. References: Threat Prevention Administration Guide

The statement that is correct about the Sticky Decision Function is It is not supported with either the Performance pack of a hardware based accelerator card. The Sticky Decision Function (SDF) is a feature that ensures that packets from the same connection are handled by the same cluster member in a Load Sharing configuration. However, SDF is not compatible with SecureXL acceleration, which is enabled by default or by using a Performance pack or a hardware based accelerator card4. The other statements are either incorrect or outdated about SDF. References: Check Point R81 ClusterXL Administration Guide, Sticky Decision Function - Check Point CheckMates

The Check Point TE appliance in Recommended Mode includes 2(OS) images. One image is used for running the appliance, and the other image is used for backup and recovery purposes. The images are not chosen by the administrator during installation, nor based on the license or the latest version. References: [Check Point R81 Threat Emulation Administration Guide]

 CPM process stores objects, policies, users, administrators, licenses and management data in a Postgres SQL database. This database is located in $FWDIR/conf and can be accessed using the pg_client command2. The other options are not the correct database type for CPM. References: Check Point R81 Security Management Administration Guide

Check Point’s FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark.

References:

There are four ways to use the Management API for creating host object with R81 Management API: Using Web Services, Using mgmt_cli tool, Using CLISH, and Using SmartConsole GUI console. Events are collected with SmartWorkflow from Trouble Ticket systems is not a correct option. References: Check Point Management APIs

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation. References: CPD process

 The attributes that SecureXL will check after the connection is allowed by Security Policy are Source address, Destination address, Source port, Destination port, Protocol. These are the five tuple parameters that define a connection and are used by SecureXL to accelerate the traffic. The other options are either missing some of the parameters or include irrelevant ones, such as MAC addresses1. References: Check Point R81 SecureXL Administration Guide

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

 SSL Network Extender (SNX) has two modes of operation: Network Mode and Application Mode. Network Mode provides full network connectivity to the remote user, while Application Mode provides access to specific applications on the corporate network. References: [SSL Network Extender]

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts. References: Anti-Bot Software Blade

 Gateway API is not an example of a Check Point API. Check Point APIs are interfaces that enable interactions with Check Point products using automation scripts or external applications. The examples of Check Point APIs are Management API, OPSEC SDK, Threat Prevention API, Identity Awareness Web Services API, and others4. Gateway API is not a valid Check Point API name. References: Check Point R81 Security Management Administration Guide, Check Point APIs

The statement that is not true about Delta synchronization is Using UDP Multicast or Broadcast on port 8161. Delta synchronization is a mechanism that transfers only the changes in the kernel tables between cluster members, instead of sending the entire tables. It uses UDP Multicast or Broadcast on port 8116, not 81612. The other statements are true about Delta synchronization. References: Check Point R81 ClusterXL Administration Guide

Session unique identifiers are passed to the web API using the X-chkp-sid HTTP header option. The web API is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. To use the web API, you need to create a session with the management server by sending a login request with your credentials. The management server will respond with a session unique identifier (SID) that represents your session. You need to pass this SID in every subsequent request to the web API using the X-chkp-sid HTTP header option. This way, the management server can identify and authenticate your session and perform the requested operations. References: Check Point R81 REST API Reference Guide

The command cphaprob igmp can be used to display the Multicast MAC address of a cluster. This command shows the IGMP (Internet Group Management Protocol) information for each cluster interface, including the VRID (Virtual Router ID), the Multicast IP address, and the Multicast MAC address3. The other commands do not show the Multicast MAC address information. References: Check Point R81 ClusterXL Administration Guide

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References: R81 Mobile Access Administration Guide

SmartView is a web-based application that allows you to view and analyze logs, reports, and events from multiple Check Point products. You can access SmartView by using the following URL:

You need to use HTTPS protocol and the default port 443. You also need to enter the IP address of the Security Management Server that hosts the SmartView application. You cannot use the host name of the Security Management Server or a different port number. References: SmartView R81 Administration Guide

 Session Rate Acceleration is a SecureXL feature that accelerates the establishment of new connections by bypassing the inspection of the first packet of each session. Session Rate Acceleration ignores the source port information of the packet, as well as the destination port ranges, protocol type, and VPN information. The other packet info is used by Packet Acceleration, which is another SecureXL feature that accelerates the forwarding of subsequent packets of an established connection. References: SecureXL Mechanism

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information. References: Check Point R81 Installation and Upgrade Guide

The fw tab -s command lists all tables in Gaia. The fw tab command displays information about the firewall tables, such as connections, NAT translations, SAM rules, etc. The -s option shows a summary of all tables. References: fw tab - Check Point Support Center

Advanced Security Checkups can be easily conducted within the Reports tab in the Logs & Monitor view in SmartConsole. The Reports tab allows you to generate and view various reports that provide insights into the security status and performance of your network. You can use predefined reports or create custom reports based on your needs. You can also schedule reports to run automatically and send them by email. Some of the predefined reports that can help you conduct advanced security checkups are:

• Security Overview: This report provides a summary of the security posture of your network, including the number and severity of incidents, the top attacked hosts and services, the top attackers and attack methods, the top detected threats and vulnerabilities, etc.
• Security Best Practices: This report evaluates your security configuration and policy against the Check Point best practices and provides recommendations for improvement. It covers areas such as firewall policy, NAT policy, VPN policy, identity awareness, threat prevention, etc.
• Compliance Status: This report assesses your compliance level with various regulations and standards, such as PCI DSS, ISO 27001, NIST 800-53, etc. It shows the compliance score, the compliance status of each requirement, the compliance status of each gateway and blade, etc.
• Network Activity: This report shows the network activity and traffic patterns on your network, including the top sources and destinations of traffic, the top protocols and applications used, the top bandwidth consumers, etc.
• System Health: This report monitors the health and performance of your management server and gateways, including the CPU utilization, memory usage, disk space, network interfaces, etc. References: R81 Logging and Monitoring Administration Guide

The Audit Log is a feature that records all the actions performed by R81 SmartConsole administrators, such as logging in, logging out, publishing, installing policy, creating objects, modifying rules, etc. You can see and search records of action done by R81 SmartConsole administrators by following these steps:

• In SmartConsole, go to Logs & Monitor view.
• In the left pane, select Open Audit Log View.
• In the right pane, you will see a table that shows all the audit log records. You can filter, sort, group, or search the records by using the toolbar options.
• You can also double-click on a record to see more details in a pop-up window. References: R81 Logging and Monitoring Administration Guide

Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from another member. References: [ClusterXL Administration Guide]

CoreXL is supported when one of the following features is enabled: IPS. CoreXL does not support Check Point Suite with these features: Route-based VPN, IPv6, Overlapping NAT, QoS, Content Awareness, Application Control, URL Filtering, Identity Awareness, HTTPS Inspection, DLP, Anti-Bot, Anti-Virus, Threat Emulation. References: CoreXL

 The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345. 

The statement that is true regarding redundancy is Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments. ClusterXL and VRRP are two technologies that provide high availability and load sharing for Security Gateways. They are both supported by Gaia OS and can be deployed on various platforms5. The other statements are either false or incomplete regarding redundancy. References: Check Point R81 ClusterXL Administration Guide, Check Point R81 Gaia Administration Guide

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

The SmartEvent component that creates events is the Correlation Unit, which is responsible for correlating and analyzing security events to identify patterns and potential threats.

Option A, "Consolidation Policy," does not create events but is used to configure policies for event consolidation.

Option C, "SmartEvent Policy," is not responsible for creating events but is used to configure policies related to SmartEvent.

Option D, "SmartEvent GUI," is the graphical user interface for managing SmartEvent but does not create events itself.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution. References: SandBlast Mobile Architecture

 The inspection point Big l is the first point immediately following the tables and rule base check of a packet coming from outside of the network. It is also the last point before the packet leaves the Security Gateway to the internal network1. The other inspection points are either before or after the rule base check, or in a different direction of traffic flow2. References: Check Point R81 Security Gateway Architecture and Packet Flow, 156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

Threat Simulator is not a component of Check Point SandBlast. Check Point SandBlast is a solution that provides advanced protection against zero-day threats using four components: Threat Emulation, Threat Extraction, Threat Cloud, and Threat Prevention. References: Check Point SandBlast Network