CCSE

Question 1

What is the port used for SmartConsole to connect to the Security Management Server:

Answer 1

CPMI port 18191/TCP

Question 2

Which is the correct order of a log flow processed by SmartEvents components

Answer 2

Firewall > Log Server > Correlation Unit > SmartEvent Server Database > SmartEvent Client

Question 3

In SmartEvent, what are the different types of automatic reactions that the administrator can configure?

Answer 3

Mail, Block Source, Block Event Activity, External Script, SNMP Trap

Question 4

Which components allow you to reset a VPN tunnel?

Answer 4

SmartView monitor only

Question 5

When synchronizing clusters, which of the following statements is FALSE?

A. The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized.
B. Only cluster members running on the same OS platform can be synchronized.
C. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization.
D. Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails.

Answer 5

Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails.

Question 6

Which of the following is a new R80.10 Gateway feature that had not been available in R77.X and older?

Answer 6

The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control
over the rule base flow and which security functionalities take precedence.

Question 7

In R80.10, how do you manage your Mobile Access Policy?

Answer 7

From SmartDashboard

Question 8

You find one of your cluster gateways showing “Down” when you run the “cphaprob stat” command. You then run the “clusterXL_admin up” on the down member
but unfortunately the member continues to show down. What command do you run to determine the case?

Answer 8

cphaprob -a list

Question 9

SandBlast offers flexibility in implementation based on their individual business needs. What is an option for deployment of Check Point SandBlast Zero-Day
Protection?

Answer 9

Threat Agent Solution

Question 10

Which of the following is NOT a valid way to view interface’s IP address settings in Gaia?

Answer 10

Using the command sthtool in Expert Mode

Question 11

Check Point recommends configuring Disk Space Management parameters to delete old log entities when available disk space is less than or equal to?

Answer 11

15%

Question 12

What API command below creates a new host with the name “New Host” and IP address of “192.168.0.10”?

Answer 12

add host name “New Host” ip-address “192.168.0.10”

Question 13

What are types of Check Point APIs available currently as part of R80.10 code?

Answer 13

Management API, Threat Prevention API, Identity Awareness Web Services API and OPSEC SDK API

Question 14

Which of the following is NOT an internal/native Check Point command?

A. fwaccel on
B. fw ct1 debug
C. tcpdump
D. cphaprob

Answer 14

tcpdump

Question 15

What is the SandBlast Agent designed to do?

Answer 15

If malware enters an end user’s system, the SandBlast Agent prevents the malware form spreading with the network

Question 16

The SmartEvent R80 Web application for real-time event monitoring is called:

Answer 16

SmartView Monitor

Question 17

What Shell is required in Gaia to use WinSCP?

Answer 17

Bash

Question 18

Which one of the following is true about Threat Emulation?

Answer 18

Takes minutes to complete (less than 3 minutes)

Question 19

What are the minimum open server hardware requirements for a Security Management Server/Standalone in R80.10?

Answer 19

4 CPU cores, 8GB of RAM and 500GB of disk space

Question 20

The “MAC magic” value must be modified under the following condition:

Answer 20

A firewall cluster is configured to use Broadcast for CCP traffic

Question 21

The Correlation Unit performs all but which of the following actions:

Answer 21

Assigns a severity level to the event

Question 22

The following command is used to verify the CPUSE version:

Answer 22

HostName:0>show installer status build

Question 23

Which statement is true regarding redundancy?

Answer 23

Both Cluster XL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.

Question 24

Vanessa is expecting a very important Security Report. The Document should be sent as an attachment via e-mail. An e-mail with Security_ report.pdf file was
delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only few lines of text are in it. The report is missing
some graphs, tables and links. Which component of SandBlast protection is her company using on a Gateway?

Answer 24

SandBlast Threat Extraction

Question 25

Which command collects diagnostic data for analyzing customer setup remotely?

Answer 25

cpinfo

Question 26

When deploying multiple clustered firewalls on the same subnet, what does the firewall administrator need to configure to prevent CCP broadcasts being sent to
the wrong cluster?

Answer 26

Set the cluster global ID using the command “cphaconf cluster_id set “

Question 27

Which of these options is an implicit MEP option?

Answer 27

Primary-backup

Question 28

John detected high load on sync interface. Which is most recommended solution?

Answer 28

For short connections like http service - delay sync for 2 seconds

Question 29

What is the SOLR database for?

Answer 29

Used for full text search and enables powerful matching capabilities

Question 30

What is a feature that enables VPN connections to successfully maintain a private and secure VPN session without employing Stateful Inspection?

Answer 30

Wire Mode

Question 31

On R80.10 the IPS Blade is managed by:

Answer 31

Threat Prevention policy

Question 32

Which packet info is ignored with Session Rate Acceleration?

Answer 32

source port

Question 33

What is the purpose of Priority Delta in VRRP?

Answer 33

When an Interface fail, Effective Priority = Priority - Priority Delta

Question 34

What is the purpose of a SmartEvent Correlation Unit?

Answer 34

The Correlation unit role is to evaluate logs from the log server component to identify patterns/threats and convert them to events.

Question 35

The CDT utility supports which of the following?

Answer 35

All upgrades

The Central Deployment Tool (CDT)

Question 36

The Firewall kernel is replicated multiple times, therefore:

Answer 36

The Firewall can run the same policy on all cores

Question 37

Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an Active-Active cluster.

Answer 37

Asymmetric routing

Question 38

Which is not a blade option when configuring SmartEvent?

A. Correlation Unit
B. SmartEvent Unit
C. SmartEvent Server
D. Log Server

Answer 38

SmartEvent Unit

Question 39

What command would show the API server status?

Answer 39

api status

Question 40

You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. How can you enable them?

Answer 40

fw cti multik set_mode 9

Question 41

You have existing dbedit scripts from R77. Can you use them with R80.10?

Answer 41

dbedit scripts are being replaced by mgmt._cli in R80.10

Question 42

SecureXL improves non-encrypted firewall traffic throughput and encrypted VPN traffic throughput.

Answer 42

This statement is true because SecureXL does improve this traffic

Question 43

What are the three components for Check Point Capsule?

Answer 43

Capsule Workspace, Capsule Docs, Capsule Cloud

Question 44

Using mgmt_cli, what is the correct syntax to import a host object called Server_1 from the CLI?

Answer 44

mgmt_ cli add host name “Server_ 1” ip-address “10.15.123.10” - format json

Question 45

When defining QoS global properties, which option below is not valid?

A. Weight
B. Authenticated timeout
C. Schedule
D. Rate

Answer 45

Schedule

Question 46

Check Point APIs allow system engineers and developers to make changes to their organization’s security policy with CLI tools and Web Services for all of the following except?

A. Create new dashboards to manage 3rd party task
B. Create products that use and enhance 3rd party solutions.
C. Execute automated scripts to perform common tasks.
D. Create products that use and enhance the Check Point Solution.

Answer 46

Create new dashboards to manage 3rd party task

Question 47

What happen when IPS profile is set in Detect-Only Mode for troubleshooting?

Answer 47

It will not block malicious traffic

Question 48

When simulating a problem on CLusterXL cluster with cphaprob -d STOP -s problem -t 0 register, to initiate a failover on an active cluster member, what
command allows you remove the problematic state?

Answer 48

cphaprob -d STOP unregister

Question 49

You are investigating issues with two gateway cluster members that are not able to establish the first initial cluster synchronization. What service is used by the
FWD daemon to do a Full Synchronization?

Answer 49

TCP port 256

Question 50

Which command shows the current connections distributed by CoreXL FW instances?

Answer 50

fw ctl multik stat

Question 51

What is the most ideal Synchronization Status for Security Management Server High Availability deployment?

Answer 51

Synchronized

Question 52

What GUI client would you use to view an IPS packet capture?

Answer 52

SmartView Tracker

Question 53

What is the valid range for VRID value in VRRP configuration?

Answer 53

1 - 255

Question 54

Which one of these features is NOT associated with the Check Point URL Filtering and Application Control Blade?

A. Detects and blocks malware by correlating multiple detection engines before users are affected.
B. Configure rules to limit the available network bandwidth for specified users or groups.
C. Use UserCheck to help users understand that certain websites are against the company’s security policy.
D. Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels.

Answer 54

Detects and blocks malware by correlating multiple detection engines before users are affected.

Question 55

Which command will reset the kernel debug options to default settings?

Answer 55

fw ctl debug 0

Question 56

You need to change the number of firewall instances used by CoreXL. How can you achieve this goal?

Answer 56

cpconfig; reboot required

Question 57

As a valid Mobile Access Method, what feature provides Capsule Connect/VPN?

Answer 57

Full layer3 VPN -IPSec VPN that gives users network access to all mobile applications

Question 58

What does the command vpn crl__zap do?

Answer 58

Erases all CRL’s from the gateway cache

Question 59

Firewall policies must be configured to accept VRRP packets on the GAiA platform if it runs Firewall software. The Multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for VRRP is:

Answer 59

224.0.0.18

Question 60

Full synchronization between cluster members is handled by Firewall Kernel. Which port is used for this?

Answer 60

TCP port 256

Question 61

GAiA greatly increases operational efficiency by offering an advanced and intuitive software update agent, commonly referred to as the:

Answer 61

Check Point Upgrade Service Engine.

Question 62

Which one of these is NOT a firewall chain?

A. RTM packet in (rtm)
B. VPN node add (vpnad)
C. IP Options restore (in) (ipopt_res)
D. Fw SCV inbound (scv)

Answer 62

VPN node add (vpnad)

Question 63

Which is a suitable command to check whether Drop Templates are activated or not?

Answer 63

fwaccel stat

Question 64

Which directory below contains log files?

Answer 64

/opt/CPsuite-R80/fw1/log

Question 65

What is the responsibility of SOLR process on R80.10 management server?

Answer 65

It generates indexes of data written to the database

Question 66

VPN Tunnel Sharing can be configured with any of the options below, EXCEPT One:

A. Gateway-based
B. Subnet-based
C. IP range based
D. Host-based

Answer 66

IP range based

Question 67

You want to store the GAiA configuration in a file for later reference. What command should you use?

Answer 67

save configuration

Question 68

What can you do to see the current number of kernel instances in a system with CoreXL enabled?

Answer 68

Execute command cpconfig

Question 69

When Dynamic Dispatcher is enabled, connections are assigned dynamically with the exception of

Answer 69

VolP & VPN Encrypted Traffic

Question 70

Why would you not see a CoreXL configuration option in cpconfig?

Answer 70

The gateway only has one processor

Question 71

In SPLAT the command to set the timeout was idle. In order to achieve this and increase the timeout for Gaia, what command do you use?

Answer 71

set inactivity-timeout

Question 72

What makes Anti-Bot unique compared to other Threat Prevention mechanisms, such as URL Filtering, Anti-Virus, IPS, and Threat Emulation?

Answer 72

Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection to a Command & Control Center

Question 73

SmartEvent does NOT use which of the following procedures to identify events?

A. Matching a log against each event definition
B. Create an event candidate
C. Matching a log against local exclusions
D. Matching a log against global exclusions

Answer 73

Matching a log against local exclusions

Question 74

In Gaia, if one is unsure about a possible command, what command lists all possible commands.

Answer 74

show commands

Question 75

In which case is a Sticky Decision Function relevant?

Answer 75

Load Sharing - Multicast

Question 76

The Security Gateway is installed on GAiA R80. The default port for the Web User Interface is _______.

Answer 76

TCP 443

Question 77

When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?

Answer 77

SmartEvent

Question 78

Fill in the blank: The tool ___________ generates a R80 Security Gateway configuration report.

Answer 78

cpinfo

Question 79

Fill in the blank: The R80 utility fw monitor is used to troubleshoot __________.

Answer 79

Traffic issues

Question 80

You are working with multiple Security Gateways enforcing an extensive number of rules. To simplify security administration, which action would you choose?

Answer 80

Create a separate Security Policy package for each remote Security Gateway.

Question 81

Tom has been tasked to install Check Point R80 in a distributed deployment. Before Tom installs the systems this way, how many machines will be need if he
does NOT include a SmartConsole machine in his calculations?

Answer 81

Two machines

Question 82

Fill in the blank: The command _______________ provides the most complete restoration of a R80 configuration.

Answer 82

upgrade_import

Question 83

Which of the following statements is TRUE about R80 management plug-ins?

Answer 83

A management plug-in interacts with a Security Management Server to provide new features and support for new products.

Question 84

Fill in the blank: The R80 feature ________ permits blocking specific IP addresses for a specified time period.

Answer 84

Suspicious Activity Monitoring

Question 85

In R80 spoofing is defined as a method of:

Answer 85

Making packets appear as if they come from an authorized IP address.

Question 86

Which features are only supported with R80.10 Gateways but not R77.x?

Answer 86

The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control
over the rule base flow and which security functionalities take precedence.

Question 87

For best practices, what is the recommended time for automatic unlocking of locked admin accounts?

Answer 87

30 minutes at least

Question 88

What scenario indicates that SecureXL is enabled?

Answer 88

fwaccel commands can be used in clish

Question 89

What is the command to show SecureXL status?

Answer 89

fwaccel stat

Question 90

Which web services protocol is used to communicate to the Check Point R80 identity Awareness Web APi?

Answer 90

REST

Question 91

Which file gives you a list of all security servers in use, including port number?

Answer 91

$FWDIR/conf/fwauthd.conf

Question 92

What CLI command will reset the IPS pattern matcher statistics?

Answer 92

ips pmstats reset

Question 93

GAiA Software update packages can be imported and installed offline in situation where:

Answer 93

Security Gateway with GAiA does NOT have access to Internet.

Question 94

The Event List within the Events tab contains:

Answer 94

events generated by a query.

Query
Statistics
List
Preview

Question 95

What is mandatory for ClusterXL to work properly?

Answer 95

The Magic MAC number must be unique per cluster node.

Question 96

Which one of the following processes below would not start if there was a licensing issue.

Answer 96

CPD

Question 97

Aaron is a Cyber Security Engineer working for Global Law Firm with large scale deployment of Check Point Enterprise Appliances using GAiA/R80.10.
Company’s Network Security Developer Team is having issue testing new API with newly deployed R80.10 Security Management Server and blames Check
Point Security Management Server as root cause. The ticket has been created and issue is at Aaron’s desk for an investigation. What do you recommend as the
best suggestion for Aaron to make sure API testing works as expected?

Answer 97

Aaron should check API Server status from expert CLI by “api status” and if it’s stopped he should start using command “api start” on Security Management
Server.

Question 98

What utility would you use to configure route-based VPNs?

Answer 98

vpn shell

Question 99

Where do you create and modify the Mobile Access policy in R80?

Answer 99

SmartDashboard

Question 100

Customer’s R80 management server needs to be upgraded to R80.10. What is the best upgrade method when the management server is not connected to the Internet?

Answer 100

CPUSE offline upgrade

Question 101

CPD is a core Check Point process that does all of the following EXCEPT:

A. AMON status pull from the Gateway
B. Management High Availability (HA) sync
C. SIC (Secure Internal Communication) functions
D. Policy installation

Answer 101

Management High Availability (HA) sync

Question 102

What processes does CPM control?

Answer 102

web_services, dle_server and object_Store

Question 103

Please choose correct command syntax to add an “emailserver1” host with IP address 10.50.23.90 using GAiA management CLI?

Answer 103

mgmt. add host name emailserver1 ip-address 10.50.23.90

Question 104

Where you can see and search records of action done by R80 SmartConsole administrators?

Answer 104

In the Logs & Monitor view, select “Open Audit Log View”

Question 105

What are the different command sources that allow you to communicate with the API server?

Answer 105

SmartConsole GUI Console, mgmt_cli Tool, Gaia CLI, Web Services

Question 106

Both ClusterXL and VRRP are fully supported by Gaia R80.10 and available to all Check Point appliances. Which of the following command is NOT related to
redundancy and functions?

A. cphaprob stat
B. cphaprob -a if
C. cphaprob -l list
D. cphaprob all show stat

Answer 106

cphaprob all show stat

Question 107

What are the steps to configure the HTTPS Inspection Policy?

Answer 107

Go to Manage&Settings>Blades>HTTPS Inspection>Policy

Question 108

To find records in the logs that shows log records from the Application & URL Filtering Software Blade where traffic was blocked, what would be the query
syntax?

Answer 108

blade: “application control” AND action:block

Question 109

Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new multicore CPU to replace the existing single core
CPU. After installation, is the administrator required to perform any additional tasks?

Answer 109

Go to clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig |Reboot Security Gateway

Question 110

Identify the API that is not supported by Check Point currently.

A. R80 Management API-
B. Identify Awareness Web Services API
C. Open REST API
D. OPSEC SDK

Answer 110

Open REST API

Question 111

Which command can you use to enable or disable multi-queue per interface?

Answer 111

cpmq set

Question 112

Which of the following is NOT a type of Check Point API available in R80.10?

A. Ientity Awareness Web Services
B. OPSEC SDK
C. Mobile Access
D. Management

Answer 112

Mobile Access

Question 113

What is the limitation of employing Sticky Decision Function?

Answer 113

Acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF

Question 114

When configuring Third-Party devices to read the logs using the LEA (Log Export API) the default Log Server uses port:

Answer 114

18184

Question 115

Mobile Access supports all of the following methods of Link Translation EXCEPT:

A. Hostname Translation (HT)
B. Path Translation (PT)
C. URL Translation (UT)
D. Identity Translation (IT)

Answer 115

Identity Translation (IT)

Question 116

What is true of the API server on R80.10?

Answer 116

By default, the API server is active on management servers with 4 GB of RAM (or more) and on stand-alone servers with 8 GB of RAM (more)

Question 117

How many images are included with Check Point TE appliance in Recommended Mode?

Answer 117

2 (OS) images

Question 118

Which deployment methods can an administrator choose when deploying the Sandblast agent?

Answer 118

Use both SCCM and GPO for the deployment agent and End Point Management to push the Agent.

Question 119

Which Check Point software blades could be enforced under Threat Prevention profile using Check Point R80.10 SmartConsole application?

Answer 119

IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction

Question 120

What’s true about Troubleshooting option in the IPS profile properties?

Answer 120

Temporarily set all protections to track (log) in SmartView Tracker

Question 121

What is the mechanism behind Threat Extraction?

Answer 121

Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast.

Question 122

Which command will allow you to see the interface status?

Answer 122

cphaprob -a if

Question 123

What is the least ideal Synchronization Status for Security Management Server High Availability deployment?

Answer 123

Lagging

Question 124

If the Active Security Management Server fails or if it becomes necessary to change the Active to Standby, the following steps must be taken to prevent data
loss. Providing the Active Security Management Server is responsive, which of these steps should NOT be performed:

Answer 124

Rename the hostname of the Standby member to match exactly the hostname of the Active member.

Question 125

During inspection of your Threat Prevention logs you find four different computers having one event each with a Critical Severity. Which of those hosts should
you try to remediate first?

Answer 125

Host having a Critical event found by Threat Emulation

Question 126

What is correct statement about Security Gateway and Security Management Server failover in Check Point R80.X in terms of Check Point Redundancy driven
solutions?

Answer 126

Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure.

Question 127

You want to verify if your management server is ready to upgrade to R80.10. What tool could you use in this process?

Answer 127

pre_upgrade_verifier

Question 128

After successfully exporting a policy package, how would you import that package into another SMS database in R80.10?

Answer 128

upgrade_import

Question 129

Choose the ClusterXL process that is defined by default as a critical device?

Answer 129

fwd

Question 130

Security Checkup Summary can be easily conducted within:

Answer 130

Views

Question 131

Which of the SecureXL templates are enabled by default on Security Gateway?

Answer 131

Accept

Question 132

As an administrator, you may be required to add the company logo to reports. To do this, you would save the logo as a PNG file with the name ‘cover-company-
logo.png’ and then copy that image file to which directory on the SmartEvent server?

Answer 132

$RTDIR/smartview/conf

Question 133

Which NAT rules are prioritized first?

Answer 133

Manual/Pre-Automatic NAT

Question 134

What CLI command compiles and installs a Security Policy on the target’s Security Gateways?

Answer 134

fwm load

Question 135

What is the command to see cluster status in cli expert mode?

Answer 135

cphaprob stat

Question 136

What are the methods of SandBlast Threat Emulation deployment?

Answer 136

Cloud, Appliance and Hybrid

Question 137

Which command is used to display status information for various components?

Answer 137

show sysenv all

Question 138

Which is NOT an example of a Check Point API?

A. Gateway API
B. Management API
C. OPSEC SDK
D. Threat Prevention API

Answer 138

Gateway API

Question 139

NAT rules are prioritized in which order?

1. Automatic Static NAT
2. Automatic Hide NAT
3. Manual/Pre-Automatic NAT
4. Post-Automatic/Manual NAT rules

Answer 139

3, 1, 2, 4

Question 140

Events can be categorized and assigned to System Administrators to track their path through the workflow. Which of the following is NOT an option?

A. Under Investigation
B. Pending Investigation
C. False Positive
D. Open

Answer 140

Open

Question 141

How is the processing order for overall inspection and routing of packets?

Answer 141

Firewall, NAT, Routing

Question 142

When Configuring Endpoint Compliance Settings for Applications and Gateways within Mobile Access, which of the three approaches will allow you to configure -individual policies for each application?

A. Basic Approach
B. Strong Approach
C. Advanced Approach
D. Medium Approach

Answer 142

Advanced Approach

Question 143

What is true about VRRP implementations?

Answer 143

You cannot have a standalone deployment

Question 144

When using Monitored circuit VRRP, what is a priority delta?

Answer 144

When an interface fails the priority delta is subtracted from the priority

Question 145

Which one of the following is true about Threat Extraction?

Answer 145

almost instantaneous

Question 146

Daisy need to review how the Security Gateway Cluster, Jonas, behaves when a cluster member comes back on line. Where would she review the behavior of
cluster member recovery in the Dashboard?

Answer 146

Open SmartDashboard, select and open the Cluster Object Jonas, Select Topology - Advanced Options and review the High Availability recovery options.

Question 147

What is considered Hybrid Emulation Mode?

Answer 147

Load sharing of emulation between an on premise appliance and the cloud

Question 148

To accelerate the rate of connection establishment, SecureXL groups all connection that match a particular service and whose sole differentiating element is the
source port. The type of grouping enables even the very first packets of a TCP handshake to be accelerated. The first packets of the first connection on the same service will be forwarded to the Firewall kernel which will then create a template of the connection. Which of these IS NOT a SecureXL template?

A. Accept Template
B. Deny template
C. Drop Template
D. NAT Template

Answer 148

Deny template

Question 149

What is the difference between an event and a log?

Answer 149

A log entry becomes an event when it matches any rule defined in Event Policy

Question 150

Jack is using SmartEvent and does not see the identities of the users on the events. As an administrator with full access, what does he need to do to fix his issue?

Answer 150

Open SmartEvent, go to the Policy Tab, select General Settings from the left column > User Identities and check the box Show Identities

Question 151

What command can you use to have cpinfo display all installed hotfixes?

Answer 151

cpinfo -y all

Question 152

Check Point Management (cpm) is the main management process in that it provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web service using ______.

Answer 152

TCP Port 18190

Question 153

What is true about the IPS-Blade?

Answer 153

in R80, IPS is managed by the Threat Prevention Policy

Question 154

Which statement is correct about the Sticky Decision Function?

Answer 154

It is not supported with either the Performance pack or a hardware based accelerator card

Question 155

Which of the following is NOT an attribute of packet acceleration?

A. Source address
B. Protocol
C. Destination port
D. Application Awareness

Answer 155

Application Awareness

Question 156

You have successfully backed up your Check Point configurations without the OS information. What command would you use to restore this backup?

Answer 156

migrate import

Question 157

You need to change the MAC-address on eth2 interface of the gateway. What command and what mode will you use to achieve this goal?

Answer 157

set interface eth2 mac-addr 11:11:11:11:11:11; CLISH

Question 158

What command verifies that the API server is responding?

Answer 158

api status

Question 159

Session unique identifiers are passed to the web api using which http header option?

Answer 159

Proxy-Authorization

Question 160

What does the command vpn crl_zap do?

Answer 160

Erases all CRL’s from the gateway cache

Question 161

What are the main stages of a policy installation?

Answer 161

Verification & Compilation, Transfer and Installation

Question 162

What are the available options for downloading Check Point hotfixes in Gaia WebUI (CPUSE)?

Answer 162

Manually, Scheduled, Automatic

Question 163

What is the main difference between Threat Extraction and Threat Emulation?

Answer 163

Threat Extraction always delivers a file and takes less than a second to complete

Question 164

The concept of layers was introduced in R80. What is the biggest benefit of layers?

Answer 164

Policy Layers and Sub-Policies enable flexible control over the security policy.

Question 165

What Factors preclude Secure XL Templating?

Answer 165

Source Port Ranges/Encrypted Connections

Question 166

Automation and Orchestration differ in that:

Answer 166

Automation relates to codifying tasks, whereas orchestration relates to codifying processes.

Question 167

You have a Gateway is running with 2 cores. You plan to add a second gateway to build a cluster and used a device with 4 cores. How many cores can be used
in a Cluster for Firewall-kernel on the new device?

Answer 167

2

Question 168

If an administrator wants to add manual NAT for addresses not owned by the Check Point firewall, what else is necessary to be completed for it to function
properly?

Answer 168

Add the proxy ARP configuration in a file called $FWDIR/conf/local.arp

Question 169

Which of the following commands shows the status of processes?

Answer 169

cpwd_admin list

Question 170

The Regulatory Compliance pane shows compliance statistics for selected regulatory standards, based on the Security Best Practice scan. Which of the
following does NOT show in this pane?

A. The total number of Regulatory Requirements that are monitored
B. The Average compliance score for each regulation shown
C. The average number of Regulatory Requirements that are monitored
D. The Number of Regulatory Requirements for each Regulation

Answer 170

The average number of Regulatory Requirements that are monitored

Question 171

In Threat Prevention, you can create new or clone profiles but you CANNOT change the out-of-the-box profiles of:

Answer 171

Basic, Optimized, Strict

Question 172

Advanced Security Checkups can be easily conducted within:

Answer 172

Reports

Question 173

The Firewall Administrator is required to create 100 new host objects with different IP addresses. What API command can he use in the script to achieve the

Answer 173

add host name ip-address

Question 174

Which Check Point ClusterXL mode is used to synchronize the physical interface IP and MAC addresses on all clustered interfaces?

Answer 174

Multicast Mode Load Sharing

Question 175

Return oriented programming (ROP) exploits are detected by which security blade?

Answer 175

Check Point Anti-Virus / Threat Emulation

Question 176

What is the protocol and port used for Health Check and State Synchronization in ClusterXL?

Answer 176

CCP and 8116

Question 177

If the first packet of an UDP session is rejected by a security policy, what does the firewall send to the client?

Answer 177

ICMP unreachable

Question 178

What has to be taken into consideration when configuring Management HA?

Answer 178

The Database revisions will not be synchronized between the management servers.

Question 179

You plan to automate creating new objects using new R80 Management API. You decide to use GAIA CLI for this task. What is the first step to run management
API commands on GAIA’s shell?

Answer 179

mgmt. login

Question 180

Which is NOT a SmartEvent component?

A. SmartEvent Server
B. Correlation Unit
C. Log Consolidator
D. Log Server

Answer 180

Log Consolidator

Question 181

To ensure that VMAC mode is enabled, which CLI command you should run on all cluster members?

Answer 181

fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1

Question 182

Which method below is NOT one of the ways to communicate using the Management API’s?

A. Typing API commands using the “mgmt._cli” command
B. Typing API commands from a dialog box inside the SmartConsole GUI application
C. Typing API commands using Gaia’s secure shell (clash)19+
D. Sending API commands over an http connection using web-services

Answer 182

Sending API commands over an http connection using web-services

Question 183

Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new multicore CPU to replace the existing single core
CPU. After installation, is the administrator required to perform any additional tasks?

Answer 183

Go to clash-Run cpconfig|Configure CoreXL to make use of the additional Cores|Exit cpconfig|Reboot Security Gateway

Question 184

When an encrypted packet is decrypted, where does this happen?

Answer 184

Inbound chain

Question 185

What are the main stages of a policy installation?

Answer 185

Verification & Compilation, Transfer and Installation

Question 186

Jack has finished building his new SMS server, Red, on new hardware. He used SCP to move over the Red-old.tgz export of his old SMS server. What is the
command he will use to import this into the new server?

Answer 186

. Expert@Red# ./migrate import Red-old.tgz

Question 187

What are the methods of SandBlast Threat Emulation deployment?

Answer 187

Cloud, Appliance and Hybrid

Question 188

What is the difference between an event and a log?

Answer 188

A log entry becomes an event when it matches any rule defined in Event Policy

Question 189

SandBlast agent extends 0 day prevention to what part of the network?

Answer 189

Web Browsers and user devices

Question 190

In a Client to Server scenario, which represents that the packet has already been checked against the tables and the Rule Base?

Answer 190

Big I

Question 191

When using Monitored circuit VRRP, what is a priority delta?

Answer 191

When an interface fails the priority delta is subtracted from the priority

Question 192

Which of the following is NOT an option to calculate the traffic direction?

A. Incoming
B. Internal
C. External
D. Outgoing

Answer 192

External

Question 193

During inspection of your Threat Prevention logs you find four different computers having one event each with a Critical Severity. Which of those hosts should
you try to remediate first?

Answer 193

Host having a Critical event found by Anti-Bot

Question 194

What command lists all interfaces using Multi-Queue?

Answer 194

cpmq get

Question 195

From SecureXL perspective, what are the tree paths of traffic flow:

Answer 195

Firewall Path; Accelerated Path; Medium Path

Question 196

Joey and Vanessa are firewall administrators in their company. Joey wants to run Management API server on his Security Management server. He is logging in
to a Smart Console and goes to the Manage & Settings > Blade. In Management API section, he proceeds to Advanced Settings. He likes to set up the
Management API server to automatic run at startup. He is surprised, because this functionality is already selected by default. What is the reason, that
functionality is already enabled?

Answer 196

Joey is an administrator of Distributed Security Management with at least 4GB of RAM.

Question 197

The system administrator of a company is trying to find out why acceleration is not working for the traffic. The traffic is allowed according to the rule base and
checked for viruses. But it is not accelerated. What is the most likely reason that the traffic is not accelerated?

Answer 197

The traffic is originating from the gateway itself.

Question 198

Security Checkup Summary can be easily conducted within:

Answer 198

Reports

Question 199

Select the right answer to export IPS profiles to copy to another management server?

Answer 199

SmartDashboard - IPS tab - Profiles - select profile + right click and select “export profile”

Question 200

SandBlast has several functional components that work together to ensure that attacks are prevented in real-time. Which the following is NOT part of the
SandBlast component?

A. Threat Emulation
B. Mobile Access
C. Mail Transfer Agent
D. Threat Cloud

Answer 200

Mail Transfer Agent

Question 201

You want to gather data and analyze threats to your mobile device. It has to be a lightweight app. Which application would you use?

Answer 201

Check Point Protect

Question 202

After making modifications to the $CVPNDIR/conf/cvpnd.C file, how would you restart the daemon?

Answer 202

cvpnrestart

Question 203

In the Check Point Firewall Kernel Module, each Kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Stateful Mode configuration, chain modules marked with ___________ will not apply.

Answer 203

2

Question 204

Joey is preparing a plan for Security management upgrade. He wants to upgrade management to R80.x. What is the lowest supported version of the Security
Management he can upgrade from?

Answer 204

R77.X with direct upgrade

Question 205

CPM process stores objects, policies, users, administrators, licenses and management data in a database. This database is:

Answer 205

Postgres SQL

Question 206

In what way in Secure Network Distributor (SND) a relevant feature of the Security Gateway?

Answer 206

SND is used to distribute packets among Firewall instances

Question 207

There are 4 ways to use the Management API for creating host object with R80 Management API. Which one is NOT correct?

A. Using Web Services
B. Using Mgmt_cli tool
C. Using CLISH
D. Using SmartConsole GUI console

Answer 207

Using CLISH

Question 208

By default, the R80 web API uses which content-type in its response?

Answer 208

JSON

Question 209

What information is NOT collected from a Security Gateway in a Cpinfo?

Answer 209

Firewall logs

Question 210

What is the command to check the status of the SmartEvent Correlation Unit?

Answer 210

cpstat cpsead

Question 211

R80.10 management server can manage gateways with which versions installed?

Answer 211

Versions R75.20 and higher

Question 212

Which statement is most correct regarding about “CorrectXL Dynamic Dispatcher”

Answer 212

The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores.

Question 213

Fred is troubleshooting a NAT issue and wants to check to see if the inbound connection from his internal network is being translated across the interface in the firewall correctly. He decides to use the fw monitor to capture the traffic from the source 192.168.3.5 or the destination of 10.1.1.25 on his Security Gateway,
Green that has an IP of 192.168.4.5. What command captures this traffic in a file that he can download and review with WireShark?

Answer 213

Expert@Green# fw monitor -e “accept src=192.168.4.5 or dst=10.1.1.25;” -o monitor.out

Question 214

Which process is available on any management product and on products that require direct GUI access, such as SmartEvent and provides GUI client
communications, database manipulation, policy compilation and Management HA synchronization?

Answer 214

fwm

Question 215

UserCheck objects in the Application Control and URL Filtering rules allow the gateway to communicate with the users. Which action is not supported in
UserCheck objects?

A. Ask
B. Drop
C. Inform
D. Reject

Answer 215

Reject

Question 216

SmartConsole R80 requires the following ports to be open for SmartEvent R80 management:

Answer 216

19009, 443

Question 217

Which command gives us a perspective of the number of kernel tables?

Answer 217

fw tab -s

Question 218

Which command would you use to determine the current Cluster Global ID?

Answer 218

Expert -> cphaconf cluster_id get

Question 219

Automatic affinity means that is SecureXL is running, the affinity for each interface is automatically reset every.

Answer 219

60 sec

Question 220

Check Point security components are divided into the following components:

Answer 220

GUI Client, Security Management, Security Gateway

Question 221

What’s true about Troubleshooting option in the IPS profile properties?

Answer 221

Temporarily set all protections to track (log) in SmartView Tracker

Question 222

When installing a dedicated R80 SmartEvent server, what is the recommended size of the root partition?

Answer 222

At least 20 GB

Question 223

How many confidence levels are there for IPS?

Answer 223

five

Question 224

Which file is not in the $FWDIR directory collected by the CPInfo utility from the server?

Answer 224

cpd.elg

Question 225

An administrator would like to troubleshoot why templating is not working for some traffic. How can he determine at which rule templating id disabled?

Answer 225

He can use the fwaccel stat command on the gateway

Question 226

How can SmartView Web application be accessed.

Answer 226

https://management IP address/smartview/

Question 227

The WebUI offers several methods for downloading hotfixes via CPUSE except:

A. Automatic
B. Force override
C. Manually
D. Scheduled

Answer 227

Force override

Question 228

How would you deploy TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway?

Answer 228

You can utilize only Check Point Cloud Services for this scenario

Question 229

With SecureXL enabled, accelerated packets will pass through the following:

Answer 229

Network Interface Card and the Acceleration Device

Question 230

Which command shows the connection table in human readable format?

Answer 230

fw tab -t connections -f

Question 231

What is the default size of NAT table fwx_alloc?

Answer 231

25000

Question 232

What is the least amount of CPU cores required to enable CoreXL?

Answer 232

2

Question 233

Which TCP-port does CPM process listen to?

Answer 233

19009

Question 234

In order to optimize performance of a Security Gateway you plan to use SecureXL technology. Your company uses different types of applications. Identify
application traffic that will NOT be accelerated

A. Corporate relational database TCP traffic
B. Custom application multicast traffic
C. Transactions to the external application server using UDP
D. TCP connections to the corporate Web-server

Answer 234

Custom application multicast traffic

Question 235

Using Threat Emulation technologies, what is the best way to block .exe and .bat file types?

Answer 235

tecli advanced attributes set prohibited_file_types exe,bat

Question 236

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via which 2 processes?

Answer 236

cpm via cpd

Question 237

To help SmartEvent determine whether events originated internally or externally you must define using the initial settings under General Settings in the Policy
Tab. How many options are available to calculate the traffic direction?

Answer 237

4. Incoming; Outgoing; Internal; Other

Question 238

Jack needs to configure CoreXL on his Red Security Gateway. What are the correct steps to enable CoreXL?

Answer 238

SSH to Red Security Gateway, run cpconfig> select Configure Check Point CoreXL > enable CoreXL > exit cpconfig> reboot the Security Gateway

Question 239

In a ClusterXL high-availability environment, what MAC address will answer for Virtual IP in the default configuration?

Answer 239

MAC address of Active Member

Question 240

What tool exports the Management Configuration into a single file?

Answer 240

migrate export

Question 241

Which of the following process pulls applications monitoring status?

Answer 241

cpd

Question 242

SandBlast appliances can be deployed in the following modes:

Answer 242

inline/prevent or detect

Question 243

What utility would you use to configure route-based VPNs?

Answer 243

vpn shell

Question 244

What SmartEvent component creates events?

Answer 244

Correlation Unit

Question 245

In order to get info about assignment (FW, SND) of all CPUs in your SGW, what is the most accurate CLI command?

Answer 245

fw ctl affinity -l -a -r -v

Question 246

What is the proper CLISH syntax to configure a default route via 192.168.255.1 in Gaia?

Answer 246

set static-route default nexthop gateway address 192.168.255.1 priority 1 on

Question 247

What is the correct command to observe the Sync traffic in a VRRP environment?

Answer 247

fw monitor -e “accept dst=224.0.0.18;”

Question 248

To fully enable Dynamic Dispatcher on a Security Gateway:

Answer 248

run fw ctl multik set_mode 9 in Expert mode and then reboot

Question 249

How many interfaces can you configure to use the Multi-Queue feature?

Answer 249

5 interfaces

Question 250

A Threat Prevention profile is a set of configurations based on the following. (Choose all that apply.)

Answer 250

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings

Question 251

Selecting an event displays its configurable properties in the Detail pane and a description of the event in the Description pane. Which is NOT an option to adjust
or configure?

A. Severity
B. Automatic reactions
C. Policy
D. Threshold

Answer 251

Policy

Question 252

Which statement is NOT TRUE about Delta synchronization?

A. Using UDP Multicast or Broadcast on port 8161
B. Using UDP Multicast or Broadcast on port 8116
C. Quicker than Full Sync
D. Transfers changes in the Kernel labels between cluster members

Answer 252

Using UDP Multicast or Broadcast on port 8161

Question 253

SmartEvent has several components that function together to track security threats. What is the function of the Correlation Unit as a component of this
architecture?

Answer 253

Analyzes this log entry as it arrives at the log server according to the Event Policy. When a threat pattern is identified, an event is forwarded to the
SmartEvent Server.

Question 254

The Check Point installation history feature in R80 provides the following:

Answer 254

Policy Installation Date, view install changes and install specific version

Question 255

What is not a component of Check Point SandBlast?

A. Threat Emulation
B. Threat Simulation
C. Threat Extraction
D. Threat Cloud

Answer 255

Threat Simulation

Question 256

How can you see historical data with cpview?

Answer 256

cpview -t

Question 257

Which configuration file contains the structure of the Security Servers showing the port numbers, corresponding protocol name, and status?

Answer 257

$FWDIR/conf/fwauthd.conf

Question 258

SmartEvent provides a convenient way to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in a event provides a list of default and customized commands. They appear only on cells that refer to IP addresses because the IP address of the active cell is used as the destination of the command when run. The default commands are:

Answer 258

ping, whois, nslookup, and Telnet

Question 259

Check Point Management (cpm) is the main management process in that it provides the architecture for the consolidated management console. It empowers the migration from legacy Client side logic to Server side-logic. The cpm process:

Answer 259

Performs database tasks such as creating, deleting, and modifying objects and compiling policy.

Question 260

How long may verification of one file take for Sandblast Threat Emulation?

Answer 260

within seconds cleaned file will be provided

Question 261

For Management High Availability, which of the following is NOT a valid synchronization status?

A. Collision
B. Down
C. Lagging
D. Never been synchronized

Answer 261

Down

Question 262

To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, run the following command in Expert mode then reboot:

Answer 262

fw ctl multik set_mode 9

Question 263

How do you enable virtual mac (VMAC) on-the-fly on a cluster member?

Answer 263

fw ctl set int fwha_vmac_global_param_enabled 1

Question 264

Holds configuration settings for Advanced Upgrade with Database Migration.

Answer 264

migrate.conf

Question 265

migrate

Answer 265

Runs Advance Upgrade with migration.

Question 266

pre_upgrade_verifier

Answer 266

Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.

Question 267

Upgrade Verification Service

Answer 267

• Updates released to correct an issue or provide enhancements and improvements.
• HFA is a collection of stability and quality fixes.
• The name of an hotfix identifies the version it is compatible with.

Question 268

CPUSE

Answer 268

̶ Manually
̶ Scheduled
̶ Automatic

Question 269

CDT

Answer 269

Automatically install CPUSE offline packages on multiple gateways and clusters members at same time

Question 270

Standard mode

Answer 270

(Clish) and provide commands for easy configuration and routine administration

Question 271

Expert mode

Answer 271

advanced Check Point system and underlying Linux functions

Question 272

Set client environment

Answer 272

set clienv

Question 273

save client environment

Answer 273

save client

Question 274

Acquire configuration lock

Answer 274

lock database override

Question 275

add and modify user accounts

Answer 275

add user “username” set “username”

Question 276

set message banner

Answer 276

set message banner on msgvalue “This system is private and confidential”

Question 277

enable SNMP

Answer 277

set snmp agent on

Question 278

To enable or disable core dumps

Answer 278

set core-dump [enable|disable]

Question 279

To create DHCP server subnets

Answer 279

add dhcp server
netmask
include-ip-pool start end
exclude-ip-pool start end

Question 280

CPM

Answer 280

Management process TCP 19009

Question 281

fwm

Answer 281

on all management products It provides GUI client communication, database manipulation, policy compilation, and Management High Availability synchronization

Question 282

fwd

Answer 282

allows other processes, including the kernel, to forward logs

Question 283

fwssd

Answer 283

child process of fwd

• which provide a higher level of protocol enforcement.

Question 284

cpd

Answer 284

Check Point Daemon (cpd) is a core process on every Check Point product. It allows Secure Internal Communication (SIC) functionality

Question 285

fwm

Answer 285

cpwd_admin utility shows the status of processes and configures cpwd

Question 286

Kernel Mode

Answer 286

Data Link layer

Every packet that goes through the Firewall is inspected

Question 287

User Mode

Answer 287

Firewall to function more efficiently in the Application layer.

Question 288

Input/Output

Answer 288

allow user and kernel processes to communicate

Question 289

Chain Modules

Answer 289

packet processing handlers,
decide which modules will inspect the packet and, based on the inspection, may then modify, pass, or drop the packets,
Inbound and outbound packets are inspected in both directions by chain modules

Question 290

Connections Table Format

Answer 290

6-tuple

Question 291

Verification & Compilation (6 stages)

Answer 291

Initiation 
Database Dump 
Verification
Conversion
Fwm rexec 
Code Generation and Compilation

Question 292

policy installation process

three main stages

Answer 292

Verification & Compilation
Transfer (CPTA)
Commit

Question 293

Commit stage

Answer 293

• The cpd process on the gateway will execute the following command to load the policy which was just transferred to the gateway:
fw fetchlocal -d $FWDIR/state/_tmp/FW1
• The policy will then be loaded into the kernel.
• If successful, the new policy will be copied to the $FWDIR/state/FW1 folder on the gateway.
• If the fetchlocal process fails, cpd will get a notification regarding the failed process and will inform the fwm process that loading the policy has failed.

Question 294

NAT rules are prioritized according to the list below:

Answer 294

1. Manual/Pre-Automatic NAT
2. Automatic Static NAT
3. Automatic Hide NAT
4. Post-Automatic/Manual NAT rules

Question 295

configuration files /opt

Answer 295

CPsuite-R80 — Manages Firewall modules
CPshrd-R80 — Stores cpd database, licenses
CPEdgecmp-R80 — Manages Edge devices

Question 296

/lib

/conf

Answer 296

store definition files

Ex. $FWDIR/conf/fwauth.NDB = user definitions
Ex. $FWDIR/conf/fwauthd.conf= Security server configuration

Question 297

cpconfig

Answer 297

command line version of the Check Point Configuration tool and configure or reconfigure a Security Gateway/Management installation

Question 298

cplic print

Answer 298

details of Check Point licenses

Question 299

four inspection points

passes through the kernel:

Answer 299

• i — Before the virtual machine, in the Inbound direction (pre-Inbound)
• I — After the virtual machine, in the Inbound direction (post-Inbound)
• o — Before the virtual machine, in the Outbound direction (pre-Outbound)
• O — After the virtual machine, in the Outbound direction (post-Outbound)

Question 300

Three Stateful features provided with the Connections

Answer 300

Streaming based applications, such as Web security
Sequence verification and translation
Hide NAT
Logging, accounting, and monitoring
Client and server identification
Data connections

Question 301

RESTful API

Answer 301

GET, PUT, POST, and DELETE

Question 302

packets that do not pass inspection send NACK

Answer 302

TCP=RST

USP=ICMP Unreachable

Question 303

processing order for the overall inspection

Answer 303

1. Firewall — Inspection on the Original Packet.
2. NAT — Translate the IP and/or port number as required.
3. Routing — Forward on the resulting packet.

Question 304

Cluster Virtual MAC (VMAC)

Answer 304

allows all cluster members to use the same Virtual MAC address and minimizes possible traffic outages during a failover

Question 305

State Synchronization two modes

Answer 305

Full Synchronization

Delta Synchronization

Question 306

fw ctl pstat

Answer 306

monitor synchronization

Question 307

restrictions synchronizing cluster members

Answer 307

same platform
same software version
number of cores

Question 308

Cluster Connectivity Upgrade

Answer 308

synchronizes existing connections to maintain connectivity and eliminate downtime during cluster upgrades.

Question 309

How many members can clusterXL support

Answer 309

8

Question 310

How add new member

Answer 310

1. Run cpconfig
2. Change the IP address of the new cluster member to reflect the correct topology.
   Ensure that all Check Point products are installed on the new cluster member. All Check Point software components must be identical on each member of the cluster.
   In the Cluster Members page of the cluster object, create a new cluster member
   ensure that SIC is initialized and the topology is correctly defined.
   Ensure that the proper interfaces on the new cluster member are configured as cluster interfaces if the cluster mode is Load Sharing or New High Availability.
   Install the Security Policy on the cluster. The new member is now part of the cluster.

Question 311

The Sticky Decision Function

Answer 311

avoids Asymmetric Routing, but disables acceleration technologies.

Question 312

Secondary and Standby Security Management Servers

Answer 312

This transition from Standby to Active must be initiated manually.

Question 313

Synchronizing Management HA Active and Standby Servers

Answer 313

Automatic or Manual

For Management HA to function properly, the following data is backed up and synchronized:
Network Security Management Databases (such as the Network Objects, policy settings, and the Security Policy itself)
Configuration and Internal Certificate Authority (ICA) data (such as Objects and Users databases, certificate information, and the CRL, which is available to be fetched by the Check Point Security Gateways)
Endpoint Security databases, if applicable

Question 314

Synchronization Status management HA

Answer 314

Never been synchronized
Synchronized
Lagging
Advanced

Question 315

OPSEC Certified HA and Load Sharing products

Answer 315

Decide which cluster member will deal with each connection.
Perform health checks
Perform failover

Question 316

Virtual Routing Redundancy Protocol (VRRP)

Answer 316

VRRP is a network management protocol that is used to increase the availability of default gateway servicing hosts on the same subnet.

Question 317

VRRP Types

Answer 317

Simple Monitored Circuit VRRP

Advanced VRRP

Question 318

Advanced VRRP can be configured via WebUI or CLI

Answer 318

set vrrp interface VALUE

show vrrp interface VALUE

Question 319

SecureXL

Answer 319

Check Point security acceleration technology that accelerates multiple, intensive security operations, including operations carried out by Check Point’s

Question 320

SecureXL traffic flow

Answer 320

Firewall Path (Slow) — Packets and connections that are inspected by the Firewall. These packets and connections are not processed by SecureXL. This path is also referred to as the Slow Path.
Accelerated Path — Packets and connections that are offloaded from the Firewall to SecureXL. These packets and connections are quickly processed.
Medium Path — Packets that cannot use the accelerated path because they require deeper inspection. Although it is not necessary for the Firewall to inspect these packets, they can be offloaded by another feature. For example, packets that are examined by IPS cannot use the accelerated path and can be offloaded to the IPS Passive Streaming Library (PSL), which provides stream reassembly for TCP connections. As a result, SecureXL processes these packets quicker than packets on the slow path.

Question 321

Packet Acceleration requires

Answer 321

Source address 
Destination address 
Source port 
Destination port
Protocol

Question 322

Secure XL session acceleration

Answer 322

To accelerate the rate of new connections, connections that do not match a specified 5-attributes are still processed by SecureXL by leveraging templates

Question 323

SecureXL connection templates

Answer 323

Accept Templates
Drop Templates
NAT Templates

Question 324

VPN Link Selection

Answer 324

allows multiple external interfaces to be configured for tunneling the VPN packets.

Question 325

Dynamic VPN Routing

Answer 325

allow the VPN domain to be determined dynamically instead of configuring a static VPN domain.

Question 326

Wire Mode Connections

Answer 326

allows trusted traffic to pass through without Stateful Inspection.

Question 327

CoreXL deafult number of cores

Answer 327

The default number of kernel instances is derived from the total number of cores in the system.

Question 328

Secure Network Distributor (SND)

Answer 328

Processing incoming traffic from the network interfaces.
Accelerating authorized packets (if SecureXL is running).
Distributing non accelerated packets among kernel instances

Question 329

Dynamic Dispatcher

Answer 329

Helps to improve load distribution and mitigates connectivity issues during traffic peaks

Question 330

fw ctl multik stat

Answer 330

distribution of connections across all CoreXL Firewall instances

Question 331

Firewall Priority Queues

Answer 331

Prioritizes traffic when the CPU cores are 100% utilized and packets need to be dropped.
Priorities packets based on the connection type

Question 332

How does CoreXL improve network performance

Answer 332

CoreXL acts as a load balancer and improves Security Gateway performance in situations where much of the traffic cannot be accelerated by SecureXL or when the gateway has many IPS features enabled, which disables SecureXL functionality

Question 333

When should you consider using Multi-Queue

Answer 333

1. The CPU load for SND is high (idle is < 20%).
2. The CPU load for CoreXL Firewall instances is low (idle is > 50%).
3. There are no CPU cores left to be assigned to the SND by changing interface affinity.

Question 334

SmartEvent clients manage the SmartEvent server and provide an overview of security information for an organization’s environment.

Answer 334

SmartConsole — installed as an external application
SmartEvent GUI — requires client installation
SmartView Web application

Question 335

SmartEvent Deployment

Answer 335

standalone=on the managment server

distributed=Seperate boxes

Question 336

SmartEvent uses the following procedures to identify events:

Answer 336

Matching a log against global exclusions
Matching a log against each event definition
Creating an event candidate
Updating an event

Question 337

SmartEvent Event Definition

Answer 337

contains a filter which is comprised of multiple criteria that must be found in any matching log

Question 338

SmartEvent Event Candidate

Answer 338

• Event Candidate allow SmartEvent to track logs until an event threshold is crossed and an event is generated.
• Each event definition may have multiple event candidates.

Question 339

What happens when a candidate becomes an event

Answer 339

Correlation Unit forwards the event to the Event Database.

Question 340

SmartEvent Event Queries

Answer 340

A view is an interactive dashboard made up of widgets

Question 341

Remediating Security Events

Answer 341

Threshold
Severity
Automatic reactions
Exceptions
Working hours

Question 342

VPN Installation Options

Answer 342

1. Client-based — In this solution, the client application is installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer or device. The client supplies access to most types of corporate resources according to the access privileges of the user.
2. Clientless — In this solution, users connect through a web browser and use HTTPS connections instead of connecting through a managed device. Clientless solutions usually supply access to web-based corporate resources.
3. On Demand Client — This remote access solution blends the first two options. A user connects with a web browser and installs a client when necessary. The client supplies access privileges to most types of corporate resources according to the access privileges of the user.

Question 343

IPSEC VPN how and what?

Answer 343

In a Layer 3 VPN solution, a resident VPN client is needed, which creates the Layer 3 virtual interface that any application can use. Better for managed devices

Question 344

SSL VPN how and what

Answer 344

only require a browser on the client side and allow mobile devices with a dedicated application to access corporate resources without establishing a VPN tunnel. Better for unmanaged devices

Question 345

Mobile Access Portal

Answer 345

clientless SSL VPN solution,requires a Mobile Access Software Blade license on the Security Gateway. used for web-based corporate resources

Question 346

SSL Network Extender (SNX)

Answer 346

thin SSL VPN on-demand client
a browser plug-in has 2 modes:
1.Network — Users can access all native IP-based and web-based applications in the internal network. Admin needs to define apps
2. Application — Users can access most native IP-based and web-based application types in the internal network. Admin needs to define apps

Question 347

Three main Clients Mobile Access

Answer 347

Check Point Mobile for Windows: IPSec, requires IPSec and mobile access software blade license
Check Point Mobile for iPhone and iPad: SSL required mobile access blade license
Check Point Mobile for Android: SSL required mobile access blade license

Question 348

Two additional client options

Answer 348

Check Point Capsule Workspace: Provides access separate applications

SecuRemote: limited fucntion IPSec VPN, requires IPSec blade license

Question 349

Check Point Capsule

Answer 349

Secure container with IAM control; helps control company data on personal devices
Capsule Workspace
Capsule Docs
Capsule Cloud

Question 350

Capsule Connect

Answer 350

Provide access to any application and uses IPSec vs SSL for capsule, but no data isolation

Question 351

Capsule Docs

Answer 351

Capsule Connect
Classify — Define a set of permissions, which may include markings such as headers, footers, and watermarks.
Share — Decide with whom to share the document.
Encrypt — Apply encryption (AES256 + RSA2048) to the document so that it is protected and accessed only by the authorized users and groups.

Offers cloud deployment

Question 352

Capsule Cloud

Answer 352

Capsule Cloud utilizes Check Point Software Blade solutions as a cloud-based service. Capsule Cloud enforces the organization’s in-network Security Policy to both on- and off-premise devices. It helps the enterprise to protect employees using laptops and mobile device when they are outside the secured office environment.

Question 353

Capsule Cloud

Answer 353

Set up policies for URL Filtering, Threat Prevention, and HTTPS Inspection
View user traffic and audit logs
Manage users and offices
Download Capsule Cloud applications and utilities
Change client and device settings
Access Capsule Cloud utilities
Determine location of roaming clients (via the Location Awareness feature)

Question 354

Check Point Mobile Access Software Blade

Answer 354

allows mobile and remote workers to easily and securely connect to the corporate network from any location. data is decrypted, filtered, and inspected in real-time by Check Point’s gateway security services. Can enforce security posture of the device

Question 355

Mobile Access User Authentication types

Answer 355

Certificate (Internal or External Certificate Authority)
RADIUS server
SecurID
Username and password (internal, LDAP)
Dynamic ID One-Time Password (OTP)

Question 356

Mobile Access Security

Answer 356

Server Side Security:
Mobile Access uses IPS Web Intelligence to protect the network from web-related threats and attacks

Client Side:
can scan endpoint devices to verify their security compliance and make sure that their protections are up-to-date.

Question 357

Mobile Access Policy (Firewall)

Answer 357

The Mobile Access Policy defines how remote users can securely access internal company applications and resources using mobile devices. Mobile Access Policy rules are defined and unified in the Access Control policy. This includes all rules related to the Mobile Access Portal, Capsule Workspace, and on-demand clients.

Question 358

Mobile Access in the Access Control Policy

Answer 358

1. The Mobile Access Software Blade must be enabled.
2. Security Gateways with Mobile Access enabled, are automatically added to the Remote Access VPN Community.
3. Mobile Access applications must be defined.
   Other application objects cannot be used for Mobile Access.
4. Create access roles to give access to resources through specified remote access clients.

Question 359

Mobile Access policy best practices

Answer 359

1. Place Mobile Access rules that authorize applications above rules that contain a related service.
2. Create an inline layer for Mobile Access rules.
   When creating rules, do not use a Security Gateway as the destination.

Question 360

What is the difference between an SSL VPN and an IPSec VPN?

Answer 360

1. In the SSL VPN solution, users can connect securely to business web-based applications through a web portal, which can be accessed using a web browser. This solution does not require users to install a VPN agent or client and can be configured to enforce two-factor authentication.
2. IPSec, Layer 3 VPN requires remote workers to install a VPN client before gaining access to corporate resources. Once a user installs the client, the Layer 3 VPN provides a secured connection to both web-based and native business applications.

Question 361

How do Capsule Docs and Capsule Workspace work together?

Answer 361

As business documents are edited and viewed on personal devices using Capsule Workspace, Capsule Docs protects business data and documents no matter where it is transmitted.

Question 362

Intrusion Prevention System (IPS)

Answer 362

Protects users from malware on legitimate websites, controls network usage of selected applications, and more.

Question 363

Intrusion Prevention System (IPS) managed by what policy

Answer 363

Threat Prevention policy

Question 364

What command do you use to import or export IPS profiles

Answer 364

ips_export_import

Question 365

Geo-Protection

Answer 365

1. Enforces or monitors traffic based on the source or destination country.
2. A valid IPS contract and an IPS Software Blade license is required.
3. The IP-To-Country database is downloaded to the gateway from a Check Point data center.
   Geo-Protection logs are aggregated by default.

Question 366

Antivirus

Answer 366

1. Protects the network from malware attacks/ worms virus, backdoors
2. Uses threat intelligence from ThreatCloud.
   Scans incoming files for malicious signatures.
3. Updates ThreatCloud with any newly detected malware.
4. Blocks access to websites with known connection to malware.

Question 367

Anti-Bot

Answer 367

Check Point’s Anti-Bot Software Blade identifies bot-infected machines using the ThreatSpect engine to analyze network traffic. The engine:
Performs a reputation check.
Reviews network signatures.
Searches for suspicious activity.

Question 368

Sandboxing

Answer 368

1. Used to catch zero-day attacks and APTs.

2. Files are hosted and executed in a secured environment and then observed for suspicious routines.

Question 369

Two types of sanboxing

Answer 369

OS-Level

CPU-Level

Question 370

OS-Level Sandboxing

Answer 370

Emulates a standard operating system in an isolated environment to execute and screen files.

Question 371

How to avoid OS-Level Sandboxing

Answer 371

Delaying launch of a payload.
Searching for virtual machine indicators.
Checking for human interaction activities that are difficult to replicate virtually.
OS fingerprinting.

Question 372

CPU-Level Sandboxing

Answer 372

Addresses the limitations of traditional sandboxing.

by Monitoring exploits executed in CPU instruction codes.

Question 373

CPU Level Sandboxing Stages

Answer 373

1. Finding Vulnerability
2. Using an Exploit Method
3. Running a Shellcode
4. Running the Malware

Question 374

SandBlast Zero-Day

Answer 374

Check Point’s solution for zero-day attacks

Question 375

SandBlast Components

Answer 375

Threat Emulation
Threat Extraction
Threat Cloud
Mail Transfer Agent

Question 376

SandBlast Threat Emulation

Answer 376

Performs both CPU-Level and OS-Level inspection of files.

Question 377

SandBlast Threat Extraction

Answer 377

Threat Extraction provides users with a sanitized, reconstructed document using only safe elements.

Threat Extraction is typically used for incoming emails only; however, it can be used for outgoing emails as well. It supports widely used document file types, such as PDF and MS Word documents.

Question 378

Threat Cloud

Answer 378

1.Consolidates information from sources, such as:
Signature and reputation data from different Check Point systems.
2. External intelligence sources.
3. Data and research from Check Point’s Vulnerability Research and Incident Response teams.
(Keeps sandblast up to date)

Question 379

Mail Transfer Agent

Answer 379

Ensures that full emulation occurs without disruption.
Prevents email server timeout during emulation.
Manages the emulation of SMTP traffic.

Question 380

SandBlast Appliances Deploy in what 2 modes

Answer 380

Inline or Prevent

Detect Only

Question 381

SandBlast Cloud Deployment Options are:

Answer 381

Detect Mode-In Detect mode, incoming emails go straight to the inbox without interference
Prevent Mode- In Prevent mode, incoming emails are directed to a temporary quarantine folder within Office 365
Hybrid Deployment- on-premise Exchange server and Cloud Office 365 can use the following options for a hybrid deployment:

Question 382

SandBlast Agent

Answer 382

Extends SandBlast Protection to end-users.

Question 383

How does SandBlast Threat Emulation and Threat Extraction prevent threats like zero-day attacks and APT?

Answer 383

To prevent these threats, Threat Emulation performs CPU-level inspection of incoming files to look for signs of exploit methods. It runs the inspection in a sandbox environment, away from the organization’s network. If files exhibit malicious routines, Threat Emulation deletes them promptly.
While Threat Emulation performs the inspection, Threat Extraction provides a clean, sanitized version of the file. This is to avoid any disruption to the company’s daily operations.

Question 384

How does IPS complement the Firewall Software Blade when it comes to preventing threats?

Answer 384

While Firewall blocks network traffic based on source, destination, and port information, IPS analyzes its contents. This is to prevent threats such as drive by download, which are known to hide malicious codes behind hijacked, legitimate websites.