CCCS

Question 1

Meaning SDDC

Answer 1

Software defined datacenter

Question 2

Meaning CSP

Answer 2

Cloud Service Provider

Question 3

SDN Benefits

Answer 3

Deliver and share system resources quickly and efficiently.

Question 4

3 layers of SDN framework

Answer 4

Control Layer
Infrastructure Layer
Application Layer

Question 5

How does Control Layer of the SDN operate

Answer 5

SDN operations using OpenFlow protocol to connect supported devices

Question 6

What is contained within Infrastructure Layer SDN

Answer 6

Represents physical components e.g. switches and routers

Question 7

What does the Application Layer of an SDN provide

Answer 7

Open areas to develop end-user apps and services. It also includes configuration, management, monitoring, t-shooting, policies and security

Question 8

Conventional Network V SDN Architecture

Answer 8

Control plane and data plane fused; therefore limits capacity of virtualizing network resources.

Question 9

What role API play SDN

Answer 9

API’s are send to send and receive requests to resources

Question 10

How is SDN routing differ from conventional

Answer 10

direct software programming of routing instead of relying routing protocols

Question 11

Three Types of Cloud Deployment

Answer 11

1. Public
2. Private
3. Hybrid

Question 12

Three Cloud Service Model

Answer 12

Infrastructure-as-a-Service (IaaS)
Platform-as-a-Service (PaaS)
Software-as-a-Service (SaaS)

Question 13

What are the features Infrastructure-as-a-Service (IaaS)

Answer 13

IaaS solutions host data center infrastructure and help customize design of their SDNs.

Question 14

What features Platform-as-a-Service (PaaS)

Answer 14

PaaS provides organizations with virtual resources that support developing software

Question 15

What features Software-as-a-Service (SaaS)

Answer 15

SaaS refers to a cloud service that delivers applications to an organization’s end users through a web browser.

Question 16

What is AWS network called

Answer 16

VPC

Question 17

What is Azure network called

Answer 17

vNet

Question 18

What is GCP network called

Answer 18

VPC Network

Question 19

What is AWS access to the internet called

Answer 19

Internet Gateway

Question 20

What is Azure internet called

Answer 20

Public IP

Question 21

What is GCP access to the internet called

Answer 21

Internet Gateway Route

Question 22

What is AWS autoscaling called

Answer 22

AutoScaling Groups

Question 23

What is Azure autoscaling called

Answer 23

Virtual Machine scale sets

Question 24

What is GCP autoscaling called

Answer 24

Instance groups

Question 25

What is the basis for AWS access control

Answer 25

Security groups

Question 26

What is the basis for Azure access control

Answer 26

Network security group

Question 27

What is the basis for GCP access control

Answer 27

Firewall rules

Question 28

What is AWS automation called

Answer 28

Cloud Formation

Question 29

What is Azure automation called

Answer 29

Cloud Deployment Manager

Question 30

What are advantages of cloud

Answer 30

1. Flexible
2. Efficiency
   3, Accessibility
3. Savings
4. Innovation
5. Opportunities

Question 31

What is a limitation of CSP Native Security Controls

Answer 31

Lacking and generally only cover the infrastructure

Question 32

What direction are attacks not often protected from

Answer 32

Lateral Threats

Question 33

Why are traditional network attacks more abundant in the cloud.

Answer 33

rapidly changing workloads

Question 34

Four Cloudguard offerings for private and public cloud

Answer 34

IaaS for Public Cloud
IaaS for Private Cloud
SaaS
Dome9

Question 35

What is the difference between Public and Private CloudGuard IaaS

Answer 35

Public (AWS) v Private Vendors (ESXi)

Question 36

What type of applications CloudGuard SaaS protect

Answer 36

Email and other SaaS based apps (dropbox..Etc)

Question 37

What type of Cloudguard provides security posture management and compliance.

Answer 37

CloudGuard Dome9

Question 38

What characteristics best define CloudGuard

Answer 38

Centralized Management
Cloud Diversity
Dev Ops Ready
Adaptive and Automatic

Question 39

What do security layers in policy provide

Answer 39

Granular control and access delegation

Question 40

What are the primary components of SMS

Answer 40

1. SmartConsole
2. Management Server
3. SmartEvent (optional)

Question 41

What does the Cloud GuardController do?

Answer 41

provides visibility and allows for automation and adaptive secuirty

Question 42

What do CloudGuard IaaS security Gateways provide

Answer 42

perimeter and east-west traffic protection in public / private cloud

Question 43

In Cloudguard what functionality does the identity awareness blade provide.

Answer 43

Allows security policy to be defined by cloud resources collected by the CloudGuard controller

Question 44

Elastic licensing

Answer 44

Licensing that provides quick provisioning of assets using cores licensed to deployed gateways.

Question 45

The shared security model requires consumers to provide what 2 items.

Answer 45

Data Security

Network access security

Question 46

CloudGuard IaaS defends cloud resources via

Answer 46

firewall
data security
advanced threat prevention
forensic analysis

Question 47

What are the five underlying security principles of secure public cloud

Answer 47

Security with Advanced Threat Prevention
Network Segmentation
Agility
Automation. Efficiency, and Elasticity 
Borderless

Question 48

What are the three layers of network segmentation within the CloudGuard solution.

Answer 48

1. The first layer applies a Security Gateway that enforces firewall policies to accept legitimate network traffic flows and deny unauthorized network traffic.
2. The second layer uses advanced Threat Prevention Software Blades to extend the Security Gateway’s traffic inspection by identifying and blocking malicious behavior within east-west traffic flows.
3. The third layer advances security with micro-segmentation to allow a clear separation of networks and different operating concerns associated with Development. Operations, and IT teams.

Question 49

Define micro-segmentation

Answer 49

Micro-segmentation creates boundaries by placing inspection points between different applications, sendees, senders, and single hosts within the same network segment.

Question 50

Why use hub and spoke for Cloud Blueprint

Answer 50

All traffic that enters and exits each spoke must travel through a hub. Spokes use network segmentation to clearly separate SDNs from one another and isolate their workloads. This allows differing ownership in the spoke while controlling security in the hubs

Question 51

What is a hub in a secure public cloud blueprint layout

Answer 51

Hubs operate as software defined data centers that use Security Gateways in combination with network traffic load balancers to protect the cloud’s perimeter according to its current scale. Each hub manages and delivers traffic to the spoke networks. Individual hubs communicate with one another through the SDN’s routing switches.

Question 52

What type of traffic does the northbound hub protect

Answer 52

The Northbound hub serves as the front end of the SDDC that permits inbound web communications such as HTTP traffic from the Internet to reach spoke SDNs.

Question 53

What components commonly in northbound hub

Answer 53

Public IP
External Load Balancers
Security Gateways

Question 54

Does any inbound traffic not go through northbound hub

Answer 54

Non-transitive traffic, done through peering

Question 55

What does southbound hub do

Answer 55

outbound transit traffic from the spokes
communication applications
software updates
VPN

Question 56

What do you use to avoid double NAT in a Azure Southbound peering

Answer 56

UDR (User defined routes)

Question 57

How do you route transit transit traffic without a UDR in AWS & GCP

Answer 57

VPN’s, leveraging VTI (VPN tunnel Interface) and BGP

OSPF cannot be used layer 2, which does not exist cloud

Question 58

Checkpoint HA CSP Hub Limitations

Answer 58

two Security Gateway members
AWS and Azure require Security Gateways to reside in the same location in a region
SDNs do not allow HA with state synchronization failover

Question 59

Which hub (north or South) allows automatic HA deployment

Answer 59

Northbound

Question 60

What components are commonly found southbound hub to support SDDC connectivity

Answer 60

Load Balancers

VPN Gateways

Question 61

At a minimum what components should be present in a secure public cloud blueprint

Answer 61

SMS
one or two hubs with security gateways (IaaS)
Peering connection between spokes

Question 62

Following the Secure Cloud Blueprint what is the Azure recommended config

Answer 62

1. Northbound Hub - Supports incoming public facing Internet traffic.
2. Southbound Hub - Manages outbound access to Internet and VPN connections to corporate on-premise locations
3. Spoke - Represents segmented SDNs with different resources, security, and access levels (IPSEC + BGP)
4. CloudGuard Auto Scaling - Protects the Northbound hub entrance with an elastic set of automated Security Gateway deployments.
5. Spoke - Represents segmented SDNs with different resources, security, and access levels.
   (See document for diagram for more specifics)

Question 63

Moving applications or services in an SDDC significantly improves what?

Answer 63

Less time

Resources

Question 64

in a public cloud what are two ways of IaaS Security gateway deployment.

Answer 64

Standalone=Combined security gateway and management

distributed= seperate vm for gateway and management

Question 65

Why might it be preferred to deploy SMS not in the cloud, but on prem

Answer 65

Can then manage on prem gateways as well as cloud instances

Question 66

SDDN cluster limitations

Answer 66

1. Cluster installations support High Availability mode only. This cluster configuration excludes ClusterXL load sharing or the Virtual Router Redundancy Protocol (VRRP)
2. Security Gateways with HA configurations must communicate with the SDDC to achieve failover with the secondary Security Gateway member. The failover process requires extra time to complete since the Security Gateways must communicate with the SDDC first.
3. Clusters must include a maximum of two members.
4. Avoid deploying management servers and cluster members in a stand alone configuration.
5. Both cluster members must reside in the same region and location.

Question 67

Three ways you can deploy CloudGuard IaaS

Answer 67

1. CSP Portal - Provides access to create, view, and manage CloudGuard resources.
2. PowerShell - Uses predefined CloudGuard IaaS Security Gateway templates for automated deployments.
3. Command Line Interface (CLI) - Launches CloudGuard Security Gateways with command line scripts.

Question 68

Understanding CSP resources “Geographic Region”

Answer 68

AWS uses Availability Zones
Azure refers to them as Locations
GCP describes them as Zones

Question 69

Understanding CSP resources “Network”

Answer 69

Make sure correct network association

New cloudguard IaaS will be needed to protect each network segment

Question 70

Understanding CSP resources “Subnets”

Answer 70

only contains itself and no other VM’s

Question 71

Understanding CSP resources “Public IP”

Answer 71

Public IP: Ensure static IP for external

Question 72

Understanding CSP resources “Private IP”

Answer 72

Private IP: Internal resource connectivity

Question 73

Understanding CSP resources “Load Balancers”

Answer 73

1. In the cloud’s inbound perimeter, external load balancers direct Internet traffic to spoke networks with an inbound NAT configuration.
2. Within spoke networks, internal load balancers distribute traffic loads between servers.

Question 74

Understanding CSP resources “Security Group”

Answer 74

1. protects inbound and outbound traffic access to virtual machines.
2. VMs in the same subnet receive coverage from different Security Groups
3. VMs do not receive a Security Group assignment during their deployment, the CSP assigns a default Security Group to them.

Question 75

Understanding CSP resources “Tags”

Answer 75

CSPs use tags (labels) to attach identifying information to cloud resources
CloudGuard Controller uses tags to discover new. automated CloudGuard IaaS Security Gateway deployments to include in the Security Policy.

Question 76

Understanding CSP resources “Identity and Access Management”

Answer 76

Identity and Access Management (IAM) credential represents a user or application that needs to contact the SDDC to cany out an operation.
Activating IAM permission on CloudGuard IaaS required add client-id during VM deployment

Question 77

What to check when deplying CloudGuard IaaS

Answer 77

Tags - Review each VM to confirm it reflects the correct tag associations.
IAM - Verify each CloudGuard IaaS deployment contains the relevant IAM client-id and client-secret credentials.
Networks and Subnets - Examine each CloudGuard deployment and validate that it maps to the correct SDN and subnet.
Installation Time - Wait for the deployment process to finish completely before proceeding with the next phase of configuring security protections.

Question 78

Some CSP related issues when deploying IaaS

Answer 78

AWS - Register software subscription agreements before deploying CloudGuard IaaS VMs or the CSP will roll back the deployment.
Azure - CloudGuard IaaS deployments require approximately fifteen minutes to finish.

Question 79

What are the five management tools in CloudGuard IaaS to create and manage policy

Answer 79

1. Gaia Portal
2. Smartconsole
3. CLI
4. Security Objects
5. Rule base

Question 80

What is Gaia Portal

Answer 80

Functions as the primary web user interface for the Gaia OS platform. Through this portal, Security Administrators may configure the SMS and Security Gateway properties.

Question 81

What is SmartConsole

Answer 81

Acts as a GUI that configures and enforces the Security Policies that protect the environment)

Question 82

What are Security Objects

Answer 82

Represent all the network components such as Security Gateways, web servers, networks, and services.

Question 83

What is CLI

Answer 83

Provides the interface that activates commands to configure the operation of the CloudGuard IaaS security solution.

Question 84

What is Rule Base

Answer 84

Establishes a set of rules that define and protect the SDDC’s perimeter and connections to SDNs.

Question 85

What are to types of policy approaches used in Check Point Policy

Answer 85

1. Ordered

2. Inline

Question 86

What is Ordered Policy

Answer 86

Performs one or more security actions to the rule base in a top-down order against every layer of the Security Policy.

Question 87

What is Inline Policy

Answer 87

Optimizes the rule matching process by reusing the same security layer in the same policy or in multiple policies.

Question 88

CloudGuard IaaS security policy combines what two policy types

Answer 88

1. Traditional Security Policy

2. Context Aware / Adaptive Policy

Question 89

What does an adaptive security policy provide

Answer 89

1. This policy format broadens the scope of network security by protecting resources created from one or more CSPs.
2. application owners gain control of their application deployments since they can add and remove resources without impacting security.

Question 90

Which cloud defined objects assist in security policy creation

Answer 90

1. Data Center Objects

2. Tags

Question 91

What can an imported data center object contain

Answer 91

subnets,
hosts,
tags
entire cloud data center

Question 92

What options are available when importing data center objects

Answer 92

Region View - Imports SDNs, subnets, and VMs as security objects by region.
Tags View - Identifies all VM resources with a specific tag key or tag value.
Search View - Uses a search field to locate a specific cloud resource.

Question 93

What are some guidelines when creating tags

Answer 93

AWS allows only one data center per region to use a specific tag.
Azure and GCP associate tags with one data center per CSP subscription.
All CSPs permit assigning multiple tags to a single virtual machine

Question 94

What components are required automated security policy

Answer 94

SMS
CloudGuard Controller
Security Gateway

Question 95

What is the one thing that all gateways require to make API calls to SDDC

Answer 95

IAM private key registration

Question 96

Where do you activate cloud guard controller to communicate via API calls to the SDDC

Answer 96

SMS

Question 97

What does the SMS require to enforce policy on gateway

Answer 97

SIC

Question 98

What component of CloudGuard scans the environment for changes in cloud resources.

Answer 98

CloudGuard Controller

Question 99

What happens when CloudGuard Controller detects a new or modified object

Answer 99

New=create a new DC object

Modified=updates IA and then object configuration and then updates policy

Question 100

How many phases in the cloudguard workflow.

Answer 100

2

Question 101

What are the steps in phase 1

Answer 101

1. Connect to the Cloud - Requires the Security Gateway to authenticate with the cloud environment with an IAM registration.
2. Retrieve Cloud Resources - Imports cloud resources from Data Center A and stores them inside the CloudGuard Data Center server’s repository. After each scan, the system compares cloud objects m Data Center A against the Data Center objects stored m the Data Center Repository to synchronize any changes to the Security Policy.

Question 102

What are the steps in phase 2

Answer 102

1. Import Data Center Object - Add the Data Center object or its tag into a rule.
2. Manual Security Policy Installation - Converts Data Center objects into an Identity Awareness Access Role, which authorizes the Security Gateway to receive dynamic updates any time the Data Center object’s configuration changes.
3. Automated Access Role Updates - Uses the CloudGuard Enforcer to deliver Access Rol updates from the SMS to the Security Gateway.

Question 103

What must gateways maintain with SMS to receive automated security policy updates

Answer 103

SIC

Question 104

How do you check the state of the CloudGuard process

Answer 104

go to the CLI of the SMS and execute cloudguard on

Question 105

How do you verify connectivity between SMS and SDDC

Answer 105

Open data center object in the SMS and select test configuration button

Question 106

What log is used for t-shooting CloudGuard Controller

Answer 106

Cloud_proxy.elg

Question 107

What type of traffic needs to be allowed between SDDC and security gateway

Answer 107

http
VPN connections
HIgh availability sync
SDDC traffic

Question 108

What does the forward proxy provide in traffic management

Answer 108

converts web traffic going from spoke to internet 8080 to 80 so can be delivered northbound hub

Question 109

Does each security gateway require a VPN domain for connectivity

Answer 109

yes

Question 110

What type of VPN domain configuration is required to communicate SDN

Answer 110

Star

Question 111

What is the required setting for high availability gateway sync

Answer 111

Eth0 & Eth1 must have Sync as their type (may need to be changed depending on CSP mods)

Question 112

Does the CSP or the gateway provide anti-spoofing

Answer 112

The CSP, if not disabled on gateway may reject load balancer traffic

Question 113

What setting is required to ensure the original IP address information

Answer 113

Gateways X-forward setting (CSP does not hide the source IP of internet traffic behind load balancers

Question 114

Describe the components that CloudGuard IaaS uses to develop a Security Policy.

Answer 114

• Gaia Portal - Functions as the primary web interface for the Gaia OS platform. This tool configures SMS and Security Gateway properties
• Smart Console -Acts as a GUI that configures and enforces the Securityt Policies that protect the environment
• Security Objects - Represent all the network components in the cloud environment such as Security Gateways, web sewers, networks, and sendees
• CLI - Provides the interface that activates commands to configure the operation of the CloudGuard IaaS security solution
• Rule Base - Establishes a set of rules that define and protect the SDDC’s perimeter and connections to SDNs

Question 115

Discuss the phases of the CloudGuard Controller workflow process to import and secure cloud Data Center objects.

Answer 115

Phase I:
The Security Gateway must establish a secure connection to the cloud with an IAM registration.
Then the CloudGuard Controller scans the cloud and pulls Data Center objects from the data center and stores them inside the Data Center Repository. The Controller continues to scans the environment to fmd changes to Data Center objects. When the system finds a modified Data Center object, it updates the Security Policy with the changes.
Phase 11: Incorporates Data Center object changes into the Security Policy:
First, import the Data Center object or its tag into a rule.
Next, manually install the Security Policy so the object converts into an Identity Awareness Access Role that the Security Gateway can monitor and update any time the Data Center object changes.
After, the manual Security Policy installation, the CloudGuard Enforcer automates the deiner of Access Role updates from the SMS to the Security Gateway.

Question 116

Discuss the traffic management settings that Security Gateways to accept traffic from the cloud.

Answer 116

The Forward Proxy setting allows the Security Gateway to transfer outgoing proxy traffic out of a spoke to reach the Internet.
Security Gateways require a VPN domain configuration to connect with SNDs in the SDDC. The VPN domain requires a star configuration that accepts center-to-satellite connections
High Availabililty Security Gateway cluster members require their ethO and ethl interfaces to include the Sync network type setting.
Security Gateways must include a configuration that disables Anti-Spoofing to accept legitimate traffic from load balancers.
The X-Forwarding setting allows Security Administrators to see original packet’s IP address information.

Question 117

Describe the two advantages of deploying resources in the cloud.

Answer 117

1. Creating new deployments or transferring resources to another SDN requires less time.
2. Issuing new applications instead of deploying hardware streamlines deployment processes and involves fewer resources.

Question 118

Identify the limitations associated with deploying a CloudGuard Security Gateway cluster.

Answer 118

Cluster installations support High Availability mode only.
The failover process requires extra time to complete since the Security Gateways must communicate with the SDDC first.
Clusters must include a maximum of two members.
Avoid deploying management servers and cluster members in a stand alone configuration. Both cluster members must reside in the same region and location.

Question 119

Discuss which network setting misconfigurations impact the success of CloudGuard deployments.

Answer 119

Missing tags prevent VMs from reflecting the correct network associations.
VMs without 1AM user credentials cannot communicate with the SDDC.

Question 120

Describe the elements of the CloudGuard architecture

Answer 120

Security Management Platform - includes a Management server core, SmartConsole, GUI, and SmartEvent to perform security operations and reporting functions

CloudGuard Controller - a sub-component of the Security Management Server that gathers cloud resources to define Security Policy with an identity-based context.

Security Gateway Protections - Virtual Machines that operate in the cloud to protect its perimeter, secure east-west traffic, and establish l^PNs to securely connect SDNs with onpremises networks.

Next Generation Threat Prevention - Inspects cloud applications and virtual resources for malicious threat activity.

Identity Awareness - Monitors and logs traffic based on the identity of cloud resources.

Elastic Licensing - Uses a central license pool to add/remove licenses to Security Gateway deployments.

Question 121

Discuss the components of the Secure Public Cloud Blueprint.

Answer 121

Hubs - Operate as Software Defined Data Centers that permit inbound/outbound web traffic into the perimeter of the data center. Northbound hubs include public IP addresses, external load balancers, and automated CloudGuard IaaS Security Gateways. Southbound hubs manage outbound Internet traffic and transit traffic connections between the SDDC and on-premise networks.

Spokes - Function as isolated environments for applications and services. Spokes allow internal access and/or public access to their contents.

Network Connections - Peering connects SDNs directly without going through hubs to reach spoke networks.

Question 122

Identify the minimum system requirements of a secure public cloud.

Answer 122

A secure public cloud should include a Security Management Server that resides in the SDDC or in an on-premise location. The environment should also contain one or two hubs with CloudGuard IaaS Security Gateways, and Peering connections between spoke networks.

Question 123

Discuss the advantages of cloud network architecture?

Answer 123

Enables direct programming of the network configuration to improve network performance and monitoring.

Uses a centralized management layer to deliver faster performance than conventional networks.

Allows virtualization of network resources to process at faster speeds and dynamically respond to network loads.

Question 124

Describe the cloud service models and their benefits

Answer 124

laaS - Hosts an infrastructure to create custom SDNs and store data. This service model meets the requirements of network architects.

PaaS - Build software applications, web servers, and databases in an SDN managed by CSP. 77iis service model also provides organizations with needs to develop, test, and deploy their applications.

SaaS - Delivers applications for end-users to consume through a web browser. CSPs manage and host data for the application and the OS. This service model reduces operating expenses and IT resources to deploy SaaS.

Question 125

Which SDN components provide advantages to cloud networking in comparison to traditional networking.

Answer 125

The SDN controller centralizes management of SDN operations.

Programmable routing switches deliver network traffic in the most optimal, efficient route possible.

The Application layer provides automation capabilities for network functions and services.

Question 126

Describe the CSP resources that support automation.

Answer 126

REST APIs support the interactions between cloud resources, on-premise equipment, scripts, orchestration playbooks, and CloudGuard IaaS.

CLIs carries out repetitive tasks, communicates with the SDN’s OS, and perform scripts that automate processes.

Scripts represent written programs that automate the execution of operational tasks.

PowerShell operates as an open source platform with a command line shell and a scripting language that can access services in the OS to automate tasks.

Templates use text files to generate scripts to create automated deployments.

Question 127

Describe the orchestration playbook process for creating a new spoke and an automated Security Gateway.

Answer 127

An event trigger initiates an orchestration playbook.

The playbook launches a template to deploy an automated resource and configure its application software.

To protect the new resource, the playbook deploys a Security Gateway.

The Security Gateway receives a new inline Security Policy to protect the spoke.

Question 128

What is the primary difference between vertical and horizontal autoscaling?

Answer 128

Vertical scaling requires a virtual machine to completely shut down while system resources move to a different size machine.

Horizontal scaling achieves the transfer of resources to a different VAS automatically without the need to power down the VM

Question 129

Identify the process CloudGuard Dome9 uses to integrate with cloud accounts.

Answer 129

Dome9 requires LAM account credentials to connect to public cloud accounts through REST APIs. Once connected it gathers cloud configuration data to deploy protections.

Question 130

Describe the CloudGuard Dome9 mechanisms that administer automated compliance remediation’s.

Answer 130

Automated software applications known as CloudBots address non-compliance issues. CloudBots operate in the cloud account to perform remediations such as quarantining or germinating cloud instances. Automatic remediation may apply to a single cloud account or several cloud accounts at one time.

Question 131

Discuss the module that uses cloud data analytics to provide an overview of the cloud account’s security status.

Answer 131

Magellan operates as an intelligent threat prevention technology and an investigative tool that examines and gathers information about cloud activity. This module gathers cloud inventory, cloud configurations, system monitoring, and intelligence. Security Administrators may use this information to streamline Network Security operations, reduce the lead time for threat detection, and detect abnormal use of cloud resources.

Question 132

The Cloud Blueprint Provides

Answer 132

Automating or auto-provisioning Security Gateway deployments follows a predefined repeated, consistent deployment process to adapt to the environment’s capacity.

Question 133

Which hub provides the ability for automating Cloud deployment

Answer 133

Northbound

Question 134

Auto deployment follows these steps

Answer 134

1. An event trigger or a set of triggers monitors the traffic volume and responds when traffic increases.
2. When (the Security Gateway capacity reaches a defined threshold, the event trigger initiates deploying a new automated Security Gateway.
3. The new Security Gateway operates in a High Availability mode after it receives a Security Policy to enforce.

Question 135

What CSP automation tools are used to provide automated deployment

Answer 135

1. API
2. CLI
3. Scipts
4. Powershell
5. Templates

Question 136

API

Answer 136

Public clouds and Hybrid clouds use Representational State Transfer (REST) APIs to support the interactions between cloud resources, on-premise equipment, scripts, orchestration playbooks.

Question 137

What operations are done via API with CloudGuard IaaS

Answer 137

• Automate creating and deleting policy objects
• Access Roles, VPN domains, and session management
• Build, publish, and install Access Control and Threat Prevention Security Policies
• Contact the SDDC
• Authorize the identity of Data Center objects

Question 138

What does CLI allow

Answer 138

efficient tool for carrying out repetitive tasks in an automated manner.

Question 139

What functions of CLI does the SMS server leverage

Answer 139

• Process scripting commarjds
• Transfer data between SDNs
• Manage day-to-day troubleshooting
• Examine configuration and operational issues

Question 140

What are scriptsand how is it used

Answer 140

Scripts represent written programs that send instructions to APIs in order to automate the execution of operational tasks. CloudGuard uses JavaScript Object Notation (JSON), a language independent script, to develop templates that automate Security Gateway deployments.

Question 141

What is powershell and how is it used

Answer 141

PowerShell operates as an open source platform tool that includes a command line shell and a scripting language. The command line shell provides access to services within the OS for the purpose of automating tasks. Each CSP provides their own PowerShell tool to develop automation scripts.

Question 142

What are templates and how is it used

Answer 142

• Templates represent text files with JSON scripts that automate cloud deployments.
• CloudGuard IaaS deployment templates support SMS and Security Gateway configurations
• An infrastructure deployment service in a CSP Portal creates and manages automated deployment templates

Question 143

What is the name of each CSP Template resource

Answer 143

AWS :CloudFormation
Azure: Resource Manager
Google Clouds: Deployment Manager

Question 144

What component is essential in SDDC to automation.

Answer 144

APIs as they have an orchestration layer

Question 145

What initiates a playbook for automation

Answer 145

event trigger

Question 146

A common orchestration platform that has a checkpoint module

Answer 146

Ansible

Question 147

What is autoscaling

Answer 147

Autoscaling deploys identical VMs, and other resources such as Security Gateways, as a single group

Question 148

What tools does autoscaling leverage within the CSP

Answer 148

1. CSP Portal
2. CLI
3. Powershell

Question 149

Does autoscaling require pre-provisioning

Answer 149

No

Question 150

What determine the scale of the automated deployements

Answer 150

Rules

Question 151

Common event triggers

Answer 151

1. performance metrics
2. Application resources
3. Time schedules

Question 152

What are two types of autoscaling

Answer 152

1. Vertical

2. Horizontal

Question 153

Characteristics of vertical scaling

Answer 153

1. Tune env up and down (e.g. smaller to bigger VM)

2. Requires shutdown of resources

Question 154

Characteristics of horizontal scaling

Answer 154

1. adds or removes resources

2. no system shutdown

Question 155

Which autoscaling method is recommended by Check Point Secure Cloud Blueprint

Answer 155

Horizontal

Question 156

api status

Answer 156

Performs a system check of the API status.

Question 157

api restart

Answer 157

Restarts the API

Question 158

api reconf

Answer 158

Reconfigures the API instead of restarting it.

Question 159

service autoprovision test

Answer 159

Checks the connectivity of auto- provisioned resources and identifies auto-provisioning issues.

Question 160

tail -f$FWDIR/log/autoprovision.elg

Answer 160

Reveals any issues that occur during the autoprovision process.

Question 161

‘tail -f $FWDIR/log/api.

Answer 161

Investigates system issues with API calls

Question 162

Important log files to debug

Answer 162

/var/log/doiid-user-data 
/varlog/ ftwinstall. log 
SFWDIR/log'autopro vision. elg * files 
SFWDIR/conf/autoprovision j son file
/opt'CPsuite-RSO/fw 1 /scripts/monitor.py

Question 163

Describe the CSP resources that support automation

Answer 163

1. REST APIs support the interactions between cloud resources, on-premise equipment, scripts, orchestration playbooks, and CloudGuard IaaS.
2. CLI carries out repetitive tasks, communicates with the SDN’s OS, and perform scripts that automate processes.
3. Scripts represent written programs that automate the execution of operational tasks.
4. PowerShell operates as an open source platform with a command line shell and a scripting language that can access services in the OS to automate tasks.

Question 164

Describe the orchestration playbook process for creating a new spoke and an automated Security Gateway.

Answer 164

1. An event trigger initiates an orchestration playbook.
2. The playbook launches a template to deploy an automated resource and configure its application software.
3. To protect the new resource, the playbook deploys a Security Gateway.
4. The Security Gateway> receives a new> inline Security Policy to protect the spoke.

Question 165

What is the primary difference between vertical and horizontal autoscaling?

Answer 165

1. Vertical scaling requires a virtual machine to completely shut down while system resources move to a different size machine.
2. Horizontal scaling achieves the transfer of resources to a different VÙT automatically without the need to power down the VM.

Question 166

CloudGuard Dome9 capabilities

Answer 166

• Detect and remediate cloud native security misconfigurations
• Protect against identity theft and data loss prevention
• Visualize and assess the security posture of hybrid clouds
• Enforce compliance standards across multi-cloud environments

Question 167

CloudGuard Dome9 serves organizations that support following characteristics:

Answer 167

• Environments that support an integrated DevOps culture
• Public clouds for Development and Testing operations
• Organizations using IaaS public clouds such as AWS, Azure, and GCP
• Data centers with cloud-based production systems

Question 168

Dome9 uses what to connect, communicate, and collect information from cloud accounts and third party tools.

Answer 168

APIs

Question 169

CloudGuard Dome9 consists of what modules

Answer 169

• Cloud Inventory
• Network Security
• Compliance and Governance
• IAM Safety
• Magellan

Question 170

What does the Cloud Inventory module provide.

Answer 170

Automates collecting inventory data from cloud environments.

Question 171

What does the Network Security module provide.

Answer 171

Provides a real-time regional topology map of cloud networks.

Question 172

What does the Compliance and Governance module provide.

Answer 172

Verifies compliance against industry standards.

Question 173

What does the IAM Safety module provide.

Answer 173

Granularly controls IAM users, roles, and actions

Question 174

Magellan

Answer 174

Analyzes cloud traffic and audits security events to provide an overview of the cloud’s security status.

Question 175

What allows CloudGuard Dome 9 to connect to the CSP’s

Answer 175

IAM credentials

Question 176

What fundamental operations do rest Rest APIs provide in Dome9

Answer 176

1. system notifications
2. detect new cloud resources
3. deliver threat intelligence feeds
4. Enforce compliance policies
5. Apply security enhancements to the environment

Question 177

What procedures do Rest APIs perform

Answer 177

• Manage locking and unlocking cloud-based Security Groups and regions
• Create time-sensitive, on-demand dynamic access leases to services and ports
• Run the compliance engine and Security Policy groups
• Remediate non-compliant cloud resources with Cloudbots

Question 178

Is CloudGuard Dome 9 install an agent

Answer 178

No, it is agentless

Question 179

Does CloudGuard Dome 9 set a default security posture after install

Answer 179

yes

Question 180

What authentication method does CloudGuard Dome 9 support for administration

Answer 180

1. Username and Password
2. SSO
3. 2-Factor

Question 181

What are the role designation in CloudGuard Dome 9

Answer 181

• Super User - Accesses and manages account resources, creates new users, and modifies other user’s privileges.
• Account Owner - Retains Super User privileges and manages CloudGuard Dome9 account related issues such as billing and subscription plans.
• Normal User - Assigns privileges to manage account access, create new servers, or issue Security Groups.

Question 182

Which 2 role definitions can grant user permissions actions in CloudGuard Dome 9

Answer 182

1. Super Users

2. Account Owners

Question 183

What are the permission typed provided by CloudGuard Dome 9

Answer 183

• Dynamic Access - Issue dynamic access leases to cloud accounts.
• Create - Generate Dome9 agents on hosts using legacy software versions.
• Manage - Create, change, or remove Dome9 account assets.
• View - Access all system resources with read-only privileges.

Question 184

Two rule base bundles in CloudGuard Dome 9

Answer 184

• Best Practices Bundle - Contains all CloudGuard Dome9 rules.
• Network Security Bundle - Includes all port based rules and Network Security rules.

Question 185

What is GSL, and what does it provide

Answer 185

Governance Specific Language (GSL), GSL provides a simple, but expressive language that defines configurations and network traffic flows.

Format: should < Condition
Ex. [key=’owner].

Question 186

What feature of CloudGuard Dome 9 allows administrators to test policy without any damaging effects

Answer 186

CloudGuard Dome 9 Playground

Question 187

Does CloudGuard Dome 9 provide an audit trail of access and actions

Answer 187

Yes

Question 188

Where does a CloudGuard Dome 9 administrator manage cloud accounts and access

Answer 188

Cloud Inventory module

Question 189

What operations does Cloud Inventory module perform

Answer 189

• Search for Cloud Accounts
• Review the security posture of cloud accounts)
• Apply uniform changes to the environment
• Respond to cloud account permissions behaviors

Question 190

During CloudGuard Dome 9 acquisition in AWS, Azure, or GCP what are three operational roles you can assign, and what do they allow

Answer 190

• Read Only - Monitors and visualizes cloud accounts through CloudGuard Dome9.
• Full Protection - Enforces access to cloud accounts and reverts system changes to cloud assets or Security Groups
• Region Lock - Adds new Security Groups with Full Protection mode, which deletes all inbound ‘outbound Security Policy rules to the group.

Question 191

What activities does the network security cloud module perform

Answer 191

• Visualizes Security Policies in cloud environments
• Manages Network Security Groups
• Controls access to protected cloud assets with short-term dynamic access leases

Question 192

What does Clarity in CloudGuard Dome 9 provide to the administrator

Answer 192

Clarity displays the security posture of public clouds, which represents the cloud’s overall cyber security strength.

Question 193

What are the two layers of visibility provided by Clarity CloudGuard Dome9

Answer 193

1. contains a regional overview of the public clouds. This layer uses a topology map view to define each cloud’s relationship to one another.
2. includes a Security Group view that maps cloud resources and services into security zones. Cloud resources and services reside in different Security Groups based on their level of exposure to the external world.

Question 194

What CloudGuard Dome9 module provide a place to adjust security precautions and explains the effect of the changes

Answer 194

Network Security Module

Question 195

What CloudGuard Dome9 module provides predefined reports about compliance and security

Answer 195

Compliance and Governance Module

Question 196

What are the steps in the compliance workflow

Answer 196

1. Initial Assessment
2. Review Results
3. Customize
4. Continuous Monitoring
5. Automated Remediation

Question 197

Describe the Initial Assessment phase of the compliance workflow

Answer 197

Requires defining the compliance framework and assets that require compliance assessments.

Question 198

Describe the Review Results phase of the compliance workflow

Answer 198

Identifies any system controls that counteract compliance and discovers non-compliant assets.

Question 199

Describe the Customize phase of the compliance workflow

Answer 199

Creates a custom continuous compliance configuration with rules and exceptions to apply to specific resources in the cloud environment.

Question 200

Describe the Continuous Monitoring phase of the compliance workflow

Answer 200

Delivers system notifications and compliance reports that reveal cloud resources which require compliance updates.

Question 201

Describe the Automated Remediation phase of the compliance workflow

Answer 201

Administers compliance remediation efforts with automated software applications known as CloudBots and integrates with third party remediation tools.

Question 202

What dashboard provides an overview of security policy configuration

Answer 202

Compliance Dashboard

Question 203

What tool automates the notification and remediation of compliance issues

Answer 203

The continuous compliance tool

Question 204

What features of CloudGuard Dome9 actively fixes out of compliance assets

Answer 204

CloudBots

Question 205

Can CloudBots remediate a single or multiple clouds.

Answer 205

Multiple Clouds

Question 206

What automatic remediation’s can be done by CloudBots

Answer 206

• Encrypt databases
• Rotate encryption keys
• Force password changes
• Quarantine instances
• Add privacy settings to storage buckets
• Suspend users or roles

Question 207

What platform supports CloudBot auto remediation.

Answer 207

AWS

Question 208

What authentication mechanisms are used for CloudGuard Dome9 IAM account protections

Answer 208

1. Two-factor

2. Attribute based authorization

Question 209

What does CloudGuard Dome9 Privileged Access Protection provide

Answer 209

time-sensitive authorization

Question 210

Is it recommended to apply CloudGuard Dome9 protections before or after IAM accounts have receive access to protected assets

Answer 210

Before

Question 211

CloudGuard Dome9 IAM protections fall into 2 types

Answer 211

1. Protected - Blocks any protected IAM user from applying protected actions to cloud services
2. Protected with Elevation - Authorizes CloudGuard Dome9 users access to protected services for a limited time period.

Question 212

What feature of CloudGuard Dome9 protects security groups from unapproved changes

Answer 212

CloudGuard Dome9 tamper protection

Question 213

How many types of IAM reports are available

Answer 213

2

Policy
Credential

Question 214

What information is provided to CloudGuard Dome9 Magellan in determining security status.

Answer 214

1. Cloud account configurations

2. Data flows

Question 215

What functions does CloudGuard Dome9 Magellan serve

Answer 215

1. intelligent threat prevention technology

2. investigative tool that examines cloud activity

Question 216

What does Magellan cloud-native security intelligence mechanism deliver

Answer 216

1. Intrusion Detection
2. Network Traffic visualization
3. Activity Analytics

Question 217

What type of algorithms does CloudGuard Dome9 Magellan use

Answer 217

Object-mapping

Question 218

How does Magellan streamline Network Security operations

Answer 218

1. reduce the lead time for threat detection
2. detect abnormal use of cloud resources
3. compliance validation
4. list of unapproved assets

Question 219

What is included in Magellan’s enrichment engine.

Answer 219

• threat feeds
• geographic databases
• inventory, configuration
• traffic flow logs
• cloud native compliance and auditing data

Question 220

What format is Maegllan’s enriched data displayed

Answer 220

Graphical

Question 221

What graphical item are presented by Magellan

Answer 221

1. Compliance notifications
2. Intrusion Alerts
3. Enriched log data stream

Question 222

What predefine queries are provided by Magellan

Answer 222

• Login and Authentication - Reflects console logins from new regions, creating API keys in a new region, and brute force attacks on a cloud account.
• Security Configurations - Identifies outbound traffic using SSH or RDP, changes in the cloud account’s activity monitoring settings, and internal port scans.
• Resource Abuse - Scans the environment for new machine types in use. modifications to storage size, and database deletions.

Question 223

Describe the CloudGuard Dome9 mechanisms that administer automated compliance remediation’s.

Answer 223

Automated software applications known as CloudBots address non-compliance issues. CloudBots operate in the cloud account to perform remediation’s such as quarantining or terminating cloud instances. Automatic remediation may apply to a single cloud account or several cloud accounts at one time.

Question 224

Discuss the module that uses cloud data analytics to provide an overview of the cloud account’s security status.

Answer 224

Magellan operates as an intelligent threat prevention technology and an investigative tool that examines and gathers information about cloud activity. This module gathers cloud inventory, cloud configurations, system monitoring, and intelligence. Security Administrators may use this information to streamline Network Security operations, reduce the lead time for threat detection, and detect abnormal use of cloud resources.

Question 225

Do you need to turn off Anti-spoofing in Azure

Answer 225

Yes, interfered with routing

Question 226

What unit are AWS cloud formation templates organized into

Answer 226

Stacks

Question 227

What CSP service do you need to employ to allow the SMS to autoprovision resources

Answer 227

IAM

Question 228

What command do you run on SMS to see version of the autoprovision module

Answer 228

cat $FWDIR|/scripts/autoprovision/version

Question 229

What is the command to establish autoprovision on the SMS server

Answer 229

autoprov-cfg

Question 230

What is the command to check autoprovision configuration details on SMS

Answer 230

autoprov-cfg show all

Question 231

What is the command to test autoprovision configuration on the SMS server

Answer 231

service autoprovision test

Question 232

What is the command to set autoprovision template configuration on the SMS server

Answer 232

autoprov-cfg set template