156-215.81 Questions and Answers

When an encrypted packet is decrypted, this happens in the security policy4. The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy. References: Check Point R81 VPN Administration Guide

 A stateful inspection firewall works by registering connection data and compiling this information in state tables. State tables are data structures that store information about the state and context of each connection, such as source, destination, service, protocol, sequence number, flags, etc. State tables enable the firewall to inspect both the header and the payload of each packet and apply security policies accordingly.References: [Stateful Inspection], [State Tables]

Logs are not automatically forwarded to a new Log Server. SmartConsole must be used to manually configure each gateway to send its logs to the server. After adding a new Log Server and establishing the SIC trust with the SMS, the administrator must use SmartConsole to assign the Log Server to each gateway in the Logs and Masters section of the gateway properties2. The other options are not correct, as gateways can send logs to both SMS and Log Server, Log Servers are not proprietary log archive servers, and gateways will not detect the new Log Server after the next policy install.

 The SIC Status “Unknown” means that there is no connection between the gateway and Security Management Server. This can happen if the gateway is down, unreachable, or has not been initialized yet12. References: Check Point R81 Security Management Administration Guide, Free Check Point CCSA Sample Questions and Study Guide

The Status Attention means that at least one Software Blade has a minor issue, but the gateway works1. For example, this could indicate a license expiration warning, a policy installation failure, or a blade activation problem2. References: Check Point R81 SmartConsole Guide, Check Point R81 Security Management Administration Guide

The best way to restrict access to a network resource only allowing certain users to access it, and only when they are on a specific network, is to create an Access Role object, with specific users or user groups specified, and specific networks defined. Then, use this access role as the “Source” of an Access Control rule. This allows for granular control over network traffic based on user identity and location3.

References: 3: Check Point R81 Security Gateway Administration Guide, page 13.

When a SAM rule is required on Security Gateway to quickly block suspicious connections which are not restricted by the Security Policy, the administrator needs to take the following action: SmartView Monitor should be opened and then the SAM rule/s can be applied immediately. Installing policy is not required. SAM stands for Suspicious Activity Monitoring and is a feature that allows administrators to block or limit connections from specific sources or destinations without modifying the security policy. SAM rules can be created from SmartView Monitor or SmartEvent based on real-time network activity or security events. References: [Check Point R81 SmartView Monitor Administration Guide]

The SmartConsole tab that shows logs and detects security threats, providing a centralized display of potential attack patterns from all network devices, is Logs and Monitor1, p. 24. The Logs and Monitor tab allows administrators to view logs from various sources, such as Security Gateways, SmartEvent servers, and SmartReporter servers. Gateway and Servers, Manage Setting, and Security Policies are other tabs in SmartConsole that have different functions. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point SmartConsole R81 Help]

When URL Filtering is set, only the host part of the URL is sent to the Check Point Online Web Service for analysis. The host part is the part of the URL that identifies the web server, such as www.example.com. The Check Point Online Web Service uses this information to categorize the URL and return the appropriate action to the Security Gateway. The other options are not sent to the Check Point Online Web Service for analysis, as they may contain sensitive or irrelevant data.

References: 1: Policy Layers 2: Adding a New Log Server 3: Suspicious Activity Monitoring : [URL Filtering]

The command show cluster state is used to monitor cluster members in CLI. It displays information such as the cluster mode, the cluster members, their status, their priority, and their interfaces.References: [ClusterXL Administration Guide], [Check Point CLI Reference Card]

The main difference between Static NAT and Hide NAT is that Static NAT allows incoming and outgoing connections, while Hide NAT only allows outgoing connections4. Static NAT translates a single IP address to another single IP address, while Hide NAT translates a group of IP addresses to a single IP address. Static NAT is used to expose internal servers to external networks, while Hide NAT is used to hide internal hosts from external networks. References: Check Point R81 Firewall Administration Guide

 Core Protections are installed as part of the Threat Prevention Policy. Core Protections are a set of IPS protections that are essential for securing your network against malicious traffic4. The other policies do not include Core Protections.

References: 1: Check Point CLI Reference Card 2: Anti-Spoofing 3: SmartView Tracker 4: Core Protections

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 811612. The other statements are true about Delta synchronization. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

 To make John’s changes available to other administrators, and to save the database before installing a policy, John must publish the session. Publishing the session saves the changes to the database and makes them visible to other administrators1. The other options do not achieve this goal. References: Publishing a Session

Gaia includes Check Point Upgrade Service Engine (CPUSE), which can directly receive updates for licensed Check Point products for the Gaia operating system and the Gaia operating system itself. CPUSE is an advanced tool that automates software updates and upgrades on Gaia platforms. It can download and install packages such as hotfixes, Jumbo Hotfix Accumulators, minor versions, major versions, and OS updates.References: [CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)], [Check Point R81]

 RADIUS Accounting gets identity data from requests generated by the accounting client. RADIUS Accounting is a feature that allows tracking and measuring resource usage of network services by users. The accounting client, which is usually a network access server (NAS), sends accounting requests to a RADIUS server with information about user sessions, such as start and stop times, bytes transmitted and received, IP addresses, etc. The RADIUS server records this information in a database for billing, auditing, or reporting purposes. One of the mandatory attributes that the accounting client must include in every accounting request is the User-Name attribute, which identifies the user who is accessing the network service.

Automatic Hide NAT enables Source Port Address Translation by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

The following cannot be configured in an Access Role Object: Time4. An Access Role Object is a way to define a group of users based on four criteria: Networks, Users, Machines, and Locations5. Networks are IP addresses or network objects that represent the source or destination of the traffic. Users are user accounts or user groups from an identity source such as LDAP or RADIUS. Machines are endpoints that are identified by MAC addresses or certificates. Locations are geographical regions based on IP addresses. References: Check Point R81 Firewall Administration Guide, Check Point R81 Identity Awareness Administration Guide

The method to update the trusted log server regarding the policy and configuration changes performed on the Security Management Server is Save Policy. Saving a policy updates the trusted log server with the latest policy and configuration changes3. References: Check Point R81 Logging and Monitoring Administration Guide

The purpose of a Stealth Rule is to drop any traffic destined for the firewall that is not otherwise explicitly allowed1, p. 32. A Stealth Rule is usually placed at the top of the rule base, before any other rule that allows traffic to the Security Gateway2, p. 13. A Stealth Rule is not used to hide a server’s IP address, to allow administrators to access SmartDashboard, or to drop any traffic that is not explicitly allowed. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

The option that is NOT an advantage of Stateful Inspection is No Screening above Network layer. Stateful Inspection is a firewall technology that inspects packets at all layers of the OSI model, from layer 3 (Network) to layer 7 (Application). Stateful Inspection provides screening above Network layer, such as checking TCP flags, sequence numbers, ports, and application protocols . The other options are advantages of Stateful Inspection, as it provides high performance, good security, and transparency for legitimate traffic.

References: Stateful Inspection Technology, Firewall Administration Guide

The Security Management Server and the Security Gateway are the components that can store logs in the Check Point Security Management Architecture. The Security Management Server stores logs in a database and can also forward them to external log servers. The Security Gateway can store logs locally in a buffer or a local log file, and can also send them to the Security Management Server or a log server.

References: Check Point Security Management Administration Guide R81, p. 11-12

The two ordered layers that make up the Access Control Policy Layer are Network and Threat Prevention. Network layer contains rules that define how traffic is inspected and handled by the Security Gateway. Threat Prevention layer contains rules that define how traffic is inspected by the Threat Prevention Software Blades2. References: Check Point R81 Security Management Administration Guide

Domain-based— VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

This statement is not true because a VPN domain is not a service or user, but a host or network that can send or receive VPN traffic through a VPN Gateway1. This is the definition given in the Site to Site VPN R81 Administration Guide1. The other statements are true according to the same guide1.

Remote Access VPN R81.20 Administration Guide

Site to Site VPN R81 Administration Guide

DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud

Manual NAT can offer more flexibility than Automatic NAT because it allows the administrator to define the NAT rules in any order and position1. Automatic NAT creates the NAT rules automatically and places them at the top or bottom of the NAT Rule Base2. References: Check Point R81 Firewall Administration Guide, Check Point R81 Security Management Administration Guide

 Extended Log is a tracking option that enables administrators to see additional information about the traffic that matches a security rule, such as data type, file name, file size, etc. However, to see any data type information, Content Awareness must be enabled on the Security Gateway. Content Awareness is a blade that inspects files based on their type, size, name, and data. Content Awareness is required for Extended Log to work properly3. References: Check Point R81 Content Awareness Administration Guide

The most likely reason for Vanessa’s authentication failure is that she is using the wrong details for SmartConsole. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. She needs to use the credentials that were defined during the initial configuration of the Security Management Server, or the ones that were assigned to her by the administrator12. The other options are not valid reasons for this error. References: SmartConsole Login, Check Point CCSA - R81: Practice Test & Explanation

The default Gaia user that has full read/write access is admin3. The admin user is the superuser that can perform any administrative task on the Gaia system, such as configuring network settings, installing software updates, managing licenses, creating snapshots, and more. The admin user can also access the Gaia Portal, which is a web-based interface for managing Gaia settings and features. References: Check Point R81 Gaia Administration Guide

Gaia can be managed through CLI, WebUI, and SmartDashboard1, p. 17-18. CLI is a command-line interface that allows administrators to configure and monitor Gaia using commands and scripts. WebUI is a web-based interface that allows administrators to configure and monitor Gaia using a browser. SmartDashboard is a graphical user interface that allows administrators to manage security policies and objects for Gaia devices. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Gaia Administration Guide R81], [Check Point Security Management Administration Guide R81]

When a certificate is revoked from a Security Gateway, the information is stored on the Certificate Revocation List (CRL). The CRL is maintained by the Internal Certificate Authority (ICA) and is checked during certificate validation processes.

Option A (Incorrect): The Security Management Server maintains certificate information but does not store revoked certificates permanently.

Option C (Incorrect): The Internal Certificate Authority manages certificate issuance but does not store revoked certificates—it publishes a CRL instead.

Option D (Incorrect): The Security Administrator does not receive direct notifications of revoked certificates.

Thus, the correct answer is B. Stored on the Certificate Revocation List.

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate1. A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2. A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3. The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication. PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4. Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4. PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

What is mutual authentication? | Two-way authentication

Mutual authentication - AWS Client VPN

VPN authentication options - Windows Security

Mutual Authentication | Top 3 Methods of Mutual Authentication

Authentication methods and features - Microsoft Entra

Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. This option allows the administrator to select which tunnels should be permanent and which should be established on demand. The other options are not valid, as they do not match the available choices in the VPN community settings.

References: [VPN Administration Guide], [Check Point R81.10]

An Access Role Object has four configuration screens: Users, Machines, Networks, and Identity Tags1, p. 27. Time is not a valid configuration screen of an Access Role Object. References: Check Point CCSA - R81: Practice Test & Explanation

Gaia can be configured using the command line interface (CLI) or the WebUI. The CLI is a text-based interface that allows you to configure and manage Gaia settings using commands and scripts. The WebUI is a graphical interface that allows you to configure and manage Gaia settings using a web browser. Gaia Interface and GaiaUI are not valid terms for Gaia configuration tools.References: [Gaia Administration Guide], [Gaia Overview]

Anti-Virus is the Check Point software blade that prevents malicious files from entering a network using virus signatures and anomaly-based protections from ThreatCloud. Anti-Virus scans files and email attachments for viruses, worms, trojans, and other types of malware. It also uses ThreatCloud, a collaborative network that delivers real-time dynamic security intelligence, to detect unknown malware based on their behavior. Firewall is a software blade that enforces security policy by inspecting and controlling network traffic. Application Control is a software blade that enables administrators to control access to web applications. Anti-spam and Email Security is a software blade that protects email infrastructure from spam, phishing, and malware attacks.

 A security gateway is a device that enforces the security policy on the traffic that passes through it. There are three deployment options available for a security gateway: Standalone, Distributed, and Bridge Mode. Standalone means that the security gateway and the security management server are installed on the same machine. Distributed means that the security gateway and the security management server are installed on separate machines. Bridge Mode means that the security gateway acts as a transparent bridge between two network segments, without changing the IP addressing scheme1. References: Check Point R81 Security Gateway Technical Administration Guide

 It is Best Practice to have an Explicit CleanUp rule at the end of each policy layer. This rule will log and drop any traffic that does not match any of the preceding rules in the layer1, p. 23. References: Check Point CCSA - R81: Practice Test & Explanation

 It is possible to have more than one administrator connected to a Security Management Server at once, but objects edited by one administrator will be locked for editing by others until the session is published. This feature is called concurrent administration and it allows multiple administrators to work on the same security policy at the same time. However, when one administrator edits an object, such as a gateway, a rule, or a network, that object is locked for other administrators until the change is published or discarded. The lock icon shows which objects are being edited by other administrators and prevents conflicts or overwrites.References: [Concurrent Administration], [SmartConsole Overview]

Clish is the default shell for the command line interface. It is a user-friendly shell that provides a menu-based and a command-line mode. Admin, Normal, and Expert are not valid shell names1.

Application information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option4. The “Extended Log” option provides additional information about the application, such as name, category, risk, and technology4. References: LOGGINGAND MONITORING R80

The answer is D because in R80 and above, the first administrator to connect to the Management Server using SmartConsole gets a lock on only the objects being modified in his session of the Management Database. Other administrators can connect to make changes using different sessions, but they cannot modify the same objects as the first administrator until he publishes his changes. This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously12 References: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

 Central License is the preferred and recommended method of licensing because it ties to the IP address of the management server and is not dependent on the IP of any gateway in the event it changes. Central License allows administrators to manage licenses for all Security Gateways from one central location. If the IP address of a gateway changes, the license remains valid as long as it is connected to the same management server. Central Licensing is supported with Gaia and is not the only option when deploying Gaia. Central Licensing does not tie to the IP address of a gateway and can not be changed to any gateway if needed.

References: 1: Rugged Appliances 2: SmartUpdate 3: Check Point Software Deployment Options : [Anti-Virus] : [Check Point Software Blades] : [Central License]

 A SAM (Suspicious Activity Monitoring) rule is implemented to provide the function or benefit of blocking suspicious activity. A SAM rule is a rule that defines an action to be taken by the firewall when it detects a suspicious activity, such as an attack, a scan, or a policy violation. The action can be blocking, dropping, rejecting, or logging the traffic that triggered the suspicious activity. A SAM rule can be created manually or automatically by other security features, such as IPS, Anti-Bot, or SmartEvent.References: [SAM Rules], [Suspicious Activity Rules]

Identity Sharing is a feature that allows Security Gateways to acquire and share identities with other Security Gateways, enabling identity-based access control across different network segments or domains13. Management servers, users, and administrators do not share identities with Security Gateways.

References: Identity Awareness R81.10 Administration Guide, Check Point R81.10

The administrator can edit a list of trusted SmartConsole clients in three ways: in cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server, and in SmartConsole: Manage and Settings > Permissions and Administrators > Advanced > Trusted Clients

This answer is correct because these are the software components that are used by the pre-defined Autonomous Threat Prevention Profiles in R81.20 and higher1. These profiles provide zero-maintenance protection from zero-day threats and continuously and autonomously ensure that your protection is up-to-date with the latest cyber threats and prevention technologies2.

The other answers are not correct because they either include software components that are not part of the Autonomous Threat Prevention Profiles, such as Sandbox, ThreatCloud, Zero Phishing, Sanitization, C&C Protection, JPS, File and URL Reputation, or they omit some of the software components that are part of the Autonomous Threat Prevention Profiles, such as Anti-Bot, Anti-Virus, and Macro Extraction.

Autonomous Threat Prevention Management - Check Point Software

Check Point Quantum R81.20 (Titan) Release

Threat Prevention R81.20 Best Practices - Check Point Software

Check Point R81

If a network administrator has identified a malicious host on the network and instructed you to block it, but you cannot make any firewall policy changes at this time, you can use Suspicious Activity Monitoring (SAM) rules to block this traffic. SAM rules are temporary rules that allow you to block or limit traffic from specific sources or destinations without modifying the security policy. SAM rules are created and managed by SmartView Monitor and are enforced by the security gateway for a specified duration. Anti-Bot protection, Anti-Malware protection, and Policy-based routing are not tools that can be used to block traffic without changing the firewall policy. References: [Check Point R81 SmartView Monitor Administration Guide]

By default, the SIC certificates issued by R80 Management Server are based on the SHA-256 algorithm1. SHA-256 is a secure hash algorithm that produces a 256-bit digest. SHA-200, MD5, and SHA-128 are not valid algorithms for SIC certificates. References: SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)

An explicit rule is created by an administrator and configured to allow or block traffic based on specified criteria. Explicit rules are displayed in the Rule Base and can be modified by the administrator. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 12.

The options to calculate the traffic direction are Incoming, Internal, and External3. Outgoing is not an option. Incoming traffic is traffic that enters the Security Gateway from an external network. Internal traffic is traffic that originates and terminates in networks that are directly connected to the Security Gateway. External traffic is traffic that originates or terminates in networks that are not directly connected to the Security Gateway. References: Check Point R81 Security Management Administration Guide

The best sync method in the ClusterXL deployment is to use one dedicated sync interface56. This method provides optimal performance and reliability for synchronization traffic. Using multiple sync interfaces is not recommended as it increases CPU load and does not provide 100% sync redundancy5. Using multiple clusters is not a sync method, but a cluster topology. References: Sync Redundancy in ClusterXL, Best Practice for HA sync interface

Check Point Security Management supports two types of Policy Layers:

Ordered Layers – Enforced in sequential order, where each rule is evaluated before moving to the next layer.

Inline Layers – A sub-layer within a rule that adds additional inspection without affecting other rules.

Option A (incorrect): "Inbound Layers and Outbound Layers" is not a Check Point terminology.

Option C (incorrect): "Structured Layers and Overlap Layers" do not exist in Check Point policy management.

Option D (incorrect): Check Point R81.X fully supports Policy Layers.

Thus, the correct answer is B. Ordered Layers and Inline Layers.

 The command cplic print displays the installed licenses and their expiration dates on the CLI1. References: Check Point CLI Reference Card

The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”. cap”number of captures”2. References: Free Check Point CCSA Sample Questions and Study Guide

Security Zones are a feature of Application Control and Identity Awareness that allow you to define groups of network objects based on their level of trust. Security Zones do not work with Manual NAT rules, because Manual NAT rules are applied before the Application Control and Identity Awareness policy is enforced1. References: Check Point R81 Security Management Administration Guide

The two Check Point Protocols that are used by are FWD and LEA567. FWD is the Firewall Daemon that handles communication between different Check Point components, such as Security Management Server, Security Gateway, SmartConsole, etc. LEA is the Log Export API that allows external applications to retrieve logs from the Security Gateway or Security Management Server. Therefore, the correct answer is B. FWD and LEA. References: Border Gateway Protocol - Check Point Software, Check Point IPS Datasheet, List of valid protocols for services? - Check Point CheckMates

 Check Point licenses are divided into two types: central and local. Central licenses are managed by a Security Management Server and can be attached to any Security Gateway managed by that server. Local licenses are tied to the IP address of a specific Security Gateway and cannot be transferred to a gateway that has a different IP address. Formal and corporate are not types of Check Point licenses. References: [Check Point R81 Licensing and Contract Administration Guide]

SmartConsole is a unified graphical user interface that allows administrators to manage multiple Check Point security products from a single console. More than one administrator can log into the Security Management Server with SmartConsole with write permission at the same time. Every administrator works in a session that is independent of the other administrators. The changes made by one administrator are not visible to others until they are published2. References: Check Point R81 SmartConsole R81 User Guide

 Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication. Captive Portal is a web page that prompts users to enter their credentials. Transparent Kerberos Authentication is a method that automatically authenticates users who have a valid Kerberos ticket from the Active Directory domain controller2. UserCheck is a feature that allows users to interact with the security policy, not a method of authentication. User Directory is a component that integrates with external user databases, not a web page for authentication. Captive Portal alone is not enough to fill in the blank, as it is only one of the methods used by Browser-based Authentication.

The reason why querying logs now are very fast is that Indexing Engine indexes logs for faster search results. Indexing Engine is a component of R81 Management that creates and maintains an index of log data, which enables quick and efficient log searches4. The other options are not related to the speed of log querying. The amount of logs being stored may vary depending on the log retention settings. New Smart-1 appliances may have improved hardware specifications, but they do not affect the log querying process directly. SmartConsole queries results from the Security Management Server, not from the Security Gateway.

References: 1: HTTPS Inspection 2: Browser-Based Authentication 3: URL Filtering 4: Indexing Engine

Detailed Log is not a valid tracking log option in R80.x3. The tracking log options in R80.x are Log, Full Log, and Extended Log45. References: Where is ‘full log’ option in track column, LOGGINGAND MONITORING R80, Logging and Monitoring Administration Guide R80.20

This log filter will show only the logs that have the action of “Key Install”, which means that the Security Gateway installed a new encryption key for the VPN tunnel1. It will also show only the logs that have the IP address of 1.1.1.1, which is the remote gateway that has some issues. Finally, it will show only the logs that have the Quick Mode, which is the IKE Phase 2 negotiation that establishes the agreed networks for both gateways2.

The other log filters are not correct because they either include the Main Mode, which is the IKE Phase 1 negotiation that establishes the secure channel between the gateways2, or they do not specify the IP address of the remote gateway.

Logging and Monitoring R81.20 Administration Guide

Remote Access VPN R81.20 Administration Guide

Remote Access VPN R81 Administration Guide

SmartView Monitor is the tool that allows you to monitor the top bandwidth on SmartConsole. SmartView Monitor is a graphical tool that displays real-time network and security performance data, such as traffic, throughput, connections, CPU usage, memory usage, etc. You can use SmartView Monitor to identify the top bandwidth consumers and optimize your network performance.References: [SmartView Monitor], [Monitoring Network Traffic]

The types of Software Containers are Security Management, Security Gateway, and Endpoint Security. Software Containers are virtual environments that run on top of Gaia OS and allow multiple instances of Check Point products to coexist on the same physical machine. The other options are not valid types of Software Containers.

The Hit count feature will work independently from logging and track the hits even if the Track option is set to “None”1, p. 23. When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways and displays the number of connections that each rule matches in SmartConsole3. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Security Management Administration Guide R81

With URL Filtering, only the host portion of the URL is sent to the Check Point Online Web Service for analysis. The host portion is the part of the URL that identifies the web server, such as www.example.com.  The Check Point Online Web Service uses this information to categorize the URL and return the appropriate action to the Security Gateway3. The other options are not sent to the Check Point Online Web Service for analysis, as they may contain sensitive or irrelevant data.

The tracking actions that can be selected when configuring Spoof Tracking are Log, alert, none. Spoof Tracking is a feature that detects packets with spoofed source IP addresses and logs them in SmartView Tracker. The administrator can choose to log only, log and alert, or do nothing when spoofed packets are detected. The other options are not valid tracking actions for Spoof Tracking, as they are either not available or not relevant for this feature.

References: [Spoof Tracking], [Firewall Administration Guide]

The policy type that is used to enforce bandwidth and traffic control rules is QoS. QoS stands for Quality of Service and is a software blade that allows administrators to prioritize network traffic according to various criteria such as source, destination, service, application, user, etc. QoS can also limit the bandwidth consumption of certain traffic types or guarantee a minimum bandwidth for critical applications. References: [Check Point R81 QoS Administration Guide]

 Identity Awareness is a software blade that lets an administrator easily configure network access and auditing based on three items: network location, the identity of a user, and the identity of a machine. These items are used to identify and authenticate users and machines, and to enforce identity-based policies. Network location refers to the IP address or subnet of the source or destination of the traffic. The identity of a user can be obtained from various sources, such as Active Directory, LDAP, or Captive Portal. The identity of a machine can be verified by using Secure Domain Logon or Identity Agent. 

SmartView is the web application for real-time event monitoring in SmartEvent R80 and above. It provides a unified view of security events across the network and allows for quick investigation and response34. References: SmartEvent R80.40 Administration Guide, SmartView

A Distinguished Name (DN) is a unique identifier for an entry in an LDAP directory. A DN consists of a sequence of relative distinguished names (RDNs) separated by commas. Each RDN is composed of an attribute type and an attribute value, such as cn=John Smith or ou=Sales. A DN can have different components depending on the structure and schema of the LDAP directory, but some common components are: Common Name (cn), Country ©, Organizational Unit (ou), Organization (o), State or Province (st), and Locality (l). User container is not a component of a DN3. References: Check Point R81 Identity Awareness Administration Guide

The following is considered a “Subscription Blade”, requiring renewal every 1-3 years: IPS blade4. The IPS blade is a software blade that provides protection against network attacks and exploits by inspecting traffic and blocking malicious packets. The IPS blade requires a subscription license that includes updates for the IPS signatures and Geo Protection database. Other subscription blades include Anti-Bot, Anti-Virus, URL Filtering, Application Control, Threat Emulation, and Threat Extraction. References: Check Point Licensing and Contract Operations User Guide

The Object Explorer is the part of SmartConsole that allows administrators to add, edit, delete, and clone objects. Objects are entities that represent network elements, such as hosts, networks, gateways, services, users, etc. The Object Explorer provides a tree view of all the objects in the database and allows searching, filtering, and grouping them2. References: Check Point R81 SmartConsole R81 User Guide

A central license is automatically attached to a Security Gateway when it is installed. A local license requires an administrator to designate a gateway for attachment1, p. 8. References: Check Point CCSA - R81: Practice Test & Explanation

 SecureID is the authentication method that requires token authenticator2. SecureID is a two-factor authentication method that uses a hardware or software token to generate a one-time password. The user must enter the token code along with their username and password to authenticate. References: Check Point R81 Identity Awareness Administration Guide

Stateful Inspection is a firewall technology that inspects both the header and the payload of each packet and keeps track of the state and context of each connection. Packet Filtering is a firewall technology that inspects only the header of each packet and does not keep track of the state or context of each connection. A benefit that Stateful Inspection offers over Packet Filtering is that only one rule is required for each connection, whereas Packet Filtering requires two rules for each connection (one for each direction). Stateful Inspection also offers other benefits over Packet Filtering, such as enhanced security, performance, and flexibility. Stateful Inspection does not offer unlimited connections because of virtual memory usage, nor does it avoid using memory to record the protocol used by the connection.References: [Stateful Inspection], [Packet Filtering], [Firewall Technologies]

The BEST object type to represent an LDAP group in a Security Policy is an Access Role. An Access Role object defines a set of users, machines, or networks that can access a resource or service1, p. 27. An Access Role object can include LDAP groups as one of its components2, p. 10. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Identity Awareness Administration Guide R81

The actions available in the “Actions” column of a rule in HTTPS Inspection policy are “Inspect” and “Bypass”. “Inspect” means that the HTTPS traffic will be decrypted and inspected according to the Access Control policy. “Bypass” means that the HTTPS traffic will not be decrypted and will be allowed without inspection1. The other options are not valid actions for HTTPS Inspection policy.

The Next Generation Threat Emulation software blade package uses CPU-level and OS-level sandboxing in order to detect and block malware1, p. 41. It emulates files in a virtual environment and inspects their behavior for malicious activity3. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Threat Emulation Administration Guide R81

 Authentication rules are defined for user groups rather than individual users1. To define authentication rules, you must first define users and groups. You can define users with the Check Point user database, or with an external server, such as LDAP1. UserCheck is a feature that enables user interaction with security events2. Individual users and all users in the database are not valid options for defining authentication rules. References: How to Configure Client Authentication, UserCheck

Check Point Gaia can be configured using:

The Command Line Interface (CLI) – This includes Clish and Expert mode, accessible via SSH, console access, or direct login.

The GAiA Portal (WebUI) – A browser-based graphical user interface used to manage Gaia settings.

Option A (incorrect): The CLI is not limited to serial console access. SSH is widely used.

Option B (incorrect): "Gaia Ultimate Shell" is not an official term.

Option D (incorrect): "Web Ultimate Interface" is not a valid name.

Thus, the correct answer is C. Command line interface; GAiA Portal.

You can use the same layer in multiple policies or rulebases. A layer is a set of rules that can be shared, reused, or inherited by different policies. This allows you to create modular and flexible security policies that can be applied to different scenarios.References: [Layers], [Policy Layers and Sub-Policies]

 A Security Policy is created in SmartConsole, stored in the Security Management Server, and distributed to the various Security Gateways. SmartConsole is a graphical user interface that allows administrators to create and edit security policies. The Security Management Server is a central server that stores and manages the security policies. The Security Gateways are devices that enforce the security policies on the network traffic.

References: : Check Point R81 Security Gateway Administration Guide, page 9.

 The answer is A because Identity Awareness commands are used to support identity sharing between Security Gateways. Policy Decision Point (PDP) is the Security Gateway that collects identities from various sources and shares them with other gateways. Policy Enforcement Point (PEP) is the Security Gateway that enforces the policy based on the identities received from the PDP12 References: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Security Management Administration Guide

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given. DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1. DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES. 3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

What is DES encryption, and why was it replaced?

Data Encryption Standard - Wikipedia

What is 3DES encryption?

[What is AES encryption and how does it work?]

 SmartUpdate is the application that is used for the central management and deployment of licenses and packages. SmartUpdate allows administrators to manage licenses, software updates, and hotfixes for multiple Security Gateways and cluster members from one central location2. SmartProvisioning is an application that enables centralized management of network devices. SmartLicense is a feature that simplifies license management by using a cloud-based portal. Deployment Agent is a component that enables automatic deployment of software packages3.

Identity Awareness uses several methods for acquiring identity, such as Active Directory Query, Identity Agent, Browser-Based Authentication, Terminal Servers, Captive Portal, and RADIUS12. Cloud IdP (Identity Provider) is not a method used by Identity Awareness12. Therefore, the correct answer is B. Cloud IdP (Identity Provider).

 The type of Check Point license that ties the package license to the IP address of the Security Management Server is Central license. A Central license is a license that is installed on the Security Management Server and applies to all the Security Gateways that are managed by it. The Central license is based on the IP address of the Security Management Server and cannot be transferred to another Security Management Server with a different IP address.References: [Check Point R81 Licensing Guide], [Managing and Installing license via SmartUpdate]

When using Automatic Hide NAT, Source Port Address Translation (PAT) is enabled by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

To achieve the requirement of giving the Network Operations Center administrator access to Check Point Security devices mostly for troubleshooting purposes, but not to the expert mode, and still allowing her to run tcpdump, you need to:

Add tcpdump to CLISH using add command. This command adds a new command to the Command Line Interface Shell (CLISH) that allows running tcpdump without entering the expert mode .

Create a new access role. This option defines a set of permissions and commands that can be assigned to a user or a group of users.

Add tcpdump to the role. This option grants the permission to run tcpdump to the role.

Create new user with any UID and assign role to the user. This option creates a new user account with any User ID (UID) and assigns the role that has tcpdump permission to the user.

References: [How to add a new command to CLISH], [Check Point R81 Gaia Administration Guide], [Check Point R81 Identity Awareness Administration Guide]

Check Point provides an Automatic Licensing and Verification tool that ensures licenses are properly validated. This tool:

Automatically checks current licenses against Check Point's online license repository.

Activates newly added licenses.

Ensures compliance with active contracts.

Option B (incorrect): "Verification licensing" is not an official Check Point feature.

Option C (incorrect): "Verification tool" is too generic and does not refer to Check Point’s licensing system.

Option D (incorrect): "Automatic licensing" does not fully describe the verification and activation process.

Thus, the correct answer is A. Automatic Licensing and Verification tool.

Plug-and-play (Trial) and Evaluation licenses are considered temporary because they expire after a certain period of time3. Plug-and-play licenses are valid for 15 days, while Evaluation licenses are valid for 30 days. References: Check Point Licensing and Contract Operations User Guide

 The padlock sign next to the DNS rule in the Rule Base indicates that another administrator is logged into the Management and currently editing the DNS Rule1. This is a feature of R80 that allows multiple administrators to work on the same policy simultaneously. The padlock sign prevents other administrators from modifying the same rule until the editing administrator publishes or discards the changes2. The other options are not valid explanations for the padlock sign. References: 156-215.80 : Check Point Certified Security Administrator (CCSA R80) : Part 19, Multi-User Policy Editing

The snapshot option would allow you to make a backup copy of the OS and Check Point configuration, without stopping Check Point processes. A snapshot is a full system backup, including network interfaces, routing tables, and Check Point products and configuration. The other options require stopping Check Point processes or do not backup the OS.

References: Check Point Security Management Administration Guide R81, p. 15-16

This answer is correct because the vpn tu command is used for VPN tunnel management and shows detailed information about VPN tunnels, such as the tunnel ID, peer IP, encryption domain, and status1. This command will bring up a menu for you to choose from, such as list all IPsec SAs, delete all IPsec SAs, or delete IPsec SA for given peer1.

The other answers are not correct because they either show different information or do not exist as commands. The cat $FWDlR/conf/vpn.conf command shows the VPN configuration file, which contains the VPN domains, communities, and encryption settings2. The vpn tu tlist command does not exist, but it might be confused with the vpn tunnelutil tlist command, which shows the tunnel utilization statistics3. The cpview command shows the Check Point real-time performance monitoring tool, which displays various system and network parameters, such as CPU, memory, disk, interfaces, and VPN4.

How to use the “vpn tu” command for VPN tunnel management

New VPN daemons in R81.10 / R81.20 - Check Point CheckMates

Remote Access VPN R81.20 Administration Guide - Check Point Software

Remote Access VPN R81 Administration Guide - Check Point Software

Check Point licenses come in two forms: central and local. Central licenses are attached to the Security Management Server and are distributed to managed Security Gateways. Local licenses are attached directly to a specific Security Gateway.

 src:192.168.1.1 AND dst:172.26.1.1 AND action:Drop is the correct log query to show only dropped packets with source address of 192.168.1.1 and destination address of 172.26.1.1. The AND operator means that all conditions must be true for the query to match. The OR operator means that any condition can be true for the query to match3. The other queries will either show packets that are not dropped or packets that have different source or destination addresses.

The BEST way to tune the profile in order to lower the CPU load still maintaining security at good level is to set the Performance Impact to Medium or lower. This will reduce the number of packets that are inspected by the Threat Prevention blades, while still providing a high level of protection . Setting High Confidence to Low and Low Confidence to Inactive will lower the security level, as it will allow more traffic that may be malicious. The problem is likely with the Threat Prevention Profile, as it can have a significant impact on the CPU utilization of the Security Gateway. Adding more memory to the appliance will not solve the problem, as memory is not the bottleneck in this case. Setting the Performance Impact to Very Low Confidence to Prevent will increase the CPU load, as it will inspect more packets and block more traffic that may be false positives.

References: Threat Prevention Administration Guide, Check Point R81.10

According to the Hewlett Packard Enterprise Support Center3, the snapshot command uses the command line to create an image of the OS. A snapshot is a point-in-time copy of a disk partition that can be used to restore the system in case of a failure or corruption. References: Hewlett Packard Enterprise Support Center

When enabling tracking on a rule, the default option is Log. This option generates a log entry for each connection that matches the rule. The log entry contains information such as the source, destination, service, action, and time of the connection.References: [Logging and Monitoring R81], [Logging and Monitoring]

With the User Directory Software Blade, you can create user definitions on a(n) LDAP Server2. LDAP stands for Lightweight Directory Access Protocol and is a protocol for accessing and managing user information stored in a directory service. The User Directory Software Blade enables integration with LDAP servers such as Microsoft Active Directory, Novell eDirectory, and OpenLDAP. References: Check Point R81 Identity Awareness Administration Guide

Endpoint Identity Agent and Browser-Based Authentication are the identity sources that provide the highest level of security for sensitive servers, as they require user authentication and can enforce granular access rules based on user identity. AD Query, Terminal Servers Endpoint Identity Agent, and RADIUS and Account Logon are less secure, as they rely on passive methods of identity acquisition or do not support identity-based access control12.

References: Identity Awareness R81.10 Administration Guide, Identity Awareness AD Query

In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway using the CPLIC command1. This command allows you to install a license from a file or from the User Center1. Therefore, the correct answer is D. True, Central License can be installed with CPLIC command on a Security Gateway. 

The Security Management Server does not display policies and logs on the administrator’s workstation. That is the function of the SmartConsole, which is a separate component that connects to the Security Management Server. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 4.

The default layers that are included when creating a new policy layer are Access Control, Threat Prevention, and HTTPS Inspection. Access Control is the layer that defines the basic firewall rules. Threat Prevention is the layer that enables the protection against various types of attacks, such as IPS, Anti-Virus, Anti-Bot, etc. HTTPS Inspection is the layer that allows the inspection of encrypted traffic1. The other options are not the default layers that are included when creating a new policy layer.

 The product that correlates logs and detects security threats, providing a centralized display of potential attack patterns from all network devices is SmartEvent. SmartEvent is a software blade that analyzes logs from various sources such as Security Gateways, Endpoint Security Servers, Identity Awareness Servers, etc. and generates security events based on predefined or custom rules. SmartEvent provides a graphical interface for viewing and managing security events in real-time or historical mode. References: [Check Point R81 SmartEvent Administration Guide]

The statement that a Sectional Title can be used to disable multiple rules by disabling only the sectional title is false. A Sectional Title is a visual divider that helps organize and navigate large rule bases. It does not affect the rule enforcement order or the rule functionality. Disabling a Sectional Title does not disable the rules under it. To disable multiple rules, you need to select them individually or use Shift+Click or Ctrl+Click to select them in bulk, and then right-click and choose Disable Rule(s). The other statements are true. Section titles are not sent to the gateway side, they are only displayed in SmartConsole. These sections are simple visual divisions of the Rule Base and do not hinder the order of rule enforcement. Sectional Titles do not need to be created in SmartConsole, they can also be created using SmartConsole CLI or API commands.References: [Sectional Titles], [SmartConsole CLI Guide], [SmartConsole API Reference Guide]

In a Distributed deployment, the Security Gateway and the Security Management software are installed on different computers or appliances2. This allows for better scalability and performance. References: Check Point Security Management Administration Guide R81

The option that is used to enforce changes made to a Rule Base is Install policy. Installing policy is the process of sending the security policy and the network objects from the Security Management Server to the Security Gateway1, p. 22. Publishing database and saving changes are options that are used to save changes made to a Rule Base, but they do not enforce them on the Security Gateway2. Activating policy is not a valid option in SmartConsole. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point SmartConsole R81 Help

 Identity Awareness is a blade that enables administrators to define access rules based on the identity of users and machines, rather than just IP addresses. Identity Awareness allows easy configuration for network access and auditing based on three items: network location, the identity of a user, and the identity of a machine. Network location refers to the source or destination network segment of the traffic. The identity of a user refers to the username or group membership of the user who initiates or receives the traffic. The identity of a machine refers to the hostname or certificate of the machine that initiates or receives the traffic. References: [Check Point R81 Identity Awareness Administration Guide]

The VPN Domains configuration element determines which traffic should be encrypted into a VPN tunnel vs. sent in the clear. The VPN Domain is the set of hosts and networks that are allowed to communicate securely with the gateway12. The firewall topologies, NAT rules, and the rule base do not directly affect the VPN encryption decision. References: Check Point R81 Security Gateway Technical Administration Guide, CCSA/CCSE Exam Tips & Content - R80.X vs. R81.X - Check Point CheckMates

The answer is B because Geo policy shared policy is used to create policy for traffic to or from a particular location based on the source or destination country. DLP shared policy is used to prevent data loss by inspecting files and data for sensitive information. Mobile Access software blade is used to provide secure remote access to corporate resources from various devices. HTTPS inspection is used to inspect encrypted web traffic for threats and compliance4References: Check Point R81 Geo Policy Administration Guide, [Check Point R81 Data Loss Prevention Administration Guide], [Check Point R81 Mobile Access Administration Guide], [Check Point R81 HTTPS Inspection Administration Guide]

SecurID is a Check Point supported authentication scheme that typically requires a user to possess a token. A token is a physical device that generates a one-time password that changes periodically. The user must enter the password along with their username to authenticate. References: Remote Access VPN R81.20 Administration Guide, page 30.

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References: Check Point Security Management Administration Guide R81, p. 9

The correct syntax for adding a host using GAiA management CLI is mgmt add host name ip-address 2. References: Check Point GAiA R81 Command Line Interface Reference Guide

 The correct answer is A because a pencil icon in a rule means that you have changed this rule3. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when3. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

Central licensing is the preferred licensing model because it ties the package license to the IP-address of the Security Management Server and has no dependency on the gateway. This allows for easier management and distribution of licenses across multiple gateways1.

References: 1: Check Point R81 Security Management Administration Guide, page 14.

The statement that is TRUE of anti-spoofing is that it is BEST Practice to have anti-spoofing groups in sync with the routing table. Anti-spoofing prevents attackers from sending packets with a false source IP address. Anti-spoofing groups define which IP addresses are expected on each interface of the Security Gateway. If the routing table changes, the anti-spoofing groups should be updated accordingly34. References: Check Point R81 ClusterXL Administration Guide, Network Defined by Routes: Anti-Spoofing