CCSE Flashcards
What is the port used for SmartConsole to connect to the Security Management Server:
CPMI port 18191/TCP
Which is the correct order of a log flow processed by SmartEvent components?
Firewall > Log Server > Correlation Unit > SmartEvent Server Database > SmartEvent Client
In SmartEvent, what are the different types of automatic reactions that the administrator can configure?
Mail, Block Source, Block Event Activity, External Script, SNMP Trap
Which components allow you to reset a VPN tunnel?
SmartView monitor only
When synchronizing clusters, which of the following statements is FALSE?
A. The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized.
B. Only cluster members running on the same OS platform can be synchronized.
C. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization.
D. Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails.
Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails.
Which of the following is a new R80.10 Gateway feature that had not been available in R77.X and older?
The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
In R80.10, how do you manage your Mobile Access Policy?
From SmartDashboard
You find one of your cluster gateways showing “Down” when you run the “cphaprob stat” command. You then run “clusterXL_admin up” on the down member, but unfortunately the member continues to show down. What command do you run to determine the cause?
cphaprob -a list
SandBlast offers flexibility in implementation based on their individual business needs. What is an option for deployment of Check Point SandBlast Zero-Day Protection?
Threat Agent Solution
Which of the following is NOT a valid way to view an interface’s IP address settings in Gaia?
Using the command ethtool in Expert Mode
Check Point recommends configuring Disk Space Management parameters to delete old log entities when available disk space is less than or equal to?
15%
What API command below creates a new host with the name “New Host” and IP address of “192.168.0.10”?
add host name “New Host” ip-address “192.168.0.10”
What are types of Check Point APIs available currently as part of R80.10 code?
Management API, Threat Prevention API, Identity Awareness Web Services API and OPSEC SDK API
Which of the following is NOT an internal/native Check Point command?
A. fwaccel on
B. fw ctl debug
C. tcpdump
D. cphaprob
tcpdump
What is the SandBlast Agent designed to do?
If malware enters an end user’s system, the SandBlast Agent prevents the malware from spreading within the network
The SmartEvent R80 Web application for real-time event monitoring is called:
SmartView Monitor
What Shell is required in Gaia to use WinSCP?
Bash
Which one of the following is true about Threat Emulation?
Takes minutes to complete (less than 3 minutes)
What are the minimum open server hardware requirements for a Security Management Server/Standalone in R80.10?
4 CPU cores, 8GB of RAM and 500GB of disk space
The “MAC magic” value must be modified under the following condition:
A firewall cluster is configured to use Broadcast for CCP traffic
The Correlation Unit performs all but which of the following actions:
Assigns a severity level to the event
The following command is used to verify the CPUSE version:
HostName:0>show installer status build
Which statement is true regarding redundancy?
Both Cluster XL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.
Vanessa is expecting a very important Security Report. The document should be sent as an attachment via e-mail. An e-mail with a Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only a few lines of text are in it. The report is missing some graphs, tables and links. Which component of SandBlast protection is her company using on a Gateway?
SandBlast Threat Extraction
Which command collects diagnostic data for analyzing customer setup remotely?
cpinfo
When deploying multiple clustered firewalls on the same subnet, what does the firewall administrator need to configure to prevent CCP broadcasts being sent to the wrong cluster?
Set the cluster global ID using the command “cphaconf cluster_id set “
Which of these options is an implicit MEP option?
Primary-backup
John detected a high load on the sync interface. Which is the most recommended solution?
For short connections like http service - delay sync for 2 seconds
What is the SOLR database for?
Used for full text search and enables powerful matching capabilities
What is a feature that enables VPN connections to successfully maintain a private and secure VPN session without employing Stateful Inspection?
Wire Mode
On R80.10 the IPS Blade is managed by:
Threat Prevention policy
Which packet info is ignored with Session Rate Acceleration?
source port
What is the purpose of Priority Delta in VRRP?
When an interface fails, Effective Priority = Priority - Priority Delta
What is the purpose of a SmartEvent Correlation Unit?
The Correlation unit role is to evaluate logs from the log server component to identify patterns/threats and convert them to events.
The CDT utility supports which of the following?
All upgrades
The Central Deployment Tool (CDT)
The Firewall kernel is replicated multiple times, therefore:
The Firewall can run the same policy on all cores
Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an Active-Active cluster.
Asymmetric routing
Which is not a blade option when configuring SmartEvent?
A. Correlation Unit
B. SmartEvent Unit
C. SmartEvent Server
D. Log Server
SmartEvent Unit
What command would show the API server status?
api status
You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. How can you enable them?
fw ctl multik set_mode 9
You have existing dbedit scripts from R77. Can you use them with R80.10?
dbedit scripts are being replaced by mgmt_cli in R80.10
SecureXL improves non-encrypted firewall traffic throughput and encrypted VPN traffic throughput.
This statement is true because SecureXL does improve this traffic
What are the three components for Check Point Capsule?
Capsule Workspace, Capsule Docs, Capsule Cloud
Using mgmt_cli, what is the correct syntax to import a host object called Server_1 from the CLI?
mgmt_cli add host name “Server_1” ip-address “10.15.123.10” --format json
When defining QoS global properties, which option below is not valid?
A. Weight
B. Authenticated timeout
C. Schedule
D. Rate
Schedule
Check Point APIs allow system engineers and developers to make changes to their organization’s security policy with CLI tools and Web Services for all of the following except?
A. Create new dashboards to manage 3rd party task
B. Create products that use and enhance 3rd party solutions.
C. Execute automated scripts to perform common tasks.
D. Create products that use and enhance the Check Point Solution.
Create new dashboards to manage 3rd party task
What happens when an IPS profile is set to Detect-Only Mode for troubleshooting?
It will not block malicious traffic
When simulating a problem on a ClusterXL cluster with cphaprob -d STOP -s problem -t 0 register, to initiate a failover on an active cluster member, what command allows you to remove the problematic state?
cphaprob -d STOP unregister
You are investigating issues with two gateway cluster members that are not able to establish the first initial cluster synchronization. What service is used by the FWD daemon to do a Full Synchronization?
TCP port 256
Which command shows the current connections distributed by CoreXL FW instances?
fw ctl multik stat
What is the most ideal Synchronization Status for Security Management Server High Availability deployment?
Synchronized
What GUI client would you use to view an IPS packet capture?
SmartView Tracker
What is the valid range for VRID value in VRRP configuration?
1 - 255
Which one of these features is NOT associated with the Check Point URL Filtering and Application Control Blade?
A. Detects and blocks malware by correlating multiple detection engines before users are affected.
B. Configure rules to limit the available network bandwidth for specified users or groups.
C. Use UserCheck to help users understand that certain websites are against the company’s security policy.
D. Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels.
Detects and blocks malware by correlating multiple detection engines before users are affected.
Which command will reset the kernel debug options to default settings?
fw ctl debug 0
You need to change the number of firewall instances used by CoreXL. How can you achieve this goal?
cpconfig; reboot required
As a valid Mobile Access Method, what feature provides Capsule Connect/VPN?
Full Layer 3 VPN - IPsec VPN that gives users network access to all mobile applications
What does the command vpn crl_zap do?
Erases all CRL’s from the gateway cache
Firewall policies must be configured to accept VRRP packets on the GAiA platform if it runs Firewall software. The Multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for VRRP is:
224.0.0.18
Full synchronization between cluster members is handled by Firewall Kernel. Which port is used for this?
TCP port 256
GAiA greatly increases operational efficiency by offering an advanced and intuitive software update agent, commonly referred to as the:
Check Point Upgrade Service Engine.
Which one of these is NOT a firewall chain?
A. RTM packet in (rtm)
B. VPN node add (vpnad)
C. IP Options restore (in) (ipopt_res)
D. Fw SCV inbound (scv)
VPN node add (vpnad)
Which is a suitable command to check whether Drop Templates are activated or not?
fwaccel stat
Which directory below contains log files?
/opt/CPsuite-R80/fw1/log
What is the responsibility of SOLR process on R80.10 management server?
It generates indexes of data written to the database
VPN Tunnel Sharing can be configured with any of the options below, EXCEPT One:
A. Gateway-based
B. Subnet-based
C. IP range based
D. Host-based
IP range based
You want to store the GAiA configuration in a file for later reference. What command should you use?
save configuration
What can you do to see the current number of kernel instances in a system with CoreXL enabled?
Execute command cpconfig
When Dynamic Dispatcher is enabled, connections are assigned dynamically with the exception of
VoIP & VPN Encrypted Traffic
Why would you not see a CoreXL configuration option in cpconfig?
The gateway only has one processor
In SPLAT the command to set the timeout was idle. In order to achieve this and increase the timeout for Gaia, what command do you use?
set inactivity-timeout
What makes Anti-Bot unique compared to other Threat Prevention mechanisms, such as URL Filtering, Anti-Virus, IPS, and Threat Emulation?
Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection to a Command & Control Center
SmartEvent does NOT use which of the following procedures to identify events?
A. Matching a log against each event definition
B. Create an event candidate
C. Matching a log against local exclusions
D. Matching a log against global exclusions
Matching a log against local exclusions
In Gaia, if one is unsure about a possible command, what command lists all possible commands?
show commands
In which case is a Sticky Decision Function relevant?
Load Sharing - Multicast
The Security Gateway is installed on GAiA R80. The default port for the Web User Interface is _______.
TCP 443
When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?
SmartEvent
Fill in the blank: The tool ___________ generates a R80 Security Gateway configuration report.
cpinfo
Fill in the blank: The R80 utility fw monitor is used to troubleshoot __________.
Traffic issues
You are working with multiple Security Gateways enforcing an extensive number of rules. To simplify security administration, which action would you choose?
Create a separate Security Policy package for each remote Security Gateway.
Tom has been tasked to install Check Point R80 in a distributed deployment. Before Tom installs the systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his calculations?
Two machines
Fill in the blank: The command _______________ provides the most complete restoration of a R80 configuration.
upgrade_import
Which of the following statements is TRUE about R80 management plug-ins?
A management plug-in interacts with a Security Management Server to provide new features and support for new products.
Fill in the blank: The R80 feature ________ permits blocking specific IP addresses for a specified time period.
Suspicious Activity Monitoring
In R80 spoofing is defined as a method of:
Making packets appear as if they come from an authorized IP address.
Which features are only supported with R80.10 Gateways but not R77.x?
The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
For best practices, what is the recommended time for automatic unlocking of locked admin accounts?
30 minutes at least
What scenario indicates that SecureXL is enabled?
fwaccel commands can be used in clish
What is the command to show SecureXL status?
fwaccel stat
Which web services protocol is used to communicate with the Check Point R80 Identity Awareness Web API?
REST
Which file gives you a list of all security servers in use, including port number?
$FWDIR/conf/fwauthd.conf
What CLI command will reset the IPS pattern matcher statistics?
ips pmstats reset
GAiA software update packages can be imported and installed offline in situations where:
Security Gateway with GAiA does NOT have access to Internet.
The Event List within the Events tab contains:
events generated by a query.
Query
Statistics
List
Preview
What is mandatory for ClusterXL to work properly?
The Magic MAC number must be unique per cluster node.
Which one of the following processes would not start if there was a licensing issue?
CPD
Aaron is a Cyber Security Engineer working for a Global Law Firm with a large scale deployment of Check Point Enterprise Appliances using GAiA/R80.10. The company’s Network Security Developer Team is having issues testing a new API with the newly deployed R80.10 Security Management Server and blames the Check Point Security Management Server as the root cause. A ticket has been created and the issue is at Aaron’s desk for investigation. What do you recommend as the best suggestion for Aaron to make sure API testing works as expected?
Aaron should check the API Server status from the expert CLI with “api status” and, if it’s stopped, he should start it using the command “api start” on the Security Management Server.
What utility would you use to configure route-based VPNs?
vpn shell
Where do you create and modify the Mobile Access policy in R80?
SmartDashboard
Customer’s R80 management server needs to be upgraded to R80.10. What is the best upgrade method when the management server is not connected to the Internet?
CPUSE offline upgrade
CPD is a core Check Point process that does all of the following EXCEPT:
A. AMON status pull from the Gateway
B. Management High Availability (HA) sync
C. SIC (Secure Internal Communication) functions
D. Policy installation
Management High Availability (HA) sync
What processes does CPM control?
web_services, dle_server and object_Store
Please choose the correct command syntax to add an “emailserver1” host with IP address 10.50.23.90 using the GAiA management CLI.
mgmt add host name emailserver1 ip-address 10.50.23.90
Where can you see and search records of actions done by R80 SmartConsole administrators?
In the Logs & Monitor view, select “Open Audit Log View”
What are the different command sources that allow you to communicate with the API server?
SmartConsole GUI Console, mgmt_cli Tool, Gaia CLI, Web Services
Both ClusterXL and VRRP are fully supported by Gaia R80.10 and available to all Check Point appliances. Which of the following commands is NOT related to redundancy and functions?
A. cphaprob stat
B. cphaprob -a if
C. cphaprob -l list
D. cphaprob all show stat
cphaprob all show stat
What are the steps to configure the HTTPS Inspection Policy?
Go to Manage&Settings>Blades>HTTPS Inspection>Policy
To find records in the logs that show log records from the Application & URL Filtering Software Blade where traffic was blocked, what would be the query syntax?
blade: “application control” AND action:block
Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new multicore CPU to replace the existing single core CPU. After installation, is the administrator required to perform any additional tasks?
Go to clish - Run cpconfig | Configure CoreXL to make use of the additional cores | Exit cpconfig | Reboot Security Gateway
Identify the API that is not supported by Check Point currently.
A. R80 Management API
B. Identity Awareness Web Services API
C. Open REST API
D. OPSEC SDK
Open REST API
Which command can you use to enable or disable multi-queue per interface?
cpmq set
Which of the following is NOT a type of Check Point API available in R80.10?
A. Identity Awareness Web Services
B. OPSEC SDK
C. Mobile Access
D. Management
Mobile Access
What is the limitation of employing Sticky Decision Function?
Acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF
When configuring Third-Party devices to read the logs using the LEA (Log Export API) the default Log Server uses port:
18184
Mobile Access supports all of the following methods of Link Translation EXCEPT:
A. Hostname Translation (HT)
B. Path Translation (PT)
C. URL Translation (UT)
D. Identity Translation (IT)
Identity Translation (IT)
What is true of the API server on R80.10?
By default, the API server is active on management servers with 4 GB of RAM (or more) and on stand-alone servers with 8 GB of RAM (or more)
How many images are included with Check Point TE appliance in Recommended Mode?
2 (OS) images
Which deployment methods can an administrator choose when deploying the Sandblast agent?
Use both SCCM and GPO for the deployment agent and End Point Management to push the Agent.
Which Check Point software blades could be enforced under Threat Prevention profile using Check Point R80.10 SmartConsole application?
IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction
What’s true about the Troubleshooting option in the IPS profile properties?
Temporarily set all protections to track (log) in SmartView Tracker
What is the mechanism behind Threat Extraction?
Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast.
Which command will allow you to see the interface status?
cphaprob -a if
What is the least ideal Synchronization Status for Security Management Server High Availability deployment?
Lagging
If the Active Security Management Server fails or if it becomes necessary to change the Active to Standby, the following steps must be taken to prevent data loss. Providing the Active Security Management Server is responsive, which of these steps should NOT be performed:
Rename the hostname of the Standby member to match exactly the hostname of the Active member.
During inspection of your Threat Prevention logs you find four different computers having one event each with a Critical Severity. Which of those hosts should you try to remediate first?
Host having a Critical event found by Threat Emulation
What is the correct statement about Security Gateway and Security Management Server failover in Check Point R80.X in terms of Check Point Redundancy driven solutions?
Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure.
You want to verify if your management server is ready to upgrade to R80.10. What tool could you use in this process?
pre_upgrade_verifier
After successfully exporting a policy package, how would you import that package into another SMS database in R80.10?
upgrade_import
Choose the ClusterXL process that is defined by default as a critical device?
fwd
Security Checkup Summary can be easily conducted within:
Views
Which of the SecureXL templates are enabled by default on Security Gateway?
Accept
As an administrator, you may be required to add the company logo to reports. To do this, you would save the logo as a PNG file with the name ‘cover-company-logo.png’ and then copy that image file to which directory on the SmartEvent server?
$RTDIR/smartview/conf
Which NAT rules are prioritized first?
Manual/Pre-Automatic NAT
What CLI command compiles and installs a Security Policy on the target’s Security Gateways?
fwm load
What is the command to see cluster status in cli expert mode?
cphaprob stat
What are the methods of SandBlast Threat Emulation deployment?
Cloud, Appliance and Hybrid
Which command is used to display status information for various components?
show sysenv all
Which is NOT an example of a Check Point API?
A. Gateway API
B. Management API
C. OPSEC SDK
D. Threat Prevention API
Gateway API
NAT rules are prioritized in which order?
- Automatic Static NAT
- Automatic Hide NAT
- Manual/Pre-Automatic NAT
- Post-Automatic/Manual NAT rules
3, 1, 2, 4
Events can be categorized and assigned to System Administrators to track their path through the workflow. Which of the following is NOT an option?
A. Under Investigation
B. Pending Investigation
C. False Positive
D. Open
Open
What is the processing order for overall inspection and routing of packets?
Firewall, NAT, Routing
When configuring Endpoint Compliance Settings for Applications and Gateways within Mobile Access, which of the three approaches will allow you to configure individual policies for each application?
A. Basic Approach
B. Strong Approach
C. Advanced Approach
D. Medium Approach
Advanced Approach
What is true about VRRP implementations?
You cannot have a standalone deployment
When using Monitored circuit VRRP, what is a priority delta?
When an interface fails the priority delta is subtracted from the priority
Which one of the following is true about Threat Extraction?
almost instantaneous
Daisy needs to review how the Security Gateway Cluster, Jonas, behaves when a cluster member comes back online. Where would she review the behavior of cluster member recovery in the Dashboard?
Open SmartDashboard, select and open the Cluster Object Jonas, Select Topology - Advanced Options and review the High Availability recovery options.
What is considered Hybrid Emulation Mode?
Load sharing of emulation between an on premise appliance and the cloud
To accelerate the rate of connection establishment, SecureXL groups all connections that match a particular service and whose sole differentiating element is the source port. This type of grouping enables even the very first packets of a TCP handshake to be accelerated. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. Which of these IS NOT a SecureXL template?
A. Accept Template
B. Deny template
C. Drop Template
D. NAT Template
Deny template
What is the difference between an event and a log?
A log entry becomes an event when it matches any rule defined in Event Policy
Jack is using SmartEvent and does not see the identities of the users on the events. As an administrator with full access, what does he need to do to fix his issue?
Open SmartEvent, go to the Policy Tab, select General Settings from the left column > User Identities and check the box Show Identities
What command can you use to have cpinfo display all installed hotfixes?
cpinfo -y all
Check Point Management (cpm) is the main management process in that it provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web service using ______.
TCP Port 18190
What is true about the IPS-Blade?
in R80, IPS is managed by the Threat Prevention Policy
Which statement is correct about the Sticky Decision Function?
It is not supported with either the Performance pack or a hardware based accelerator card
Which of the following is NOT an attribute of packet acceleration?
A. Source address
B. Protocol
C. Destination port
D. Application Awareness
Application Awareness
You have successfully backed up your Check Point configurations without the OS information. What command would you use to restore this backup?
migrate import
You need to change the MAC-address on eth2 interface of the gateway. What command and what mode will you use to achieve this goal?
set interface eth2 mac-addr 11:11:11:11:11:11; CLISH
What command verifies that the API server is responding?
api status
Session unique identifiers are passed to the web api using which http header option?
Proxy-Authorization
What are the main stages of a policy installation?
Verification & Compilation, Transfer and Installation
What are the available options for downloading Check Point hotfixes in Gaia WebUI (CPUSE)?
Manually, Scheduled, Automatic
What is the main difference between Threat Extraction and Threat Emulation?
Threat Extraction always delivers a file and takes less than a second to complete
The concept of layers was introduced in R80. What is the biggest benefit of layers?
Policy Layers and Sub-Policies enable flexible control over the security policy.
What factors preclude SecureXL templating?
Source Port Ranges/Encrypted Connections
Automation and Orchestration differ in that:
Automation relates to codifying tasks, whereas orchestration relates to codifying processes.
You have a Gateway running with 2 cores. You plan to add a second gateway to build a cluster and use a device with 4 cores. How many cores can be used in a cluster for the Firewall kernel on the new device?
2
If an administrator wants to add manual NAT for addresses not owned by the Check Point firewall, what else is necessary to be completed for it to function properly?
Add the proxy ARP configuration in a file called $FWDIR/conf/local.arp
Which of the following commands shows the status of processes?
cpwd_admin list
The Regulatory Compliance pane shows compliance statistics for selected regulatory standards, based on the Security Best Practice scan. Which of the following does NOT show in this pane?
A. The total number of Regulatory Requirements that are monitored
B. The Average compliance score for each regulation shown
C. The average number of Regulatory Requirements that are monitored
D. The Number of Regulatory Requirements for each Regulation
The average number of Regulatory Requirements that are monitored
In Threat Prevention, you can create new or clone profiles but you CANNOT change the out-of-the-box profiles of:
Basic, Optimized, Strict
Advanced Security Checkups can be easily conducted within:
Reports
The Firewall Administrator is required to create 100 new host objects with different IP addresses. What API command can he use in the script to achieve the
add host name ip-address
Which Check Point ClusterXL mode is used to synchronize the physical interface IP and MAC addresses on all clustered interfaces?
Multicast Mode Load Sharing
Return oriented programming (ROP) exploits are detected by which security blade?
Check Point Anti-Virus / Threat Emulation
What is the protocol and port used for Health Check and State Synchronization in ClusterXL?
CCP and 8116
If the first packet of a UDP session is rejected by a security policy, what does the firewall send to the client?
ICMP unreachable
What has to be taken into consideration when configuring Management HA?
The Database revisions will not be synchronized between the management servers.
You plan to automate creating new objects using the new R80 Management API. You decide to use the GAIA CLI for this task. What is the first step to run management API commands on GAIA’s shell?
mgmt login
Which is NOT a SmartEvent component?
A. SmartEvent Server
B. Correlation Unit
C. Log Consolidator
D. Log Server
Log Consolidator
To ensure that VMAC mode is enabled, which CLI command should you run on all cluster members?
fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1
Which method below is NOT one of the ways to communicate using the Management APIs?
A. Typing API commands using the “mgmt_cli” command
B. Typing API commands from a dialog box inside the SmartConsole GUI application
C. Typing API commands using Gaia’s secure shell (clish)
D. Sending API commands over an http connection using web-services
Sending API commands over an http connection using web-services
When an encrypted packet is decrypted, where does this happen?
Inbound chain
Jack has finished building his new SMS server, Red, on new hardware. He used SCP to move over the Red-old.tgz export of his old SMS server. What is the command he will use to import this into the new server?
Expert@Red# ./migrate import Red-old.tgz
SandBlast agent extends 0 day prevention to what part of the network?
Web Browsers and user devices
In a Client to Server scenario, which represents that the packet has already been checked against the tables and the Rule Base?
Big I
Which of the following is NOT an option to calculate the traffic direction?
A. Incoming
B. Internal
C. External
D. Outgoing
External
During inspection of your Threat Prevention logs you find four different computers having one event each with a Critical Severity. Which of those hosts should
you try to remediate first?
Host having a Critical event found by Anti-Bot
What command lists all interfaces using Multi-Queue?
cpmq get
From a SecureXL perspective, what are the three paths of traffic flow?
Firewall Path; Accelerated Path; Medium Path
Joey and Vanessa are firewall administrators in their company. Joey wants to run the Management API server on his Security Management server. He logs in to SmartConsole and goes to Manage & Settings > Blades. In the Management API section, he proceeds to Advanced Settings. He wants to set up the Management API server to run automatically at startup. He is surprised, because this functionality is already selected by default. What is the reason that this functionality is already enabled?
Joey is an administrator of Distributed Security Management with at least 4GB of RAM.
The system administrator of a company is trying to find out why acceleration is not working for the traffic. The traffic is allowed according to the rule base and
checked for viruses. But it is not accelerated. What is the most likely reason that the traffic is not accelerated?
The traffic is originating from the gateway itself.
Security Checkup Summary can be easily conducted within:
Reports
Select the right answer to export IPS profiles to copy to another management server?
SmartDashboard - IPS tab - Profiles - select profile + right click and select “export profile”
SandBlast has several functional components that work together to ensure that attacks are prevented in real-time. Which the following is NOT part of the
SandBlast component?
A. Threat Emulation
B. Mobile Access
C. Mail Transfer Agent
D. Threat Cloud
Mail Transfer Agent
You want to gather data and analyze threats to your mobile device. It has to be a lightweight app. Which application would you use?
Check Point Protect
After making modifications to the $CVPNDIR/conf/cvpnd.C file, how would you restart the daemon?
cvpnrestart
In the Check Point Firewall Kernel Module, each chain module is associated with a key, which specifies the type of traffic applicable to that module. For Stateful Mode configuration, chain modules marked with ___________ will not apply.
2
Joey is preparing a plan for Security management upgrade. He wants to upgrade management to R80.x. What is the lowest supported version of the Security
Management he can upgrade from?
R77.X with direct upgrade
CPM process stores objects, policies, users, administrators, licenses and management data in a database. This database is:
Postgres SQL
In what way is Secure Network Distributor (SND) a relevant feature of the Security Gateway?
SND is used to distribute packets among Firewall instances
There are 4 ways to use the Management API for creating host object with R80 Management API. Which one is NOT correct?
A. Using Web Services
B. Using Mgmt_cli tool
C. Using CLISH
D. Using SmartConsole GUI console
Using CLISH
By default, the R80 web API uses which content-type in its response?
JSON
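Worked example of the web-service path from the questions above, added here as an illustration and not Check Point's own code or tooling. It models the R80 Management API call sequence for creating a host object: every command is an HTTPS POST to /web_api/<command> with a JSON body, the `sid` returned by `login` is sent back in the X-chkp-sid header on every later call, and nothing reaches the database until `publish`. The transport is injectable so the flow runs offline; `FakeMgmt`, the credentials, the host name and the addresses are constructed stand-ins, not a real management server.

```python
"""Added example, not Check Point's code: models the R80 Management API call
sequence used to create a host object over the web service.  Each command is
an HTTPS POST to /web_api/<command> with a JSON body; `login` returns a `sid`
that every later call must send in the X-chkp-sid header; changes only reach
the database when `publish` is called.  The transport is injectable, so the
flow can run offline against `FakeMgmt`, a constructed stand-in server."""
from typing import Callable, Dict, List, Tuple

# transport(url, headers, json_body) -> (http_status, json_response)
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


class MgmtApiClient:
    """Minimal client for https://<mgmt>:<port>/web_api/<command>."""

    def __init__(self, host: str, transport: Transport, port: int = 443):
        self.base = f"https://{host}:{port}/web_api/"
        self.transport = transport
        self.sid = None
        self.calls: List[Tuple[str, Dict[str, str]]] = []  # (command, headers) sent

    def call(self, command: str, body: dict) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid:                       # every call after login carries the session id
            headers["X-chkp-sid"] = self.sid
        self.calls.append((command, headers))
        status, resp = self.transport(self.base + command, headers, body)
        if status != 200:
            raise RuntimeError(f"{command} failed ({status}): {resp.get('message')}")
        return resp

    def login(self, user: str, password: str) -> str:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def add_host(self, name: str, ip: str) -> dict:
        return self.call("add-host", {"name": name, "ip-address": ip})

    def publish(self) -> dict:
        return self.call("publish", {})

    def logout(self) -> dict:
        resp = self.call("logout", {})
        self.sid = None
        return resp


class FakeMgmt:
    """Constructed stand-in for the management server.  It enforces the two
    behaviours the example is about: calls without a valid X-chkp-sid are
    rejected, and objects stay session-private until `publish`."""

    def __init__(self):
        self.sessions: Dict[str, dict] = {}   # sid -> unpublished objects
        self.published: Dict[str, str] = {}   # name -> ip, the "database"

    def __call__(self, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        command = url.rsplit("/", 1)[1]
        if headers.get("Content-Type") != "application/json":
            return 400, {"message": "unsupported content type"}
        if command == "login":
            sid = f"sid-{len(self.sessions) + 1}"
            self.sessions[sid] = {}
            return 200, {"sid": sid, "api-server-version": "1.1"}
        sid = headers.get("X-chkp-sid")
        if sid not in self.sessions:
            return 401, {"message": "Missing or invalid session"}
        pending = self.sessions[sid]
        if command == "add-host":
            pending[body["name"]] = body["ip-address"]
            return 200, {"uid": f"uid-{body['name']}", "name": body["name"]}
        if command == "publish":
            self.published.update(pending)
            pending.clear()
            return 200, {"task-id": "task-1"}
        if command == "logout":
            del self.sessions[sid]
            return 200, {"message": "OK"}
        return 404, {"message": f"unknown command {command}"}


def create_host(client: MgmtApiClient, name: str, ip: str, publish: bool = True) -> dict:
    """Full sequence: login -> add-host -> (publish) -> logout."""
    client.login("admin", "vpn123")      # constructed credentials
    host = client.add_host(name, ip)
    if publish:
        client.publish()
    client.logout()
    return host


def unauthenticated_add_rejected(transport: Transport) -> bool:
    """add-host without a prior login carries no X-chkp-sid and is refused."""
    try:
        MgmtApiClient("203.0.113.10", transport).add_host("x", "192.0.2.1")
    except RuntimeError:
        return True
    return False
```

Against a real server the same client works unchanged with a transport built on `requests.post(url, headers=headers, json=body)`, with certificate verification configured for the management server's certificate; the point to remember from the flow is that a host added and never published is not in the database, however many 200 responses the session saw.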
What information is NOT collected from a Security Gateway in a Cpinfo?
Firewall logs
What is the command to check the status of the SmartEvent Correlation Unit?
cpstat cpsead
R80.10 management server can manage gateways with which versions installed?
Versions R75.20 and higher
Which statement is most correct regarding the CoreXL Dynamic Dispatcher?
The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores.
Fred is troubleshooting a NAT issue and wants to check whether the inbound connection from his internal network is being translated correctly across the firewall interface. He decides to use fw monitor to capture traffic from the source 192.168.3.5 or to the destination 10.1.1.25 on his Security Gateway,
Green, which has an IP of 192.168.4.5. What command captures this traffic in a file that he can download and review with Wireshark?
Expert@Green# fw monitor -e "accept src=192.168.3.5 or dst=10.1.1.25;" -o monitor.out
Which process is available on any management product and on products that require direct GUI access, such as SmartEvent and provides GUI client
communications, database manipulation, policy compilation and Management HA synchronization?
fwm
UserCheck objects in the Application Control and URL Filtering rules allow the gateway to communicate with the users. Which action is not supported in
UserCheck objects?
A. Ask
B. Drop
C. Inform
D. Reject
Reject
SmartConsole R80 requires the following ports to be open for SmartEvent R80 management:
19009, 443
Which command gives us a perspective of the number of kernel tables?
fw tab -s
Which command would you use to determine the current Cluster Global ID?
Expert -> cphaconf cluster_id get
Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically reset every:
60 sec
Check Point security components are divided into the following components:
GUI Client, Security Management, Security Gateway
What’s true about Troubleshooting option in the IPS profile properties?
Temporarily set all protections to track (log) in SmartView Tracker
When installing a dedicated R80 SmartEvent server, what is the recommended size of the root partition?
At least 20 GB
How many confidence levels are there for IPS?
five
Which file is not in the $FWDIR directory collected by the CPInfo utility from the server?
cpd.elg
An administrator would like to troubleshoot why templating is not working for some traffic. How can he determine at which rule templating is disabled?
He can use the fwaccel stat command on the gateway
How can the SmartView Web application be accessed?
https://<management IP address>/smartview/
The WebUI offers several methods for downloading hotfixes via CPUSE except:
A. Automatic
B. Force override
C. Manually
D. Scheduled
Force override
How would you deploy TE250X Check Point appliance just for email traffic and in-line mode without a Check Point Security Gateway?
You can utilize only Check Point Cloud Services for this scenario
With SecureXL enabled, accelerated packets will pass through the following:
Network Interface Card and the Acceleration Device
Which command shows the connection table in human readable format?
fw tab -t connections -f
What is the default size of NAT table fwx_alloc?
25000
What is the least amount of CPU cores required to enable CoreXL?
2
Which TCP-port does CPM process listen to?
19009
In order to optimize performance of a Security Gateway you plan to use SecureXL technology. Your company uses different types of applications. Identify
application traffic that will NOT be accelerated
A. Corporate relational database TCP traffic
B. Custom application multicast traffic
C. Transactions to the external application server using UDP
D. TCP connections to the corporate Web-server
Custom application multicast traffic
Using Threat Emulation technologies, what is the best way to block .exe and .bat file types?
tecli advanced attributes set prohibited_file_types exe,bat
The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via which 2 processes?
cpm via cpd
To help SmartEvent determine whether events originated internally or externally you must define using the initial settings under General Settings in the Policy
Tab. How many options are available to calculate the traffic direction?
- Incoming; Outgoing; Internal; Other
Jack needs to configure CoreXL on his Red Security Gateway. What are the correct steps to enable CoreXL?
SSH to Red Security Gateway, run cpconfig> select Configure Check Point CoreXL > enable CoreXL > exit cpconfig> reboot the Security Gateway
In a ClusterXL high-availability environment, what MAC address will answer for Virtual IP in the default configuration?
MAC address of Active Member
What tool exports the Management Configuration into a single file?
migrate export
Which of the following process pulls applications monitoring status?
cpd
SandBlast appliances can be deployed in the following modes:
inline/prevent or detect
What utility would you use to configure route-based VPNs?
vpn shell
What SmartEvent component creates events?
Correlation Unit
In order to get info about assignment (FW, SND) of all CPUs in your SGW, what is the most accurate CLI command?
fw ctl affinity -l -a -r -v
What is the proper CLISH syntax to configure a default route via 192.168.255.1 in Gaia?
set static-route default nexthop gateway address 192.168.255.1 priority 1 on
What is the correct command to observe the Sync traffic in a VRRP environment?
fw monitor -e “accept dst=224.0.0.18;”
To fully enable Dynamic Dispatcher on a Security Gateway:
run fw ctl multik set_mode 9 in Expert mode and then reboot
How many interfaces can you configure to use the Multi-Queue feature?
5 interfaces
A Threat Prevention profile is a set of configurations based on the following. (Choose all that apply.)
Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings
Selecting an event displays its configurable properties in the Detail pane and a description of the event in the Description pane. Which is NOT an option to adjust
or configure?
A. Severity
B. Automatic reactions
C. Policy
D. Threshold
Policy
Which statement is NOT TRUE about Delta synchronization?
A. Using UDP Multicast or Broadcast on port 8161
B. Using UDP Multicast or Broadcast on port 8116
C. Quicker than Full Sync
D. Transfers changes in the Kernel labels between cluster members
Using UDP Multicast or Broadcast on port 8161
SmartEvent has several components that function together to track security threats. What is the function of the Correlation Unit as a component of this
architecture?
Analyzes this log entry as it arrives at the log server according to the Event Policy. When a threat pattern is identified, an event is forwarded to the
SmartEvent Server.
The Check Point installation history feature in R80 provides the following:
Policy Installation Date, view install changes and install specific version
What is not a component of Check Point SandBlast?
A. Threat Emulation
B. Threat Simulation
C. Threat Extraction
D. Threat Cloud
Threat Simulation
How can you see historical data with cpview?
cpview -t
Which configuration file contains the structure of the Security Servers showing the port numbers, corresponding protocol name, and status?
$FWDIR/conf/fwauthd.conf
SmartEvent provides a convenient way to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands. They appear only on cells that refer to IP addresses because the IP address of the active cell is used as the destination of the command when run. The default commands are:
ping, whois, nslookup, and Telnet
Check Point Management (cpm) is the main management process in that it provides the architecture for the consolidated management console. It empowers the migration from legacy Client side logic to Server side-logic. The cpm process:
Performs database tasks such as creating, deleting, and modifying objects and compiling policy.
How long may verification of one file take for SandBlast Threat Emulation?
A cleaned file is provided within seconds
For Management High Availability, which of the following is NOT a valid synchronization status?
A. Collision
B. Down
C. Lagging
D. Never been synchronized
Down
To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, run the following command in Expert mode then reboot:
fw ctl multik set_mode 9
How do you enable virtual mac (VMAC) on-the-fly on a cluster member?
fw ctl set int fwha_vmac_global_param_enabled 1
Holds configuration settings for Advanced Upgrade with Database Migration.
migrate.conf
migrate
Runs Advance Upgrade with migration.
pre_upgrade_verifier
Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.
Upgrade Verification Service
- Updates released to correct an issue or provide enhancements and improvements.
- HFA is a collection of stability and quality fixes.
- The name of a hotfix identifies the version it is compatible with.
CPUSE
- Manually
- Scheduled
- Automatic
CDT
Automatically install CPUSE offline packages on multiple gateways and clusters members at same time
Standard mode
(Clish) provides commands for easy configuration and routine administration
Expert mode
Gives access to advanced Check Point system functions and the underlying Linux functions
Set client environment
set clienv
save client environment
save clienv
Acquire configuration lock
lock database override
add and modify user accounts
add user <username> ... ; set user <username> ...
set message banner
set message banner on msgvalue “This system is private and confidential”
enable SNMP
set snmp agent on
To enable or disable core dumps
set core-dump [enable|disable]
To create DHCP server subnets
add dhcp server subnet <subnet> netmask <mask> include-ip-pool <start> <end>
add dhcp server subnet <subnet> netmask <mask> exclude-ip-pool <start> <end>
CPM
Management process TCP 19009
fwm
on all management products It provides GUI client communication, database manipulation, policy compilation, and Management High Availability synchronization
fwd
allows other processes, including the kernel, to forward logs
fwssd
child process of fwd; runs the Security Servers, which provide a higher level of protocol enforcement
cpd
Check Point Daemon (cpd) is a core process on every Check Point product. It allows Secure Internal Communication (SIC) functionality
cpwd (WatchDog)
cpwd_admin utility shows the status of processes and configures cpwd
Kernel Mode
Data Link layer
Every packet that goes through the Firewall is inspected
User Mode
Allows the Firewall to function more efficiently in the Application layer
Input/Output
allow user and kernel processes to communicate
Chain Modules
packet processing handlers,
decide which modules will inspect the packet and, based on the inspection, may then modify, pass, or drop the packets,
Inbound and outbound packets are inspected in both directions by chain modules
Connections Table Format
6-tuple
Verification & Compilation (6 stages)
Initiation, Database Dump, Verification, Conversion, Fwm rexec, Code Generation and Compilation
policy installation process
three main stages
Verification & Compilation
Transfer (CPTA)
Commit
Commit stage
• The cpd process on the gateway will execute the following command to load the policy which was just transferred to the gateway:
fw fetchlocal -d $FWDIR/state/_tmp/FW1
• The policy will then be loaded into the kernel.
• If successful, the new policy will be copied to the $FWDIR/state/FW1 folder on the gateway.
• If the fetchlocal process fails, cpd will get a notification regarding the failed process and will inform the fwm process that loading the policy has failed.
NAT rules are prioritized according to the list below:
- Manual/Pre-Automatic NAT
- Automatic Static NAT
- Automatic Hide NAT
- Post-Automatic/Manual NAT rules
configuration files /opt
CPsuite-R80 — Manages Firewall modules
CPshrd-R80 — Stores cpd database, licenses
CPEdgecmp-R80 — Manages Edge devices
/lib
/conf
store definition files
Ex. $FWDIR/conf/fwauth.NDB = user definitions
Ex. $FWDIR/conf/fwauthd.conf= Security server configuration
cpconfig
command line version of the Check Point Configuration tool and configure or reconfigure a Security Gateway/Management installation
cplic print
details of Check Point licenses
four inspection points
passes through the kernel:
- i — Before the virtual machine, in the Inbound direction (pre-Inbound)
- I — After the virtual machine, in the Inbound direction (post-Inbound)
- o — Before the virtual machine, in the Outbound direction (pre-Outbound)
- O — After the virtual machine, in the Outbound direction (post-Outbound)
Stateful features provided with the Connections table
- Streaming based applications, such as Web security
- Sequence verification and translation
- Hide NAT
- Logging, accounting, and monitoring
- Client and server identification
- Data connections
RESTful API
GET, PUT, POST, and DELETE
Packets that do not pass inspection are answered with a NACK:
TCP = RST
UDP = ICMP Unreachable
processing order for the overall inspection
- Firewall — Inspection on the Original Packet.
- NAT — Translate the IP and/or port number as required.
- Routing — Forward on the resulting packet.
Cluster Virtual MAC (VMAC)
allows all cluster members to use the same Virtual MAC address and minimizes possible traffic outages during a failover
State Synchronization two modes
Full Synchronization
Delta Synchronization
fw ctl pstat
monitor synchronization
restrictions synchronizing cluster members
same platform
same software version
number of cores
Cluster Connectivity Upgrade
synchronizes existing connections to maintain connectivity and eliminate downtime during cluster upgrades.
How many members can clusterXL support
8
How add new member
- Run cpconfig
- Change the IP address of the new cluster member to reflect the correct topology.
Ensure that all Check Point products are installed on the new cluster member. All Check Point software components must be identical on each member of the cluster.
In the Cluster Members page of the cluster object, create a new cluster member
ensure that SIC is initialized and the topology is correctly defined.
Ensure that the proper interfaces on the new cluster member are configured as cluster interfaces if the cluster mode is Load Sharing or New High Availability.
Install the Security Policy on the cluster. The new member is now part of the cluster.
The Sticky Decision Function
avoids Asymmetric Routing, but disables acceleration technologies.
Secondary and Standby Security Management Servers
This transition from Standby to Active must be initiated manually.
Synchronizing Management HA Active and Standby Servers
Automatic or Manual
For Management HA to function properly, the following data is backed up and synchronized:
Network Security Management Databases (such as the Network Objects, policy settings, and the Security Policy itself)
Configuration and Internal Certificate Authority (ICA) data (such as Objects and Users databases, certificate information, and the CRL, which is available to be fetched by the Check Point Security Gateways)
Endpoint Security databases, if applicable
Synchronization Status management HA
Never been synchronized
Synchronized
Lagging
Advanced
OPSEC Certified HA and Load Sharing products
Decide which cluster member will deal with each connection.
Perform health checks
Perform failover
Virtual Routing Redundancy Protocol (VRRP)
VRRP is a network management protocol that is used to increase the availability of default gateway servicing hosts on the same subnet.
VRRP Types
Simple Monitored Circuit VRRP
Advanced VRRP
Advanced VRRP can be configured via WebUI or CLI
set vrrp interface VALUE
show vrrp interface VALUE
SecureXL
Check Point security acceleration technology that accelerates multiple, intensive security operations, including operations carried out by Check Point’s
SecureXL traffic flow
Firewall Path (Slow) — Packets and connections that are inspected by the Firewall. These packets and connections are not processed by SecureXL. This path is also referred to as the Slow Path.
Accelerated Path — Packets and connections that are offloaded from the Firewall to SecureXL. These packets and connections are quickly processed.
Medium Path — Packets that cannot use the accelerated path because they require deeper inspection. Although it is not necessary for the Firewall to inspect these packets, they can be offloaded by another feature. For example, packets that are examined by IPS cannot use the accelerated path and can be offloaded to the IPS Passive Streaming Library (PSL), which provides stream reassembly for TCP connections. As a result, SecureXL processes these packets quicker than packets on the slow path.
Packet Acceleration requires
Source address Destination address Source port Destination port Protocol
Secure XL session acceleration
To accelerate the rate of new connections, connections that do not match a specified 5-attributes are still processed by SecureXL by leveraging templates
SecureXL connection templates
Accept Templates
Drop Templates
NAT Templates
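The packet-acceleration and template entries above, modelled as an added example (not Check Point's code). A connection is the 5-tuple the page lists; the first packet of an unknown connection walks the rule base in the slow path, and when the matching rule can be expressed as a template the model keeps an accept or drop template keyed on the four attributes other than the source port, so later connections that differ only in source port are decided in the accelerated path. Rules, the `templatable` flag and the traffic are constructed sample data.

```python
"""Added example, not Check Point's code: a toy model of SecureXL session
acceleration.  A connection is the 5-tuple (src, dst, sport, dport, proto).
The first packet of an unknown connection is matched against the rule base in
the slow path; when the matching rule can be expressed as a template, SecureXL
keeps an accept (or drop) template keyed on the 4 attributes other than the
source port, so later connections that differ only in source port are decided
in the accelerated path without another rule base walk.  Packets of already
known connections are handled from the connection table.  Rules and traffic
below are constructed sample data."""
from collections import namedtuple
import ipaddress

Conn = namedtuple("Conn", "src dst sport dport proto")

# (src network, dst network, dport or None, proto or None, action, templatable)
# `templatable=False` stands for rules that SecureXL cannot turn into a
# template (for example a rule handled by a Security Server); every new
# connection matching such a rule keeps going through the slow path.
RULES = [
    ("10.1.0.0/16", "10.2.0.0/16", 443, "tcp", "accept", True),
    ("10.1.0.0/16", "10.2.0.0/16", 25, "tcp", "accept", False),
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "drop", True),   # cleanup rule
]


class SecureXLModel:
    def __init__(self, rules):
        self.rules = rules
        self.templates = {}    # (src, dst, dport, proto) -> action
        self.connections = {}  # full 5-tuple -> action
        self.stats = {"slow_path": 0, "accelerated": 0, "template_drop": 0}

    def _rulebase_lookup(self, c):
        """Slow path: first-match walk of the rule base."""
        for src_net, dst_net, dport, proto, action, templatable in self.rules:
            if (ipaddress.ip_address(c.src) in ipaddress.ip_network(src_net)
                    and ipaddress.ip_address(c.dst) in ipaddress.ip_network(dst_net)
                    and dport in (None, c.dport)
                    and proto in (None, c.proto)):
                return action, templatable
        return "drop", True   # implicit cleanup

    def packet(self, c):
        if c in self.connections:            # known connection: connection table hit
            self.stats["accelerated"] += 1
            return self.connections[c]
        key = (c.src, c.dst, c.dport, c.proto)   # template key: 5-tuple minus sport
        if key in self.templates:
            action = self.templates[key]
            self.stats["accelerated" if action == "accept" else "template_drop"] += 1
        else:
            action, templatable = self._rulebase_lookup(c)
            self.stats["slow_path"] += 1
            if templatable:
                self.templates[key] = action
        if action == "accept":
            self.connections[c] = action
        return action


# Constructed traffic: 3 HTTPS connections, a second packet of the first one,
# 2 SMTP connections (non-templatable rule) and 2 SSH attempts (cleanup rule).
SAMPLE = [
    Conn("10.1.1.5", "10.2.0.10", 40001, 443, "tcp"),
    Conn("10.1.1.5", "10.2.0.10", 40002, 443, "tcp"),
    Conn("10.1.1.5", "10.2.0.10", 40003, 443, "tcp"),
    Conn("10.1.1.5", "10.2.0.10", 40001, 443, "tcp"),
    Conn("10.1.1.5", "10.2.0.20", 40010, 25, "tcp"),
    Conn("10.1.1.5", "10.2.0.20", 40011, 25, "tcp"),
    Conn("10.1.1.5", "10.2.0.10", 40020, 22, "tcp"),
    Conn("10.1.1.5", "10.2.0.10", 40021, 22, "tcp"),
]


def run(traffic=SAMPLE, rules=RULES):
    """Returns (per-packet actions, path statistics, number of templates)."""
    sxl = SecureXLModel(rules)
    actions = [sxl.packet(c) for c in traffic]
    return actions, sxl.stats, len(sxl.templates)


if __name__ == "__main__":
    actions, stats, ntemplates = run()
    print(actions, stats, ntemplates)
```

On the sample only the first HTTPS connection and the first SSH attempt walk the rule base; the rest are decided by the two templates or the connection table, while every SMTP connection stays in the slow path because its rule cannot be templated. That is the pattern `fwaccel stat` exposes on a real gateway when it reports the rule at which templating is disabled.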
VPN Link Selection
allows multiple external interfaces to be configured for tunneling the VPN packets.
Dynamic VPN Routing
allow the VPN domain to be determined dynamically instead of configuring a static VPN domain.
Wire Mode Connections
allows trusted traffic to pass through without Stateful Inspection.
CoreXL default number of cores
The default number of kernel instances is derived from the total number of cores in the system.
Secure Network Distributor (SND)
Processing incoming traffic from the network interfaces.
Accelerating authorized packets (if SecureXL is running).
Distributing non accelerated packets among kernel instances
Dynamic Dispatcher
Helps to improve load distribution and mitigates connectivity issues during traffic peaks
fw ctl multik stat
distribution of connections across all CoreXL Firewall instances
Firewall Priority Queues
Prioritizes traffic when the CPU cores are 100% utilized and packets need to be dropped.
Priorities packets based on the connection type
How does CoreXL improve network performance
CoreXL acts as a load balancer and improves Security Gateway performance in situations where much of the traffic cannot be accelerated by SecureXL or when the gateway has many IPS features enabled, which disables SecureXL functionality
When should you consider using Multi-Queue
- The CPU load for SND is high (idle is < 20%).
- The CPU load for CoreXL Firewall instances is low (idle is > 50%).
- There are no CPU cores left to be assigned to the SND by changing interface affinity.
SmartEvent clients manage the SmartEvent server and provide an overview of security information for an organization's environment.
SmartConsole — installed as an external application
SmartEvent GUI — requires client installation
SmartView Web application
SmartEvent Deployment
standalone = on the management server
distributed = separate boxes
SmartEvent uses the following procedures to identify events:
Matching a log against global exclusions
Matching a log against each event definition
Creating an event candidate
Updating an event
SmartEvent Event Definition
contains a filter which is comprised of multiple criteria that must be found in any matching log
SmartEvent Event Candidate
- Event Candidate allow SmartEvent to track logs until an event threshold is crossed and an event is generated.
- Each event definition may have multiple event candidates.
What happens when a candidate becomes an event
Correlation Unit forwards the event to the Event Database.
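The four identification steps above, run as a toy Correlation Unit over constructed log records; this is an added example and not SmartEvent's code. A log is first tested against the global exclusions, then against every event definition's filter; a match opens or updates an event candidate keyed by the definition's grouping field, and when the candidate reaches its threshold inside the time window it becomes an event that would be forwarded to the SmartEvent Server. The field names, the two event definitions, the exclusion and the log lines are invented sample data, not the real SmartEvent schema.

```python
"""Added example, not SmartEvent's code: a toy Correlation Unit that applies
the four steps above to constructed log records.  A log is first tested against
the global exclusions, then against every event definition's filter; a match
opens or updates an event candidate keyed by the definition's grouping field,
and when the candidate reaches its threshold inside the time window it becomes
an event that would be forwarded to the SmartEvent Server.  Field names,
definitions and log lines are invented sample data, not the real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Global exclusions: logs matching any of these never create or update candidates.
EXCLUSIONS = [{"src": "10.0.0.5"}]   # an authorised vulnerability scanner

EVENT_DEFINITIONS = [
    {"name": "Port Scan", "filter": {"action": "Drop"}, "group_by": "src",
     "threshold": 3, "window": timedelta(seconds=60), "severity": "Medium"},
    {"name": "Critical IPS Hit", "filter": {"blade": "IPS", "severity": "Critical"},
     "group_by": "src", "threshold": 1, "window": timedelta(seconds=1),
     "severity": "Critical"},
]


def matches(log, criteria):
    """All criteria must be present in the log with the same value."""
    return all(log.get(k) == v for k, v in criteria.items())


class CorrelationUnit:
    def __init__(self, definitions, exclusions):
        self.definitions = definitions
        self.exclusions = exclusions
        self.candidates = defaultdict(list)   # (definition, group value) -> log times
        self.events = []

    def process(self, log):
        """Returns the names of the event definitions that fired on this log."""
        if any(matches(log, ex) for ex in self.exclusions):
            return []
        fired = []
        for d in self.definitions:
            if not matches(log, d["filter"]):
                continue
            key = (d["name"], log[d["group_by"]])
            times = self.candidates[key]
            times.append(log["time"])
            times[:] = [t for t in times if log["time"] - t <= d["window"]]  # slide window
            if len(times) >= d["threshold"]:
                self.events.append({"name": d["name"], "severity": d["severity"],
                                    d["group_by"]: log[d["group_by"]],
                                    "count": len(times), "time": log["time"]})
                times.clear()          # candidate consumed; the next log starts a new one
                fired.append(d["name"])
        return fired


T0 = datetime(2024, 1, 1, 12, 0, 0)


def _log(offset, src, dport, action, blade="Firewall", severity="Low"):
    return {"time": T0 + timedelta(seconds=offset), "src": src, "dst": "10.1.1.25",
            "dport": dport, "action": action, "blade": blade, "severity": severity}


# Constructed log stream
LOGS = [
    _log(0, "192.168.3.5", 22, "Drop"),
    _log(5, "192.168.3.5", 23, "Drop"),
    _log(10, "192.168.3.5", 25, "Drop"),                        # 3rd drop in 60 s -> Port Scan
    _log(15, "10.0.0.5", 445, "Drop"),                          # excluded scanner
    _log(20, "192.168.3.7", 80, "Accept"),
    _log(25, "192.168.3.7", 80, "Drop", blade="IPS", severity="Critical"),  # IPS event
    _log(200, "192.168.3.5", 22, "Drop"),
    _log(205, "192.168.3.5", 23, "Drop"),
    _log(300, "192.168.3.5", 25, "Drop"),                       # outside the window: no event
]


def run(logs=LOGS):
    cu = CorrelationUnit(EVENT_DEFINITIONS, EXCLUSIONS)
    for log in sorted(logs, key=lambda l: l["time"]):
        cu.process(log)
    return cu.events
```

The three drops at 200, 205 and 300 seconds never become an event because the sliding window keeps only the last one; that is the threshold and window interplay an administrator tunes in the event definition's properties.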
SmartEvent Event Queries
A view is an interactive dashboard made up of widgets
Remediating Security Events
Threshold Severity Automatic reactions Exceptions Working hours
VPN Installation Options
- Client-based — In this solution, the client application is installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer or device. The client supplies access to most types of corporate resources according to the access privileges of the user.
- Clientless — In this solution, users connect through a web browser and use HTTPS connections instead of connecting through a managed device. Clientless solutions usually supply access to web-based corporate resources.
- On Demand Client — This remote access solution blends the first two options. A user connects with a web browser and installs a client when necessary. The client supplies access privileges to most types of corporate resources according to the access privileges of the user.
IPSEC VPN how and what?
In a Layer 3 VPN solution, a resident VPN client is needed, which creates the Layer 3 virtual interface that any application can use. Better for managed devices
SSL VPN how and what
only require a browser on the client side and allow mobile devices with a dedicated application to access corporate resources without establishing a VPN tunnel. Better for unmanaged devices
Mobile Access Portal
clientless SSL VPN solution,requires a Mobile Access Software Blade license on the Security Gateway. used for web-based corporate resources
SSL Network Extender (SNX)
thin SSL VPN on-demand client
a browser plug-in has 2 modes:
1.Network — Users can access all native IP-based and web-based applications in the internal network. Admin needs to define apps
2. Application — Users can access most native IP-based and web-based application types in the internal network. Admin needs to define apps
Three main Clients Mobile Access
Check Point Mobile for Windows: IPSec, requires IPSec and mobile access software blade license
Check Point Mobile for iPhone and iPad: SSL required mobile access blade license
Check Point Mobile for Android: SSL required mobile access blade license
Two additional client options
Check Point Capsule Workspace: Provides access separate applications
SecuRemote: limited function IPSec VPN, requires IPSec blade license
Check Point Capsule
Secure container with IAM control; helps control company data on personal devices
Capsule Workspace
Capsule Docs
Capsule Cloud
Capsule Connect
Provide access to any application and uses IPSec vs SSL for capsule, but no data isolation
Capsule Docs
Capsule Connect
Classify — Define a set of permissions, which may include markings such as headers, footers, and watermarks.
Share — Decide with whom to share the document.
Encrypt — Apply encryption (AES256 + RSA2048) to the document so that it is protected and accessed only by the authorized users and groups.
Offers cloud deployment
Capsule Cloud
Capsule Cloud utilizes Check Point Software Blade solutions as a cloud-based service. Capsule Cloud enforces the organization's in-network Security Policy on both on- and off-premise devices. It helps the enterprise protect employees using laptops and mobile devices when they are outside the secured office environment.
Capsule Cloud
Set up policies for URL Filtering, Threat Prevention, and HTTPS Inspection
View user traffic and audit logs
Manage users and offices
Download Capsule Cloud applications and utilities
Change client and device settings
Access Capsule Cloud utilities
Determine location of roaming clients (via the Location Awareness feature)
Check Point Mobile Access Software Blade
allows mobile and remote workers to easily and securely connect to the corporate network from any location. data is decrypted, filtered, and inspected in real-time by Check Point’s gateway security services. Can enforce security posture of the device
Mobile Access User Authentication types
Certificate (Internal or External Certificate Authority) RADIUS server SecurID Username and password (internal, LDAP) Dynamic ID One-Time Password (OTP)
Mobile Access Security
Server Side Security:
Mobile Access uses IPS Web Intelligence to protect the network from web-related threats and attacks
Client Side:
can scan endpoint devices to verify their security compliance and make sure that their protections are up-to-date.
Mobile Access Policy (Firewall)
The Mobile Access Policy defines how remote users can securely access internal company applications and resources using mobile devices. Mobile Access Policy rules are defined and unified in the Access Control policy. This includes all rules related to the Mobile Access Portal, Capsule Workspace, and on-demand clients.
Mobile Access in the Access Control Policy
- The Mobile Access Software Blade must be enabled.
- Security Gateways with Mobile Access enabled, are automatically added to the Remote Access VPN Community.
- Mobile Access applications must be defined.
Other application objects cannot be used for Mobile Access. - Create access roles to give access to resources through specified remote access clients.
Mobile Access policy best practices
- Place Mobile Access rules that authorize applications above rules that contain a related service.
- Create an inline layer for Mobile Access rules.
When creating rules, do not use a Security Gateway as the destination.
What is the difference between an SSL VPN and an IPSec VPN?
- In the SSL VPN solution, users can connect securely to business web-based applications through a web portal, which can be accessed using a web browser. This solution does not require users to install a VPN agent or client and can be configured to enforce two-factor authentication.
- IPSec, Layer 3 VPN requires remote workers to install a VPN client before gaining access to corporate resources. Once a user installs the client, the Layer 3 VPN provides a secured connection to both web-based and native business applications.
How do Capsule Docs and Capsule Workspace work together?
As business documents are edited and viewed on personal devices using Capsule Workspace, Capsule Docs protects business data and documents no matter where it is transmitted.
Intrusion Prevention System (IPS)
Protects users from malware on legitimate websites, controls network usage of selected applications, and more.
Intrusion Prevention System (IPS) managed by what policy
Threat Prevention policy
What command do you use to import or export IPS profiles
ips_export_import
Geo-Protection
- Enforces or monitors traffic based on the source or destination country.
- A valid IPS contract and an IPS Software Blade license is required.
- The IP-To-Country database is downloaded to the gateway from a Check Point data center.
Geo-Protection logs are aggregated by default.
Antivirus
- Protects the network from malware attacks (worms, viruses, backdoors).
- Uses threat intelligence from ThreatCloud.
- Scans incoming files for malicious signatures.
- Updates ThreatCloud with any newly detected malware.
- Blocks access to websites with known connections to malware.
Anti-Bot
Check Point’s Anti-Bot Software Blade identifies bot-infected machines using the ThreatSpect engine to analyze network traffic. The engine:
Performs a reputation check.
Reviews network signatures.
Searches for suspicious activity.
Sandboxing
- Used to catch zero-day attacks and APTs.
- Files are hosted and executed in a secured environment and then observed for suspicious routines.
Two types of sandboxing
OS-Level
CPU-Level
OS-Level Sandboxing
Emulates a standard operating system in an isolated environment to execute and screen files.
How to avoid OS-Level Sandboxing
Delaying launch of a payload.
Searching for virtual machine indicators.
Checking for human interaction activities that are difficult to replicate virtually.
OS fingerprinting.
CPU-Level Sandboxing
Addresses the limitations of traditional (OS-level) sandboxing by monitoring exploit execution at the CPU instruction level, looking for signs of exploit methods rather than waiting for the malware itself to run.
CPU Level Sandboxing Stages
- Finding Vulnerability
- Using an Exploit Method
- Running a Shellcode
- Running the Malware
SandBlast Zero-Day
Check Point’s solution for zero-day attacks
SandBlast Components
Threat Emulation
Threat Extraction
Threat Cloud
Mail Transfer Agent
SandBlast Threat Emulation
Performs both CPU-Level and OS-Level inspection of files.
SandBlast Threat Extraction
Threat Extraction provides users with a sanitized, reconstructed document using only safe elements.
Threat Extraction is typically used for incoming emails only; however, it can be used for outgoing emails as well. It supports widely used document file types, such as PDF and MS Word documents.
Threat Cloud
Consolidates information from sources such as:
- Signature and reputation data from different Check Point systems.
- External intelligence sources.
- Data and research from Check Point's Vulnerability Research and Incident Response teams.
(Keeps SandBlast up to date)
Mail Transfer Agent
Ensures that full emulation occurs without disruption.
Prevents email server timeout during emulation.
Manages the emulation of SMTP traffic.
SandBlast Appliances Deploy in what 2 modes
Inline or Prevent
Detect Only
SandBlast Cloud Deployment Options are:
Detect Mode: in Detect mode, incoming emails go straight to the inbox without interference
Prevent Mode: in Prevent mode, incoming emails are directed to a temporary quarantine folder within Office 365
Hybrid Deployment- on-premise Exchange server and Cloud Office 365 can use the following options for a hybrid deployment:
SandBlast Agent
Extends SandBlast Protection to end-users.
How does SandBlast Threat Emulation and Threat Extraction prevent threats like zero-day attacks and APT?
To prevent these threats, Threat Emulation performs CPU-level inspection of incoming files to look for signs of exploit methods. It runs the inspection in a sandbox environment, away from the organization’s network. If files exhibit malicious routines, Threat Emulation deletes them promptly.
While Threat Emulation performs the inspection, Threat Extraction provides a clean, sanitized version of the file. This is to avoid any disruption to the company’s daily operations.
How does IPS complement the Firewall Software Blade when it comes to preventing threats?
While Firewall blocks network traffic based on source, destination, and port information, IPS analyzes its contents. This is to prevent threats such as drive by download, which are known to hide malicious codes behind hijacked, legitimate websites.