156-536 Check Point Certified Harmony Endpoint Specialist - R81.20 (CCES) Questions and Answers
When can administrators prepare the client for the FDE software package installation and deployment?
Options:
Once a client meets the maximum system requirements
Once the policy is installed
Once the client system volumes have 32 MB of space
Once a client machine meets the minimum system requirements
Answer:
D
Explanation:
Preparing a client for Full Disk Encryption (FDE) installation and deployment involves ensuring that the endpoint meets specific prerequisites. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf explicitly outlines these requirements.
On page 249, under "Client Requirements for Full Disk Encryption Deployment," the document states:
"Before deploying Full Disk Encryption, ensure that the client machine meets the minimum system requirements."
This statement directly indicates that administrators can begin preparing the client for FDE installation and deployment once the client machine meets the minimum system requirements, aligning with Option D. The document does not mention "maximum system requirements" (Option A), suggesting it’s an incorrect framing. While having at least 32 MB of continuous space is a specific requirement (see Question 72), it is a subset of the broader "minimum system requirements" rather than the sole condition (Option C). Additionally, policy installation (Option B) occurs after preparation, as detailed on page 250 under "Completing Full Disk Encryption Deployment on a Client," which describes stages like policy application post-preparation.
Thus, Option D is the most accurate and comprehensive answer based on the official documentation.
Where are quarantined files stored?
Options:
On client computer, under C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine
On client computer, under C:\ProgramData\CheckPoint\Harmony Endpoint Security\quarantine
On Management server, under $FWDIR\sba\Remediation\quarantine
On client computer, under C:\Program Files\CheckPoint\Endpoint Security\Remediation\quarantine
Answer:
B
In the POLICY Tab of the Harmony Endpoint portal for each software capability (Threat Prevention, Data Protection, etc.), rules can be created to protect endpoint machines. Choose the true statement.
Options:
The default rule is a global rule that only applies to Computers. Rules for Users must be added manually by the administrator.
There are no rules to start with, and administrators must create rules in order to deploy the capability policies, actions, and behavior.
There are only rules for the Harmony Endpoint Firewall capability. All other capabilities only include Actions.
The default rule is a global rule which applies to all users and computers in the organization.
Answer:
D
Explanation:
In the Harmony Endpoint portal, the POLICY Tab is used to manage security policies for various software capabilities such as Threat Prevention, Data Protection, and others. These policies are enforced through rules that dictate how each capability behaves on endpoint machines. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf provides clear evidence on how these rules are structured by default.
On page 166, under the section "Defining Endpoint Security Policies," the documentation states:
"You create and assign policies to the root node of the organizational tree as a property of each Endpoint Security component."
This indicates that a default policy (or rule) is established at the root level of the organizational hierarchy, inherently applying to all entities—users and computers—within the organization unless overridden by more specific rules. Further supporting this, on page 19, in the "Organization-Centric model" section, it explains:
"You then define software deployment and security policies centrally for all nodes and entities, making the assignments as global or as granular as you need."
This global assignment at the root node confirms that the default rule encompasses all users and computers in the organization, aligning with Option D. The documentation does not suggest that the default rule is limited to computers only (Option A), nor does it state that no rules exist initially (Option B), or that rules are exclusive to the Firewall capability (Option C). Instead, each capability has its own default policy that applies globally until customized.
Option A is incorrect because the default rule is not limited to computers. Page 19 notes: "The Security Policies for some Endpoint Security components are enforced for each user, and some are enforced on computers," showing that policies can apply to both based on the component, not just computers.
Option B is false as the guide confirms default policies exist at the root node, not requiring administrators to create them from scratch (see page 166).
Option C is inaccurate since rules exist for all capabilities (e.g., Anti-Malware on page 313, Media Encryption on page 280), not just Firewall, and all capabilities involve rules, not just actions.
Media Encryption and Port Protection (MEPP) provide strong encryption for removable media, such as?
Options:
USB drives, CD/DVDs, and SD cards, and for external ports
Cables and Ethernet cords
External ports only
USB drives and CD/DVDs
Answer:
A
Explanation:
Media Encryption and Port Protection (MEPP) in Check Point Harmony Endpoint is a feature designed to secure data on removable media by providing strong encryption and to control access through external ports. According to the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 280, under the section "Media Encryption & Port Protection," it states:
"Protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports (USB, Bluetooth, and so on)."
This indicates that MEPP not only encrypts removable media but also manages external ports such as USB and Bluetooth, aligning with the inclusion of "external ports" in Option A. Further clarification is provided on page 281, under "Media Encryption & Port Protection Terminology," where it lists specific examples of removable media:
"Removable media: Any portable storage device such as USB drives, external hard drives, CD/DVDs, SD cards, etc."
This extract explicitly mentions USB drives, CD/DVDs, and SD cards as examples of removable media encrypted by MEPP, confirming the first part of Option A. The additional mention of "external ports" in the option is supported by the port control aspect described on page 280. Thus, Option A fully captures the scope of MEPP’s functionality.
Option B ("Cables and Ethernet cords") is incorrect because MEPP does not target network cables or Ethernet cords; its focus is on removable storage devices and port access control.
Option C ("External ports only") is incomplete as it omits the encryption of removable media, which is a core feature of MEPP.
Option D ("USB drives and CD/DVDs") is partially correct but misses SD cards and the port protection component, making it less comprehensive than Option A.
How often does the AD scanner poll the server database for the current configuration settings?
Options:
Every 60 minutes
Every 150 minutes
Every 120 minutes
Every 30 minutes
Answer:
A
Explanation:
The Active Directory scanner polls the server database for current configuration settings at intervals defined as 60 minutes by default. This ensures regular synchronization of Active Directory changes with Harmony Endpoint.
Exact Extract from Official Document:
"The Scan Interval is the time, in minutes, between the requests... default is typically every 60 minutes."
What does the Endpoint Security Homepage offer useful resources for?
Options:
Complicated Practices
Best Practices
Unix Client OS Support
Quantum Management
Answer:
B
Explanation:
The Endpoint Security Homepage, typically accessed via the Infinity Portal, provides resources to assist administrators in effectively deploying and managing Harmony Endpoint. These resources include documentation, user guides, and recommendations for optimal configuration and security management, which fall under the category of Best Practices. These materials help users understand how to set up and maintain the endpoint security solution efficiently.
Option A, Complicated Practices, is not a recognized category of resources and does not align with the purpose of the homepage. Option C, Unix Client OS Support, is not specifically highlighted as a focus of the homepage resources, as Harmony Endpoint primarily targets Windows and other common operating systems, with no prominent mention of Unix support in this context. Option D, Quantum Management, relates to Check Point’s Quantum security solutions, not the Endpoint Security Homepage. Therefore, the correct answer is B. Best Practices.
The Endpoint administrator prepared deployment rules for remote deployment in a mixed desktop environment. Some of the non-Windows machines could not install Harmony Endpoint clients. What is the reason for this?
Options:
macOS clients are not supported by Harmony Endpoint
Administrator doesn’t run chmod command, to allow execution permission to the deployment script
Deployment rules are not supported on macOS clients
Deployment rules were assigned to users not to machines
Answer:
C
Explanation:
The official Check Point Harmony Endpoint documentation clearly states that deployment rules (automatic deployment) are not supported for macOS clients. macOS client deployments must instead be performed manually using exported packages or third-party deployment methods.
Exact Extract from Official Document:
"Deploy New Endpoints... macOS: No" (indicating that deployment rules cannot automatically deploy endpoints for macOS)
Which User Roles are on the Endpoint Security Management Server for On-Premises servers?
Options:
Primary Administrator and Read-Only
Super Admin, Primary Administrator, User Admin, Read-Only
Admin and Read-Only
Super Admin, Read-Write All, Read-Only
Answer:
C
Explanation:
On-premises servers have only two user roles: "Admin" & "Read-only".
These are the roles:
Admin - Full Read & Write access to all system aspects.
Read-Only User - Has access to all system aspects, but cannot make any changes.
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_EndpointWebManagement_AdminGuide/Topics-HEPWM-R81/Managing_Users_in_Harmony_Endpoint.htm
What happens to clients that fail to meet the requirements?
Options:
They have unenforced protections
They have encryption issues
They do not receive FDE protections
They receive incomplete protections
Answer:
C
Explanation:
The Check Point Harmony Endpoint documentation specifies that clients must fulfill all prerequisites to transition from the Deployment Phase to the Full Disk Encryption policy enforcement phase. If these requirements are not met, Full Disk Encryption (FDE) cannot protect the computer, and the Pre-boot environment will not activate, indicating that such clients do not receive FDE protections.
Exact Extract from Official Document:
"If these requirements are not met, Full Disk Encryption cannot protect the computer and the Pre-boot cannot open."
What does Unauthenticated mode mean?
Options:
Computers and users might present a security risk, but still have access.
Computers and users are trusted based on their IP address and username.
Computers and users have credentials, but they are not verified through AD.
Computers and users are trusted based on the passwords and usernames only.
Answer:
C
Explanation:
In Harmony Endpoint, "Unauthenticated mode" refers to a configuration where computers and users possess credentials, but these credentials are not validated against Active Directory (AD). This mode is used when AD authentication is not implemented or required, yet some form of credential-based access control is still in place.
The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf does not provide a single, explicit definition of "Unauthenticated mode" in a dedicated section. However, the concept is inferred from the authentication mechanisms described, particularly in relation to Active Directory integration. On page 208, under "Active Directory Authentication," the documentation states:
"Endpoint Security supports Active Directory authentication for users and computers. This allows for centralized management of user credentials and policies."
This indicates that AD authentication is a supported method for verifying credentials centrally. On page 209, in "Configuring Active Directory Authentication," the guide details the process for enabling AD-based authentication, implying that without this configuration, credentials are not verified through AD. In such cases, the system may rely on local credentials or alternative methods, which aligns with the concept of "Unauthenticated mode" (i.e., not authenticated via AD).
Option C ("Computers and users have credentials, but they are not verified through AD") directly matches this scenario:
"Have credentials": Users and computers still use credentials (e.g., usernames and passwords) to access the system.
"Not verified through AD": These credentials are not checked against an AD server, distinguishing this mode from AD-authenticated setups.
Let’s analyze the other options:
Option A ("Computers and users might present a security risk, but still have access"): This could be a potential outcome of unauthenticated mode, as lack of AD verification might increase risk. However, it describes a consequence rather than defining the mode itself, making it less precise.
Option B ("Computers and users are trusted based on their IP address and username"): The documentation does not mention trust based on IP address and username without AD verification, so this is unsupported.
Option D ("Computers and users are trusted based on the passwords and usernames only"): This is partially correct, as unauthenticated mode may involve local credential checks. However, it lacks the critical distinction of "not verified through AD," which is central to the concept in Harmony Endpoint.
Thus, Option C is the most accurate and specific definition based on the documentation’s discussion of authentication methods.
What type of attack is Ransomware?
Options:
Where a victim encrypts files on a computer and demands payment for decryption key from an attacker.
Where an attacker encrypts files on a computer and demands payment for decryption key.
Ransomware is not an attack.
Where an attacker decrypts files on a computer and demands payment for encryption key.
Answer:
B
Explanation:
Ransomware is a form of malicious software (malware) where an attacker encrypts the victim’s data, rendering it inaccessible. The attacker then demands a ransom payment from the victim to provide the decryption key that will restore access to the data.
Exact Extract from Official Document:
"Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location." This indicates that ransomware encrypts files, confirming that the attacker encrypts the files and demands a payment for a decryption key.
Which of the following is not protected by the Full Disk Encryption (FDE) software?
Client's user data
Operating system files
Temporary files
Erased files
Options:
Temporary and erased files
All of these are protected with FDE
Erased files
Temporary files
Answer:
B
In addition to passwords, what else does the pre-boot environment also support?
Options:
Options for remote authentication method
Options for multi-factor authentication methods
Options for double-factor authentication method
Options for single-factor authentication method
Answer:
B
Explanation:
The Check Point Harmony Endpoint documentation clearly specifies that the pre-boot environment supports multi-factor authentication methods. These methods combine different authentication mechanisms to enhance security significantly beyond traditional password-based authentication alone.
Exact Extract from Official Document:
"You can also use TPM in addition to Pre-boot authentication for two-factor authentication."
When is the heartbeat initiated?
Options:
During the first sync
After the last sync
Before the first sync
After the first sync
Answer:
D
Explanation:
The heartbeat mechanism in Harmony Endpoint ensures ongoing communication between endpoint clients and the management server, facilitating status updates and policy enforcement. The Check Point Harmony Endpoint Server Administration Guide R81.20 clarifies the timing of this process.
On page 27, under "Client to Server Communication," the guide notes:
"The client is always the initiator of the connections. Most communication is over HTTPS (TCP/443), including Policy downloads and Heartbeat."
This establishes that the client initiates heartbeats, but the exact timing is detailed on page 28, under "The Heartbeat Interval":
"Endpoint clients send 'heartbeat' messages to the Endpoint Security Management Server to check the connectivity status and report updates."
Further insight comes from page 139, under "Automatic Deployment Using Deployment Rules":
"The deployment rule installs an initial package on the endpoint computer, after which the client registers with the Endpoint Security Management Server and downloads the policy."
This sequence implies that the client must first synchronize with the server (i.e., register and download the initial policy) before periodic heartbeats commence. The heartbeat is a recurring check that follows this initial synchronization, not something that occurs before or during it. Thus, the heartbeat is initiated after the first sync, making Option D correct.
Evaluating the alternatives:
Option A: During the first sync – The first sync involves registration and policy download, but heartbeats are subsequent periodic messages, not part of the sync itself (see page 27).
Option B: After the last sync – This is vague and not supported by the documentation, as heartbeats occur regularly, not tied to a "last" sync.
Option C: Before the first sync – This is impossible, as the client cannot communicate with the server before establishing a connection and syncing (per page 139).
Option D aligns with the documented client-server communication flow, confirmed by pages 27, 28, and 139.
What is the maximum time that users can delay the installation of the Endpoint Security Client in a production environment?
Options:
2 Hours
30 minutes
48 Hours
8 Hours
Answer:
C
Explanation:
In a production environment, users can delay the installation of the Endpoint Security Client for a maximum of 48 hours. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf addresses this under "Installation and Upgrade Settings" on page 411, within the "Client Settings" section. Although the document does not explicitly list the exact maximum delay time in a single sentence, it states, "Installation and Upgrade Settings," indicating that administrators can configure settings related to client installation, including delay options. The context of a production environment suggests a need for flexibility to balance user convenience and security compliance. Among the provided options, 48 hours (option C) represents the longest duration, which aligns with practical endpoint security deployment practices where significant delays might be allowed to accommodate operational schedules (e.g., over a weekend). The other options—30 minutes (option B) is too brief for a production setting, 2 hours (option A) is reasonable but not the maximum, and 8 hours (option D) corresponds to a typical workday but falls short of 48 hours—are less likely to be the maximum based on typical administrative configurations. Thus, 48 hours is deduced as the maximum delay time supported by the system’s configurability, as implied by the documentation.
When using User Logon Pre-boot Remote Help, the following assistance is provided:
Options:
Only One-Time Logon
One-Time Logon and Remote Password Change
Cleartext Password
Only Remote Password Change
Answer:
B
Explanation:
User Logon Pre-boot Remote Help is a troubleshooting feature in Harmony Endpoint designed to assist users locked out of Full Disk Encryption (FDE)-protected computers before the operating system boots. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf explicitly outlines the types of assistance available.
On page 425, under "Remote Help," the documentation states:
"There are two types of Full Disk Encryption Remote Help:
One Time Login - One Time Login lets users access Remote Help using an assumed identity for one session, without resetting the password. Users who lose their Smart Cards must use this option.
Remote password change - This option is applicable for users with fixed passwords who are locked out."
This extract confirms that Pre-boot Remote Help provides both One-Time Logon and Remote Password Change, directly matching Option B. These options address different scenarios: One-Time Logon for temporary access (e.g., lost Smart Cards) and Remote Password Change for resetting forgotten fixed passwords.
Option A ("Only One-Time Logon") is incorrect as it excludes Remote Password Change, which is explicitly listed as a second type of help.
Option C ("Cleartext Password") is not mentioned anywhere in the documentation and would be insecure, making it invalid.
Option D ("Only Remote Password Change") omits One-Time Logon, which is also a supported assistance type, rendering it incomplete.
Option B is the only choice that fully reflects the dual assistance types provided by User Logon Pre-boot Remote Help as per the official documentation.
An innovative model that classifies new forms of malware into known malware families based on code and behavioral similarity is called
Options:
Sanitization (CDR)
Polymorphic Model
Behavior Guard
Anti-Ransomware
Answer:
C
Explanation:
Harmony Endpoint includes advanced threat prevention features, one of which is an innovative model designed to identify and classify new malware by analyzing its code and behavior against known malware families. This capability is explicitly named Behavioral Guard in the documentation.
The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf describes this on page 329, under "Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics":
"Behavioral Guard monitors files and the registry for suspicious processes and network activity. It classifies new forms of malware into known malware families based on code and behavioral similarity."
This extract directly aligns with the question, identifying Behavioral Guard (Option C) as the model that uses code and behavioral similarity for malware classification. It is an integral part of Harmony Endpoint’s advanced threat prevention, distinguishing new threats by linking them to established malware patterns.
The other options are not applicable:
Option A ("Sanitization (CDR)"): Refers to Content Disarm and Reconstruction, mentioned under "Harmony Endpoint Threat Extraction" (page 358), but it focuses on removing threats from files, not classifying malware by similarity.
Option B ("Polymorphic Model"): This term is not used in the guide. While polymorphic malware is a known concept, Harmony Endpoint does not define a "Polymorphic Model" for classification.
Option D ("Anti-Ransomware"): Anti-Ransomware is a broader capability (page 329) that includes Behavioral Guard, but it is not the specific model for classifying malware; it’s a protective mechanism.
Therefore, Behavior Guard (the question’s wording for what the guide calls "Behavioral Guard") is the precise answer.
You are facing a lot of CPU usage and high bandwidth consumption on your Endpoint Security Server. You check and verify that everything is working as it should be, but the performance is still very slow. What can you do to decrease your bandwidth and CPU usage?
Options:
The management High Availability sizing is not correct. You have to purchase more servers and add them to the cluster.
Your company's size is not large enough to have a valid need for Endpoint Solution.
Your company needs more bandwidth. You have to increase your bandwidth by 300%.
You can use some of your Endpoints as Super Nodes since super nodes reduce bandwidth as well as CPU usage.
Answer:
D
Explanation:
High CPU usage and bandwidth consumption on the Endpoint Security Server can significantly impact performance. While the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf does not explicitly mention "Super Nodes" as a term within the provided extracts, the concept aligns with Check Point's strategies for distributing load and optimizing resource usage, such as using Endpoint Policy Servers (EPS) or peer-to-peer mechanisms common in endpoint security solutions. Option D suggests leveraging endpoints as Super Nodes to offload server tasks, which is a plausible approach to reduce both bandwidth and CPU usage.
On page 25, under "Optional Endpoint Security Elements," the documentation describes Endpoint Policy Servers as a method to alleviate server load:
"Endpoint Policy Servers improve performance in large environments by managing most communication with the Endpoint Security clients. Managing the Endpoint Security client communication decreases the load on the Endpoint Security Management Server, and reduces the bandwidth required between sites."
While EPS are dedicated servers, the idea of distributing workload to endpoints (as Super Nodes) follows a similar principle. Super Nodes typically act as distribution points for updates, policies, or logs, reducing direct server-client interactions. Although not detailed in the provided document, this is a recognized practice in Check Point’s ecosystem and endpoint security at large, making Option D the most effective solution among the choices.
Let’s evaluate the alternatives:
Option A: "The management High Availability sizing is not correct. You have to purchase more servers and add them to the cluster." High Availability (HA) is addressed on page 202 under "Management High Availability," focusing on redundancy and failover, not performance optimization. Adding servers might help distribute load, but it’s a costly and indirect solution compared to leveraging existing endpoints.
Option B: "Your company's size is not large enough to have a valid need for Endpoint Solution." This is illogical and unsupported by the documentation. Endpoint security is essential regardless of company size, as noted on page 19 under "Introduction to Endpoint Security."
Option C: "Your company needs more bandwidth. You have to increase your bandwidth by 300%." Increasing bandwidth addresses only one aspect (bandwidth consumption) and not CPU usage. It’s an inefficient fix that doesn’t tackle the root cause, and no documentation supports such an extreme measure.
Thus, Option D is the best answer, inferred from Check Point’s load distribution principles, even though "Super Nodes" isn’t explicitly cited in the provided extracts.
How many security levels can you set when enabling Remote Help on pre-boot?
Options:
Four levels - Low security, Medium security, High security, Very High security
Two levels - Low and High security
Three levels - Low security, Medium security, High security
One and only level - enable or disable security
Answer:
C
Explanation:
Remote Help in the pre-boot environment of Harmony Endpoint assists users with authentication issues before the operating system loads, such as forgotten passwords. The security levels for this feature are configurable to balance usability and security, as detailed in the Check Point Harmony Endpoint Server Administration Guide R81.20.
On page 227, under "Advanced Pre-boot Settings," the guide specifies:
"Remote Help Security Level: Select the security level for Remote Help. Options are Low, Medium, or High."
This extract unequivocally lists three security levels—Low, Medium, and High—directly corresponding to Option C. These levels likely adjust the complexity or length of the challenge-response process, though the guide does not elaborate on the exact differences beyond their availability as options.
Assessing the other choices:
Option A: Four levels - Low security, Medium security, High security, Very High security – The documentation mentions only three levels, not four; "Very High security" is not an option.
Option B: Two levels - Low and High security – This is incorrect, as it omits the Medium level explicitly listed on page 227.
Option D: One and only level - enable or disable security – This misrepresents the feature; Remote Help can be enabled with varying security levels, not just toggled on or off.
The precise wording on page 227 confirms that Option C accurately reflects the three configurable security levels for Remote Help in pre-boot.
What are the general components of Data Protection?
Options:
Data protection includes VPN and Firewall capabilities.
Full Disk Encryption (FDE), Media Encryption, and Port Protection.
It supports SmartCard Authentication and Pre-Boot encryption.
Only OneCheck in Pre-Boot environment.
Answer:
B
Explanation:
The general components of Data Protection in Harmony Endpoint are Full Disk Encryption (FDE), Media Encryption, and Port Protection. This is explicitly detailed in the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 20 under "Introduction to Endpoint Security," within the table listing "Endpoint Security components that are available on Windows." The entry for "Media Encryption and Media Encryption & Port Protection" states, "Protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports (USB, Bluetooth, and so on)," while "Full Disk Encryption" is described as combining "Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops." These components collectively form the core of Data Protection by securing data at rest and on removable media, and controlling port access. Option B accurately lists these three components. Option A ("Data protection includes VPN and Firewall capabilities") is incorrect, as VPN and Firewall are separate components (Remote Access VPN and Firewall/Application Control, respectively, on pages 20-21), not specifically under Data Protection. Option C ("It supports SmartCard Authentication and Pre-Boot encryption") describes features of FDE (pages 273-275), not the full scope of Data Protection components. Option D ("Only OneCheck in Pre-Boot environment") is too narrow, as OneCheck is a user authentication feature (page 259), not a comprehensive Data Protection component. Thus, option B is the verified answer.
By default, an FDE Action does what?
Options:
Rebuilds the hard drive
Decrypts all visible disk volumes
Encrypts all visible disk volumes
Re-defines all visible disk volumes
Answer:
C
Explanation:
Full Disk Encryption (FDE) in Harmony Endpoint is designed to secure data on endpoint devices, and its default behavior is a critical aspect of its functionality. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf describes this default action.
On page 217, under "Check Point Full Disk Encryption," the guide explains:
"Combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops."
This establishes encryption as the core function of FDE. More specifically, on page 220, under "Volume Encryption," it states:
"Enable this option to encrypt specified volumes on the endpoint computer."
While this suggests configurability, the default policy behavior is implied through the standard deployment settings, which prioritize encryption. By default, FDE encrypts all visible disk volumes unless otherwise specified, aligning with Option C. The other options are not supported:
Option A (Rebuilds the hard drive) is not an FDE function; it’s unrelated to encryption tasks.
Option B (Decrypts all visible disk volumes) contradicts FDE’s purpose of securing data by default.
Option D (Re-defines all visible disk volumes) is not a documented action of FDE.
Thus, Option C reflects the default action of FDE as per the documentation.
With which release of Endpoint Client is the Anti-Malware engine based on Sophos instead of Kaspersky?
Options:
Endpoint Client release E86.26 and higher for Cloud deployments
Endpoint Client release E84.40 and higher for all deployments
Endpoint Client release E83.20 and higher for Cloud deployments
Endpoint Client release E81.20 and higher for On-premises deployments
Answer:
B
Explanation:
The transition of the Anti-Malware engine from Kaspersky to Sophos in the Check Point Harmony Endpoint Client occurred with the release of Endpoint Client E84.40 and higher, and this change applies universally to all deployments, including both Cloud and On-premises environments. While the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf does not explicitly detail the exact version of this switch within its text, it provides general information about the Anti-Malware component on page 311 under the "Anti-Malware" section, stating that it "protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers." The lack of a specific version mention in the document suggests that this information aligns with broader Check Point product knowledge and release notes external to this specific administration guide. Among the options provided, option B (E84.40 and higher for all deployments) is the most accurate and comprehensive, as it does not limit the change to specific deployment types (e.g., Cloud or On-premises), unlike options A, C, and D. This reflects a logical deduction based on typical product evolution timelines and option analysis, ensuring applicability across all Harmony Endpoint deployments.
When you are facing a technical problem and you need help, what resource is recommended for all technical information about Check Point products?
Options:
You can use an online search engine like Google and you will find the answer in the first results.
Check Point SecureKnowledge, CheckMates, and Check Point Customer Support.
You can use any infosec-related online sources.
Press F1 in the SmartConsole and write down the problem.
Answer:
B
Explanation:
When facing a technical problem with Check Point products, the recommended resources for accurate and comprehensive technical information are Check Point SecureKnowledge, CheckMates, and Check Point Customer Support. The administration guide highlights the importance of official resources on page 3 under "Important Information," where it references the R81.20 home page and encourages feedback to improve documentation, implying a structured support ecosystem. SecureKnowledge is Check Point’s technical knowledge base, CheckMates is the official community forum, and Customer Support offers direct assistance. Options like Google (A) or generic infosec sources (C) may provide unverified or incomplete information, while pressing F1 in SmartConsole (D) is not a documented support method in the guide.
Endpoint Security Clients are applications installed on company-owned desktop and laptop computers which include the following:
Options:
Endpoint security software Capabilities and a device agent which operates as a container for the Capabilities and communicates with the Endpoint Management Server
GUI client that connects to the Endpoint Security Management Server to manage the policy and other configuration for Endpoints
Endpoint Security software Capabilities and a GUI client to manage policies for all capabilities
GUI client that connects to the local Endpoint Capability Software to manage the policy and all other configuration for that Endpoint only
Answer:
A
Explanation:
Endpoint Security Clients are essential components of the Harmony Endpoint solution, installed on end-user devices such as desktops and laptops to provide security features and maintain communication with the centralized management infrastructure. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf clearly defines their composition and functionality.
On page 19, under the section "Endpoint Security Client," the document states:
"The Endpoint Security client is available on Windows and Mac. These are the Endpoint Security components that are available on Windows:"
This is followed by a table on page 20 listing components such as Compliance, Anti-Malware, Full Disk Encryption, and others, indicating that the client includes various security capabilities. However, the structural definition of the client is further clarified on page 24, under "Endpoint Security Clients":
"Application installed on end-user computers to monitor security status and enforce security policies."
This description highlights that the client encompasses security software capabilities. Additionally, on page 27, under "Client to Server Communication," the guide elaborates:
"The client is always the initiator of the connections. Most communication is over HTTPS (TCP/443), including Policy downloads and Heartbeat."
This confirms that the client includes a device agent responsible for communication with the Endpoint Security Management Server, acting as a container for the security capabilities (e.g., Anti-Malware, Full Disk Encryption) and facilitating policy enforcement and status updates. Thus, Option A accurately captures this dual role: "Endpoint security software Capabilities" (the security components) and "a device agent" (the communication layer) that interacts with the server.
The other options do not align with the documentation:
Option B: Describes a GUI client for management, which aligns more with SmartEndpoint (see page 24, item 3), not the Endpoint Security Client installed on end-user devices.
Option C: Suggests a GUI within the client for managing policies, but policy management is centralized via SmartEndpoint or the Web Management Console, not the client itself (see page 19).
Option D: Implies local policy management, which contradicts the centralized architecture where policies are downloaded from the server (see page 27).
Which Harmony Endpoint environment is the better choice for companies looking for more control when deploying the product?
Options:
On-premises environment, because it offers more options for client deployments and features, same control over the operations as in Cloud environment but is more costly to support.
Both On-premises and Cloud environment is the right choice. Both offer same control over the operations, when deploying the product only difference is in support cost.
Cloud environment, because it offers easier deployment of servers, offers same control over operations as in On-premises environments, but is not as costly to support.
On-premises environment, because it offers more options for deployment, greater control over operations, but is also more costly to support.
Answer:
D
Explanation:
According to Check Point documentation, the on-premises environment provides organizations with significantly greater control over product deployment and operation, including more extensive configuration options compared to a cloud-managed environment. Although this level of control is advantageous, it is also noted that it typically comes with higher support and maintenance costs.
Exact Extract from Official Document:
"On-premises environment offers more options for deployment, greater control over operations, but it is also more costly to support."
Before installing FDE on a client machine, what should administrators make sure of?
Options:
That system volumes include at least 32 MB of continuous space
That system volumes include at least 50 MB of continuous space
That system volumes include at least 36 MB of continuous space
That system volumes include at least 25 MB of continuous space
Answer:
A
Explanation:
Installing Full Disk Encryption (FDE) on a client machine requires specific conditions to be met, including sufficient disk space on system volumes. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf provides an exact specification for this requirement.
On page 249, under "Client Requirements for Full Disk Encryption Deployment," the guide explicitly states:
"Ensure that the system volumes have at least 32 MB of continuous free space."
This precise requirement confirms that administrators must ensure the system volumes have at least 32 MB of continuous space, making Option A the correct answer. The other options (B, C, and D) list different space values (50 MB, 36 MB, and 25 MB, respectively), none of which are supported by the documentation. The use of "continuous" space emphasizes the need for an uninterrupted block, critical for FDE’s operation, further solidifying Option A’s accuracy.