156-315.81 Check Point Certified Security Expert R81 Questions and Answers

The essential means by which state synchronization works to provide failover in the event an active member goes down, ccp is used specifically for clustered environments to allow gateways to report their own state and learn about the states of other members in the cluster. Ccp stands for Cluster Control Protocol, and it is a proprietary protocol that runs on UDP port 8116. Ccp is responsible for exchanging state information, health checks, load balancing decisions, and synchronization network configuration between cluster members. The other options are either commands or daemons that are related to cluster operations, but not the protocol itself. 

 The CLI command that compiles and installs a Security Policy on the target’s Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

[Expert@SMS]# fwm load Standard_Policy fw1

This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

CPM stands for Check Point Management, which is a process that runs on the Security Management server and controls the management operations, such as policy installation, object creation, configuration backup, etc. CPM also controls other processes that are related to the management functions, such as:

• web_services: This process is responsible for providing web services for the communication between SmartConsole and the Security Management server. It handles requests from SmartConsole clients and forwards them to CPM or other processes.
• dle_server: This process is responsible for managing the log files and indexes. It handles queries from SmartLog and SmartEvent and provides log data to CPM or other processes.
• object_Store: This process is responsible for storing and retrieving objects from the database. It handles requests from CPM or other processes and provides object data.

Therefore, the correct answer is D.

The other options are incorrect because:

• A. Object-Store, Database changes, CPM Process and web-services: This option includes some processes that are controlled by CPM, such as Object-Store, CPM Process, and web-services, but it also includes Database changes, which is not a process but an action performed by CPM or other processes.
• B. web-services, CPMI process, DLEserver, CPM process: This option includes some processes that are controlled by CPM, such as web-services, DLEserver, and CPM process, but it also includes CPMI process, which is not a process but a protocol used by CPM or other processes to communicate with each other.
• C. DLEServer, Object-Store, CP Process and database changes: This option includes some processes that are controlled by CPM, such as DLEServer and Object-Store, but it also includes CP Process and database changes, which are not processes but a generic term for any Check Point process and an action performed by CPM or other processes respectively.

References: Check Point Processes and Daemons, Check Point Processes Cheat Sheet, Check Point Firewall Security Solution

Management HA is a feature that allows the Security Management server to have one or more backup Standby Security Management servers that are ready to take over in case of failure1. The Active Security Management server is the one that handles all the management operations, such as policy installation, object creation, configuration backup, etc. The Standby Security Management servers are synchronized with the Active Security Management server and store the same data, such as databases, certificates, CRLs, etc. The Standby Security Management servers can also perform some operations, such as fetching a Security Policy or retrieving a CRL1.

To make changes to the system, such as editing objects or policies, the administrator needs to connect to the Active Security Management server. This is because the Active Security Management server is the only one that can modify the data and synchronize it with the Standby Security Management servers. The administrator can use SmartConsole to connect to the Active Security Management server by entering its IP address or hostname1. The administrator can also use SmartDashboard to connect to the Active Security Management server by selecting Policy > Management High Availability. This shows information about the Security Management server that includes its peers - displayed with the name, status and type of Security Management server1.

The other options are incorrect because:

• A. secondary Smartcenter: This is a synonym for a Standby Security Management server, which cannot be used to make changes to the system.
• C. connect virtual IP of Smartcenter HA: This is not a valid option because there is no virtual IP for Smartcenter HA. Each Security Management server has its own IP address and hostname.
• D. primary Smartcenter: This is a synonym for the Active Security Management server, but it is not the correct term to use. The term primary implies that there is only one Active Security Management server, which is not true. The administrator can put the Active Security Management server on standby and promote a Standby Security Management server to active at any time1.

References: How to Configure Management HA

The blades of Threat Prevention in Check Point include:

Intrusion Prevention System (IPS)

AntiVirus

AntiBot

SandBlast Threat Emulation/Extraction

So, the correct answer is D, which includes all the mentioned blades.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 Security Checkup Summary can be easily conducted within Views. Views is a feature in SmartConsole that allows you to create customized dashboards and reports based on various security data sources, such as logs, events, audit trails, and more. You can use Views to perform a Security Checkup Summary, which is a comprehensive analysis of your network security posture and potential risks. You can use predefined templates or create your own views to generate the summary. References: Check Point Security Expert R81 Course, Views Administration Guide

The command cpinfo -y all can be used to have cpinfo display all installed hotfixes. Cpinfo is a tool that collects diagnostic data from a Check Point gateway or management server. The data includes configuration files, logs, status reports, and more. The -y parameter is used to specify which sections of data to include in the cpinfo output. The value all means to include all sections, including the hotfixes section, which shows the list of hotfixes installed on the system. References: Check Point Security Expert R81 Course, cpinfo Utility

In SmartDashboard, Threat Prevention profiles can be assigned to one or more rules. This means that you can have multiple profiles assigned to a single gateway, and each of these profiles can be associated with one or more rules. This allows for granular control over threat prevention settings for different rules or scenarios.

References: Check Point Certified Security Expert R81 documentation and learning resources.

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

• A. CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.
• B. CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.
• D. CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

References: ClusterXL R81.10 Administration Guide, ClusterXL Administration Guide R80.40, sk25977 - Ports used by Check Point software

 To add the company logo to reports, you would save the logo as a PNG file with the name ‘cover-company-logo.png’ and then copy that image file to the $RTDIR/smartview/conf directory on the SmartEvent server. The $RTDIR is an environment variable that points to the runtime directory of the SmartEvent server, which is usually /opt/CPrt-R81. The smartview/conf directory contains the configuration files for SmartView, which is a web-based interface for viewing reports and dashboards generated by SmartEvent. References: SmartEvent Administration Guide, SK120193 - How to add a company logo to SmartView reports

At least 20GB is the recommended size of the root partition when installing a dedicated R81 SmartEvent server. The root partition is the primary partition that contains the operating system files and other essential files for booting and running the system. The SmartEvent server requires at least 20GB of free space on the root partition to install and operate properly. If the root partition size is less than 20GB, you may encounter errors or performance issues with SmartEvent. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

Hybrid Emulation Mode is a mode of operation that allows load sharing of emulation between an on premise appliance and the cloud. Emulation is a process that analyzes files for malicious behavior by running them in a virtual sandbox. Hybrid Emulation Mode enables you to optimize the performance and scalability of your Threat Emulation solution by distributing the emulation workload between your local SandBlast appliance and the Check Point cloud service. References: Check Point Security Expert R81 Course, Threat Emulation Administration Guide

The command cpinfo –y all displays information about all the hotfixes that are installed on the gateway1. This command also shows the hotfix ID, description, installation date, and status for each hotfix2. The other commands are not valid options for this task. The command cpinfo –h all shows the hardware information of the gateway3. The commands cpinfo –o hotfix and cpinfo –l hotfix do not exist and will return an error message.

References: Hotfix installer - Configuration Manager, How to keep your Security Gateways up to date, Solved: Does it always need to have the higher hotfix vers…

 The main stages of a policy installation are Verification & Compilation, Transfer and Commit. Verification & Compilation is the stage where the Security Management Server checks the validity and consistency of the policy and compiles it into a binary format. Transfer is the stage where the compiled policy is sent to the Security Gateways over a secure channel. Commit is the stage where the Security Gateways activate the new policy and update their connections table accordingly. References: Check Point Security Expert R81 Course, Policy Installation Process

Nothing needs to be done to get SIC to work if there is a Geo-Protection policy blocking Australia and a network requires a Check Point Firewall to be installed in Sydney, Australia. SIC stands for Secure Internal Communication, and it is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). SIC is not affected by Geo-Protection policy, which is a feature that allows administrators to block or allow traffic based on the geographic location of the source or destination IP address. Geo-Protection policy only applies to data traffic, not control traffic, and SIC uses control traffic to establish trust between Check Point components. 

According to the Check Point Resource Library, the minimum amount of RAM needed for a Threat Prevention Appliance is 4 GB. This applies to both physical and virtual appliances. The other options are either incorrect or irrelevant. References: Check Point Resource Library

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

Check Point security components are divided into the following components: GUI Client, Security Management, Security Gateway. GUI Client is the graphical user interface that allows administrators to configure, manage, and monitor Check Point products and security policies. Security Management is the server that stores and enforces the security policies and provides logging and reporting functions. Security Gateway is the device that inspects and filters network traffic according to the security policies. 

The default port used by the AMON server when using CPSTAT is 18192. CPSTAT is a command-line tool that allows administrators to monitor various statistics and status information about Check Point products and components, such as CPU usage, memory usage, policy installation, cluster state, etc. CPSTAT uses AMON (Advanced Monitoring) protocol to communicate with AMON server, which is a daemon that runs on Security Gateways or Management Servers and collects and provides AMON data. By default, AMON server listens on TCP port 18192 for incoming CPSTAT requests.

 Application Control is the software blade that provides Application Security and identity control. It allows administrators to define granular policies based on users or groups to identify, block or limit the usage of web applications and widgets. Application Control also integrates with Identity Awareness to provide user-level visibility and control. References: Training & Certification | Check Point Software, Check Point Resource Library

When John detects a high load on the sync interface, the recommended solution is to implement a delay in the sync process for short-lived connections like HTTP. Here's an explanation of each option:

A. Delaying the sync for 2 seconds for short connections like HTTP services is a common practice to reduce the load on the sync interface. This allows the interface to handle the incoming connections more effectively.

B. Adding a second interface to handle sync traffic might be a viable solution, but it can be more complex and costly compared to implementing a delay for short connections.

C. Not syncing short connections like HTTP services is not a recommended approach because it may lead to synchronization issues and potential data inconsistencies between cluster members.

D. Delaying the sync for ICMP (ping) services is not a common practice and may not effectively address the high load issue on the sync interface.

Therefore, option A is the most recommended solution as it addresses the issue by introducing a delay for short-lived connections, optimizing the sync process without causing synchronization problems.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 UserCheck is a communication tool used to inform a user about a website or application they are trying to access. UserCheck allows administrators to interact with users in real time, informing them of the security policy and the actions they need to take. UserCheck can also enable users to self-remediate incidents or request exceptions from the administrator. References: Training & Certification | Check Point Software, Check Point Resource Library

The cpprod_util command is a utility that provides information about the installed Check Point products and their versions. The cpprod_util MgmtIsPrimary option checks if the Security Management Server is installed as a primary or a secondary server in a High Availability cluster2. If the server is primary, the command returns “yes”. If the server is secondary, the command returns “no”. Therefore, Bob can use this command to verify the provisioning of the secondary Security Management Server.

References: 2: cpprod_util

The cloud-based SandBlast Mobile application that is used to register new devices and users is Check Point Gateway. Check Point Gateway is a web portal that allows administrators to enroll devices and users into the SandBlast Mobile service, which is a cloud-based solution that protects mobile devices from advanced threats. Check Point Gateway also allows administrators to configure policies, monitor device status, and generate reports for SandBlast Mobile. 

The error “no proposal chosen” indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error “no proposal chosen” 1.

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

• The same pre-shared secret or certificate
• The same encryption algorithm (e.g., AES-256)
• The same hash algorithm (e.g., SHA-256)
• The same Diffie-Hellman group (e.g., Group 14)
• The same lifetime (e.g., 86400 seconds)

One can use the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer. Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings 2.

References: 1: Troubleshooting the “no proposal chosen” error - Check Point Software 2: Support, Support Requests, Training … - Check Point Software

 According to the Check Point R81 release notes, you can access the ThreatCloud Repository from R81.10 SmartConsole and Threat Prevention. The ThreatCloud Repository is a cloud-based service that provides real-time threat intelligence and updates to Check Point products. The other options are either outdated or nonexistent. References: Check Point R81

According to the Check Point website, Capsule Connect and Capsule Workspace both offer secured connection for remote users who are using their mobile devices. However, there are differences between the two. For credential protection, Connect uses One-time Password login support and has no SSO support, whereas Workspace offers both One-Time Password and certain SSO login support. The other statements are either false or partially true. References: Capsule Connect and Capsule Workspace

 You can use the cphaprob -a if command to check the status of the virtual cluster interface1. This command displays the state, virtual IP address, and physical IP address of each cluster interface2. It also shows the load balancing method, the load on each interface, and the active member for each interface2. This command can help you verify that Alice configured the virtual cluster interface correctly and that it is working properly. To run this command, you need to access the cluster member in Clish and run cphaprob -a if1.

References: How to configure ClusterXL in Load Sharing Unicast mode - Check Point Software, cphaprob -a if - Check Point Software

 Aaron should check API Server status with “api status” from Expert mode. If services are stopped, he should start them with “api start”. This is the correct way to verify and start the API Server on a Security Management Server running Gaia R81.X. The other commands are either invalid or not related to the API Server. The api command is a wrapper script that simplifies the management of the API Server. It can be used to start, stop, restart, status, enable, or disable the API Server. References: [API Server]

 The base level encryption key used by Capsule Docs is RSA 2048. This means that Capsule Docs uses a 2048-bit RSA public key encryption algorithm to encrypt and decrypt documents. RSA is an asymmetric encryption algorithm that uses two keys: a public key that can be shared with anyone, and a private key that must be kept secret. AES, SHA-256, and RSA 1024 are not the base level encryption keys used by Capsule Docs. References: : Check Point Software, Getting Started, Capsule Docs Encryption.

 In the Check Point Security Management Architecture, both the Security Management Server and Security Gateway can store logs. The Security Management Server stores logs related to management activities, while the Security Gateway stores logs related to network traffic1. References: Check Point Resource Library, page 3.

 CPUSE (Check Point Upgrade Service Engine) is a tool that allows users to download, import, install, and uninstall software packages on Gaia OS. CPUSE has a web-based user interface that can be accessed through Gaia Portal. CPUSE offers four package options in the web GUI for different purposes4:

• Clean Install - This option performs a clean installation of a Major Version package, which erases all existing configuration and data on the system.
• Export Package - This option exports a package from CPUSE repository to an external location for backup or transfer purposes.
• Upgrade - This option performs an upgrade of a Major Version package or a Minor Version package, which preserves the existing configuration and data on the system.
• Database Conversion - This option converts the database schema of a Major Version package to match the current version.

Therefore, the correct answer is B.

References: 4: CPUSE - Gaia Deployment Agent

 The purpose of the CPCA process is to generate and modify certificates for Check Point products and features. CPCA stands for Check Point Certificate Authority and it is responsible for creating and managing certificates for internal communication between Check Point components, such as Security Gateways, Security Management Servers, SmartConsole clients, and OPSEC applications. CPCA also supports external certificate authorities and can import and export certificates from other sources. 

In R81, you manage your Mobile Access Policy from the Mobile Console. The Mobile Console is a separate web-based interface that allows you to configure and monitor Mobile Access features, such as VPN, portal, applications, users, devices, and certificates. The Mobile Console can be accessed from any browser by entering https:// /mobileconsole. References: [Mobile Console]

 In R81, more than one administrator can login to the Security Management Server with write permission at the same time. This feature is enabled by default and allows concurrent administration of the security policy. Every administrator works in a session that is independent of the other administrators. Changes made by one administrator are not visible to others until they are published. Administrators can also lock objects to prevent others from editing them until they are unlocked. References: R81 Security Management Administration Guide, page 43.

 A clientless remote access VPN deployment is used to provide remote users with secure access to internal corporate resources by authenticating the user through an internet browser. A clientless remote access VPN does not require any software installation or configuration on the user’s device. Instead, it uses a web-based portal that acts as a proxy between the user and the corporate resources. The user can access web applications and services through the portal using a standard web browser that supports SSL/TLS encryption. The portal can also provide single sign-on (SSO) capabilities for SAML-enabled applications. A clientless remote access VPN is suitable for scenarios where users need to access mainly web-based resources from unmanaged devices or devices that cannot run VPN clients.

The other options are incorrect because:

• A client-based remote access VPN deployment is used to provide remote users with secure access to internal corporate resources by installing a VPN client software on the user’s device. A client-based remote access VPN requires software installation and configuration on the user’s device. It uses IPsec or SSL/TLS protocols to create a secure tunnel between the user’s device and the VPN gateway. The user can access any type of resource through the tunnel using any application that supports TCP/IP protocols. A client-based remote access VPN is suitable for scenarios where users need to access various types of resources from managed devices or devices that can run VPN clients.
• A clientless direct access deployment is not a valid term for a VPN deployment. Direct access is a feature of Windows Server that allows remote users to securely access internal corporate resources without using a VPN connection. Direct access uses IPv6 transition technologies and IPsec protocols to create a secure connection between the user’s device and the direct access server. The user can access any type of resource through the connection using any application that supports TCP/IP protocols. Direct access requires software installation and configuration on both the user’s device and the direct access server.
• A direct access deployment is not a term for a VPN deployment, but a feature of Windows Server that allows remote users to securely access internal corporate resources without using a VPN connection. Direct access uses IPv6 transition technologies and IPsec protocols to create a secure connection between the user’s device and the direct access server. The user can access any type of resource through the connection using any application that supports TCP/IP protocols. Direct access requires software installation and configuration on both the user’s device and the direct access server.

The correct Check Point command to verify that the installed tools on the new target security management machine are able to handle the R81.10 release is $FWDIR/scripts/migrate_server print_installed_tools -v R81.10. This command will print the list of installed migration tools and their versions, and check if they match the specified version (R81.10 in this case). If the tools are not installed or do not match, the command will print an error message3. References: Check Point R81 Installation and Upgrade Guide

By default, Threat Emulation updates the engine on the Security Gateway once per day. This is the recommended frequency for optimal performance and security. However, the admin can change the update frequency to a different value, such as once an hour, once a week, or twice per day, depending on the network needs and resources. The admin can also manually update the engine at any time using the SmartConsole or the command line interface. References: Threat Emulation Engine Release Updates - Check Point Software, Check Point R81.20 Gaia Fresh Install and upgrade

 SecureXL uses templates to accelerate the connection rate by creating a connection entry in the SecureXL Connections Table without notifying the Firewall kernel for a predefined period of time1. This reduces the load on the Firewall kernel and improves the performance of new connections1. SecureXL uses five attributes to identify a connection and create a template: source address, destination address, source port, destination port, and protocol2. These attributes form a unique 5-tuple that defines a connection2.

References: : ATRG: SecureXL for R80.20 and higher : Performance Tuning Administration Guide R80

SandBlast Threat Emulation is a technology that protects against zero-day and unknown malware by inspecting files in a secure sandbox environment and emulating their behavior. SandBlast Threat Emulation can be deployed in three modes: Cloud, Appliance and Hybrid1.

• Cloud mode: The files are sent to the Check Point cloud service for emulation. This mode does not require any additional hardware or software installation. It is the easiest and most cost-effective way to deploy SandBlast Threat Emulation.
• Appliance mode: The files are sent to a dedicated appliance (TE1000X, TE2500X, or TE100X) for emulation. This mode provides the highest level of performance and scalability, as well as data privacy and compliance. It is suitable for large organizations with high security and throughput requirements.
• Hybrid mode: The files are first sent to the Check Point cloud service for emulation, and if the cloud service cannot determine the verdict, they are then sent to a dedicated appliance for further analysis. This mode combines the benefits of both cloud and appliance modes, offering fast response time and high accuracy.

References: 1: SandBlast Threat Emulation Deployment Modes

To manually failover a cluster during a zero-downtime upgrade, you can use the command clusterXL_admin down on the active cluster member. This command will gracefully change the state of the cluster member to down and trigger a failover to the standby cluster member. This way, you can upgrade the cluster member that is now down without affecting the traffic processed by the other cluster member. You can then use the command clusterXL_admin up to bring the upgraded cluster member back online and repeat the process for the other cluster member. This command is useful for testing and debugging purposes and does not survive reboot unless you add the -p option or use the set cluster member admin down/up permanent command in clish1. The other commands are not valid for initiating a manual failover. The set cluster member down command is used to remove a cluster member from a cluster. The cpstop command is used to stop all Check Point services on a gateway. The set clusterXL down command does not exist.

Security Gateway Clusters in Load Sharing mode are not supported by the Central Deployment feature in R81.10 SmartConsole. According to the Check Point R81.10 Known Limitations article1, Central Deployment in SmartConsole does not support:

• Connection from SmartConsole Client to the Management Server through a proxy server. In this case, use the applicable API command
• ClusterXL in Load Sharing mode
• VRRP Cluster
• Installation of a package on a VSX VSLS Cluster that contains more than 3 members.
• On Multi-Domain Servers: Global Domain, or the MDS context
• Standalone server
• Standby Security Management Server or Multi-Domain Security Management
• Scalable Platforms 40000 / 60000
• SMB Appliances

The other options are supported by the Central Deployment feature in R81.10 SmartConsole. Dedicated Log Server, Dedicated SmartEvent Server, and Security Gateways/Clusters in ClusterXL HA new mode can be selected as targets for installing packages using the Central Deployment wizard.

 The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities. This option lets you specify which VPN communities are allowed or denied by the rule. A VPN community is a group of VPN gateways or hosts that share the same VPN policy and keys. You can create different types of VPN communities, such as star, meshed, or remote access, depending on your network topology and security requirements. You can also use tags to group VPN gateways or hosts into logical categories. 

Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

 The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. It runs on the Log Server machine or on a dedicated machine1. To check the status of the SmartEvent Correlation Unit, you can use the command cpstat cpsead on the machine where it is installed. This command will show you information such as the number of logs processed, the number of events generated, the CPU and memory usage, and the status of the connection to the SmartEvent Server23.

References: SmartEvent Administration Guide R76, SmartEvent Administration Guide R75, SmartEvent Performance Tuning Guide

Check Point SandBlast Zero-Day Protection offers flexibility in implementation to meet individual business needs. One of the deployment options for Check Point SandBlast Zero-Day Protection is:

Smart Cloud Services (Option A): Smart Cloud Services allow organizations to leverage cloud-based threat intelligence and protection services provided by Check Point.

The other options, Load Sharing Mode Services (Option B), Threat Agent Solution (Option C), and Public Cloud Services (Option D), may also be components of a security strategy, but they are not specific deployment options for Check Point SandBlast Zero-Day Protection.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

The component of R81 Management that is used for indexing is SOLR. SOLR is an open-source enterprise search platform that provides fast and scalable indexing and searching capabilities. SOLR is used by SmartConsole to index the objects and rules in the security policy, as well as the logs and events in SmartLog and SmartEvent. SOLR enables quick and easy access to the relevant information in the management database. References: Check Point Security Expert R81 Course, SOLR Troubleshooting

To deploy a TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway, you can utilize Check Point Cloud Services. In this scenario, you can leverage cloud-based email security services provided by Check Point without the need for an on-premises Security Gateway.

Option C correctly states that you can use only Check Point Cloud Services for this scenario, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

ClusterXL supports Dynamic Routing for both Unicast and Multicast traffic. Dynamic Routing protocols, such as OSPF, BGP, or PIM, can be configured on cluster members to exchange routing information with other routers. ClusterXL supports two modes of operation for Dynamic Routing: New Mode and Legacy Mode. References: ClusterXL Administration Guide, SK98226 - ClusterXL New Mode Overview

 The Threat Prevention profile in Check Point R81.10 SmartConsole application allows you to enforce the following software blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. These software blades provide comprehensive protection against various types of threats, such as network attacks, malware, ransomware, phishing, and zero-day exploits. You can configure the profile settings for each software blade, such as the action to take, the protection scope, and the exceptions. References: Check Point Security Expert R81 Course, Threat Prevention Administration Guide

The purpose of a SmartEvent Correlation Unit is to evaluate logs from the log server component to identify patterns/threats and convert them to events. The SmartEvent Correlation Unit is a software module that runs on the SmartEvent server or on a dedicated server. It applies correlation rules and logic to the logs received from various sources, such as security gateways, endpoints, or third-party devices. It then generates events that represent security incidents or trends that require attention or action. References: Check Point Security Expert R81 Course, SmartEvent Administration Guide

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers1. To access the SmartView web application, you need to use the following link: https:// /smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

• A. The link https:///smartviewweb/ is missing a slash (/) between the host name and smartviewweb.
• C. The link https://smartviewweb is missing a slash (/) after the host name and before smartviewweb.
• D. The link https:///smartview is missing a slash (/) at the end.

References: Views and Reports Tutorial R80

Multiple administrators can connect to a Security Management Server at the same time. Each administrator has their own username and works in a session that is independent of other administrators. This allows for collaboration and simultaneous management tasks by different administrators.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

In a Cpinfo (Checkpoint information) command, various information is collected from a Security Gateway. However, firewall logs are NOT collected from a Security Gateway in a Cpinfo.

A. Firewall logs

The Cpinfo command typically collects information such as configuration and database files, system message logs, OS and network statistics, but it does not include firewall logs. Firewall logs are usually obtained separately using other methods or tools.

References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on Cpinfo.

SecureXL is a technology that improves the performance of Security Gateway by offloading the processing of some packets from the Firewall kernel to the SecureXL device driver1. SecureXL can handle packets in three different paths, depending on the type and state of the packet2:

• Firewall Path: This is the slowest path, where packets are processed by the Firewall kernel and all the inspection blades. This path is used for packets that require full inspection, such as the first packet of a connection, packets that match a rule with a UTM blade, or packets that are not eligible for acceleration.
• Accelerated Path: This is the fastest path, where packets are processed by the SecureXL device driver and bypass the Firewall kernel. This path is used for packets that belong to an established connection that is marked for acceleration, and do not require any further inspection by the Firewall or other blades.
• Medium Path: This is a hybrid path, where packets are processed by both the SecureXL device driver and the Firewall kernel, but skip some inspection steps. This path is used for packets that belong to an established connection that is not marked for acceleration, but do not require full inspection by all the blades.

The other options are not correct because:

• A. Initial Path; Medium Path; Accelerated Path: There is no such thing as Initial Path in SecureXL terminology. The initial packet of a connection is always handled by the Firewall Path.
• B. Layer Path; Blade Path; Rule Path: These are not paths of traffic flow, but components of the unified policy in R80 and above versions. The Layer Path refers to the order of layers in the policy, the Blade Path refers to the order of blades within a layer, and the Rule Path refers to the order of rules within a blade3.
• C. Firewall Path; Accept Path; Drop Path: These are not paths of traffic flow, but possible actions that the Firewall can take on a packet. The Firewall Path is one of the paths of traffic flow, but the Accept Path and Drop Path are not. The Accept Path means that the packet is allowed to pass through the Firewall, and the Drop Path means that the packet is blocked by the Firewall4.

References: Part 3 - SecureXL, What is CoreXL & SecureXL, SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above, QUANTUM 7000 SECURITY GATEWAY

The most recommended way to install patches and hotfixes is CPUSE (Check Point Update Service Engine). CPUSE is a tool that automates the process of upgrading and installing software packages on Check Point devices. CPUSE can work in online mode or offline mode. Online mode requires an Internet connection to download the packages from Check Point servers. Offline mode allows you to download the packages manually from another device and transfer them to the target device using a USB drive or SCP. References: Check Point Security Expert R81 Course, CPUSE Administration Guide

 SecureXL is a technology that accelerates the performance of the Check Point Security Gateway by offloading CPU-intensive operations from the Firewall kernel to the SecureXL device. SecureXL can handle various types of traffic, such as TCP, UDP, ICMP, non-IP, VPN, NAT, etc. SecureXL can also work with various features, such as CoreXL, ClusterXL, QoS, etc.

One way to indicate that SecureXL is enabled is to use the fwaccel commands in clish. Clish is a command-line shell that provides a user-friendly interface for configuring and managing Check Point products. The fwaccel commands are used to control and monitor SecureXL operations, such as enabling or disabling SecureXL, viewing SecureXL statistics, managing SecureXL templates, etc. For example, the command fwaccel stat shows the status of SecureXL, such as whether it is on or off, how many packets are accelerated or not accelerated, etc.

The other options are not valid indicators of SecureXL being enabled:

• A. Dynamic objects are available in the Object Explorer: Dynamic objects are objects that represent IP addresses that change over time, such as VPN clients, DHCP clients, etc. Dynamic objects are available in the Object Explorer regardless of whether SecureXL is enabled or not.
• B. SecureXL can be disabled in cpconfig: Cpconfig is a command-line tool that allows you to configure various settings of Check Point products, such as administrator password, GUI clients, SNMP extension, etc. SecureXL can be disabled in cpconfig only if it was enabled before. Therefore, this option does not indicate that SecureXL is enabled.
• D. Only one packet in a stream is seen in a fw monitor packet capture: Fw monitor is a command-line tool that allows you to capture and analyze network traffic passing through the Security Gateway. Fw monitor shows the traffic at different inspection points in the Firewall kernel. If SecureXL is enabled, some packets may be accelerated by SecureXL and bypass the Firewall kernel inspection. Therefore, fw monitor may not see all packets in a stream. However, this does not mean that only one packet in a stream will be seen by fw monitor. Some packets may still go through the Firewall kernel inspection and be seen by fw monitor. Therefore, this option does not indicate that SecureXL is enabled.

Therefore, the correct answer is C.

References: How to enable/disable Check Point SecureXL via CLI, Part 3 - SecureXL, What is SecureXL?, Clish - Command Line Interface Shell, sk30583: What is FW Monitor?

SecureXL is a performance-enhancing technology used in Check Point firewalls. It improves the throughput of both non-encrypted firewall traffic and encrypted VPN traffic. The statement in option C is true because SecureXL does improve both types of traffic by offloading processing to dedicated hardware acceleration, optimizing firewall and VPN operations.

Option C correctly states that SecureXL improves this traffic, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

 The correct command to add an “emailserver1” host with IP address 10.50.23.90 using GAiA management CLI is mgmt: add host name emailserver1 ip-address 10.50.23.90. This command will create a new host object in the Security Management Server database, with the specified name and IP address. The mgmt: prefix indicates that the command is executed on the Security Management Server, and not on the local GAiA machine. The other commands are either missing the mgmt: prefix, or have incorrect syntax or parameters. 

 The log server sends logs to the Correlation Unit. The Correlation Unit analyzes the logs and generates events based on the event policy. The events are then sent to the SmartEvent Server, which displays them in the SmartEvent GUI. References: [SmartEvent Administration Guide]

 The correct command for checking the Deployment Agent status over the GAIA CLISH is “show installer status”. This command displays information about the Deployment Agent such as its version, status, last update time, and last operation result. The other commands are either invalid or irrelevant for this purpose. References: [Check Point Security Expert R81 Installation and Upgrade Guide], page 23.

The component that is not required to communicate with the Web Services API is the API key. The Web Services API uses a session ID token for authentication, which is obtained by sending a login request with a valid username and password. The other components are required for sending requests and receiving responses from the Web Services API. The content-type specifies the format of the data being sent or received, such as JSON or XML. The request payload contains the data and parameters for the API call, such as command name, object name, etc. References: [Web Services API Reference Guide]

When configuring SmartEvent Initial settings, you must specify a basic topology for SmartEvent to help it calculate traffic direction for events. This setting is called Internal network(s) and you are defining your networks. You can specify one or more networks or IP addresses that are considered internal for SmartEvent. This helps SmartEvent to determine the direction of the traffic (inbound, outbound, or internal) and generate events accordingly. References: [SmartEvent Administration Guide]

The "Network Access VPN Domain" feature allows remote-access VPN users to access resources across a site-to-site VPN tunnel. This feature allows remote users to securely access internal network resources as if they were physically connected to the network. This is achieved by adding the remote-access VPN users to a "VPN Domain" that has access to the internal network resources via a site-to-site VPN tunnel. This VPN Domain is also referred to as a "Network Access VPN Domain".

When using the Mail Transfer Agent, the debug logs are stored in /var/log/mail.mta.elg. This file contains information about the email messages that are processed by the Mail Transfer Agent, such as sender, recipient, subject, size, action, etc. You can use the command mailq to view the current mail queue and the command maild -d to enable debug mode for the Mail Transfer Agent. References: [Mail Transfer Agent]

 The reason why the web session is being disconnected after 10 minutes is that the idle timeout for the web session is specified with the “set web session-timeout” command, not the “set inactivity-timeout” command. The “set inactivity-timeout” command only affects the CLI session, not the web session. To prevent the web session from being disconnected after 10 minutes of inactivity, you need to use the “set web session-timeout” command with a higher value than 10 minutes. References: [Check Point Security Expert R81 Administration Guide], page 77.

To see historical data with cpview, you can use the cpview -t command, where is the date and time you want to view. For example, cpview -t Jan 01 2023 12:00:00 will show you the cpview data for January 1st, 2023 at noon. You can also enter a partial date, such as Jan 02, to see the data for the whole day. This feature is available in R77.10 and higher versions of Check Point software1. You can also access the historical data by pressing the “t” key while running cpview in live mode and entering the desired date and time1. The historical data is stored in the CPViewDB.dat file in the /var/log/CPView_history directory on your gateway2. You can export this file and import it into other tools for visualization, such as Grafana3.

Firewall Management (fwm) is available on any management product, including Multi-Domain and on products that requite direct GUI access, such as SmartEvent, It provides the following:

– GUI Client communication

– Database manipulation

– Policy Compilation

– Management HA sync

CoreXL is a performance-enhancing technology that enables the processing CPU cores to concurrently perform multiple tasks on Security Gateways with multiple CPU cores. CoreXL replicates the Firewall kernel multiple times, creating multiple Firewall instances that run on different CPU cores. These Firewall instances handle traffic concurrently, and each Firewall instance is a complete and independent Firewall inspection kernel. To show the current connections distributed by CoreXL FW instances, you can use the command fw ctl multik stat on the Security Gateway. This command will display information such as the number of connections, packets, bytes, drops, and errors handled by each CoreXL FW instance, as well as the CPU utilization and affinity of each instance. The other options are not correct because:

• B. fw ctl affinity -l: This command will show the CPU affinity of all processes and IRQs on the Security Gateway. It will not show the current connections distributed by CoreXL FW instances.
• C. fw ctl instances -v: This command will show the details of all CoreXL FW instances on the Security Gateway, such as their ID, type, state, priority, and interfaces. It will not show the current connections distributed by CoreXL FW instances.
• D. fw ctl iflist: This command will show the list of all interfaces on the Security Gateway, along with their names

References: Part 3 - SecureXL, What is CoreXL & SecureXL, SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server, where it is forwarded to fwm via cpd. The fwm process is responsible for managing the log files and the cpd process is responsible for communication between processes. The other options are incorrect because they involve processes that are not related to logging or communication. References: Check Point Certified Security Expert R81.20 Course Overview, sk163413: Support, Support Requests, Training … - Check Point Software, Check Point Certified Security Expert R81.20

The minimum open server hardware requirements for a Security Management Server/Standalone in R81 are:

• CPU: Intel Core i5-4590 or equivalent (4 cores)
• Memory: 8 GB RAM
• Disk space: 500 GB

The other options do not match the minimum requirements. Option A has insufficient CPU cores, memory and disk space. Option B has excessive CPU cores and disk space. Option D has excessive CPU cores, memory and disk space.

References: Check Point R81 Release Notes, page 6

The options that are given on features, when editing a Role on Gaia Platform are Read/Write, Read Only, and None. These options determine the level of access that a user has to a specific feature or command in Gaia. If a user has Read/Write access to a feature, they can view and modify the settings of that feature. If a user has Read Only access to a feature, they can only view the settings of that feature, but not change them. If a user has None access to a feature, they cannot view or modify the settings of that feature. 

High Availability (HA) is a deployment scenario where two or more Security Management Servers are configured to work together as a cluster. One server acts as the Primary server and handles all management operations, while another server acts as the Secondary server and serves as a backup. If the Primary server fails, the Secondary server takes over and becomes active. The cluster members communicate using a Virtual IP (VIP) address, which is used by SmartConsole to connect to the active server. If the Primary server is temporarily down, the administrator does not need to do anything, as SmartConsole will automatically connect to the VIP address and reach the Secondary server that has become active. Therefore, the correct answer is A.

References: 6: High Availability Administration Guide

 The feature that is not provided by all Check Point Mobile Access solutions is support for IPv6. Check Point Mobile Access is a comprehensive solution that provides secure remote access to corporate applications and resources using various methods, such as SSL VPN, IPsec VPN, clientless VPN, and mobile VPN. However, not all of these methods support IPv6, which is the latest version of the Internet Protocol that uses 128-bit addresses. According to the Check Point Mobile Access R81 Administration Guide1, only the following Mobile Access methods support IPv6:

• SSL Network Extender (SNX) - a thin client that enables remote users to connect securely to the corporate network using SSL/TLS VPN.
• Mobile VPN - a full VPN client that enables remote users to connect securely to the corporate network using IPsec VPN.
• Capsule Connect - a mobile VPN app for iOS and Android devices that enables remote users to connect securely to the corporate network using IPsec VPN.

The following Mobile Access methods do not support IPv6:

• Clientless VPN - a web-based method that enables remote users to access web applications and services using a web browser without installing any software on their devices.
• Endpoint Security VPN - a full VPN client that enables remote users to connect securely to the corporate network using IPsec VPN and also provides endpoint security features such as firewall, anti-virus, anti-malware, etc.
• Capsule Workspace - a mobile app for iOS and Android devices that enables remote users to access email, calendar, contacts, and corporate applications securely without requiring a VPN connection.

Proxy ARP is a technique that allows a device to respond to ARP requests on behalf of another IP address. Proxy ARP is required for Manual Static NAT when the translated IP address does not belong to one of the firewall’s interfaces. This is because the firewall needs to intercept the packets destined to the translated IP address and forward them to the original IP address after applying the NAT rule. Without Proxy ARP, the packets would not reach the firewall and the NAT would not work. Proxy ARP is not required for Automatic Static NAT or Automatic Hide NAT, because these types of NAT use IP addresses that belong to the firewall’s interfaces. Proxy ARP is also not required for Manual Hide NAT, because this type of NAT does not change the destination IP address of the packets, only the source IP address. References: Check Point R81 Security Management Administration Guide, page 115

VPN Link Selection is a feature that allows the Security Gateway to select the best link for each VPN tunnel based on the network topology and the Link Selection configuration1. When the primary VPN link goes down, the Firewall can update the Link Selection entries to start using a different link for the same tunnel, as long as the remote peer supports this feature and has multiple IP addresses configured2. This way, the VPN tunnel can be maintained without interruption or renegotiation. The other options are not correct because:

Firewall

• A. The Firewall will not drop the packets, but will try to send them over another link if possible.

Firewall

• C. The Firewall will not send out the packet on all interfaces, but will use the routing table to determine the best interface for each destination.

Firewall

• D. The Firewall will not inform the client that the tunnel is down, but will try to keep the tunnel up by switching to another link.

References: IPSec VPN - Link Selection, Outgoing VPN Link Selection on a gateway with multiple external interfaces

The API command to create a new host with the name "New Host" and IP address "192.168.0.10" is:

This command adds a host object with the specified name and IP address to the Check Point configuration.

References: Check Point documentation or training materials related to API commands.

NAT (Network Address Translation) is one item that will not be configured on the R81 Security Management Server when setting up an externally managed log server. NAT is a technique that allows devices with private IP addresses to communicate with devices with public IP addresses by translating the private addresses to public ones. NAT is not relevant for configuring an externally managed log server, which requires only the IP address, SIC (Secure Internal Communication), and FQDN (Fully Qualified Domain Name) of the log server. References: Check Point Security Expert R81 Course, Logging and Monitoring Administration Guide

To determine the cause of a cluster gateway showing "Down" despite running "clusterXL_admin up" on the down member, you can run the following command:

This command will provide a list of cluster members along with their statuses and can help diagnose the issue with the down member.

References: Check Point documentation or training materials related to High Availability and ClusterXL.

 In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall. References: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

Threat Emulation downloads packages by default once per day. The packages contain updates for the Threat Emulation engine, signatures, and images. The download frequency can be changed in the Threat Prevention policy settings. References: Threat Emulation Administration Guide, Threat Prevention R81 Release Notes

The Correlation Unit in SmartEvent architecture has the function of analyzing each log entry as it arrives at the log server according to the Event Policy. When it identifies a threat pattern, it forwards an event to the SmartEvent Server. This is an essential function in threat detection and analysis, as it helps in identifying and alerting about security threats based on the configured policies.

Option A correctly describes the function of the Correlation Unit, making it the verified answer.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

In R81, the Mobile Access policy is created and modified in SmartConsole. SmartConsole is the management interface for configuring and managing various security policies, including Mobile Access policies.

References: Check Point Certified Security Expert R81 documentation and learning resources.

The Check Point daemon that monitors the other daemons is cpwd (Check Point Watchdog). It is responsible for monitoring the health and status of various Check Point daemons and processes running on the Security Gateway. If any daemon or process stops responding or encounters an issue, cpwd can restart it to ensure the continued operation of the Security Gateway.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Threat Extraction is a software blade that delivers PDF versions of original files with active content removed. Active content, such as macros, scripts, or embedded objects, can be used by attackers to deliver malware or exploit vulnerabilities. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

 The inspection point Big l is the first point immediately following the tables and rule base check of a packet coming from outside of the network. It is also the last point before the packet leaves the Security Gateway to the internal network1. The other inspection points are either before or after the rule base check, or in a different direction of traffic flow2. References: Check Point R81 Security Gateway Architecture and Packet Flow, 156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics

The CLI command to reset the IPS (Intrusion Prevention System) pattern matcher statistics is option D: ips pmstats reset. This command will reset the statistics related to the IPS pattern matcher.

Options A, B, and C are not the correct syntax for resetting the IPS pattern matcher statistics.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

In R81, you can manage your Mobile Access Policy through the Unified Policy. The Unified Policy is a single policy that combines access control, threat prevention, data protection, and identity awareness. You can create rules for mobile access in the Unified Policy rulebase and apply them to mobile devices, users, and applications. You can also use the Mobile Access blade to configure additional settings for mobile access, such as authentication methods, VPN settings, and application portal.

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

The CPD daemon is a Firewall Kernel Process that does not pull application monitoring status. The CPD daemon is responsible for Secure Internal Communication (SIC), restarting daemons if they fail, transferring messages between Firewall processes, and managing policy installation. References: CPD process

The command migrate import can be used to restore a backup of Check Point configurations without the OS information. This command imports the configuration from a file that was created using the migrate export command, which backs up only the Check Point configuration and not the OS settings. The other commands are either not valid or not suitable for restoring a backup without the OS information. References: Check Point R81 Installation and Upgrade Guide

The clusterXL_admin down -p command disables a Cluster Member permanently, meaning that it will not rejoin the cluster even after a reboot. The other commands either disable a Cluster Member temporarily or are invalid. References: [ClusterXL Administration Guide]

 The API command add host name ip-address  can be used in a script to create 100 new host objects with different IP addresses. This command adds a new host object with the specified name and IP address to the database. The other commands are either not valid or not suitable for creating new host objects. References: Check Point - Management API reference

 SmartEvent automatically defines events based on IPS (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent. 

The methods of SandBlast Threat Emulation deployment are Cloud, Appliance, and Private. SandBlast Threat Emulation is a solution that detects and prevents zero-day attacks by emulating files in a sandbox environment and analyzing their behavior for malicious indicators. SandBlast Threat Emulation can be deployed in three different methods: Cloud, Appliance, and Private. Cloud method is when the files are sent to the Check Point cloud service for emulation and analysis. This method does not require any additional hardware or software on the customer’s side, and provides the fastest updates and feeds from ThreatCloud. Appliance method is when the files are sent to a dedicated appliance on the customer’s network for emulation and analysis. This method provides more control and privacy for the customer, and supports more file types and sizes. Private method is when the files are sent to a private cloud service on the customer’s network for emulation and analysis. This method provides the highest level of control and privacy for the customer, and supports customizing the emulation environment and scenarios.

The option that is NOT an option to calculate the traffic direction is Outgoing. Traffic direction is a parameter that determines how traffic is classified as internal or external based on its source and destination. Traffic direction can be calculated using three options: Incoming, Internal, or External. Incoming means that traffic is classified as internal if its destination is one of the Security Gateway’s interfaces, and external otherwise. Internal means that traffic is classified as internal if its source or destination belongs to one of the internal networks defined in the topology, and external otherwise. External means that traffic is classified as internal if both its source and destination belong to one of the internal networks defined in the topology, and external otherwise. Outgoing is not a valid option to calculate traffic direction. 

Vanessa is expecting a very important Security Report. The Document should be sent as an attachment via e-mail. An e-mail with Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only few lines of text are in it. The report is missing some graphs, tables and links.

The component of SandBlast protection that her company is using on a Gateway is SandBlast Threat Extraction. SandBlast Threat Extraction is a software blade that provides protection against malicious files by removing potentially risky elements, such as macros, embedded objects, scripts, etc. The sanitized files are delivered to the users with a notification about the removed elements. SandBlast Threat Extraction can also reconstruct the original files after they are scanned by SandBlast Threat Emulation, which is another software blade that provides protection against malicious files by emulating them in a virtual sandbox and analyzing their behavior. References: R81 Threat Prevention Administration Guide, page 37.

 The command switch to specify the Gaia API context is mgmt_cli --context gaia_api . This switch allows the user to execute Gaia OS commands through the management API. The Gaia API context is different from the default management API context, which is used to execute commands related to the security policy and objects1. References: Check Point R81 Management API Reference Guide

https://resources.checkpoint.com/datasheet/certified-security-expert-ccse-r8120-course-overview

Dynamic log distribution is a feature that allows you to configure the Security Gateway to distribute logs between multiple active Log Servers to support a better rate of Logs and Log Servers redundancy. This means that each log is sent to only one Log Server and the load is balanced between the primary Log Servers. If all the primary Log Servers are disconnected, the logs are distributed between the backup Log Servers. If no Log Servers are connected, the gateway writes the logs locally. This feature improves the performance and reliability of logging and reduces the network traffic and disk space consumption. You can enable this feature on the SmartConsole -> Gateways & Servers -> Logs -> Dynamic Log Distribution1.

The other options are incorrect because they do not describe the dynamic log distribution feature. Option B is wrong because the Management High Availability does not store the logs dynamically on the member with the most available disk space, but rather synchronizes the logs between the members using the cpd process2. Option C is wrong because the dynamic log distribution feature does not synchronize the logs between the primary and secondary management server, but rather distributes the logs between the Log Servers. Option D is wrong because the dynamic log distribution feature does not save disk space in case of a firewall cluster, but rather distributes the logs between the Log Servers. The firewall cluster members do not store local logs, but rather send them to the Log Servers3.

 The process that is used mainly for backward compatibility of gateways in R81.X is fwm. The fwm daemon handles communication with GUI-client, database manipulation, policy compilation and Management HA synchronization for legacy gateways that do not support the cpm daemon. The cpm daemon is the new Check Point Management Server daemon that handles these tasks for R80 and higher gateways. The cpd daemon is the Check Point Management daemon that handles communication between SmartConsole applications and Security Management Servers. The fwd daemon is the Firewall Daemon that handles communication between Security Gateways and Security Management Servers2. References: 2: Check Point Software, Getting Started, Processes.

After verifying that API Server is not running, you can start the API Server by running the command “api start” in Expert mode. This command will start the API Server process (cpm_api) and enable it to run automatically after reboot. You can also use the command “api enable” to enable the API Server without starting it immediately. The other commands are either incorrect or not related to the API Server. The set api command is used in CLISH mode to configure API settings, such as port, domain, or certificate. The mgmt_cli command is used in Expert mode to execute API commands, such as login, logout, show, set, etc. References: [API Server]

 Check Point Support in many cases asks you for a configuration summary of your Check Point system. This is also called cpinfo. Cpinfo is a utility that collects diagnostic data on a Check Point gateway, management server, or log server. It generates a file that contains information such as product version, license details, OS details, network configuration, installed hotfixes, status of Check Point processes, firewall tables, etc. This file can be used by Check Point Support to troubleshoot issues or analyze performance. References: [Cpinfo Utility]

 The CLI utility that runs connectivity tests from a Security Gateway to an AD domain controller is test_ad_connectivity -d . This command tests the connectivity between the gateway and the domain controller using LDAP, Kerberos, and WMI protocols. It also verifies the identity awareness configuration and shows the relevant logs3. The other options are not valid commands for testing AD connectivity. References: 3: Check Point Software, Getting Started, Testing Active Directory Connectivity.

The command that should be used to remove the policy from the gateway by logging in through console access is “fw unloadlocal”. This command will unload all security policies from a gateway or cluster member and allow all traffic to pass through it. This command can be useful for troubleshooting purposes or for emergency access to a gateway. References: [Check Point R81 CLI Reference Guide]

 The correct syntax to add a new host named “emailserver1” with IP address 10.50.23.90 using GAiA Management CLI is mgmt_cli add host name "emailserver1" ip-address 10.50.23.90. The name and ip-address parameters are required and must be enclosed in double quotes. The other options are missing the double quotes or have incorrect parameter names1. References: 1: Check Point Software, Getting Started, Adding a Host.

 The default shell of Gaia CLI is clish. Clish stands for Command Line Interface Shell and it is a restrictive shell that controls the number of commands available in the CLI. Clish provides a user-friendly interface that supports command completion, history, and help functions. Clish also supports role-based administration, which means that different users can have different levels of access to Gaia features and commands based on their roles. 

 The NAT property ‘Translate destination or client side’ is used to determine whether the destination IP address of a packet should be translated on the client side or the server side of a connection. If this property is not enabled, then the destination IP address is translated on the server side, which means that the gateway takes care of all details necessary for NAT to work. The gateway will send an ARP request for the translated IP address and will reply to any ARP requests for that address. Therefore, there is no need to configure a host route, use the local.arp file, or enable bi-directional NAT for NAT to work correctly. References: R81 Security Management Administration Guide, page 1010.

To see the cluster status in CLI expert mode, you can use the command cphaprob stat. This command displays the status of the Check Point High Availability cluster. It provides information about the state of the cluster members, such as "Active," "Standby," or "Collision."

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Using fw monitor, the inspection point notation E and i means that E shows the packet after the VPN encryption, and i shows the packet before the inbound firewall VM. E (for example, eth4:E) is the Post-Outbound inspection point, which captures packets after they are encrypted by VPN Outbound. i (for example, eth4:i) is the Pre-Inbound inspection point, which captures packets before they are inspected by the in-bound FireWall VM2. References: Check Point R81 CLI Reference Guide

Threat Extraction (Answer B): Threat Extraction always delivers a file, but it removes potentially malicious content from the file before delivering it to the user. It is designed to provide a safe version of the file quickly, taking less than a second to complete.

Threat Emulation (Option A): Threat Emulation does not deliver the original file to the user until it has been thoroughly analyzed for threats. It may take more than 3 minutes to complete the analysis. The emphasis here is on safety and thorough inspection, which may result in a longer processing time.

Therefore, Option B correctly describes the main difference between Threat Extraction and Threat Emulation.

References: Check Point Certified Security Expert (CCSE) R81 training materials and documentation.

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".

References: VPN Administration Guide

The API server is a service that runs on the Security Management Server and enables external applications to communicate with the Check Point management database using REST APIs. You can verify that the API server is responding by using the following command in Expert mode:

This command will display the current status of the API server, such as running, stopped, or initializing. It will also show the API version, port number, and SSL certificate information. References: Check Point R81 REST API Reference Guide

Check Point Protect is a lightweight app that can be used to gather and analyze threats to your mobile device. It provides real-time threat intelligence, device posture assessment, and secure browsing protection3. The other applications are either not designed for mobile devices, or do not offer threat analysis features. References: R81 CCSA & CCSE exams released featuring Promo for… - Check Point …, Check Point Protect - Apps on Google Play

On R81.10, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

 When doing a Stand-Alone Installation, you would install the Security Management Server with the Security Gateway as the other Check Point architecture component. A Stand-Alone Installation is where the Security Management Server and the Security Gateway are installed on the same machine2. The other options are either not Check Point architecture components, or not suitable for a Stand-Alone Installation. References: Check Point R81 Installation and Upgrade Guide

 R81.10 management server can manage gateways with versions R75.20 and higher. However, some features may not be supported on older gateway versions. For example, R81 introduces a new feature called Infinity Threat Prevention, which requires R81 gateways to work properly. Therefore, it is recommended to upgrade your gateways to the latest version to take advantage of all the new features and enhancements in R81. 

The least amount of CPU cores required to enable CoreXL is 2. CoreXL is a technology that improves the performance of Security Gateways by using multiple CPU cores to process traffic in parallel. CoreXL requires at least two CPU cores, one for SND (Secure Network Distributor) and one for a Firewall instance. The other options are either too few or too many CPU cores for enabling CoreXL. References: [Check Point R81 SecureXL Administration Guide], [Check Point R81 Performance Tuning Administration Guide]

 fwssd is a child process of fwd, which is the firewall daemon that handles policy installation, logging, and state synchronization. cpwd is the watchdog process that monitors and restarts other processes. fwm is the management server process that handles communication with GUI clients. cpd is the infrastructure daemon that handles SIC, licensing, and policy code generation. References: Check Point Processes Cheat Sheet – LazyAdmins, Check Point R81 Gaia Administration Guide, Certified Security Expert (CCSE) R81.20 Course Overview

 The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:

This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345. 

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic.

During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.

References:

The features that are only supported with R81.10 Gateways and not with R77.x are described in option C:

"C. The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence."

This feature, known as Rule Base Layers, allows for greater flexibility and control in organizing and prioritizing security rules within the rule base.

Options A, B, and D do not specifically pertain to features introduced in R81.10 and are available in earlier versions as well.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The cphaconf set_ccp multicast command is used to set the Cluster Control Protocol (CCP) to Multicast mode. This mode allows cluster members to communicate with each other using multicast packets. The other commands are either incorrect or set the CCP to Broadcast mode. References: ClusterXL Administration Guide

 In R81, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy is a unified policy that allows you to configure and enforce IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction settings in one place. References: Threat Prevention Administration Guide

When configuring Management HA, you have to take into consideration that the Database revisions will not be synchronized between the management servers. Database revisions are snapshots of the database that are created manually or automatically when installing a policy or saving changes. They are stored locally on each management server and are not replicated by Management HA. The other options are either not true or not relevant to Management HA. References: Check Point R81 Installation and Upgrade Guide

Sticky Decision Function (SDF) is a feature that ensures that VPN traffic is handled by the same core on a Security Gateway with multiple CPU cores. This improves the performance and stability of VPN tunnels by avoiding out-of-order packets and reducing encryption overhead. However, the limitation of employing SDF is that acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF. This means that SDF may reduce the overall throughput and scalability of the Security Gateway. Therefore, SDF should be used only when necessary and only on gateways that are dedicated to VPN traffic. References: R81 Performance Tuning Administration Guide

Check Point currently supports four types of APIs: R81 Management API, Identity Awareness Web Services API, OPSEC SDK, and Gaia REST API. The Open REST API is not a valid option. References: Check Point APIs

To fully enable Dynamic Dispatcher on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled without Firewall Priority Queues. Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Dynamic Dispatcher can improve the throughput and scalability of the Security Gateway, especially for traffic that is not accelerated by SecureXL. The other commands are not valid or do not enable Dynamic Dispatcher. References: R81 Performance Tuning Administration Guide

The Event List within the Event tab contains events generated by a query. The Event List shows the events that match the query criteria, such as time range, filter, and aggregation. The events can be sorted by different columns, such as severity, time, action, and source3. The other options are either not part of the Event tab or not related to the Event List. References: Check Point R81 Logging and Monitoring Administration Guide

The Check Point ThreatCloud is a worldwide collaborative security network that collects and analyzes threat data from millions of sensors, security gateways, and other sources, and delivers real-time threat intelligence and protection to Check Point products. References: Check Point ThreatCloud

 The process that pulls application monitoring status is cpd. cpd is a daemon that runs on Check Point products and performs various tasks related to management communication, policy installation, license verification, logging, etc. cpd also monitors the status of other processes and applications on the system and reports it to the management server. cpd uses SNMP to collect information from various sources, such as blades, gateways, servers, etc. You can view the application monitoring status in SmartConsole by using the Gateways & Servers tab in the Logs & Monitor view. References: Check Point Processes and Daemons

 Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Firewall Priority Queues is a feature that prioritizes traffic based on its type and importance by assigning it to different queues with different weights and limits. To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled with Firewall Priority Queues. The other commands are not valid or do not enable both features. References: R81 Performance Tuning Administration Guide

References:

 Check Point Mobile Web Portal is a Mobile Access Application that allows a secure container on mobile devices to give users access to internal websites, file shares and emails. The Mobile Web Portal is a web-based application that can be accessed from any browser on any device. It provides a user-friendly interface to access various resources on the corporate network without requiring a VPN client or additional software installation. The Mobile Web Portal supports authentication methods such as user name and password, certificate, one-time password (OTP), etc. The Mobile Web Portal also supports security features such as encryption, data leakage prevention (DLP), threat prevention, etc. References: R81 Mobile Access Administration Guide

 The host having a Critical event found by Anti-Bot should be remediated first, as it indicates that the host is infected by a botnet malware that is communicating with a Command and Control server. This poses a serious threat to the network security and data integrity. The other events may indicate potential malware infection or attack attempts, but not necessarily successful ones. References: Threat Prevention Administration Guide

 Gateway API is not an example of a Check Point API. Check Point APIs are interfaces that enable interactions with Check Point products using automation scripts or external applications. The examples of Check Point APIs are Management API, OPSEC SDK, Threat Prevention API, Identity Awareness Web Services API, and others4. Gateway API is not a valid Check Point API name. References: Check Point R81 Security Management Administration Guide, Check Point APIs

 You can communicate with the API server using three command sources: SmartConsole GUI Console, mgmt_cli Tool, and Gaia CLI. Web Services are not a command source, but a way to access the API server using HTTP requests. References: Check Point Management APIs

 TACACS+ is not an authentication method that is used for Mobile Access. Mobile Access supports the following authentication methods: username and password (internal, LDAP, or RADIUS), certificate, SecurID, DynamicID, and SMS2. TACACS+ is a protocol that provides access control for routers, network access servers, and other network devices, but it is not supported by Mobile Access3. References: Check Point R81 Mobile Access Administration Guide, TACACS+ - Wikipedia

The cpinfo tool generates a R81 Security Gateway configuration report that includes information about the hardware, operating system, product version, patches, and configuration settings. References: cpinfo - Check Point Support Center

SandBlast Mobile has four components: Management Dashboard, Gateway, Behavior Risk Engine, and On-Device Network Protection. Personal User Storage is not part of the SandBlast Mobile solution. References: SandBlast Mobile Architecture

 Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every 60 seconds based on the current traffic load. This ensures optimal performance and load balancing of SecureXL instances. References: SecureXL Mechanism

When requiring certificates for mobile devices, the authentication method should be set to one of the following:

Username and Password

RADIUS

SecurID (RSA SecurID)

So, the correct answer is option B, "SecurID."

Options A, C, and D are not standard authentication methods for mobile devices in this context.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

The fw ctl affinity -l -a -r -v command is the most accurate CLI command to get info about assignment (FW, SND) of all CPUs in your SGW. This command displays the affinity settings of all interfaces and processes in a verbose mode, including the Firewall (FW) and Secure Network Distributor (SND) instances. References: CoreXL Administration Guide

 Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions . References: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

Anti-Bot is a post-infection malware protection that detects and blocks botnet communications from infected hosts to Command & Control servers. It is different from other Threat Prevention mechanisms that prevent malware from entering the network or executing on the hosts. References: Anti-Bot Software Blade

According to the Check Point website, INSPECT Engine is the technology that extracts detailed information from packets and stores that information in state tables. INSPECT Engine is the core of Check Point’s Stateful Inspection technology, which enables Security Gateways to inspect traffic at multiple layers and enforce security policies. The other technologies are either not related or not specific enough. References: INSPECT Engine

The “fw monitor” tool can be best used to troubleshoot network traffic issues. Fw monitor is a tool that allows administrators to capture packets at different inspection points in the Firewall kernel, and apply filters and flags to analyze the traffic. Fw monitor can help troubleshoot network connectivity problems, packet drops, NAT issues, VPN issues, and more. The other options are either not related or less suitable for fw monitor.

A star community is a VPN topology where one or more satellites connect to a center gateway. The center gateway can be a Security Gateway or a Security Management Server. The VPN routing option determines how the traffic is routed between the satellites and the center, and between the satellites themselves. There are three VPN routing options available in a star community12:

• To center only: The satellites can only communicate with the center gateway, and not with each other or with any other VPN targets. This option is useful for remote access clients that only need to access resources on the center gateway.
• To center, or through the center to other satellites, to Internet and other VPN targets: The satellites can communicate with the center gateway, and also with other satellites, Internet hosts, and other VPN targets through the center gateway. This option is useful for branch offices that need to access resources on the center gateway, as well as on other branch offices, Internet hosts, and other VPN targets.
• To center and to other satellites through center: The satellites can communicate with the center gateway, and also with other satellites through the center gateway. However, they cannot communicate with Internet hosts or other VPN targets. This option is useful for branch offices that need to access resources on the center gateway and on other branch offices, but not on Internet hosts or other VPN targets.

Therefore, the options A (To satellites through center only) and D (To center only) are not valid VPN routing options in a star community.

References: 1: Remote Access VPN R81.20 Administration Guide - Check Point Software, page 13 2: Gaia R81.20 Administration Guide - Check Point Software, page 1030

 Office mode is a feature that allows a security gateway to assign a remote client an IP address from a network that is protected by the security gateway. This way, the remote client can access resources on the internal network as if it was physically connected to it. The IP address is assigned to the remote client after the user authenticates for a tunnel, and it is routable, meaning that it can be reached by other hosts on the network. Office mode is useful for scenarios where the remote client needs to use applications that rely on IP addresses, such as VoIP or file sharing12.

References: 1: Support, Support Requests, Training … - Check Point Software 2: Gaia R81.10 Administration Guide - Check Point Software

 According to the Check Point R81 Mobile Access Administration Guide, the recommended number of physical network interfaces in a Mobile Access cluster deployment is three. One interface should be connected to the organization network, one interface should be connected to the Internet, and one interface should be used for synchronization between cluster members. This configuration provides optimal performance and security for Mobile Access traffic. 

 What can cause Vanessa unnecessary problems, if she didn’t check all requirements for migration to R81, is missing an installed R77.20 Add-on on Security Management Server. R77.20 Add-on is a package that adds new features and enhancements to R77 Security Management Server, such as support for new appliances, Gaia OS features, VPN features, etc. One of the requirements for migrating to R81 from R77 Security Management Server is to have R77.20 Add-on installed on the server. If Vanessa did not check this requirement and tried to migrate without R77.20 Add-on, she would encounter errors and failures during the migration process. The other options are either not relevant or not problematic for migration to R81. 

The command that would show the API server status is api status. API stands for Application Programming Interface, and it is a web service that allows external applications to interact with the Check Point management server using standard methods such as HTTP(S) requests and JSON objects. API status is a command that shows the current status of the API server, such as whether it is enabled or disabled, running or stopped, listening on which port, using which certificate, etc. The other commands are either invalid or perform different functions. 

To change the number of firewall instances used by CoreXL, the cpconfig command must be used, followed by a reboot. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The number of firewall instances determines how many cores are dedicated to CoreXL. The cpconfig command allows the administrator to configure various settings on the Security Gateway, including the number of firewall instances. After changing this setting, a reboot is required for the changes to take effect. The other commands are either incorrect or do not require a reboot.

SandBlast agent extends zero-day prevention to web browsers and user devices. Zero-day prevention is a capability that protects devices from unknown and emerging threats that exploit vulnerabilities that have not been patched or disclosed. SandBlast Agent provides zero-day prevention by using various technologies such as threat emulation, threat extraction, anti-exploitation, anti-ransomware, and behavioral analysis. SandBlast Agent protects web browsers and user devices from malicious downloads, phishing links, drive-by downloads, browser exploits, malicious scripts, and more. 

 Identity Awareness AD-Query is using the Microsoft WMI API to learn users from AD. WMI stands for Windows Management Instrumentation, and it is an API that allows remote management and monitoring of Windows systems. Identity Awareness AD-Query is a feature that enables the Security Gateway to query Active Directory servers for user and computer information, such as login events, group membership, and IP addresses. By using the WMI API, Identity Awareness AD-Query can receive real-time notifications from Active Directory servers without installing any agents or scripts on them. 

 To ensure that VMAC mode is enabled, the CLI command that should be run on all cluster members is fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1. VMAC mode is a feature that allows ClusterXL to use virtual MAC addresses for cluster interfaces, instead of physical MAC addresses. This improves the failover performance and compatibility of ClusterXL with switches and routers. To check if VMAC mode is enabled, the command fw ctl get int fwha_vmac_global_param_enabled can be used, which returns 1 if VMAC mode is enabled, and 0 if VMAC mode is disabled. 

 The first thing that must be done if “fwm sic_reset” could not be completed is to change internal CA via cpconfig. Fwm sic_reset is a command that allows administrators to reset Secure Internal Communication (SIC) between Security Management Server and Security Gateways or other Check Point modules. SIC is a mechanism that ensures secure and authenticated communication between Check Point components by using certificates issued by an internal Certificate Authority (ICA). If fwm sic_reset fails, it means that there is a problem with the ICA or the certificates that prevents SIC from being reset. To resolve this problem, administrators need to change internal CA via cpconfig, which is a command that allows administrators to configure various settings on Security Gateways or Management Servers, including the ICA. Changing internal CA via cpconfig will create a new ICA with a new certificate, and allow SIC to be reset with the new certificate.

SmartEvent Unit is not a blade option when configuring SmartEvent. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. SmartEvent Unit is not a valid component or blade of SmartEvent.

 When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions: CIFS packets. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, some packets cannot be accelerated by SecureXL due to various reasons, such as unsupported features, security policy settings, or protocol limitations. One example of packets that cannot be accelerated by SecureXL are CIFS packets, which are used for file sharing and access over SMB protocol. CIFS packets are not accelerated by SecureXL because they require stateful inspection by the Firewall kernel. 

The path to monitor the compliance status of the Check Point R81.10 based management is Logs & Monitor > New Tab > Open compliance View. Compliance View is a feature that allows administrators to monitor and assess the compliance level of their Check Point products and security policies based on best practices and industry standards. Compliance View provides a dashboard that shows the overall compliance status, compliance score, compliance trends, compliance issues, compliance reports, and compliance blades for different security aspects, such as data protection, threat prevention, identity awareness, etc. To access Compliance View in R81.10 SmartConsole, administrators need to go to Logs & Monitor > New Tab > Open compliance View. The other options are either incorrect or not available in R81.10.

Ken can use either of the two commands lock database override or unlock database to obtain a configuration lock from another administrator on R81 Security Management Server via CLI. These commands allow him to override the existing lock and gain exclusive access to the database. He can also use the WebUI to perform the same action. References: Training & Certification | Check Point Software, New Courses and Certificates for R81.10 - Check Point CheckMates

 Log Consolidator is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.

 The Logs and Monitor tab is used to monitor network and security performance in SmartConsole. The Logs and Monitor tab lets you view and analyze logs, events, reports, and alerts from various sources, such as Security Gateways, Security Management Servers, Endpoint Security Servers, and SmartEvent Servers. You can also use the Logs and Monitor tab to create custom views, filters, queries, and charts to display the data that is relevant to your needs12.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 23 2: Check Point R81 SmartConsole User Guide - Check Point Software, page 9

 The command that would be used to set the network interfaces’ affinity in Manual mode is sim affinity -s. Sim affinity is a command that allows administrators to view and modify the CPU core affinity of network interfaces and SecureXL instances. Core affinity is a feature that binds network interfaces and SecureXL instances to specific CPU cores, which improves the performance and load balancing of the Security Gateway. Sim affinity -s sets the network interfaces’ affinity in Manual mode, which means that administrators can manually assign network interfaces to CPU cores. The other options are either invalid or perform different functions. 

The way SSL VPN and IPSec VPN are different is that IPSec VPN uses an additional virtual adapter; SSL VPN uses the client network adapter only. SSL VPN and IPSec VPN are two types of VPN technologies that provide secure remote access to network resources over the internet. SSL VPN uses SSL/TLS protocol to establish an encrypted tunnel between the client and the server, and does not require any additional software or hardware on the client side. IPSec VPN uses IPSec protocol to establish an encrypted tunnel between the client and the server, and requires a dedicated virtual adapter on the client side to handle the IPSec traffic. The other options are either incorrect or not relevant to SSL VPN and IPSec VPN.

The port that the CPM process runs on is TCP 19009. CPM stands for Check Point Management, and it is the main process that runs on the Security Management Server and interacts with SmartConsole clients. CPM is responsible for managing policies, objects, logs, tasks, and other management functions. CPM listens on TCP port 19009 for incoming connections from SmartConsole clients. The other ports are either used by other processes or not related to CPM. 

 The statement that is most correct regarding about “CoreXL Dynamic Dispatcher” is: The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores. CoreXL Dynamic Dispatcher is a feature that allows the Security Gateway to dynamically assign connections to the most available CoreXL FW instance, based on the CPU core utilization. This improves the performance and load balancing of the Security Gateway, especially when handling connections with different processing requirements. The other statements are either incorrect or describe the CoreXL Static Dispatcher mechanism, which assigns connections based on a hash function of the Source IP, Destination IP, and IP Protocol type.

Browser-based Authentication is a method of acquiring identities from unidentified users by sending them to a web page where they can log in and authenticate. Browser-based Authentication uses two techniques to acquire identities: Captive Portal and Transparent Kerberos Authentication1.

Captive Portal is a simple method that attempts authentication through a web interface before granting a user access to Intranet resources. When a user tries to access a protected resource, they are redirected to a web page where they have to enter their credentials. The credentials are verified by the Identity Awareness Security Gateway or an external authentication server. If the authentication is successful, the user’s identity is associated with their IP address and they are allowed to access the resource12.

Transparent Kerberos Authentication is a more seamless method that leverages the existing Kerberos infrastructure in the network. When a user tries to access a protected resource, the Identity Awareness Security Gateway intercepts the Kerberos ticket request and extracts the user’s identity from it. The user’s identity is then associated with their IP address and they are allowed to access the resource without any additional prompts. This method requires that the Identity Awareness Security Gateway is configured as a trusted proxy in the Active Directory domain12.

Therefore, the correct answer is B. Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication.

References:

• 1, THE IMPORTANCE OF ACCESS ROLES - Check Point Software, page 2
• 2, Browser-based Authentication Check Point - Bing
• 3, How to Configure Client Authentication - Check Point Software, page 1
• 4, Identity Sources - Check Point Software
• 5, Configuring Browser-Based Authentication - Check Point Software
• 6, Two Factor Authentication - Check Point Software

According to the Check Point website, SmartUpdate is the application that should be used to install a contract file. A contract file contains information about the licenses and services that are purchased from Check Point. SmartUpdate can also be used to install software packages and patches on Security Gateways and Management Servers. The other applications are either not relevant or not capable of installing a contract file. References: SmartUpdate

According to the Check Point R81 training course, the Proxy ARP feature for Manual NAT in R81.10 requires the configuration of the local.arp file on the Security Gateway. This file contains the mapping of IP addresses to MAC addresses for NATed hosts. The other options are either incorrect or irrelevant. References: Certified Security Expert (CCSE) R81.20 Course Overview