A. VPN key
B. VPN community
C. VPN trust entities
D. VPN domain
Correct Answer: A
Explanation/Reference:
VPN key (not to be confused with the pre-shared key that is used for authentication).
VPN trust entities, such as a Check Point Internal Certificate Authority (ICA). The ICA is part of the Check
Point suite used for creating SIC trusted connection between Security Gateways, authenticating administrators
and third party servers. The ICA provides certificates for internal Security Gateways and remote access clients
which negotiate the VPN link.
VPN Domain - A group of computers and networks connected to a VPN tunnel by one VPN gateway that
handles encryption and protects the VPN Domain members.
VPN Community - A named collection of VPN domains, each protected by a VPN gateway.
http://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13868.htm
QUESTION 2
Two administrators Dave and Jon both manage R80 Management as administrators for ABC Corp. Jon logged
into the R80 Management and then shortly after Dave logged in to the same server. They are both in the
Security Policies view. From the screenshots below, why does Dave not have the rule no.6 in his SmartConsole
view even though Jon has it in his SmartConsole view?
A. Jon is currently editing rule no.6 but has Published part of his changes.
B. Dave is currently editing rule no.6 and has marked this rule for deletion.
C. Dave is currently editing rule no.6 and has deleted it from his Rule Base.
D. Jon is currently editing rule no.6 but has not yet Published his changes.
Correct Answer: D
Explanation/Reference:
When an administrator logs in to the Security Management Server through SmartConsole, a new editing
session starts. The changes that the administrator makes during the session are only available to that
administrator. Other administrators see a lock icon on objects and rules that are being edited. To make changes
available to all administrators, and to unlock the objects and rules that are being edited, the administrator must
publish the session.
http://dl3.checkpoint.com/paid/74/74d596decb6071a4ee642fbdaae7238f/CP_R80_SecurityManagement_AdminGuide.pdf?
QUESTION 3
Vanessa is firewall administrator in her company; her company is using Check Point firewalls on central and
remote locations, which are managed centrally by R80 Security Management Server. One central location has
an installed R77.30 Gateway on Open server. Remote location is using Check Point UTM-1 570 series
appliance with R71. Which encryption is used in Secure Internal Communication (SIC) between central
management and firewall on each location?
A. On central firewall AES128 encryption is used for SIC, on Remote firewall 3DES encryption is used for SIC.
B. On both firewalls, the same encryption is used for SIC. This is AES-GCM-256.
C. The Firewall Administrator can choose which encryption suite will be used by SIC.
D. On central firewall AES256 encryption is used for SIC, on Remote firewall AES128 encryption is used for
SIC.
Correct Answer: A
Explanation/Reference:
Gateways above R71 use AES128 for SIC. If one of the gateways is R71 or below, the gateways use 3DES.
http://dl3.checkpoint.com/paid/74/74d596decb6071a4ee642fbdaae7238f/CP_R80_SecurityManagement_AdminGuide.pdf?
QUESTION 4
Review the following screenshot and select the BEST answer.
A. Data Center Layer is an inline layer in the Access Control Policy.
B. By default all layers are shared with all policies.
C. If a connection is dropped in Network Layer, it will not be matched against the rules in Data Center Layer.
D. If a connection is accepted in Network-layer, it will not be matched against the rules in Data Center Layer.
Correct Answer: C
Explanation/Reference:
QUESTION 5
Which of the following is NOT a SecureXL traffic flow?
A. Medium Path
B. Accelerated Path
C. Fast Path
D. Slow Path
Correct Answer: C
Explanation/Reference:
SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise
security. When SecureXL is enabled on a Security Gateway, some CPU intensive operations are processed by
virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more
efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
Slow path - Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
Accelerated path - Packets and connections that are offloaded to SecureXL and are not processed by the
Firewall.
Medium path - Packets that require deeper inspection cannot use the accelerated path. It is not necessary for
the Firewall to inspect these packets, they can be offloaded and do not use the slow path. For example,
packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL
(Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92711.htm
QUESTION 6
Which of the following Automatically Generated Rules NAT rules have the lowest implementation priority?
Correct Answer: BC
Explanation/Reference:
SmartDashboard organizes the automatic NAT rules in this order:
1. Static NAT rules for Firewall, or node (computer or server) objects
2. Hide NAT rules for Firewall, or node objects
3. Static NAT rules for network or address range objects
4. Hide NAT rules for network or address range objects
https://sc1.checkpoint.com/documents/R77/CP_R77_Firewall_WebAdmin/6724.htm
QUESTION 7
Fill in the blanks: VPN gateways authenticate using _____ and _____.
A. Passwords; tokens
B. Certificates; pre-shared secrets
C. Certificates; passwords
D. Tokens; pre-shared secrets
Correct Answer: B
Explanation/Reference:
VPN gateways authenticate using Digital Certificates and Pre-shared secrets.
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/85469.htm
QUESTION 8
In R80 spoofing is defined as a method of:
A. Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
B. Hiding your firewall from unauthorized users.
C. Detecting people using false or wrong authentication logins
D. Making packets appear as if they come from an authorized IP address.
Correct Answer: D
Explanation/Reference:
IP spoofing replaces the untrusted source IP address with a fake, trusted one, to hijack connections to your
network. Attackers use IP spoofing to send malware and bots to your protected network, to execute DoS
attacks, or to gain unauthorized access.
http://dl3.checkpoint.com/paid/74/74d596decb6071a4ee642fbdaae7238f/CP_R80_SecurityManagement_AdminGuide.pdf?
QUESTION 9
Fill in the blank: The _____ is used to obtain identification and security information about network users.
A. User Directory
B. User server
C. UserCheck
D. User index
Correct Answer: A
Explanation/Reference:
https://www.checkpoint.com/downloads/product-related/datasheets/DS_UserDirectorySWB.pdf
QUESTION 10
Which Check Point feature enables application scanning and detection?
A. Application Dictionary
B. AppWiki
C. Application Library
D. CPApp
Correct Answer: B
Explanation/Reference:
AppWiki Application Classification Library - AppWiki enables application scanning and detection of more than
5,000 distinct applications and over 300,000 Web 2.0 widgets including instant messaging, social networking,
video streaming, VoIP, games and more.
https://www.checkpoint.com/products/application-control-software-blade/
QUESTION 11
DLP and Geo Policy are examples of what type of Policy?
A. Standard Policies
B. Shared Policies
C. Inspection Policies
D. Unified Policies
Correct Answer: B
Explanation/Reference:
The Shared policies are installed with the Access Control Policy.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 12
In which deployment is the security management server and Security Gateway installed on the same
appliance?
A. Bridge Mode
B. Remote
C. Standalone
D. Distributed
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_GuidewebAdmin/89230.htm#o98246
QUESTION 13
Fill in the blank: A _____ VPN deployment is used to provide remote users with secure access to
internal corporate resources by authenticating the user through an internet browser.
A. Clientless remote access
B. Clientless direct access
C. Client-based remote access
D. Direct access
Correct Answer: A
Explanation/Reference:
Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually
supply access to web-based corporate resources.
https://sc1.checkpoint.com/documents/R80/CP_R80BC_Firewall/html_frameset.htm?topic=documents/R80/CP_R80BC_Firewall/92704
QUESTION 14
Which of the following statements is TRUE about R80 management plug-ins?
Correct Answer: C
Explanation/Reference:
QUESTION 15
Fill in the blank: Gaia can be configured using the _____ or _____.
Correct Answer: C
Explanation/Reference:
Configuring Gaia for the First Time
In This Section:
Running the First Time Configuration Wizard in WebUI
Running the First Time Configuration Wizard in CLI
After you install Gaia for the first time, use the First Time Configuration Wizard to configure the system and the
Check Point products on it.
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/112568
QUESTION 16
Where can you trigger a failover of the cluster members?
1. Log into Security Gateway CLI and run command clusterXL_admin down.
2. In SmartView Monitor right-click the Security Gateway member and select Cluster member down.
3. Log into Security Gateway CLI and run command cphaprob down.
A. 1, 2, and 3
B. 2 and 3
C. 1 and 2
D. 1 and 3
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7298.htm
QUESTION 17
Which utility allows you to configure the DHCP service on GAIA from the command line?
A. ifconfig
B. dhcp_cfg
C. sysconfig
D. cpconfig
Correct Answer: C
Explanation/Reference:
Sysconfig Configuration Options
https://sc1.checkpoint.com/documents/R76/CP_R76_Splat_AdminGuide/51548.htm
========
NOTE: Question must be wrong because no answer is possible for a GAIA system; this must be the SPLAT version.
DHCP CLI configuration for GAIA
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/73181.htm#o80096
========
R80.10 Gaia Admin Guide:
Configuring a DHCP Server – CLI (dhcp)
DHCP Server commands allow you to configure the Gaia device as DHCP server for network hosts.
QUESTION 18
Which VPN routing option uses VPN routing for every connection a satellite gateway handles?
Correct Answer: D
Explanation/Reference:
On the VPN Routing page, enable the VPN routing for satellites section, by selecting one of these options:
- To center and to other Satellites through center; this allows connectivity between Gateways; for example, if the spoke Gateways are DAIP Gateways, and the hub is a Gateway with a static IP address.
- To center, or through the center to other satellites, to Internet and other VPN targets; this allows connectivity between the Gateways, as well as the ability to inspect all communication passing through the hub to the Internet.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk31021
QUESTION 19
Which product correlates logs and detects security threats, providing a centralized display of potential attack
patterns from all network devices?
A. SmartView Monitor
B. SmartEvent
C. SmartUpdate
D. SmartDashboard
Correct Answer: B
Explanation/Reference:
SmartEvent correlates logs from all Check Point enforcement points, including end-points, to identify suspicious
activity from the clutter. Rapid data analysis and custom event logs immediately alert administrators to
anomalous behavior such as someone attempting to use the same credential in multiple geographies
simultaneously.
https://www.checkpoint.com/products/smartevent/
QUESTION 20
What will be the effect of running the following command on the Security Management Server?
A. Remove the installed Security Policy.
B. Remove the local ACL lists.
C. No effect.
D. Reset SIC on all gateways.
Correct Answer: A
Explanation/Reference:
This command uninstalls the security policy that is currently installed.
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/6751.htm
QUESTION 21
An administrator is creating an IPsec site-to-site VPN between his corporate office and branch office. Both
offices are protected by Check Point Security Gateway managed by the same Security Management Server.
While configuring the VPN community to specify the pre-shared secret, the administrator found that the check
box to enable pre-shared secret is shared and cannot be enabled. Why does it not allow him to specify the
preshared secret?
Correct Answer: C
Explanation/Reference:
QUESTION 22
You are the senior Firewall administrator for ABC Corp., and have recently returned from a training course on
Check Point's new advanced R80 management platform. You are presenting an in-house overview of the new
features of Check Point R80 Management to the other administrators in ABC Corp.
How will you describe the new “Publish” button in R80 Management Console?
A. The Publish button takes any changes an administrator has made in their management session, publishes
a copy to the Check Point of R80, and then saves it to the R80 database.
B. The Publish button takes any changes an administrator has made in their management session and
publishes a copy to the Check Point Cloud of R80 and but does not save it to the R80
C. The Publish button makes any changes an administrator has made in their management session visible to
all other administrator sessions and saves it to the Database.
D. The Publish button makes any changes an administrator has made in their management session visible to
the new Unified Policy session and saves it to the Database.
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 23
Which of the following ClusterXL modes uses a non-unicast MAC address for the cluster IP address?
A. High Availability
B. Load Sharing Multicast
C. Load Sharing Pivot
D. Master/Backup
Correct Answer: B
Explanation/Reference:
ClusterXL uses the Multicast mechanism to associate the virtual cluster IP addresses with all cluster members.
By binding these IP addresses to a Multicast MAC address, it ensures that all packets sent to the cluster, acting
as a gateway, will reach all members in the cluster.
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm
QUESTION 24
Fill in the blank: With the User Directory Software Blade, you can create R80 user definitions on a(an) _____ Server.
A. NT domain
B. SMTP
C. LDAP
D. SecurID
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 25
Which of the following is NOT a component of a Distinguished Name?
A. Organizational Unit
B. Country
C. Common name
D. User container
Correct Answer: D
Explanation/Reference:
Distinguished Name Components
CN=common name, OU=organizational unit, O=organization, L=locality, ST=state or province, C=country name
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/71950
QUESTION 26
What are the three authentication methods for SIC?
A. Passwords, Users, and standards-based SSL for the creation of security channels
B. Certificates, standards-based SSL for the creation of secure channels, and 3DES or AES128 for encryption
C. Packet Filtering, certificates, and 3DES or AES128 for encryption
D. Certificates, Passwords, and Tokens
Correct Answer: B
Explanation/Reference:
Secure Internal Communication (SIC) lets Check Point platforms and products authenticate with each other.
The SIC procedure creates a trusted status between gateways, management servers and other Check Point
components. SIC is required to install policies on gateways and to send logs between gateways and
management servers.
These security measures make sure of the safety of SIC:
Certificates for authentication
Standards-based SSL for the creation of the secure channel
3DES for encryption
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/71950
QUESTION 27
You have enabled “Full Log” as a tracking option to a security rule. However, you are still not seeing any data
type information. What is the MOST likely reason?
A. Logging has disk space issues. Change logging storage options on the logging server or Security
Management Server properties and install database.
B. Data Awareness is not enabled.
C. Identity Awareness is not enabled.
D. Logs are arriving from Pre-R80 gateways.
Correct Answer: A
Explanation/Reference:
The most likely reason for the logs data to stop is the low disk space on the logging device, which can be the
Management Server or the Gateway Server.
QUESTION 28
What is the order of NAT priorities?
Correct Answer: A
Explanation/Reference:
The order of NAT priorities is: 1. Static NAT 2. IP Pool NAT 3. Hide NAT
Since Static NAT has all of the advantages of IP Pool NAT and more, it has a higher priority than the other NAT
methods.
https://sc1.checkpoint.com/documents/R77/CP_R77_Firewall_WebAdmin/6724.htm#o6919
QUESTION 29
Which of the following is an identity acquisition method that allows a Security Gateway to identify Active
Directory users and computers?
A. UserCheck
B. Active Directory Query
C. Account Unit Query
D. User Directory Query
Correct Answer: B
Explanation/Reference:
AD Query extracts user and computer identity information from the Active Directory Security Event Logs. The
system generates a Security Event log entry when a user or computer accesses a network resource. For
example, this occurs when a user logs in, unlocks a screen, or accesses a network drive.
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62402.htm
QUESTION 30
Ken wants to obtain a configuration lock from another administrator on R80 Security Management Server. He
can do this via WebUI or via CLI. Which command should he use in CLI? Choose the correct answer.
Correct Answer: D
Explanation/Reference:
The commands do the same thing: obtain the configuration lock from another administrator.
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm#o73091
QUESTION 31
Examine the following Rule Base.
What can we infer about the recent changes made to the Rule Base?
Explanation/Reference:
At the top of the screenshot there is a number "8", which represents the number of changes made and not saved.
Session Management Toolbar (top of SmartConsole)
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/117948
QUESTION 32
ALPHA Corp has a new administrator who logs into the Gaia Portal to make some changes. He realizes that
even though he has logged in as an administrator, he is unable to make any changes because all configuration
options are greyed out as shown in the screenshot image below. What is the likely cause for this?
Explanation/Reference:
There is a lock on top left side of the screen. B is the logical answer.
QUESTION 33
Administrator Kofi has just made some changes on his Management Server and then clicks on the Publish
button in SmartConsole but then gets the error message shown in the screenshot below.
Where can the administrator check for more information on these errors?
Correct Answer: B
Explanation/Reference:
Validation Errors
The validations pane in SmartConsole shows configuration error messages. Examples of errors are object
names that are not unique, and the use of objects that are not valid in the Rule Base.
To publish, you must fix the errors.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 34
You are working with multiple Security Gateways enforcing an extensive number of rules. To simplify security
administration, which action would you choose?
A. Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
B. Create a separate Security Policy package for each remote Security Gateway.
C. Create network objects that restrict all applicable rules to only certain networks.
D. Run separate SmartConsole instances to login and configure each Security Gateway directly.
Correct Answer: B
Explanation/Reference:
QUESTION 35
Harriet wants to protect sensitive information from intentional loss when users browse to a specific URL: https://personal.mymail.com, which blade will she enable to achieve her goal?
A. DLP
B. SSL Inspection
C. Application Control
D. URL Filtering
Correct Answer: A
Explanation/Reference:
Check Point revolutionizes DLP by combining technology and processes to move businesses from passive
detection to active Data Loss Prevention. Innovative MultiSpect™ data classification combines user, content
and process information to make accurate decisions, while UserCheck™ technology empowers users to
remediate incidents in real time. Check Point’s self-educating network-based DLP solution frees IT/security
personnel from incident handling and educates users on proper data handling policies—protecting sensitive
corporate information from both intentional and unintentional loss.
https://www.checkpoint.com/downloads/product-related/datasheets/DLP-software-bladedatasheet.pdf
QUESTION 36
To optimize Rule Base efficiency the most hit rules should be where?
Correct Answer: C
Explanation/Reference:
The fewer rules that have to be checked before the matching rule is found, the fewer CPU cycles the device uses. Check Point matches a session starting from the first rule at the top and continuing to the last rule at the bottom.
QUESTION 37
Which of the following is NOT a license activation method?
A. SmartConsole Wizard
B. Online Activation
C. License Activation Wizard
D. Offline Activation
Correct Answer: A
Explanation/Reference:
QUESTION 38
Which policy type has its own Exceptions section?
A. Threat Prevention
B. Access Control
C. Threat Emulation
D. Desktop Security
Correct Answer: A
Explanation/Reference:
The Exceptions Groups pane lets you define exception groups. When necessary, you can create exception
groups to use in the Rule Base. An exception group contains one or more defined exceptions. This option
facilitates ease-of-use so you do not have to manually define exceptions in multiple rules for commonly required
exceptions. You can choose to which rules you want to add exception groups. This means they can be added
to some rules and not to others, depending on necessity.
https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/82209.htm#o97030
QUESTION 39
By default, which port does the WebUI listen on?
A. 80
B. 4434
C. 443
D. 8080
Correct Answer: C
Explanation/Reference:
To configure Security Management Server on Gaia:
Open a browser to the WebUI: https://<Gaia management IP address>
https://sc1.checkpoint.com/documents/R80/CP_R80_Gaia_IUG/html_frameset.htm?topic=documents/R80/CP_R80_Gaia_IUG/132120
QUESTION 40
When doing a Stand-Alone Installation, you would install the Security Management Server with which other
Check Point architecture component?
Correct Answer: D
Explanation/Reference:
Standalone Deployment - The Security Management Server and the Security Gateway are installed on the
same computer or appliance.
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_GuidewebAdmin/86429.htm
QUESTION 41
Which options are given on features, when editing a Role on Gaia Platform?
Correct Answer: B
Explanation/Reference:
Role-based administration (RBA) lets you create administrative roles for users. With RBA, an administrator can
allow Gaia users to access specified features by including those features in a role and assigning that role to
users. Each role can include a combination of administrative (read/write) access to some features, monitoring
(read-only) access to other features, and no access to other features.
You can also specify which access mechanisms (WebUI or the CLI) are available to the user.
Note - When users log in to the WebUI, they see only those features that they have read-only or read/write
access to. If they have read-only access to a feature, they can see the settings pages, but cannot change the
settings.
Gaia includes these predefined roles:
adminRole - Gives the user read/write access to all features.
monitorRole - Gives the user read-only access to all features.
You cannot delete or change the predefined roles.
Note - Do not define a new user for external users. An external user is one that is defined on an
authentication server (such as RADIUS or TACACS) and not on the local Gaia system.
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/75930
QUESTION 42
What is the default time length that Hit Count Data is kept?
A. 3 months
B. 4 weeks
C. 12 months
D. 6 months
Correct Answer: A
Explanation/Reference:
PDF answer is D (6 months), but:
3 Months for R80.x
6 Months for R7x.x
Keep Hit Count data up to - Select one of the time range options. The default is 6 months. Data is kept in the
Security Management Server database for this period and is shown in the Hits column.
http://dl3.checkpoint.com/paid/74/74d596decb6071a4ee642fbdaae7238f/CP_R80_SecurityManagement_AdminGuide.pdf?
QUESTION 43
Choose the Best place to find a Security Management Server backup file named backup_fw, on a Check
Point Appliance.
A. /var/log/Cpbackup/backups/backup/backup_fw.tgs
B. /var/log/Cpbackup/backups/backup/backup_fw.tar
C. /var/log/Cpbackup/backups/backups/backup_fw.tar
D. /var/log/Cpbackup/backups/backup_fw.tgz
Correct Answer: D
Explanation/Reference:
Gaia's Backup feature allows backing up the configuration of the Gaia OS and of the Security Management
server database, or restoring a previously saved configuration.
The configuration is saved to a .tgz file in the following directory:
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk91400
QUESTION 44
With which command can you view the running configuration of a Gaia-based system?
A. show conf-active
B. show configuration active
C. show configuration
D. show running-configuration
Correct Answer: C
Explanation/Reference:
QUESTION 45
Which of the following is TRUE regarding Gaia command line?
A. Configuration changes should be done in mgmt_cli and use CLISH for monitoring. Expert mode is used only
for OS level tasks.
B. Configuration changes should be done in expert-mode and CLISH is used for monitoring.
C. Configuration changes should be done in mgmt-cli and use expert-mode for OS-level tasks.
D. All configuration changes should be made in CLISH and expert-mode should be used for OS-level tasks.
Correct Answer: D
Explanation/Reference:
QUESTION 46
If there are two administrators logged in at the same time to the SmartConsole, and there are objects locked for
editing, what must be done to make them available to other administrators?
Correct Answer: A
Explanation/Reference:
To make changes available to all administrators, and to unlock the objects and rules that are being edited, the
administrator must publish the session.
To make your changes available to other administrators, and to save the database before installing a policy,
you must publish the session. When you publish a session, a new database version is created.
When you select Install Policy, you are prompted to publish all unpublished changes. You cannot install a policy
if the included changes are not published.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 47
Which one of the following is the preferred licensing model?
A. Local licensing because it ties the package license to the IP-address of the gateway and has no
dependency of the Security Management Server.
B. Central licensing because it ties the package license to the IP-address of the Security Management Server
and has no dependency of the gateway.
C. Local licensing because it ties the package license to the MAC-address of the gateway management
interface and has no Security Management Server dependency.
D. Central licensing because it ties the package license to the MAC-address of the Security Management
Server Mgmt-interface and has no dependency of the gateway.
Correct Answer: B
Explanation/Reference:
Central License
A Central License is a license attached to the Security Management server IP address, rather than the gateway
IP address. The benefits of a Central License are:
Only one IP address is needed for all licenses.
A license can be taken from one gateway and given to another.
The new license remains valid when changing the gateway IP address. There is no need to create and install a
new license.
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_GuidewebAdmin/13128.htm#o13527
QUESTION 48
Tom has been tasked to install Check Point R80 in a distributed deployment. Before Tom installs the systems
this way, how many machines will he need if he does NOT include a SmartConsole machine in his
calculations?
A. One machine, but it needs to be installed using SecurePlatform for compatibility purposes.
B. One machine
C. Two machines
D. Three machines
Correct Answer: C
Explanation/Reference:
One for Security Management Server and the other one for the Security Gateway.
QUESTION 49
Fill in the blank: A new license should be generated and installed in all of the following situations EXCEPT when _____.
Correct Answer: A
Explanation/Reference:
There is no need to generate new license in this situation, just need to detach license from wrong Security
Gateway and attach it to the right one.
QUESTION 50
What is the default shell for the command line interface?
A. Expert
B. Clish
C. Admin
D. Normal
Correct Answer: B
Explanation/Reference:
The default shell of the CLI is called clish
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm
QUESTION 51
When you upload a package or license to the appropriate repository in SmartUpdate, where is the package or
license stored?
A. Security Gateway
B. Check Point user center
C. Security Management Server
D. SmartConsole installed device
Correct Answer: C
Explanation/Reference:
SmartUpdate installs two repositories on the Security Management server:
License & Contract Repository, which is stored on all platforms in the directory $FWDIR\conf\.
Package Repository, which is stored:
- on Windows machines in C:\SUroot.
- on UNIX machines in /var/suroot.
The Package Repository requires a separate license, in addition to the license for the Security Management
server. This license should stipulate the number of nodes that can be managed in the Package Repository.
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_GuidewebAdmin/13128.htm#o13527
QUESTION 52
Fill in the blank: The _____ tool generates a R80 Security Gateway configuration report.
A. infoCP
B. infoview
C. cpinfo
D. fw cpinfo
Correct Answer: C
Explanation/Reference:
CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of
execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading
files to Check Point servers).
The CPinfo output file allows analyzing customer setups from a remote location. Check Point support engineers
can open the CPinfo file in a demo mode, while viewing actual customer Security Policies and Objects. This
allows the in-depth analysis of customer's configuration and environment settings.
When contacting Check Point Support, collect the cpinfo files from the Security Management server and
Security Gateways involved in your case.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92739
QUESTION 53
Which of the following commands can be used to remove site-to-site IPSEC Security Associations (SA)?
A. vpn tu
B. vpn ipsec remove -l
C. vpn debug ipsec
D. fw ipsec tu
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_CLI_WebAdmin/12467.htm#o12627
QUESTION 54
Which of the following is NOT an authentication scheme used for accounts created through SmartConsole?
A. Security questions
B. Check Point password
C. SecurID
D. RADIUS
Correct Answer: A
Explanation/Reference:
Authentication Schemes:
- Check Point Password
- Operating System Password
- RADIUS
- SecurID
- TACACS
- Undefined: If a user with an undefined authentication scheme is matched to a Security Rule with some form of
authentication, access is always denied.
http://dl3.checkpoint.com/paid/71/How_to_Configure_Client_Authentication.pdf?
QUESTION 55
Which pre-defined Permission Profile should be assigned to an administrator that requires full access to audit
all configurations without modifying them?
A. Editor
B. Read Only All
C. Super User
D. Full Access
Correct Answer: B
Explanation/Reference:
To create a new permission profile:
1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
2. Click New Profile.
The New Profile window opens.
3. Enter a unique name for the profile.
4. Select a profile type:
Read/Write All - Administrators can make changes
Auditor (Read Only All) - Administrators can see information but cannot make changes
Customized - Configure custom settings
5. Click OK.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/124265
QUESTION 56
Packages and licenses are loaded from all of these sources EXCEPT
Explanation/Reference:
Packages and licenses are loaded into these repositories from several sources:
the Download Center web site (packages)
the Check Point DVD (packages)
the User Center (licenses)
by importing a file (packages and licenses)
by running the cplic command line
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_GuidewebAdmin/13128.htm
QUESTION 57
Which of the following technologies extracts detailed information from packets and stores that information in
state tables?
A. INSPECT Engine
B. Stateful Inspection
C. Packet Filtering
D. Application Layer Firewall
Correct Answer: A
Explanation/Reference:
The current answer is B - Stateful Inspection, but I think it may be A - INSPECT Engine. The same question is Q511.
QUESTION 58
On the following graphic, you will find layers of policies.
A. A packet arrives at the gateway, it is checked against the rules in the networks policy layer and then if
implicit Drop Rule drops the packet, it comes next to IPS layer and then after accepting the packet it passes
to Threat Prevention layer.
B. A packet arrives at the gateway, it is checked against the rules in the networks policy layer and then if there
is any rule which accepts the packet, it comes next to IPS layer and then after accepting the packet it
passes to Threat Prevention layer.
C. A packet arrives at the gateway, it is checked against the rules in the networks policy layer and then if there
is any rule which accepts the packet, it comes next to Threat Prevention layer and then after accepting the
packet it passes to IPS layer.
D. A packet arrives at the gateway, it is checked against the rules in IPS policy layer and then it comes next to
the Network policy layer and then after accepting the packet it passes to Threat Prevention layer.
Correct Answer: B
Explanation/Reference:
To simplify Policy management, R80 organizes the policy into Policy Layers. A layer is a set of rules, or a Rule
Base.
For example, when you upgrade to R80 from earlier versions:
Gateways that have the Firewall and the Application Control Software Blades enabled will have their Access
Control Policy split into two ordered layers: Network and Applications.
When the gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.
Gateways that have the IPS and Threat Emulation Software Blades enabled will have their Threat Prevention
policies split into two parallel layers: IPS and Threat Prevention.
All layers are evaluated in parallel.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 59
Tina is a new administrator who is currently reviewing the new Check Point R80 Management console
interface. In the Gateways view, she is reviewing the Summary screen as in the screenshot below. What is an
'Open Server'?
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/index.html
QUESTION 60
Choose what BEST describes the Policy Layer Traffic Inspection.
A. If a packet does not match any of the inline layers, the matching continues to the next Layer.
B. If a packet matches an inline layer, it will continue matching the next layer.
C. If a packet does not match any of the inline layers, the packet will be matched against the Implicit Clean-up
Rule.
D. If a packet does not match a Network Policy Layer, the matching continues to its inline layer.
Correct Answer: B
Explanation/Reference:
A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways
that have the Firewall and Application control blades enabled, will have their policies split into two ordered
layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades
enabled, will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80
Gateways, this basically means the same enforcement as it always was, only in a different representation in the
Security Management.
Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the
rules in the next layer.
Setting different view and edit permissions per layer for different administrator roles.
Re-using a layer in different places: The same application control layer in different policy packages ( Sharing
a layer across different policies ), or the same inline layer for different scopes.
Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will
be the set of rules that are added in each domain by the domain administrator.
R80.10 Gateways and above will have the ability to utilize layers in new ways:
Unifying all blades into a single policy (How to use the unified policy? )
Segregating a policy into more ordered layers, not necessarily by blades
Allowing sub-policies inside a rulebase, with the use of inline layers (How do I define different policies to
different users? )
In Inline Layers only traffic matched/accepted on the parent rule will reach and be inspected by the inside layer
rules.
In Ordered Layers when an accept rule from the first layer is matched, the gateway goes over the rules in the
next layer
For backward compatibility with pre-R80 gateway you will use ordered layers to manage the Firewall rule
base and Application control rule base, where first layer needs to be Firewall layer and second layer needs
to be Application control and URL Filtering layer.
During an upgrade from pre-R80 to R80 with gateways using policy packages that are using Firewall and
Application control policies, the existing policy will be separated to ordered Layer with Network Layer –
Firewall policy rules as the first layer and Application Layer – Application control policy rules as the second
layer.
Here is an example of traffic matching using
QUESTION 61
What are the three conflict resolution rules in the Threat Prevention Policy Layers?
Correct Answer: A
Explanation/Reference:
PDF answer is C-Setting, add, exception.
QUESTION 62
What does the “unknown” SIC status shown on SmartConsole mean?
A. The SMS can contact the Security Gateway but cannot establish Secure Internal Communication.
B. SIC activation key requires a reset.
C. The SIC activation key is not known by any administrator.
D. There is no connection between the Security Gateway and SMS.
Correct Answer: D
Explanation/Reference:
The most typical status is Communicating. Any other status indicates that the SIC communication is
problematic. For example, if the SIC status is Unknown then there is no connection between the Gateway and
the Security Management server. If the SIC status is Not Communicating, the Security Management server is
able to contact the gateway, but SIC communication cannot be established.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/118037
QUESTION 63
Kofi, the administrator of the ALPHA Corp network wishes to change the default Gaia WebUI Portal port
number currently set on the default HTTPS port. Which CLISH commands are required to be able to change
this TCP port?
Correct Answer: A
Explanation/Reference:
In Clish
A. Connect to command line on Security Gateway / each Cluster member.
B. Log in to Clish.
C. Set the desired port (e.g., port 4434):
HostName> set web ssl-port <Port_Number>
D. Save the changes:
HostName> save config
E. Verify that the configuration was saved:
[Expert@HostName]# grep 'httpd:ssl_port' /config/db/initial
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk83482
QUESTION 64
Fill in the blank: Browser-based Authentication sends users to a web page to acquire identities using
______.
A. User Directory
B. Captive Portal and Transparent Kerberos Authentication
C. Captive Portal
D. UserCheck
Correct Answer: B
Explanation/Reference:
To enable Identity Awareness:
1. Log in to SmartDashboard.
2. From the Network Objects tree, expand the Check Point branch.
3. Double-click the Security Gateway on which to enable Identity Awareness.
4. In the Software Blades section, select Identity Awareness on the Network Security tab.
The Identity Awareness Configuration wizard opens.
5. Select one or more options. These options set the methods for acquiring identities of managed and
unmanaged assets.
AD Query - Lets the Security Gateway seamlessly identify Active Directory users and computers.
Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users.
If Transparent Kerberos Authentication is configured, AD users may be identified transparently.
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62050.htm
QUESTION 65
Which default user has full read/write access?
A. Monitor
B. Altuser
C. Administrator
D. Superuser
Correct Answer: C
Explanation/Reference:
QUESTION 66
Fill in the blanks: The ______ collects logs and sends them to the ______.
Correct Answer: D
Explanation/Reference:
QUESTION 67
The Security Gateway is installed on GAIA R80. The default port for the WEB User Interface is ______.
A. TCP 18211
B. TCP 257
C. TCP 4433
D. TCP 443
Correct Answer: D
Explanation/Reference:
QUESTION 68
Fill in the blank: To build an effective Security Policy, use a ______ and ______ rule.
A. Cleanup; Stealth
B. Stealth; Implicit
C. Cleanup; Default
D. Implicit; Explicit
Correct Answer: A
Explanation/Reference:
QUESTION 69
Which type of Check Point license is tied to the IP address of a specific Security Gateway and cannot be
transferred to a gateway that has a different IP address?
A. Central
B. Corporate
C. Formal
D. Local
Correct Answer: D
Explanation/Reference:
QUESTION 70
Which utility shows the security gateway general system information statistics like operating system information
and resource usage, and individual software blade statistics of VPN, Identity Awareness and DLP?
A. cpconfig
B. fw ctl pstat
C. cpview
D. fw ctl multik stat
Correct Answer: C
Explanation/Reference:
CPView Utility is a text based built-in utility that can be run ('cpview' command) on Security Gateway / Security
Management Server / Multi-Domain Security Management Server. CPView Utility shows statistical data that
contain both general system information (CPU, Memory, Disk space) and information for different Software
Blades (only on Security Gateway). The data is continuously updated in easy to access views.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101878
QUESTION 71
The following graphic shows:
A. View from SmartLog for logs initiated from source address 10.1.1.202
B. View from SmartView Tracker for logs of destination address 10.1.1.202
C. View from SmartView Tracker for logs initiated from source address 10.1.1.202
D. View from SmartView Monitor for logs initiated from source address 10.1.1.202
Correct Answer: C
Explanation/Reference:
???
Looks like R80 Logs&Monitor
QUESTION 72
In R80, Unified Policy is a combination of
A. Access control policy, QoS Policy, Desktop Security Policy and endpoint policy.
B. Access control policy, QoS Policy, Desktop Security Policy and Threat Prevention Policy.
C. Firewall policy, address Translation and application and URL filtering, QoS Policy, Desktop Security Policy
and Threat Prevention Policy.
D. Access control policy, QoS Policy, Desktop Security Policy and VPN policy.
Correct Answer: D
Explanation/Reference:
D is the best answer given the choices.
Unified Policy
In R80 the Access Control policy unifies the policies of these pre-R80 Software Blades:
Firewall and VPN
Application Control and URL Filtering
Identity Awareness
Data Awareness
Mobile Access
Security Zones
You can create Access Control policy rules that are based on:
Services
Protocols
Applications
URLs
File types
Data types
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197&anchor=o129934
QUESTION 73
Fill in the blank: The ______ command provides the most complete restoration of a R80 configuration.
A. upgrade_import
B. cpconfig
C. fwm dbimport -p <export file>
D. cpinfo -recover
Correct Answer: A
Explanation/Reference:
Should be "migrate import". "migrate import" restores the backed-up configuration for the R80 version; in previous
versions the command was "upgrade_import".
http://dl3.checkpoint.com/paid/08/08586e2852acc054809517b267402a35/CP_R80_Gaia_InstallationAndUpgradeGuide.pdf?
QUESTION 74
The Gaia operating system supports which routing protocols?
Correct Answer: A
Explanation/Reference:
The Advanced Routing Suite CLI is available as part of the Advanced Networking Software Blade.
For organizations looking to implement scalable, fault-tolerant, secure networks, the Advanced Networking
blade enables them to run industry-standard dynamic routing protocols including BGP, OSPF, RIPv1, and
RIPv2 on security gateways. OSPF, RIPv1, and RIPv2 enable dynamic routing over a single autonomous
system—like a single department, company, or service provider—to avoid network failures. BGP provides
dynamic routing support across more complex networks involving multiple autonomous systems—such as
when a company uses two service providers or divides a network into multiple areas with different
administrators responsible for the performance of each.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecurePlatform_AdvancedRouting_WebAdmin/html_frameset.htm
QUESTION 75
Joey wants to configure NTP on R80 Security Management Server. He decided to do this via WebUI. What is
the correct address to access the Web UI for Gaia platform via browser?
A. https://<Device_IP_Address>
B. https://<Device_IP_Address>:443
C. https://<Device_IP_Address>:10000
D. https://<Device_IP_Address>:4434
Correct Answer: A
Explanation/Reference:
To access the Gaia WebUI administration interface, initiate a connection from a browser to the default
administration IP address:
Logging in to the WebUI
1. Enter this URL in your browser:
https://<Gaia IP address>
2. Enter your user name and password.
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/75930
QUESTION 76
Which application should you use to install a contract file?
A. SmartView Monitor
B. WebUI
C. SmartUpdate
D. SmartProvisioning
Correct Answer: C
Explanation/Reference:
Using SmartUpdate: If you already use an NGX R65 (or higher) Security Management / Provider-1 /
MultiDomain Management Server, SmartUpdate allows you to import the service contract file that you have
downloaded in Step #3.
Open SmartUpdate and from the Launch Menu select 'Licenses & Contracts' -> 'Update Contracts' ->
'From File...' and provide the path to the file you have downloaded in Step #3:
Note: If SmartUpdate is connected to the Internet, you can download the service contract file directly from the
UserCenter without going through the download and import steps.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33089
QUESTION 77
Which feature is NOT provided by all Check Point Mobile Access solutions?
Correct Answer: A
Explanation/Reference:
Types of Solutions
All of Check Point's Remote Access solutions provide:
Enterprise-grade, secure connectivity to corporate resources.
Strong user authentication.
Granular access control.
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/83586.htm
QUESTION 78
You work as a security administrator for a large company. The CSO of your company has attended a security
conference where he has learnt how hackers constantly modify their strategies and techniques to evade
detection and reach corporate resources. He wants to make sure that his company has the right protections in
place. Check Point has been selected as the security vendor. Which Check Point product protects BEST
against malware and zero-day attacks while ensuring quick delivery of safe content to your users?
Correct Answer: D
Explanation/Reference:
SandBlast Zero-Day Protection
Hackers constantly modify their strategies and techniques to evade detection and reach corporate resources.
Zero-day exploit protection from Check Point provides a deeper level of inspection so you can prevent more
malware and zero-day attacks, while ensuring quick delivery of safe content to your users.
https://www.checkpoint.com/products-solutions/zero-day-protection/
QUESTION 79
Fill in the blank: Each cluster has ______ interfaces.
A. Five
B. Two
C. Three
D. Four
Correct Answer: C
Explanation/Reference:
Each cluster member has three interfaces: one external interface, one internal interface, and one for
synchronization. Cluster member interfaces facing in each direction are connected via a switch, router, or VLAN
switch.
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm
QUESTION 80
What are the three essential components of the Check Point Security Management Architecture?
Correct Answer: A
Explanation/Reference:
Basic deployments:
Standalone deployment - Security Gateway and the Security Management server are installed on the same
machine.
Distributed deployment - Security Gateway and the Security Management server are installed on different
machines.
Assume an environment with gateways on different sites. Each Security Gateway connects to the Internet on
one side, and to a LAN on the other.
You can create a Virtual Private Network (VPN) between the two Security Gateways, to secure all
communication between them.
The Security Management server is installed in the LAN, and is protected by a Security Gateway. The Security
Management server manages the Security Gateways and lets remote users connect securely to the corporate
network. SmartDashboard can be installed on the Security Management server or another computer.
There can be other OPSEC-partner modules (for example, an Anti-Virus Server) to complete the network
security with the Security Management server and its Security Gateways.
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityManagement_WebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_SecurityManagement_WebAdminGuide/118037
QUESTION 81
What are the two types of address translation rules?
Correct Answer: D
Explanation/Reference:
NAT Rule Base - The NAT Rule Base has two sections that specify how the IP addresses are translated:
Original Packet
Translated Packet
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm
QUESTION 82
You are unable to login to SmartDashboard. You log into the management server and run #cpwd_admin list
with the following output:
What reason could possibly BEST explain why you are unable to connect to SmartDashboard?
A. CDP is down
B. SVR is down
C. FWM is down
D. CPSM is down
Correct Answer: C
Explanation/Reference:
The correct answer would be FWM (the process that enables communication between SmartConsole
applications and the Security Management Server). STATE is T (Terminate = Down).
Symptoms
SmartDashboard fails to connect to the Security Management server.
1. Verify if the FWM process is running. To do this, run the command:
[Expert@HostName:0]# ps -aux | grep fwm
2. If the FWM process is not running, then try force-starting the process with the following command:
[Expert@HostName:0]# cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97638
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk12120
QUESTION 83
What does ExternalZone represent in the presented rule?
A. The Internet.
B. Interfaces that administrator has defined to be part of External Security Zone.
C. External interfaces on all security gateways.
D. External interfaces of specific gateways.
Correct Answer: B
Explanation/Reference:
Configuring Interfaces
Configure the Security Gateway 80 interfaces in the Interfaces tab in the Security Gateway window.
To configure the interfaces:
1. From the Devices window, double-click the Security Gateway 80.
The Security Gateway window opens.
2. Select the Interfaces tab.
3. Select Use the following settings. The interface settings open.
4. Select the interface and click Edit.
The Edit window opens.
5. From the IP Assignment section, configure the IP address of the interface:
1. Select Static IP.
2. Enter the IP address and subnet mask for the interface.
6. In Security Zone, select Wireless, DMZ, External, or Internal. Security zone is a type of zone, created by a
bridge to easily create segments, while maintaining IP addresses and router configurations. Security zones let
you choose whether to enable the firewall between segments.
https://sc1.checkpoint.com/documents/R76/CP_R76_SmartProvisioning_WebAdmin/16741.htm
QUESTION 84
Fill in the blank: The R80 utility fw monitor is used to troubleshoot ______.
A. User data base corruption
B. LDAP conflicts
C. Traffic issues
D. Phase two key negotiation
Correct Answer: C
Explanation/Reference:
Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW
Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These
captured packets can be inspected later using Wireshark.
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583
QUESTION 85
What are the two high availability modes?
Correct Answer: D
Explanation/Reference:
ClusterXL has four working modes. This section briefly describes each mode and its relative advantages and
disadvantages.
Load Sharing Multicast Mode
Load Sharing Unicast Mode
New High Availability Mode
High Availability Legacy Mode
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm#o7363
QUESTION 86
Fill in the blank: The R80 feature permits blocking specific IP addresses for a specified time period.
Correct Answer: C
Explanation/Reference:
Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges
upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).
The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity
rules are Firewall rules that enable the system administrator to instantly block suspicious connections that are
not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date),
can be applied immediately without the need to perform an Install Policy operation.
https://sc1.checkpoint.com/documents/R76/CP_R76_SmartViewMonitor_AdminGuide/17670.htm
QUESTION 87
Which Threat Prevention Software Blade provides comprehensive protection against malicious and unwanted network
traffic, focusing on application and server vulnerabilities?
A. Anti-Virus
B. IPS
C. Anti-Spam
D. Anti-bot
Correct Answer: B
Explanation/Reference:
The IPS Software Blade provides a complete Intrusion Prevention System security solution, providing
comprehensive network protection against malicious and unwanted network traffic, including:
Malware attacks
DoS and DDoS attacks
Application and server vulnerabilities
Insider threats
Unwanted application traffic, including IM and P2P
https://www.checkpoint.com/products/ips-software-blade/
QUESTION 88
What is the purpose of Captive Portal?
Correct Answer: C
Explanation/Reference:
Captive Portal – a simple method that authenticates users through a web interface before granting them access
to Intranet resources. When users try to access a protected resource, they get a web page that must be filled
out to continue.
https://www.checkpoint.com/products/identity-awareness-software-blade/
QUESTION 89
While enabling the Identity Awareness blade, the Identity Awareness wizard does not automatically detect the
Windows domain. Why does it not detect the Windows domain?
Explanation/Reference:
To enable Identity Awareness:
1. Log in to SmartDashboard.
2. From the Network Objects tree, expand the Check Point branch.
3. Double-click the Security Gateway on which to enable Identity Awareness.
4. In the Software Blades section, select Identity Awareness on the Network Security tab.
The Identity Awareness Configuration wizard opens.
5. Select one or more options. These options set the methods for acquiring identities of managed and
unmanaged assets.
AD Query - Lets the Security Gateway seamlessly identify Active Directory users and computers.
Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users.
If Transparent Kerberos Authentication is configured, AD users may be identified transparently.
Terminal Servers - Identify users in a Terminal Server environment (originating from one IP address).
See Choosing Identity Sources.
Note - When you enable Browser-Based Authentication on a Security Gateway that is on an IP Series
appliance, make sure to set the Voyager management application port to a port other than 443 or 80.
6. Click Next.
The Integration With Active Directory window opens.
When SmartDashboard is part of the domain, SmartDashboard suggests this domain automatically. If you
select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the
organization's Active Directory.
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62050.htm
QUESTION 90
View the rule below. What does the lock-symbol in the left column mean?
Correct Answer: B
Explanation/Reference:
Administrator Collaboration
More than one administrator can connect to the Security Management Server at the same time. Every
administrator has their own username, and works in a session that is independent of the other administrators.
When an administrator logs in to the Security Management Server through SmartConsole, a new editing
session starts. The changes that the administrator makes during the session are only available to that
administrator. Other administrators see a lock icon on objects and rules that are being edited.
To make changes available to all administrators, and to unlock the objects and rules that are being edited, the
administrator must publish the session.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/124265
QUESTION 91
When attempting to start a VPN tunnel, in the logs the error 'no proposal chosen' is seen numerous times. No
other VPN-related log entries are present. Which phase of the VPN negotiations has failed?
A. IKE Phase 1
B. IPSEC Phase 2
C. IPSEC Phase 1
D. IKE Phase 2
Correct Answer: A
Explanation/Reference:
QUESTION 92
Which command is used to add users to or from existing roles?
Correct Answer: A
Explanation/Reference:
http://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/73101.htm
QUESTION 93
You are the administrator for Alpha Corp. You have logged into your R80 Management server. You are making
some changes in the Rule Base and notice that rule No.6 has a pencil icon next to it.
A. The rule No.6 has been marked for deletion in your Management session.
B. The rule No.6 has been marked for deletion in another Management session.
C. The rule No.6 has been marked for editing in your Management session.
D. The rule No.6 has been marked for editing in another Management session.
Correct Answer: C
Explanation/Reference:
QUESTION 94
Which type of the Check Point license ties the package license to the IP address of the Security Management
Server?
A. Local
B. Central
C. Corporate
D. Formal
Correct Answer: B
Explanation/Reference:
QUESTION 95
What is NOT an advantage of Packet Filtering?
Correct Answer: A
Explanation/Reference:
Packet Filter Advantages and Disadvantages
https://www.checkpoint.com/smb/help/utm1/8.2/7078.htm
QUESTION 96
In the Check Point three-tiered architecture, which of the following is NOT a function of the Security
Management Server (SMS)?
Correct Answer: A
Explanation/Reference:
QUESTION 97
Web Control Layer has been set up using the settings in the following dialogue:
Correct Answer: D
Explanation/Reference:
Policy Layers and Sub-Policies
R80 introduces the concept of layers and sub-policies, allowing you to segment your policy according to your
network segments or business units/functions. In addition, you can also assign granular privileges by layer or
sub-policy to distribute workload and tasks to the most qualified administrators. With layers, the rule base is
organized into a set of security rules. These sets of rules, or layers, are inspected in the order in which they are
defined, allowing control over the rule base flow and the security functionalities that take precedence. If an
“accept” action is performed across a layer, the inspection will continue to the next layer. For example, a
compliance layer can be created to overlay across a cross-section of rules.
Sub-policies are sets of rules that are created for a specific network segment, branch office or business unit, so
if a rule is matched, inspection will continue through this subset of rules before it moves on to the next rule.
Sub-policies and layers can be managed by specific administrators, according to their permissions profiles.
This facilitates task delegation and workload distribution.
https://community.checkpoint.com/docs/DOC-1065
QUESTION 98
Which of the following are types of VPN communities?
Correct Answer: D
Explanation/Reference:
QUESTION 99
Fill in the blank: RADIUS protocol uses ______ to communicate with the gateway.
A. UDP
B. TDP
C. CCP
D. HTTP
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76SP/CP_R76SP_Security_System_WebAdminGuide/105209.htm
QUESTION 100
When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer,
sequentially from top to bottom, and enforces the first rule that matches a packet. Which of the following
statements about the order of rule enforcement is true?
A. If the Action is Accept, the gateway allows the packet to pass through the gateway.
B. If the Action is Drop, the gateway continues to check rules in the next Policy Layer down.
C. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.
D. If the Action is Drop, the gateway applies the Implicit Clean-up Rule for that Policy Layer.
Correct Answer: C
Explanation/Reference:
QUESTION 101
Office mode means that:
A. SecureID client assigns a routable MAC address. After the user authenticates for a tunnel, the VPN
gateway assigns a routable IP address to the remote client.
B. Users authenticate with an Internet browser and use secure HTTPS connection.
C. Local ISP (Internet service Provider) assigns a non-routable IP address to the remote user.
D. Allows a security gateway to assign a remote client an IP address. After the user authenticates for a tunnel,
the VPN gateway assigns a routable IP address to the remote client.
Correct Answer: D
Explanation/Reference:
Office Mode enables a Security Gateway to assign internal IP addresses to SecureClient users. This IP
address will not be exposed to the public network, but is encapsulated inside the VPN tunnel between the client
and the Gateway. The IP to be used externally should be assigned to the client in the usual way by the Internet
Service provider used for the Internet connection. This mode allows a Security Administrator to control which
addresses are used by remote clients inside the local network and makes them part of the local network.
The mechanism is based on an IKE protocol extension through which the Security Gateway can send an
internal IP address to the client.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30545
QUESTION 102
The Administrator wishes to update IPS protections from SmartConsole by clicking on the option “Update Now”
under the Updates tab in Threat Tools. Which device requires internet access for the update to work?
Correct Answer: B
Explanation/Reference:
Updating IPS Manually
You can immediately update IPS with real-time information on attacks and all the latest protections from the IPS
website. You can only manually update IPS if a proxy is defined in Internet Explorer settings.
To obtain updates of all the latest protections from the IPS website:
1. Configure the settings for the proxy server in Internet Explorer.
   1. In Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings.
      The LAN Settings window opens.
   2. Select Use a proxy server for your LAN.
   3. Configure the IP address and port number for the proxy server.
   4. Click OK.
      The settings for the Internet Explorer proxy server are configured.
2. In the IPS tab, select Download Updates and click Update Now.
If you chose to automatically mark new protections for Follow Up, you have the option to open the Follow Up
page directly to see the new protections.
https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12850.htm
QUESTION 103
Jack works for a managed service provider and he has been tasked to create 17 new policies for several new
customers. He does not have much time. What is the BEST way to do this with R80 security management?
A. Create a text-file with mgmt_cli script that creates all objects and policies. Open the file in SmartConsole
Command Line to run it.
B. Create a text-file with Gaia CLI -commands in order to create all objects and policies. Run the file in CLISH
with command load configuration.
C. Create a text-file with DBEDIT script that creates all objects and policies. Run the file in the command line of
the management server using command dbedit -f.
D. Use Object Explorer in SmartConsole to create the objects and Manage Policies from the menu to create
the policies.
Correct Answer: A
Explanation/Reference:
Did you know: mgmt_cli can accept csv files as inputs using the --batch option.
The first row should contain the argument names and the rows below it should hold the values for these
parameters.
So an equivalent solution to the powershell script could look like this:
data.csv:
https://community.checkpoint.com/thread/1342
https://sc1.checkpoint.com/documents/R80/APIs/#gui-cli/add-access-rule
QUESTION 104
When Identity Awareness is enabled, which identity source(s) is(are) used for Application Control?
A. RADIUS
B. Remote Access and RADIUS
C. AD Query
D. AD Query and Browser-based Authentication
Correct Answer: D
Explanation/Reference:
Identity Awareness gets identities from these acquisition sources:
AD Query
Browser-Based Authentication
Endpoint Identity Agent
Terminal Servers Identity Agent
Remote Access
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62007.htm
QUESTION 105
Which of the following is NOT a back up method?
A. Save backup
B. System backup
C. snapshot
D. Migrate
Correct Answer: A
Explanation/Reference:
The built-in Gaia backup procedures:
Snapshot Management
System Backup (and System Restore)
Save/Show Configuration (and Load Configuration)
Check Point provides three different procedures for backing up (and restoring) the operating system and
networking parameters on your appliances.
Snapshot (Revert)
Backup (Restore)
upgrade_export (Migrate)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108902
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk54100
QUESTION 106
Which of the following is NOT an advantage to using multiple LDAP servers?
A. You achieve a faster access time by placing LDAP servers containing the database at remote sites
B. Information on a user is hidden, yet distributed across several servers
C. You achieve compartmentalization by allowing a large number of users to be distributed across several
servers
D. You gain High Availability by replicating the same information on several servers
Correct Answer: B
Explanation/Reference:
QUESTION 107
Which Check Point software blade prevents malicious files from entering a network using virus signatures
and anomaly-based protections from ThreatCloud?
A. Firewall
B. Application Control
C. Anti-spam and Email Security
D. Antivirus
Correct Answer: D
Explanation/Reference:
The enhanced Check Point Antivirus Software Blade uses real-time virus signatures and anomaly-based
protections from ThreatCloud™, the first collaborative network to fight cybercrime, to detect and block malware
at the gateway before users are affected.
https://www.checkpoint.com/products/antivirus-software-blade/
QUESTION 108
What is the default method for destination NAT?
A. Destination side
B. Source side
C. Server side
D. Client side
Correct Answer: D
Explanation/Reference:
Client Side NAT - destination is NAT'd by the inbound kernel
QUESTION 109
Choose what BEST describes a Session.
Correct Answer: B
Explanation/Reference:
Administrator Collaboration
More than one administrator can connect to the Security Management Server at the same time. Every
administrator has their own username, and works in a session that is independent of the other administrators.
When an administrator logs in to the Security Management Server through SmartConsole, a new editing
session starts. The changes that the administrator makes during the session are only available to that
administrator. Other administrators see a lock icon on objects and rules that are being edited.
To make changes available to all administrators, and to unlock the objects and rules that are being edited, the
administrator must publish the session.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/117948
QUESTION 110
Which of the following is NOT a VPN routing option available in a star community?
Correct Answer: AD
Explanation/Reference:
Just A - To sat through center only.
SmartConsole
For simple hubs and spokes (or if there is only one Hub), the easiest way is to configure a VPN star community
in R80 SmartConsole:
1. On the Star Community window, in the:
A. Center Gateways section, select the Security Gateway that functions as the "Hub".
B. Satellite Gateways section, select Security Gateways as the "spokes", or satellites.
2. On the VPN Routing page, Enable VPN routing for satellites section, select one of these options:
A. To center and to other Satellites through center - This allows connectivity between the Security
Gateways, for example if the spoke Security Gateways are DAIP Security Gateways, and the Hub is a
Security Gateway with a static IP address.
B. To center, or through the center to other satellites, to internet and other VPN targets - This allows
connectivity between the Security Gateways as well as the ability to inspect all communication passing
through the Hub to the Internet.
3. Create an appropriate Access Control Policy rule.
4. NAT the satellite Security Gateways on the Hub if the Hub is used to route connections from Satellites to the
Internet.
The two Dynamic Objects (DAIP Security Gateways) can securely route communication through the Security
Gateway with the static IP address.
https://sc1.checkpoint.com/documents/R80/CP_R80BC_VPN/html_frameset.htm
QUESTION 111
What is the default shell of Gaia CLI?
A. Monitor
B. CLI.sh
C. Read-only
D. Bash
Correct Answer: B
Explanation/Reference:
This chapter gives an introduction to the Gaia command line interface (CLI).
The default shell of the CLI is called clish.
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm
QUESTION 112
Which of the following licenses are considered temporary?
Correct Answer: B
Explanation/Reference:
Should be Trial or Evaluation, even Plug-and-play (all are synonyms). Answer B is the best choice.
QUESTION 113
Where can administrator edit a list of trusted SmartConsole clients in R80?
A. cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server.
B. Only using SmartConsole:
Manage and Settings > Permissions and Administrators > Advanced > Trusted Clients.
C. In cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server, in
SmartConsole:
Manage and Settings>Permissions and Administrators>Advanced>Trusted Clients.
D. WebUI client logged to Security Management Server, SmartDashboard:
Manage and Settings>Permissions and Administrators>Advanced>Trusted Clients, via cpconfig on a
Security Gateway.
Correct Answer: C
Explanation/Reference:
D is in Security Gateway, so D is wrong.
QUESTION 114
Fill in the blanks: In the Network policy layer, the default action for the Implied last rule is ______ all traffic.
However, in the Application Control policy layer, the default action is ______ all traffic.
A. Accept; redirect
B. Accept; drop
C. Redirect; drop
D. Drop; accept
Correct Answer: D
Explanation/Reference:
QUESTION 115
Vanessa is a Firewall administrator. She wants to test a backup of her company’s production Firewall cluster
Dallas_GW. She has a lab environment that is identical to her production environment. She decided to restore
production backup via SmartConsole in lab environment. Which details does she need to fill in the System Restore
window before she can click the OK button and test the backup?
Correct Answer: C
Explanation/Reference:
QUESTION 116
On the following picture an administrator configures Identity Awareness:
Correct Answer: B
Explanation/Reference:
To enable Identity Awareness:
1. Log in to R80 SmartConsole.
2. From the Gateways & Servers view, double-click the Security Gateway on which to enable Identity
Awareness.
3. On the Network Security tab, select Identity Awareness.
The Identity Awareness Configuration wizard opens.
4. Select one or more options. These options set the methods for acquiring identities of managed and
unmanaged assets.
AD Query - Lets the Security Gateway seamlessly identify Active Directory users and computers.
Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users.
If Transparent Kerberos Authentication is configured, AD users may be identified transparently.
Terminal Servers - Identify users in a Terminal Server environment (originating from one IP address).
https://sc1.checkpoint.com/documents/R80/CP_R80BC_IdentityAwareness/html_frameset.htm?topic=documents/R80/CP_R80BC_IdentityAwareness/62050
QUESTION 117
What does it mean if Bob gets this result on an object search? Refer to the image below.
Correct Answer: B
Explanation/Reference:
QUESTION 118
Why would an administrator see the message below?
A. A new Policy Package created on both the Management and Gateway will be deleted and must be backed
up first before proceeding.
B. A new Policy Package created on the Management is going to be installed to the existing Gateway.
C. A new Policy Package created on the Gateway is going to be installed on the existing Management.
D. A new Policy Package created on the Gateway and transferred to the Management will be overwritten by
the Policy Package currently on the Gateway but can be restored from a periodic backup on the Gateway.
Correct Answer: B
Explanation/Reference:
QUESTION 119
Fill in the blank: The ______ software blade enables Application Security policies to allow, block, or limit
website access based on user, group, and machine identities.
A. Application Control
B. Data Awareness
C. URL Filtering
D. Threat Emulation
Correct Answer: A
Explanation/Reference:
QUESTION 120
At what point is the Internal Certificate Authority (ICA) created?
Correct Answer: B
Explanation/Reference:
Introduction to the ICA
The ICA is a Certificate Authority which is an integral part of the Check Point product suite. It is fully compliant
with X.509 standards for both certificates and CRLs. See the relevant X.509 and PKI documentation, as well as
RFC 2459 standards for more information. You can read more about Check Point and PKI in the R76 VPN
Administration Guide.
The ICA is located on the Security Management server. It is created during the installation process, when the
Security Management server is configured.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/13118
QUESTION 121
In which VPN community is a satellite VPN gateway not allowed to create a VPN tunnel with another satellite
VPN gateway?
A. Pentagon
B. Combined
C. Meshed
D. Star
Correct Answer: D
Explanation/Reference:
VPN communities are based on Star and Mesh topologies.
In a Mesh community, there are VPN connections between each Security Gateway.
In a Star community, satellites have a VPN connection with the center Security Gateway, but not to each other.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92709.htm
QUESTION 122
Fill in the blank: ______ information is included in the “Full Log” tracking option, but is not included in the
“Log” tracking option?
A. file attributes
B. application
C. destination port
D. data type
Correct Answer: D
Explanation/Reference:
Tracking Options
Network Log - Generates a log with only basic Firewall information: Source, Destination, Source Port,
Destination Port, and Protocol.
Log - Equivalent to the Network Log option, but also includes the application name (for example, Dropbox),
and application information (for example, the URL of the Website). This is the default Tracking option.
Full Log - Equivalent to the log option, but also records data for each URL request made.
- If suppression is not selected, it generates a complete log (as defined in pre-R80 management).
- If suppression is selected, it generates an extended log (as defined in pre-R80 management).
None - Do not generate a log.
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131914
QUESTION 123
In the R80 SmartConsole, on which tab are Permissions and Administrators defined?
A. Security Policies
B. Logs and Monitor
C. Manage and Settings
D. Gateway and Servers
Correct Answer: C
Explanation/Reference:
QUESTION 124
Which type of Endpoint Identity Agent includes packet tagging and computer authentication?
A. Full
B. Light
C. Custom
D. Complete
Correct Answer: A
Explanation/Reference:
Question is different, just ask you full/light/custom knowledge point
Endpoint Identity Agents – dedicated client agents installed on users’ computers that acquire and report
identities to the Security Gateway.
QUESTION 125
Fill in the blanks: The Application Layer Firewalls inspect traffic through the ______ layer(s) of the TCP/IP
model and up to and including the ______ layer.
A. Lower; Application
B. First two; Internet
C. First two; Transport
D. Upper; Application
Correct Answer: A
Explanation/Reference:
QUESTION 126
There are two R77.30 Security Gateways in the Firewall Cluster. They are named FW_A and FW_B. The
cluster is configured to work as HA (High availability) with default cluster configuration. FW_A is configured to
have higher priority than FW_B. FW_A was active and processing the traffic in the morning. FW_B was
standby. Around 11:00 am, its interfaces went down and this caused a failover. FW_B became active. After an
hour, FW_A’s interface issues were resolved and it became operational. When it re-joins the cluster, will it
become active automatically?
A. No, since “maintain current active cluster member” option on the cluster object properties is enabled by
default
B. No, since “maintain current active cluster member” option is enabled by default on the Global Properties
C. Yes, since “Switch to higher priority cluster member” option on the cluster object properties is enabled by
default
D. Yes, since “Switch to higher priority cluster member” option is enabled by default on the Global Properties
Correct Answer: A
Explanation/Reference:
What Happens When a Security Gateway Recovers?
In a Load Sharing configuration, when the failed Security Gateway in a cluster recovers, all connections are
redistributed among all active members.
In a High Availability configuration, when the failed Security Gateway in a cluster recovers, the recovery
method depends on the configured cluster setting. The options are:
• Maintain Current Active Security Gateway means that if one member passes on control to a lower priority
member, control will be returned to the higher priority member only if the lower priority member fails. This mode
is recommended if all members are equally capable of processing traffic, in order to minimize the number of
failover events.
• Switch to Higher Priority Security Gateway means that if the lower priority member has control and the higher
priority member is restored, then control will be returned to the higher priority member. This mode is
recommended if one member is better equipped for handling connections, so it will be the default Security
Gateway.
http://dl3.checkpoint.com/paid/7e/7ef174cf00762ceaf228384ea20ea64a/CP_R77_ClusterXL_AdminGuide.pdf?
QUESTION 127
After the initial installation the First Time Configuration Wizard should be run.
A. First Time Configuration Wizard can be run from the Unified SmartConsole.
B. First Time Configuration Wizard can be run from the command line or from the WebUI.
C. First time Configuration Wizard can only be run from the WebUI.
D. Connection to the internet is required before running the First Time Configuration wizard.
Correct Answer: B
Explanation/Reference:
Check Point Security Gateway and Check Point Security Management require running the First Time
Configuration Wizard in order to be configured correctly. The First Time Configuration Wizard is available in
Gaia Portal and also through CLI.
To invoke the First Time Configuration Wizard through CLI, run the config_system command from the Expert
shell.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111119
QUESTION 128
In order to modify Security Policies the administrator can use which of the following tools?
A. Command line of the Security Management Server or mgmt_cli.exe on any Windows computer.
B. SmartConsole and WebUI on the Security Management Server.
C. mgmt_cli or WebUI on Security Gateway and SmartConsole on the Security Management Server.
D. SmartConsole or mgmt_cli on any computer where SmartConsole is installed.
Correct Answer: D
Explanation/Reference:
QUESTION 129
Which of the following is NOT an element of VPN Simplified Mode and VPN Communities?
Correct Answer: A
Explanation/Reference:
Simplified and Traditional Modes
By default, VPN configuration works with Simplified mode. Simplified mode uses VPN Communities for Site to
Site VPN configuration, as described throughout this guide.
Traditional mode is a different, legacy way to configure Site to Site VPN where one of the actions available in
the Security Policy Rule Base is Encrypt. When encrypt is selected, all traffic between the Security Gateways
is encrypted. For details about Traditional Mode, see the R77 versions VPN Administration Guide.
In a policy package, all layers must use the same VPN mode.
http://dl3.checkpoint.com/paid/05/05e695b2012b4fd1d2bdfeccecd29290/CP_R80BC_VPN_AdminGuide.pdf?
QUESTION 130
Fill in the blanks: A Check Point software license consists of a ______ and ______.
Correct Answer: B
Explanation/Reference:
Check Point's licensing is designed to be scalable and modular. To this end, Check Point offers both
predefined packages as well as the ability to custom build a solution tailored to the needs of the Network
Administrator. This is accomplished by the use of the following license components:
Software Blades
Container
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk11054
QUESTION 131
Fill in the blank: Once a license is activated, a ______ should be installed.
Correct Answer: C
Explanation/Reference:
Service Contract File
Following the activation of the license, a Service Contract File should be installed. This file contains
important information about all subscriptions purchased for a specific device and is installed via SmartUpdate.
A detailed explanation of the Service Contract File can be found in sk33089.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk11054
QUESTION 132
Which policy type is used to enforce bandwidth and traffic control rules?
A. Threat Emulation
B. Access Control
C. QoS
D. Threat Prevention
Correct Answer: C
Explanation/Reference:
QoS is a policy-based QoS management solution from Check Point Software Technologies Ltd. that satisfies your
needs for a bandwidth management solution. QoS is a unique, software-only based application that manages
traffic end-to-end across networks, by distributing enforcement throughout network hardware and software.
https://sc1.checkpoint.com/documents/R76/CP_R76_QoS_AdminGuide/index.html
QUESTION 133
Bob and Joe both have Administrator Roles on their Gaia Platform. Bob logs in on the WebUI and then Joe
logs in through CLI. Choose what BEST describes the following scenario, where Bob and Joe are both logged
in:
Correct Answer: C
Explanation/Reference:
QUESTION 134
Fill in the blank: When LDAP is integrated with Check Point Security Management, it is then referred to as ______.
A. UserCheck
B. User Directory
C. User Administration
D. User Center
Correct Answer: B
Explanation/Reference:
Check Point User Directory integrates LDAP, and other external user management technologies, with the
Check Point solution. If you have a large user count, we recommend that you use an external user
management database such as LDAP for enhanced Security Management Server performance.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/118981
QUESTION 135
Which Check Point software blade provides protection from zero-day and undiscovered threats?
A. Firewall
B. Threat Emulation
C. Application Control
D. Threat Extraction
Correct Answer: B
Explanation/Reference:
QUESTION 136
Which of the completed statements is NOT true? The WebUI can be used to manage user accounts and:
Correct Answer: D
Explanation/Reference:
Users
Use the WebUI and CLI to manage user accounts. You can:
Add users to your Gaia system.
Edit the home directory of the user.
Edit the default shell for a user.
Give a password to a user.
Give privileges to users.
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/73101.htm
QUESTION 137
Look at the following screenshot and select the BEST answer.
A. Clients external to the Security Gateway can download archive files from FTP_Ext server using FTP.
B. Internal clients can upload and download any-files to FTP_Ext-server using FTP.
C. Internal clients can upload and download archive-files to FTP_Ext server using FTP.
D. Clients external to the Security Gateway can upload any files to the FTP_Ext-server using FTP.
Correct Answer: A
Explanation/Reference:
QUESTION 138
Fill in the blanks: A security Policy is created in ______, stored in the ______, and Distributed to the
various ______.
Correct Answer: C
Explanation/Reference:
QUESTION 139
Look at the screenshot below. What CLISH command provides this output?
Correct Answer: D
Explanation/Reference:
http://dl3.checkpoint.com/paid/0c/0caa9c0daa67e0c1f2af3dd06790bc81/CP_R77_Gaia_AdminGuide.pdf?
QUESTION 140
Which authentication scheme requires a user to possess a token?
A. TACACS
B. SecurID
C. Check Point password
D. RADIUS
Correct Answer: B
Explanation/Reference:
SecurID requires users to both possess a token authenticator and to supply a PIN or password
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/6721.htm
QUESTION 141
If there is an Accept Implied Policy set to “First”, what is the reason Jorge cannot see any logs?
Correct Answer: A
Explanation/Reference:
Implied Rules are configured only on Global Properties.
QUESTION 142
The most important part of a site-to-site VPN deployment is the ______.
A. Internet
B. Remote users
C. Encrypted VPN tunnel
D. VPN gateways
Correct Answer: C
Explanation/Reference:
The basis of Site to Site VPN is the encrypted VPN tunnel. Two Security Gateways negotiate a link and create a
VPN tunnel and each tunnel can contain more than one VPN connection. One Security Gateway can maintain
more than one VPN tunnel at the same time.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92709.htm
QUESTION 143
R80 Security Management Server can be installed on which of the following operating systems?
A. Gaia only
B. Gaia, SPLAT, Windows Server only
C. Gaia, SPLAT, Windows Server and IPSO only
D. Gaia and SPLAT only
Correct Answer: A
Explanation/Reference:
R80 can be installed only on GAIA OS.
Supported Check Point Installations
All R80 servers are supported on the Gaia Operating System:
• Security Management Server
• Multi-Domain Security Management Server
• Log Server
• Multi-Domain Log Server
• SmartEvent Server
http://dl3.checkpoint.com/paid/1f/1f7e21da67aa992954aa12a0a84e53a8/CP_R80_ReleaseNotes.pdf?
QUESTION 144
What port is used for delivering logs from the gateway to the management server?
A. Port 258
B. Port 18209
C. Port 257
D. Port 981
Correct Answer: C
Explanation/Reference:
TCP port 257 services are: FW1_log and FWD_LOG_PORT
QUESTION 145
The organization's security manager wishes to back up just the Gaia operating system parameters. Which
command can be used to back up only Gaia operating system parameters like interface details, Static routes
and Proxy ARP entries?
A. show configuration
B. backup
C. migrate export
D. upgrade export
Correct Answer: B
Explanation/Reference:
The built-in Gaia backup procedures:
Snapshot Management
System Backup (and System Restore)
Save/Show Configuration (and Load Configuration)
System Backup (and System Restore)
System Backup can be used to backup current system configuration. A backup creates a compressed file that
contains the Check Point configuration including the networking and operating system parameters, such as
routing and interface configuration etc., but unlike a snapshot, it does not include the operating system,
product binaries, and hotfixes.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108902
QUESTION 146
Choose what BEST describes users on Gaia Platform.
Correct Answer: B
Explanation/Reference:
These users are created by default and cannot be deleted:
admin — Has full read/write capabilities for all Gaia features, from the WebUI and the CLI. This user has a
User ID of 0, and therefore has all of the privileges of a root user.
monitor — Has read-only capabilities for all features in the WebUI and the CLI, and can change its own
password. You must give a password for this user before the account can be used.
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/73101.htm
QUESTION 147
You are going to upgrade from R77 to R80. Before the upgrade, you want to back up the system so that, if
there are any problems, you can easily restore to the old version with all configuration and management files
intact. What is the BEST backup method in this scenario?
A. backup
B. Database Revision
C. snapshot
D. migrate export
Correct Answer: C
Explanation/Reference:
The snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point
products, configuration, and operating system.
Starting in R77.10, exporting an image from one machine and importing that image on another machine of the
same type is supported.
The log partition is not included in the snapshot. Therefore, any locally stored FireWall logs will not be saved.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108902
QUESTION 148
The IT Management team is interested in the new features of the Check Point R80.x Management and wants to
upgrade but they are concerned that the existing R77.30 Gaia Gateways cannot be managed by R80.x
because it is so different. As the administrator responsible for the Firewalls, how can you answer or confirm
these concerns?
A. R80.x Management contains compatibility packages for managing earlier versions of Check Point Gateways
prior to R80. Consult the R80 Release Notes for more information.
B. R80.x Management requires the separate installation of compatibility hotfix packages for managing the
earlier versions of Check Point Gateways prior to R80. Consult the R80 Release Notes for more
information.
C. R80.x Management was designed as a completely different Management system and so can only monitor
Check Point Gateways prior to R80.
D. R80.x Management cannot manage earlier versions of Check Point Gateways prior to R80. Only R80 and
above Gateways can be managed. Consult the R80 Release Notes for more information.
Correct Answer: A
Explanation/Reference:
http://dl3.checkpoint.com/paid/1f/1f7e21da67aa992954aa12a0a84e53a8/CP_R80_ReleaseNotes.pdf?
QUESTION 149
Provide very wide coverage for all products and protocols, with noticeable performance impact.
How could you tune the profile in order to lower the CPU load still maintaining security at good level?
Correct Answer: B
Explanation/Reference:
QUESTION 150
Fill in the blank: A ______ is used by a VPN gateway to send traffic as if it were a physical interface.
Correct Answer: A
Explanation/Reference:
Route Based VPN
VPN traffic is routed according to the routing settings (static or dynamic) of the Security Gateway operating
system. The Security Gateway uses a VTI (VPN Tunnel Interface) to send the VPN traffic as if it were a
physical interface. The VTIs of Security Gateways in a VPN community connect and can support dynamic
routing protocols.
http://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13868.htm
QUESTION 151
Fill in the blank: The ______ feature allows administrators to share a policy with other policy packages.
A. Global Policies
B. Shared policies
C. Concurrent policy packages
D. Concurrent policies
Correct Answer: B
Explanation/Reference:
The Shared Policies section in the Security Policies shows the policies that are not in a Policy package. They
are shared between all Policy packages.
QUESTION 152
You want to define a selected administrator's permission to edit a layer. However, when you click the + sign in
the “Select additional profile that will be able edit this layer” you do not see anything. What is the most likely
cause of this problem?
A. “Edit layers by Software Blades” is unselected in the Permission Profile
B. There are no permission profiles available and you need to create one first.
C. All permission profiles are in use.
D. “Edit layers by selected profiles in a layer editor” is unselected in the Permission profile.
Correct Answer: B
Explanation/Reference:
QUESTION 153
Which of the following is NOT an alert option?
A. SNMP
B. High alert
C. Mail
D. User defined alert
Correct Answer: B
Explanation/Reference:
In Action, select:
none - No alert.
log - Sends a log entry to the database.
alert - Opens a pop-up window to your desktop.
mail - Sends a mail alert to your Inbox.
snmptrap - Sends an SNMP alert.
useralert - Runs a script. Make sure a user-defined action is available. Go to SmartDashboard > Global
Properties > Log and Alert > Alert Commands.
https://sc1.checkpoint.com/documents/R77/CP_R77_SmartViewMonitor_AdminGuide/101104.htm
QUESTION 154
Fill in the blanks: A High Availability deployment is referred to as a ______ cluster and a Load Sharing
deployment is referred to as a ______ cluster.
A. Standby/standby; active/active
B. Active/active; standby/standby
C. Active/active; active/standby
D. Active/standby; active/active
Correct Answer: D
Explanation/Reference:
In a High Availability cluster, only one member is active (Active/Standby operation).
ClusterXL Load Sharing distributes traffic within a cluster so that the total throughput of multiple members is
increased. In Load Sharing configurations, all functioning members in the cluster are active, and handle
network traffic (Active/Active operation).
https://sc1.checkpoint.com/documents/R77/CP_R77_ClusterXL_WebAdminGuide/7292.htm
QUESTION 155
AdminA and AdminB are both logged in on SmartConsole. What does it mean if AdminB sees a locked icon
on a rule?
A. Rule is locked by AdminA, because the save button has not been pressed.
B. Rule is locked by AdminA, because an object on that rule is being edited.
C. Rule is locked by AdminA, and will make it available if session is published.
D. Rule is locked by AdminA, and if the session is saved, rule will be available
Correct Answer: C
Explanation/Reference:
QUESTION 156
Which of the following is TRUE about the Check Point Host object?
A. Check Point Host has no routing ability even if it has more than one interface installed.
B. When you upgrade to R80 from R77.30 or earlier versions, Check Point Host objects are converted to
gateway objects.
C. Check Point Host is capable of having an IP forwarding mechanism.
D. Check Point Host can act as a firewall.
Correct Answer: A
Explanation/Reference:
A Check Point host is a host with only one interface, on which Check Point software has been installed, and
which is managed by the Security Management server. It is not a routing mechanism and is not capable of IP
forwarding.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/13139
QUESTION 157
Which of the following is NOT a set of Regulatory Requirements related to Information Security?
A. ISO 37001
B. Sarbanes Oxley (SOX)
C. HIPAA
D. PCI
Correct Answer: A
Explanation/Reference:
ISO 37001 - Anti-bribery management systems
http://www.iso.org/iso/home/standards/management-standards/iso37001.htm
QUESTION 158
Which command is used to obtain the configuration lock in Gaia?
Correct Answer: A
Explanation/Reference:
Obtaining a Configuration Lock
lock database override or unlock database
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm#o73091
QUESTION 159
Joey is using the computer with IP address 192.168.20.13. He wants to access web page
“www.CheckPoint.com”, which is hosted on Web server with IP address 203.0.113.111. How many rules on
Check Point Firewall are required for this connection?
A. Two rules – first one for the HTTP traffic and second one for DNS traffic.
B. Only one rule, because Check Point firewall is a Packet Filtering firewall
C. Two rules – one for outgoing request and second one for incoming reply.
D. Only one rule, because Check Point firewall is using Stateful Inspection technology.
Correct Answer: D
Explanation/Reference:
QUESTION 160
Fill in the blank: Licenses can be added to the License and Contract repository ______.
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/13128.htm
QUESTION 161
Fill in the blank: A(n) ______ rule is created by an administrator and is located before the first and before last
rules in the Rule Base.
A. Firewall drop
B. Explicit
C. Implicit accept
D. Implicit drop
E. Implied
Correct Answer: E
Explanation/Reference:
This is the order that rules are enforced:
1. First Implied Rule: You cannot edit or delete this rule and no explicit rules can be placed before it.
2. Explicit Rules: These are rules that you create.
3. Before Last Implied Rules: These implied rules are applied before the last explicit rule.
4. Last Explicit Rule: We recommend that you use the Cleanup rule as the last explicit rule.
5. Last Implied Rules: Implied rules that are configured as Last in Global Properties.
6. Implied Drop Rule: Drops all packets without logging.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92703.htm
QUESTION 162
Fill in the blank: The IPS policy for pre-R80 gateways is installed during the ______.
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80BC_ThreatPrevention/html_frameset.htm?topic=documents/R80/CP_R80BC_ThreatPrevention/136486
Note - Only the IPS settings from the Threat Prevention Profile apply to the IPS Policy.
QUESTION 163
Fill in the blank: RADIUS Accounting gets ______ data from requests generated by the accounting client.
A. Destination
B. Identity
C. Payload
D. Location
Correct Answer: B
Explanation/Reference:
How RADIUS Accounting Works with Identity Awareness
RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the RADIUS
accounting client.
https://sc1.checkpoint.com/documents/R77/CP_R77_IdentityAwareness_WebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_IdentityAwareness_WebAdminGuide/62050
QUESTION 164
Fill in the blank: The R80 SmartConsole, SmartEvent GUI client, and ______ consolidate billions of logs and
shows them as prioritized security events.
A. SmartMonitor
B. SmartView Web Application
C. SmartReporter
D. SmartTracker
Correct Answer: B
Explanation/Reference:
Event Analysis with SmartEvent
The SmartEvent Software Blade is a unified security event management and analysis solution that delivers real-
time, graphical threat management information. SmartConsole, SmartView Web Application, and the
SmartEvent GUI client consolidate billions of logs and show them as prioritized security events so you can
immediately respond to security incidents, and do the necessary actions to prevent more attacks. You can
customize the views to monitor the events that are most important to you. You can move from a high level view
to detailed forensic analysis in a few clicks. With the free-text search and suggestions, you can quickly run data
analysis and identify critical security events.
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131915
QUESTION 165
Which Check Point software blade provides visibility of users, groups and machines while also providing
access control through identity-based policies?
A. Firewall
B. Identity Awareness
C. Application Control
D. URL Filtering
Correct Answer: B
Explanation/Reference:
Check Point Identity Awareness Software Blade provides granular visibility of users, groups and machines,
providing unmatched application and access control through the creation of accurate, identity-based policies.
Centralized management and monitoring allows for policies to be managed from a single, unified console.
https://www.checkpoint.com/products/identity-awareness-software-blade/
QUESTION 166
How many users can have read/write access in Gaia at one time?
A. Infinite
B. One
C. Three
D. Two
Correct Answer: B
Explanation/Reference:
QUESTION 167
Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with GAIA,
but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has never been
able to SCP files to it. What would be the most likely reason she cannot do so?
A. She needs to edit /etc/SSHd/SSHd_config and add the Standard Mode account.
B. She needs to run sysconfig and restart the SSH process.
C. She needs to edit /etc/scpusers and add the Standard Mode account.
D. She needs to run cpconfig to enable the ability to SCP files.
Correct Answer: C
Explanation/Reference:
QUESTION 168
John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to
designated IP addresses to minimize malware infection and unauthorized access risks. Thus, gateway policy
permits access only from John's desktop which is assigned an IP address 10.0.0.19 via DHCP.
John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT
department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current
Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop. He wants to move
around the organization and continue to have access to the HR Web Server.
To make this scenario work, the IT administrator:
1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources.
2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server
from any machine and from any location.
John plugged in his laptop to the network on a different network segment and he is not able to connect. How
does he solve this problem?
Correct Answer: B
Explanation/Reference:
refer: https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62007.htm
PDF answer is C - lock and unlock the computer.
QUESTION 169
Which feature in R77 permits blocking specific IP addresses for a specified time period?
Correct Answer: A
Explanation/Reference:
QUESTION 170
MyCorp has the following NAT rules. You need to disable the NAT function when Alpha-internal networks try to
reach the Google DNS (8.8.8.8) server. What can you do in this case?
Correct Answer: D
Explanation/Reference:
QUESTION 171
What is the potential downside or drawback to choosing the Standalone deployment option instead of the
Distributed deployment option?
Correct Answer: A
Explanation/Reference:
QUESTION 172
Which of the following statements accurately describes the command snapshot?
A. snapshot creates a full OS-level backup, including network-interface data, Check Point production
information, and configuration settings of a GAIA Security Gateway.
B. snapshot creates a Security Management Server full system-level backup on any OS.
C. snapshot stores only the system-configuration settings on the Gateway.
D. A Gateway snapshot includes configuration settings and Check Point product information from the remote
Security Management Server
Correct Answer: A
Explanation/Reference:
QUESTION 173
The Captive Portal tool:
Correct Answer: A
Explanation/Reference:
QUESTION 174
Where do we need to reset the SIC on a gateway object?
A. SmartDashboard > Edit Gateway Object > General Properties > Communication
B. SmartUpdate > Edit Security Management Server Object > SIC
C. SmartUpdate > Edit Gateway Object > Communication
D. SmartDashboard > Edit Security Management Server Object > SIC
Correct Answer: A
Explanation/Reference:
QUESTION 175
Anti-Spoofing is typically set up on which object type?
A. Security Gateway
B. Host
C. Security Management object
D. Network
Correct Answer: A
Explanation/Reference:
QUESTION 176
What happens if the identity of a user is known?
A. If the user credentials do not match an Access Role, the system displays the Captive Portal.
B. If the user credentials do not match an Access Role, the system displays a sandbox.
C. If the user credentials do not match an Access Role, the traffic is automatically dropped.
D. If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped based on
the defined action.
Correct Answer: D
Explanation/Reference:
QUESTION 177
Message digests use which of the following?
Correct Answer: D
Explanation/Reference:
QUESTION 178
When using LDAP as an authentication method for Identity Awareness, the query:
Correct Answer: D
Explanation/Reference:
QUESTION 179
You are conducting a security audit. While reviewing configuration files and logs, you notice logs accepting
POP3 traffic, but you do not see a rule allowing POP3 traffic in the Rule Base. Which of the following is the
most likely cause?
Correct Answer: C
Explanation/Reference:
POP3 is not in Global Properties and is not in the implied rules.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk119497
QUESTION 180
What action can be performed from SmartUpdate R77?
A. upgrade_export
B. fw stat -1
C. cpinfo
D. remote_uninstall_verifier
Correct Answer: C
Explanation/Reference:
QUESTION 181
Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner
site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE
phase 2. Why is this a problematic setup?
A. The two algorithms do not have the same key length and so don't work together. You will get the error … No
proposal chosen…
B. All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for
higher performance for setting up the tunnel.
C. Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase
2 only costs performance and does not add security due to a shorter key in phase 1.
D. All is fine and can be used as is.
Correct Answer: C
Explanation/Reference:
QUESTION 182
Choose the SmartLog property that is TRUE.
Correct Answer: D
Explanation/Reference:
QUESTION 183
Which directory holds the SmartLog index files by default?
A. $SMARTLOGDIR/data
B. $SMARTLOG/dir
C. $FWDIR/smartlog
D. $FWDIR/log
Correct Answer: A
Explanation/Reference:
This question relates to R7x.
R7x:
$SMARTLOGDIR/data
R8x:
$RTDIR/log_indexes
QUESTION 184
To install a brand new Check Point Cluster, the MegaCorp IT department bought 1 Smart-1 and 2 Security
Gateway Appliances to run a cluster. Which type of cluster is it?
A. Full HA Cluster
B. High Availability
C. Standalone
D. Distributed
Correct Answer: B
Explanation/Reference:
QUESTION 185
Can a Check Point gateway translate both source IP address and destination IP address in a given packet?
A. Yes.
B. No.
C. Yes, but only when using Automatic NAT.
D. Yes, but only when using Manual NAT.
Correct Answer: A
Explanation/Reference:
QUESTION 186
Which of the following is NOT defined by an Access Role object?
A. Source Network
B. Source Machine
C. Source User
D. Source Server
Correct Answer: D
Explanation/Reference:
QUESTION 187
You installed Security Management Server on a computer using GAIA in the MegaCorp home office. You use
IP address 10.1.1.1. You also installed the Security Gateway on a second GAIA computer, which you plan to
ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC certificates to
the Gateway before shipping it?
1. Run cpconfig on the Gateway, select Secure Internal Communication, enter the activation key, and
reconfirm.
2. Initialize Internal Certificate Authority (ICA) on the Security Management Server.
3. Configure the Gateway object with the host name and IP addresses for the remote site.
4. Click the Communication button in the Gateway object's General screen, enter the activation key, and click
Initialize and OK.
5. Install the Security Policy.
A. 2, 3, 4, 1, 5
B. 2, 1, 3, 4, 5
C. 1, 3, 2, 4, 5
D. 2, 3, 4, 5, 1
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/125443
QUESTION 188
You want to reset SIC between smberlin and sgosaka.
In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig,
choose Secure Internal Communication and enter the new SIC Activation Key. The screen reads The SIC was
successfully initialized and jumps back to the menu. When trying to establish a connection, instead of a working
connection, you receive this error message:
A. The Gateway was not rebooted, which is necessary to change the SIC key.
B. You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose Basic
Setup > Initialize).
C. The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.
D. The activation key contains letters that are on different keys on localized keyboards. Therefore, the
activation cannot be typed in a matching fashion.
Correct Answer: C
Explanation/Reference:
QUESTION 189
Which of these components does NOT require a Security Gateway R77 license?
Correct Answer: C
Explanation/Reference:
QUESTION 190
What statement is true regarding Visitor Mode?
A. VPN authentication and encrypted traffic are tunneled through port TCP 443.
B. Only ESP traffic is tunneled through port TCP 443.
C. Only Main mode and Quick mode traffic are tunneled on TCP port 443.
D. All VPN traffic is tunneled through UDP port 4500.
Correct Answer: A
Explanation/Reference:
Office Mode
Office Mode is a Check Point remote access VPN solution feature. It enables a Security Gateway to assign a
remote client an IP address. This IP address is used only internally for secure encapsulated communication
with the home network, and therefore is not visible in the public network. The assignment takes place once the
user connects and authenticates. The assignment lease is renewed as long as the user is connected. The
address may be taken either from a general IP address pool, or from an IP address pool specified per user
group, using a configuration file.
Visitor Mode
Visitor Mode is a Check Point remote access VPN solution feature. It enables tunneling of all client-to-Security
Gateway communication through a regular TCP connection on port 443. Visitor mode is designed as a solution
for firewalls and Proxy servers that are configured to block IPsec connectivity.
QUESTION 191
Mesh and Star are two types of VPN topologies. Which statement below is TRUE about these types of
communities?
A. A star community requires Check Point gateways, as it is a Check Point proprietary technology.
B. In a star community, satellite gateways cannot communicate with each other.
C. In a mesh community, member gateways cannot communicate directly with each other.
D. In a mesh community, all members can create a tunnel with any other member.
Correct Answer: D
Explanation/Reference:
QUESTION 192
What CLI utility allows an administrator to capture traffic along the firewall inspection chain?
Correct Answer: D
Explanation/Reference:
QUESTION 193
Your bank's distributed R77 installation has Security Gateways up for renewal. Which SmartConsole application
will tell you which Security Gateways have licenses that will expire within the next 30 days?
A. SmartView Tracker
B. SmartPortal
C. SmartUpdate
D. SmartDashboard
Correct Answer: C
Explanation/Reference:
QUESTION 194
NAT can NOT be configured on which of the following objects?
Correct Answer: A
Explanation/Reference:
QUESTION 195
The fw monitor utility is used to troubleshoot which of the following problems?
Correct Answer: B
Explanation/Reference:
QUESTION 196
You are the Security Administrator for MegaCorp. In order to see how efficient your firewall Rule Base is, you
would like to see how often the particular rules match. Where can you see it? Give the BEST answer.
Correct Answer: C
Explanation/Reference:
QUESTION 197
Study the Rule base and Client Authentication Action properties screen.
After being authenticated by the Security Gateways, a user starts an HTTP connection to a Web site. What
happens when the user tries to FTP to another site using the command line? The:
Correct Answer: C
Explanation/Reference:
QUESTION 198
What are the three tabs available in SmartView Tracker?
Explanation/Reference:
QUESTION 199
In SmartView Tracker, which rule shows when a packet is dropped due to anti-spoofing?
A. Rule 0
B. Blank field under Rule Number
C. Rule 1
D. Cleanup Rule
Correct Answer: A
Explanation/Reference:
QUESTION 200
Which SmartConsole component can Administrators use to track changes to the Rule Base?
A. WebUI
B. SmartView Tracker
C. SmartView Monitor
D. SmartReporter
Correct Answer: B
Explanation/Reference:
QUESTION 201
Which set of objects have an Authentication tab?
A. Templates, Users
B. Users, Networks
C. Users, User Group
D. Networks, Hosts
Correct Answer: A
Explanation/Reference:
QUESTION 202
Which rule is responsible for the user authentication failure?
A. Rule 4
B. Rule 6
C. Rule 3
D. Rule 5
Correct Answer: C
Explanation/Reference:
?? But, Chose C-Rule 3
QUESTION 203
Which tool CANNOT be launched from SmartUpdate R77?
A. IP Appliance Voyager
B. snapshot
C. GAIA WebUI
D. cpinfo
Correct Answer: B
Explanation/Reference:
QUESTION 204
Which of the following is a hash algorithm?
A. 3DES
B. IDEA
C. DES
D. MD5
Correct Answer: D
Explanation/Reference:
QUESTION 205
Katie has been asked to do a backup on the Blue Security Gateway. Which command would accomplish this in
the Gaia CLI?
Correct Answer: D
Explanation/Reference:
QUESTION 206
You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner.
Which of the following activities should you do first?
Correct Answer: B
Explanation/Reference:
QUESTION 207
What must a Security Administrator do to comply with a management requirement to log all traffic accepted
through the perimeter Security Gateway?
A. In Global Properties > Reporting Tools check the box "Enable tracking all rules" (including rules marked as
None in the Track column).
Send these logs to a secondary log server for a complete logging history.
Use your normal log server for standard logging for troubleshooting.
B. Install the View Implicit Rules package using SmartUpdate.
C. Define two log servers on the R77 Gateway object. Log Implied Rules on the first log server. Enable Log
Rule Base on the second log server. Use SmartReporter to merge the two log server records into the same
database for HIPAA log audits.
D. Check the Log Implied Rules Globally box on the R77 Gateway object.
Correct Answer: A
Explanation/Reference:
QUESTION 208
What is the appropriate default Gaia Portal address?
A. HTTP://[IPADDRESS]
B. HTTPS://[IPADDRESS]:8080
C. HTTPS://[IPADDRESS]:4434
D. HTTPS://[IPADDRESS]
Correct Answer: D
Explanation/Reference:
QUESTION 209
Your boss wants you to closely monitor an employee suspected of transferring company secrets to the
competition. The IT department discovered the suspect installed a WinSCP client in order to use encrypted
communication. Which of the following methods is BEST to accomplish this task?
A. Use SmartView Tracker to follow his actions by filtering log entries that feature the WinSCP destination port.
Then, export the corresponding entries to a separate log file for documentation.
B. Use SmartDashboard to add a rule in the firewall Rule Base that matches his IP address, and those of
potential targets and suspicious protocols. Apply the alert action or customized messaging.
C. Watch his IP in SmartView Monitor by setting an alert action to any packet that matches your Rule Base and
his IP address for inbound and outbound traffic.
D. Send the suspect an email with a keylogging Trojan attached, to get direct information about his
wrongdoings.
Correct Answer: A
Explanation/Reference:
QUESTION 210
Match the following commands to their correct function. Each command has one function only listed.
Correct Answer: A
Explanation/Reference:
QUESTION 211
Which of the following is NOT an option for internal network definition of Anti-spoofing?
Correct Answer: B
Explanation/Reference:
QUESTION 212
MegaCorp's security infrastructure separates Security Gateways geographically. You must request a central
license for one remote Security Gateway. How do you apply the license?
A. Using the remote Gateway's IP address, and attaching the license to the remote Gateway via SmartUpdate.
B. Using your Security Management Server's IP address, and attaching the license to the remote Gateway via
SmartUpdate.
C. Using the remote Gateway's IP address, and applying the license locally with command cplic put.
D. Using each of the Gateway's IP addresses, and applying the licenses on the Security Management Server
with the command cprlic put.
Correct Answer: B
Explanation/Reference:
QUESTION 213
A digital signature:
Correct Answer: A
Explanation/Reference:
QUESTION 214
According to Check Point Best Practice, when adding a 3rd party gateway to a Check Point security solution
what object SHOULD be added? A(n):
A. Interoperable Device
B. Network Node
C. Externally managed gateway
D. Gateway
Correct Answer: A
Explanation/Reference:
QUESTION 215
You find a suspicious connection from a problematic host. You decide that you want to block everything from
that whole network, not just the problematic host. You want to block this for an hour while you investigate
further, but you do not want to add any rules to the Rule Base. How do you achieve this?
A. Use dbedit to script the addition of a rule directly into the Rule Bases_5_0.fws configuration file.
B. Select Block intruder from the Tools menu in SmartView Tracker.
C. Create a Suspicious Activity Rule in Smart Monitor.
D. Add a temporary rule using SmartDashboard and select hide rule.
Correct Answer: C
Explanation/Reference:
QUESTION 216
When launching SmartDashboard, what information is required to log into R77?
Explanation/Reference:
QUESTION 217
A Cleanup rule:
Correct Answer: A
Explanation/Reference:
QUESTION 218
You manage a global network extending from your base in Chicago to Tokyo, Calcutta and Dallas.
Management wants a report detailing the current software level of each Enterprise class Security Gateway. You
plan to take the opportunity to create a proposal outline, listing the most cost-effective way to upgrade your
Gateways. Which two SmartConsole applications will you use to create this report and outline?
Correct Answer: D
Explanation/Reference:
QUESTION 219
Which of the below is the MOST correct process to reset SIC from SmartDashboard?
Correct Answer: B
Explanation/Reference:
QUESTION 220
Which of the following authentication methods can be configured in the Identity Awareness setup wizard?
Correct Answer: C
Explanation/Reference:
QUESTION 221
An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through
your R77 Security Gateway to a partner site. A rule for GRE traffic is configured for ACCEPT/LOG. Although
the keep-alive packets are being sent every minute, a search through the SmartView Tracker logs for GRE
traffic only shows one entry for the whole day (early in the morning after a Policy install).
Your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets on the
1-minute interval. If GRE encapsulation is turned off on the router, SmartView Tracker shows a log entry for the
UDP keep-alive packet every minute.
Which of the following is the BEST explanation for this behavior?
A. The setting Log does not capture this level of detail for GRE. Set the rule tracking action to Audit since
certain types of traffic can only be tracked this way.
B. The log unification process is using a LUUID (Log Unification Unique Identification) that has become
corrupt. Because it is encrypted, the R77 Security Gateway cannot distinguish between GRE sessions. This
is a known issue with GRE. Use IPSEC instead of the non-standard GRE protocol for encapsulation.
C. The Log Server log unification process unifies all log entries from the Security Gateway on a specific
connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout,
thus each keep-alive packet is considered part of the original logged connection at the beginning of the day.
D. The Log Server is failing to log GRE traffic properly because it is VPN traffic. Disable all VPN configuration
to the partner site to enable proper logging.
Correct Answer: C
Explanation/Reference:
QUESTION 222
Choose the correct statement regarding Implicit Rules.
A. To edit the Implicit rules you go to: Launch Button > Policy > Global Properties > Firewall.
B. Implied rules are fixed rules that you cannot change.
C. You can directly edit the Implicit rules by double-clicking on a specific Implicit rule.
D. You can edit the Implicit rules but only if requested by Check Point support personnel.
Correct Answer: A
Explanation/Reference:
For R77
QUESTION 223
You find that Users are not prompted for authentication when they access their Web servers, even though you
have created an HTTP rule via User Authentication. Choose the BEST reason why.
Correct Answer: B
Explanation/Reference:
QUESTION 224
You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for this
configuration. You then delete two existing users and add a new user group. You modify one rule and add two
new rules to the Rule Base. You save the Security Policy and create database version 2. After a while, you
decide to roll back to version 1 to use the Rule Base, but you want to keep your user database. How can you do
this?
A. Run fwm dbexport -1 filename. Restore the database. Then, run fwm dbimport -1 filename to
import the users.
B. Run fwm_dbexport to export the user database. Select restore the entire database in the Database
Revision screen. Then, run fwm_dbimport.
C. Restore the entire database, except the user database, and then create the new user and user group.
D. Restore the entire database, except the user database.
Correct Answer: D
Explanation/Reference:
QUESTION 225
Which of the following are available SmartConsole clients which can be installed from the R77 Windows CD?
Read all answers and select the most complete and valid list.
Correct Answer: C
Explanation/Reference:
R77
QUESTION 226
You have configured SNX on the Security Gateway. The client connects to the Security Gateway and the user
enters the authentication credentials. What must happen after authentication that allows the client to connect to
the Security Gateway's VPN domain?
A. SNX modifies the routing table to forward VPN traffic to the Security Gateway.
B. An office mode address must be obtained by the client.
C. The SNX client application must be installed on the client.
D. Active-X must be allowed on the client.
Correct Answer: A
Explanation/Reference:
QUESTION 227
All R77 Security Servers can perform authentication with the exception of one. Which of the Security Servers
can NOT perform authentication?
A. FTP
B. SMTP
C. HTTP
D. RLOGIN
Correct Answer: B
Explanation/Reference:
QUESTION 228
Your users are defined in a Windows 2008 R2 Active Directory server. You must add LDAP users to a Client
Authentication rule. Which kind of user group do you need in the Client Authentication rule in R77?
A. External-user group
B. LDAP group
C. A group with a generic user
D. All Users
Correct Answer: B
Explanation/Reference:
QUESTION 229
What is Consolidation Policy?
A. The collective name of the Security Policy, Address Translation, and IPS Policies.
B. The specific Policy written in SmartDashboard to configure which log data is stored in the SmartReporter
database.
C. The collective name of the logs generated by SmartReporter.
D. A global Policy used to share a common enforcement policy for multiple Security Gateways.
Correct Answer: B
Explanation/Reference:
The SmartReporter Solution
Check Point SmartReporter delivers a user-friendly solution for monitoring and auditing traffic. You can
generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all
events logged by Check Point Security Gateway, SecureClient and IPS.
SmartReporter implements a Consolidation Policy, which goes over your original, "raw" log file. It compresses
similar logs into events and writes the compressed list of events into a relational database (the SmartReporter
Database).
QUESTION 230
Where do you verify that UserDirectory is enabled?
A. Verify that Security Gateway > General Properties > Authentication > Use UserDirectory (LDAP) for Security
Gateways is checked
B. Verify that Global Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is
checked.
C. Verify that Security Gateway > General Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for
Security Gateways is checked.
D. Verify that Global Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is
checked.
Correct Answer: D
Explanation/Reference:
QUESTION 231
Which of the following actions do NOT take place in IKE Phase 1?
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_VPN_AdminGuide/13847
QUESTION 232
Which R77 GUI would you use to see number of packets accepted since the last policy install?
A. SmartView Monitor
B. SmartView Tracker
C. SmartDashboard
D. SmartView Status
Correct Answer: A
Explanation/Reference:
QUESTION 233
Which of the following firewall modes DOES NOT allow for Identity Awareness to be deployed?
A. Bridge
B. Load Sharing
C. High Availability
D. Fail Open
Correct Answer: A
Explanation/Reference:
QUESTION 234
What is the Manual Client Authentication TELNET port?
A. 23
B. 264
C. 900
D. 259
Correct Answer: D
Explanation/Reference:
Client Authentication
Client Authentication can authenticate any service. It enables access from a specific IP address for an unlimited
number of connections. The client user performs the authentication process, but it is the client machine that is
granted access. Client Authentication is less secure than user authentication because it permits access for
multiple users and connections from authorized IP addresses or hosts. Authorization is performed on a per
machine basis for services that do not have an initial login procedure. The advantages of Client Authentication
are that it can be used for an unlimited number of connections, for any service, and is valid for any length of
time.
Note - When configuring user objects, you can set the locations that users can access, however, this can cause
problems with security rules that require some form of authentication. See also Resolving Access Conflicts
Client Authentication works with all sign on methods. The following table shows how different sign on methods
provide choice when selecting an authentication method for authenticated and other services. For sign on
methods other than Manual Client Authentication, the gateway is transparent to the users and they authenticate
directly to the destination host.
Client Authentication Sign On Methods
Standard Sign on: Enables users to access all services permitted by the rule without authenticating for each
service.
Specific Sign on: Enables users to access only the services that they specify when they authenticate, even if
the rule allows more than one service. If the user wants to use another service, they must re-authenticate for
that specific service.
At the end of an authentication session, the user can sign off. When a user signs off, they are disconnected
from all services and the remote host.
https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6721.htm
QUESTION 235
Jennifer McHanry is CEO of ACME. She recently bought her own personal iPad. She wants to use her iPad to
access the internal Finance Web server. Because the iPad is not a member of the Active Directory domain, she
cannot identify seamlessly with AD Query. However, she can enter her AD credentials in the Captive Portal and
then get the same access as on her office computer. Her access to resources is based on rules in the R77
Firewall Rule Base.
To make this scenario work, the IT administrator must:
1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources.
2) In the Portal Settings window in the User Access section, make sure that Name and password login is
selected.
3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select
accept as the Action.
4) Install policy.
Ms McHanry tries to access the resource but is unable. What should she do?
A. Have the security administrator select the Action field of the Firewall Rule “Redirect HTTP connections to an
authentication (captive) portal”.
B. Have the security administrator reboot the firewall.
C. Have the security administrator select Any for the Machines tab in the appropriate Access Role.
D. Install the Identity Awareness agent on her iPad.
Correct Answer: A
Explanation/Reference:
QUESTION 236
How many packets does the IKE exchange use for Phase 1 Main Mode?
A. 12
B. 1
C. 3
D. 6
Correct Answer: D
Explanation/Reference:
1. Send and get info from another = 2
2. Send and get public key =2
3. Send and get cert =2
=> 6 packets
IKE Phase 1
IKE Phase 1 works in one of two modes, main mode or aggressive mode. These modes operate differently, and we
will cover both of them.
Main Mode:
IKE Phase 1 operating in main mode works with both parties exchanging a total of 6 packets, that’s right 6
packets is all it takes to complete phase 1.
The first packet is sent from the initiator of the IPSec tunnel to its remote endpoint, this packet contains the
ISAKMP policy
The second packet is sent from the remote endpoint back to the initiator, this packet will be the exact same
information matching the ISAKMP policy sent by the initiator.
The third packet is sent from the initiator to the remote endpoint, this packet contains the Key Exchange
payload and the Nonce payload, the purpose of this packet is to generate the information for the DH secret key
This fourth packet as you would expect comes from the remote endpoint back to initiator and contains the
remote endpoint's Key Exchange and Nonce payload.
The fifth packet is from the initiator back to the remote endpoint with identity and hash payloads, the identity
payload has the device’s IP Address in, and the hash payload is a combination of keys (including a PSK, if PSK
authentication is used)
The sixth packet from the remote endpoint to the initiator contains the corresponding hash payloads to verify
the exchange.
Aggressive Mode:
IKE Phase 1 operating in aggressive mode only exchanges 3 packets compared to the 6 packets used in main
mode. One downside of aggressive mode is that it is not as secure as main mode.
The first packet from the initiator contains enough information for the remote endpoint to generate its DH
secret, so this one packet is equivalent to the first four packets in main mode.
The second packet from the remote endpoint back to the initiator contains its DH secret
The third packet from the initiator includes identity and hash payloads. After the remote endpoint receives this
packet it simply calculates its hash payload and verifies it matches, if it matches then phase one is established.
IKE Phase 2
IKE Phase 2 occurs after phase 1 and is also known as quick mode and this process is only 3 packets.
Perfect Forward Secrecy (PFS): if PFS is configured on both endpoints, they will generate a new DH key for phase
2/quick mode.
Contained in this first packet from the initiator to the remote device are some of the hashes/keys negotiated
from phase 1, along with some IPSec parameters, i.e. Encapsulation (ESP or AH), HMAC, DH-group, and the
mode (tunnel or transport)
The second packet contains the remote endpoint’s response with matching IPSec parameters.
The last packet is sent to the remote device to verify the other device is still there and is an active peer.
That last packet concludes the forming of an IPSec tunnel and the phase 1/2 process.
https://ccie-or-null.net/2012/03/26/ike-main-mode-aggressive-mode-phase-2/
QUESTION 237
What is also referred to as Dynamic NAT?
A. Automatic NAT
B. Static NAT
C. Manual NAT
D. Hide NAT
Correct Answer: D
Explanation/Reference:
similar question.
QUESTION 238
A client has created a new Gateway object that will be managed at a remote location. When the client attempts
to install the Security Policy to the new Gateway object, the object does not appear in the Install On check box.
What should you look for?
Correct Answer: B
Explanation/Reference:
QUESTION 239
Which of the following is NOT a valid option when configuring access for Captive Portal?
Correct Answer: A
Explanation/Reference:
QUESTION 240
As you review this Security Policy, what changes could you make to accommodate Rule 4?
A. Remove the service HTTP from the column Service in Rule 4.
B. Modify the column VPN in Rule 2 to limit access to specific traffic.
C. Nothing at all
D. Modify the columns Source or Destination in Rule 4
Correct Answer: B
Explanation/Reference:
QUESTION 241
What happens when you run the command: fw sam -J src [Source IP Address]?
A. Connections from the specified source are blocked without the need to change the Security Policy.
B. Connections to the specified target are blocked without the need to change the Security Policy.
C. Connections to and from the specified target are blocked without the need to change the Security Policy.
D. Connections to and from the specified target are blocked with the need to change the Security Policy.
Correct Answer: A
Explanation/Reference:
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information
received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts
mechanism.
Notes:
VSX Gateway does not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
You must run this command in Expert mode on the Management server.
https://sc1.checkpoint.com/documents/R80.20_M1/WebAdminGuides/EN/CP_R80.20_M1_CLI_ReferenceGuide/html_frameset.htm?topic=documents/R80.20_M1/WebAdminGuides/EN/CP_R80.20_M1_CLI_ReferenceGuide/204500
=====================
-J Inhibits new connections with the specified parameters, and closes all existing connections with the
specified parameters.
Notes:
* Matching connections are dropped.
* Each inhibited connection is logged according to the log type.
https://sc1.checkpoint.com/documents/R80.20_M1/WebAdminGuides/EN/CP_R80.20_M1_CLI_ReferenceGuide/html_frameset.htm?topic=documents/R80.20_M1/WebAdminGuides/EN/CP_R80.20_M1_CLI_ReferenceGuide/204500
QUESTION 242
VPN gateways must authenticate to each other prior to exchanging information. What are the two types of
credentials used for authentication?
A. 3DES and MD5
B. Certificates and IPsec
C. Certificates and pre-shared secret
D. IPsec and VPN Domains
Correct Answer: C
Explanation/Reference:
QUESTION 243
According to Check Point Best Practice, when adding a non-managed Check Point Gateway to a Check Point
security solution what object SHOULD be added? A(n):
A. Gateway
B. Interoperable Device
C. Externally managed gateway
D. Network Node
Correct Answer: C
Explanation/Reference:
QUESTION 244
You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be
defined via SmartDashboard?
Correct Answer: A
Explanation/Reference:
QUESTION 245
Where does the security administrator activate Identity Awareness within SmartDashboard?
Correct Answer: A
Explanation/Reference:
QUESTION 246
While in SmartView Tracker, Brady has noticed some very odd network traffic that he thinks could be an
intrusion. He decides to block the traffic for 60 minutes, but cannot remember all the steps. What is the correct
order of steps needed to set up the block?
1) Select Active Mode tab in SmartView Tracker.
2) Select Tools > Block Intruder.
3) Select Log Viewing tab in SmartView Tracker.
4) Set Blocking Timeout value to 60 minutes.
5) Highlight connection that should be blocked.
A. 1, 2, 5, 4
B. 3, 2, 5, 4
C. 1, 5, 2, 4
D. 3, 5, 2, 4
Correct Answer: C
Explanation/Reference:
QUESTION 247
You are about to test some rule and object changes suggested in an R77 news group. Which backup solution
should you use to ensure the easiest restoration of your Security Policy to its previous configuration after testing
the changes?
Correct Answer: C
Explanation/Reference:
QUESTION 248
You are using SmartView Tracker to troubleshoot NAT entries. Which column do you check to view the NAT'd
source port if you are using Source NAT?
A. XlateDst
B. XlateSPort
C. XlateDPort
D. XlateSrc
Correct Answer: B
Explanation/Reference:
QUESTION 249
What happens if the identity of a user is known?
A. If the user credentials do not match an Access Role, the traffic is automatically dropped.
B. If the user credentials do not match an Access Role, the system displays a sandbox.
C. If the user credentials do not match an Access Role, the gateway moves onto the next rule.
D. If the user credentials do not match an Access Role, the system displays the Captive Portal.
Correct Answer: C
Explanation/Reference:
QUESTION 250
Your company enforces a strict change control policy. Which of the following would be MOST effective for
quickly dropping an attacker's specific active connection?
A. Change the Rule Base and install the Policy to all Security Gateways
B. Block Intruder feature of SmartView Tracker
C. Intrusion Detection System (IDS) Policy install
D. SAM – Suspicious Activity Rules feature of SmartView Monitor
Correct Answer: D
Explanation/Reference:
If R80, B (Block Intruder) is not a good answer anymore. The best one would be D, SAM.
QUESTION 251
What port is used for communication to the User Center with SmartUpdate?
A. CPMI 200
B. TCP 8080
C. HTTP 80
D. HTTPS 443
Correct Answer: D
Explanation/Reference:
QUESTION 252
How do you configure an alert in SmartView Monitor?
Correct Answer: B
Explanation/Reference:
QUESTION 253
Where would an administrator enable Implied Rules logging?
Correct Answer: C
Explanation/Reference:
PDF is B, but I don't think so. It should be C.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110218
QUESTION 254
Which of these attributes would be critical for a site-to-site VPN?
Correct Answer: D
Explanation/Reference:
QUESTION 255
You have just installed your Gateway and want to analyze the packet size distribution of your traffic with
SmartView Monitor.
Unfortunately, you get the message:
“There are no machines that contain Firewall Blade and SmartView Monitor”.
What should you do to analyze the packet size distribution of your traffic? Give the BEST answer.
A. Purchase the SmartView Monitor license for your Security Management Server.
B. Enable Monitoring on your Security Management Server.
C. Purchase the SmartView Monitor license for your Security Gateway.
D. Enable Monitoring on your Security Gateway.
Correct Answer: D
Explanation/Reference:
QUESTION 256
You believe Phase 2 negotiations are failing while you are attempting to configure a site-to-site VPN with one of
your firm's business partners. Which SmartConsole application should you use to confirm your suspicions?
A. SmartDashboard
B. SmartUpdate
C. SmartView Status
D. SmartView Tracker
Correct Answer: D
Explanation/Reference:
QUESTION 257
Which of the following uses the same key to decrypt as it does to encrypt?
A. Asymmetric encryption
B. Dynamic encryption
C. Certificate-based encryption
D. Symmetric encryption
Correct Answer: D
Explanation/Reference:
QUESTION 258
How do you configure the Security Policy to provide user access to the Captive Portal through an external
(Internet) interface?
A. Change the gateway settings to allow Captive Portal access via an external interface.
B. No action is necessary. This access is available by default.
C. Change the Identity Awareness settings under Global Properties to allow Captive Policy access on all
interfaces.
D. Change the Identity Awareness settings under Global Properties to allow Captive Policy access for an
external interface.
Correct Answer: A
Explanation/Reference:
A is not the exact, but the best answer.
To be exact, it is configured in the Gateway settings -> Identity Awareness -> Browser-Based Auth -> Access
Settings -> Accessibility
C is wrong, because Identity Awareness under Global Properties is not such an option...
Global settings> Browser based authentication : Settings > Portal settings : Access settings > Portal access
settings : Accessibility> Accessibility
Has 3 options
1. Through all interfaces
2. Through internal interface (default)
3. According to firewall policy
QUESTION 259
The technical-support department has a requirement to access an intranet server. When configuring a User
Authentication rule to achieve this, which of the following should you remember?
A. You can only use the rule for Telnet, FTP, SMTP, and rlogin services.
B. The Security Gateway first checks if there is any rule that does not require authentication for this type of
connection before invoking the Authentication Security Server.
C. Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
D. You can limit the authentication attempts in the User Properties' Authentication tab.
Correct Answer: B
Explanation/Reference:
QUESTION 260
As a Security Administrator, you must refresh the Client Authentication authorized time-out every time a new
user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:
Correct Answer: C
Explanation/Reference:
QUESTION 261
When using GAIA, it might be necessary to temporarily change the MAC address of the interface eth 0 to
00:0C:29:12:34:56. After restarting the network the old MAC address should be active. How do you configure
this change?
A. Edit the file /etc/sysconfig/netconf.C and put the new MAC address in the field
# IP link set eth0 down
# IP link set eth0 addr 00:0C:29:12:34:56
# IP link set eth0 up
B. As expert user, issue these commands:
(conf
:(conns
:(conn
:hwaddr (“00:0C:29:12:34:56”)
C. As expert user, issue the command:
# IP link set eth0 addr 00:0C:29:12:34:56
D. Open the WebUI, select Network > Connections > eth0. Place the new MAC address in the field Physical
Address, and press Apply to save the settings.
Correct Answer: C
Explanation/Reference:
QUESTION 262
John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to
designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway
policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19.
John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT
department gave the laptop a static IP address, but that limits him to operating it only from his desk. The
current Rule Base contains a rule that lets John Adams access the HR Web Server from his desktop with a
static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web
Server.
To make this scenario work, the IT administrator:
1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the
policy.
2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server
from any machine and from any location.
3) Changes from static IP address to DHCP for the client PC.
What should John request when he cannot access the web server from his laptop?
Correct Answer: C
Explanation/Reference:
This Question looks very like Q168, but it is different.
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62007.htm
OR
answer is D
When necessary, you can configure specific groups to download the Identity Agent. For example, if you have a
group of mobile users that roam and it is necessary for them to stay connected as they move between
networks.
https://dl3.checkpoint.com/paid/66/66be37008976888cde9759559fa83221/CP_R80.30_GA_IdentityAwareness_AdminGuide.pdf?
QUESTION 263
Review the rules. Assume domain UDP is enabled in the implied rules.
What happens when a user from the internal network tries to browse to the internet using HTTP? The user:
Correct Answer: D
Explanation/Reference:
Rule 2 applies to internal users, rule 1 only applies to people in Customers group, so internal users will not be
prompted for authentication.
QUESTION 264
Which component functions as the Internal Certificate Authority for R77?
A. Security Gateway
B. Management Server
C. Policy Server
D. SmartLSM
Correct Answer: B
Explanation/Reference:
QUESTION 265
Check Point APIs allow system engineers and developers to make changes to their organization’s security
policy with CLI tools and Web Services for all of the following except:
Correct Answer: A
Explanation/Reference:
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-management/7842/1/CP_R80_CheckPoint_API_ReferenceGuide.pdf
QUESTION 266
In what way are SSL VPN and IPSec VPN different?
A. SSL VPN is using HTTPS in addition to IKE, whereas IPSec VPN is clientless
B. SSL VPN adds an extra VPN header to the packet, IPSec VPN does not
C. IPSec VPN does not support two factor authentication, SSL VPN does support this
D. IPSec VPN uses an additional virtual adapter, SSL VPN uses the client network adapter only
Correct Answer: D
Explanation/Reference:
QUESTION 267
Which command can you use to enable or disable multi-queue per interface?
A. cpmq set
B. Cpmqueue set
C. Cpmq config
D. Set cpmq enable
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/93689.htm
QUESTION 268
Which limitation of CoreXL is overcome by using (mitigated by) Multi-Queue?
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/93689.htm
QUESTION 269
To fully enable Dynamic Dispatcher on a Security Gateway:
Correct Answer: A
Explanation/Reference:
To fully enable the CoreXL Dynamic Dispatcher on Security Gateway:
Note: In cluster environment, this procedure must be performed on all members of the cluster. Since a reboot is
required, it is recommended to follow the Gaia Installation and Upgrade Guide - either "Minimal Effort"
procedure, or "Zero Downtime" procedure.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261#Configuration%20R80.10
QUESTION 270
What are types of Check Point APIs available currently as part of R80.10 code?
A. Security Gateway API, Management API, Threat Prevention API and Identity Awareness Web Services API
B. Management API, Threat Prevention API, Identity Awareness Web Services API and OPSEC SDK API
C. OSE API, OPSEC SDK API, Threat Prevention API and Policy Editor API
D. CPMI API, Management API, Threat Prevention API and Identity Awareness Web Services API
Correct Answer: B
Explanation/Reference:
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-management/7842/1/CP_R80_CheckPoint_API_ReferenceGuide.pdf
QUESTION 271
What is the purpose of Priority Delta in VRRP?
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/87911.htm
QUESTION 272
The Firewall kernel is replicated multiple times, therefore:
A. The Firewall kernel only touches the packet if the connection is accelerated
B. The Firewall can run different policies per core
C. The Firewall kernel is replicated only with new connections and deletes itself once the connection times out
D. The Firewall can run the same policy on all cores
Correct Answer: D
Explanation/Reference:
On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated
copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance
is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in the
Security Gateway process traffic through the same interfaces and apply the same security policy.
https://sc1.checkpoint.com/documents/R77/CP_R77_PerformanceTuning_WebAdmin/6731.htm
QUESTION 273
There are 4 ways to use the Management API for creating host object with R80 Management API. Which one is
NOT correct?
Correct Answer: C
Explanation/Reference:
R80 Management API
R80 Security Management Servers support hundreds of API calls to let you perform many tasks that are usually
done with the SmartConsole. These are the procedures you can use to make API calls:
SmartConsole CLI - From SmartConsole, you can open a CLI window and enter API commands.
mgmt_cli Tool - Runs in Expert mode and lets you enter commands from a Windows or Linux computer.
Note - You must enter the username and password with the mgmt_cli tool procedure.
Gaia CLI - Log in to the Gaia operating system with an administrator account on the Security Management
Server and enter API commands.
Web Services - Send HTTPS POST requests to the Security Management Server.
https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-management/7842/1/CP_R80_CheckPoint_API_ReferenceGuide.pdf
QUESTION 274
Which of the following types of authentication on Mobile Access can NOT be used as the first authentication
method?
A. Dynamic ID
B. RADIUS
C. Username and Password
D. Certificate
Correct Answer: A
Explanation/Reference:
User Authentication to the Mobile Access Portal
To enter the Mobile Access portal and get access to its applications, users defined in SmartDashboard must
authenticate to the Security Gateway. Authentication ensures that a user is who he or she claims to be. Users
authenticate using one of these Authentication schemes:
Check Point Password - Users are challenged to enter a password and user name that are stored in the
internal Security Gateway database.
Personal Certificates - Digital Certificates are issued by the Internal Certificate Authority or by a third party
OPSEC certified Certificate Authority.
RADIUS Server - Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme.
The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS
server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for
communications with the gateway. RADIUS Servers and RADIUS Server Group objects are defined in
SmartDashboard.
For more about configuring a Security Gateway to use a RADIUS server, see the R77 Security Gateway
Technical Administration Guide.
SecurID - SecurID is a proprietary authentication method of RSA Security. An external SecurID server
manages access by changing passwords every few seconds. Each user carries a SecurID token, a piece of
hardware that is synchronized with the central server and displays the current password. The Security Gateway
forwards authentication requests by remote users to the ACE/Server.
For more about configuring a Security Gateway to use SecurID, see the R77 Security Gateway Technical
Administration Guide.
A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access
gateway will not be allowed to access resources through the gateway.
Optionally, two-factor authentication with DynamicID One Time Password can also be required as a
secondary authentication method. When this is configured, users who successfully complete the first-phase
authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The
OTP is sent to their mobile communications device (such as a mobile phone) through SMS or directly to their
email account.
https://sc1.checkpoint.com/documents/R77/CP_R77_Mobile_Access_WebAdmin/41587.htm
QUESTION 275
Which command can you use to verify the number of active concurrent connections?
A. fw conn all
B. fw ctl pst pstat
C. show all connections
D. show connections
Correct Answer: B
Explanation/Reference:
The number of concurrent connections shown in CPView Utility is less than shown in the output of 'fw ctl pstat'
or in the output of 'fw tab -t connections -s' command.
The number of concurrent connections shown in CPView Utility differs depending on whether SecureXL is
enabled or disabled.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103496
QUESTION 276
Which remote Access Solution is clientless?
A. Checkpoint Mobile
B. Endpoint Security Suite
C. SecuRemote
D. Mobile Access Portal
Correct Answer: D
Explanation/Reference:
Mobile Access Clients
Capsule Workspace - An app that creates a secure container on the mobile device to give users access to
internal websites, file shares, and Exchange servers.
Capsule Connect - A full L3 tunnel app that gives users network access to all mobile applications.
Check Point Mobile for Windows - A Windows IPsec VPN client that supplies secure IPsec VPN connectivity
and authentication.
=========
Client-Based vs. Clientless
Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All
Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies,
such as airports or hotels. These are the types of installations for remote access solutions:
Client-based - Client application installed on endpoint computers and devices. Clients are usually installed on a
managed device, such as a company-owned computer. The client supplies access to most types of corporate
resources according to the access privileges of the user.
Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually
supply access to web-based corporate resources.
On demand client - Users connect through a web browser and a client is installed when necessary. The client
supplies access to most types of corporate resources according to the access privileges of the user.
https://sc1.checkpoint.com/documents/R77/CP_R77_Firewall_WebAdmin/92708.htm
QUESTION 277
What component of R80 Management is used for indexing?
A. DBSync
B. API Server
C. fwm
D. SOLR
Correct Answer: D
Explanation/Reference:
https://www.checkpoint.com/downloads/product-related/r80.10-mgmt-architecture-overview.pdf
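Solr is an enterprise search platform that provides the most advanced search capabilities in the security
console. When a user searches for data in the security console, Solr handles the request and fetches the data
from the PostgreSQL tables. For better search performance, Solr stores part of the data in cache.
Solr uses port 8983.
Solr is deployed in $FWDIR/solr.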
QUESTION 278
Which NAT rules are prioritized first?
Correct Answer: B
Explanation/Reference:
QUESTION 279
What is the difference between an event and a log?
Correct Answer: B
Explanation/Reference:
QUESTION 280
The system administrator of a company is trying to find out why acceleration is not working for the traffic. The
traffic is allowed according to the rule base and checked for viruses. But it is not accelerated. What is the most
likely reason that the traffic is not accelerated?
Correct Answer: D
Explanation/Reference:
QUESTION 281
During the Check Point Stateful Inspection Process, for packets that do not pass Firewall Kernel Inspection and
are rejected by the rule definition, packets are:
Correct Answer: C
Explanation/Reference:
PDF answer is D.
Reject action: The Firewall sends an RST packet to the originating end of the connection and the connection is
closed. This means C.
For packets that do not pass inspection and are rejected by rule definition, a negative acknowledgment (NACK) is
sent (i.e. RST packet on TCP and ICMP unreachable on UDP).
So the answer is C, without any doubt.
QUESTION 282
Which one of the following is true about Threat Extraction?
Correct Answer: B
Explanation/Reference:
QUESTION 283
Which is the correct order of a log flow processed by SmartEvent components:
A. Firewall > Correlation Unit > Log Server > SmartEvent Server Database > SmartEvent Client
B. Firewall > SmartEvent Server Database > Correlation Unit > Log Server > SmartEvent Client
C. Firewall > Log Server > SmartEvent Server Database > Correlation Unit > SmartEvent Client
D. Firewall > Log Server > Correlation Unit > SmartEvent Server Database > SmartEvent Client
Correct Answer: D
Explanation/Reference:
QUESTION 284
Which of these statements describes the Check Point ThreatCloud?
Correct Answer: D
Explanation/Reference:
https://www.checkpoint.com/support-services/threatcloud-managed-security-service/
QUESTION 285
Packet acceleration (SecureXL) identifies connections by several attributes. Which of the attributes is NOT
used for identifying connection?
A. Source Address
B. Destination Address
C. TCP Acknowledgment Number
D. Source Port
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Firewall_WebAdmin/92711.htm
QUESTION 286
When defining QoS global properties, which option below is not valid?
A. Weight
B. Authenticated timeout
C. Schedule
D. Rate
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_QoS_AdminGuide/14871.htm
QUESTION 287
The WebUI offers three methods for downloading Hotfixes via CPUSE. One of them is the Automatic method. How
many times per day will CPUSE agent check for hotfixes and automatically download them?
Correct Answer: D
Explanation/Reference:
The Software Updates feature was renamed to Check Point Upgrade Service Engine (CPUSE) in R77.20. With
CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?
topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/112109
QUESTION 288
How would you deploy TE250X Check Point appliance just for email traffic and in-line mode without a Check
Point Security Gateway?
Correct Answer: C
Explanation/Reference:
http://dl3.checkpoint.com/paid/f2/f2faf02dba06acad8cc4c57833593df6/
CP_TE100X_TE250X_Appliance_GettingStartedGuide.pdf?
Product Benefits
Prevent new and unknown attacks in documents and executable files
Makes it virtually impossible for hackers to evade detection
Reduces costs by leveraging existing security infrastructure
Maximize protection through unified management, monitoring, and reporting
Increase security with automatic sharing of new attack information with ThreatCloud™
Product Features
Identify new malware hidden in over 40 files types, including: Adobe PDF, Microsoft Office, Java, Flash,
executables, and archives
Protect against attacks targeting multiple Windows OS environments
A range of appliances are available with scan rates from 100K to 2M file-scans per month
Threat Extraction removes exploitable content to deliver clean files without delay
Unique CPU-Level technology catches malware before it has an opportunity to deploy and evade detection
Insights
With the increase in sophistication of cyber threats, many targeted attacks begin with exploiting software
vulnerabilities in downloaded files and email attachments. These threats include new exploits, or even variants
of known exploits unleashed almost daily with no existing signatures and therefore no standard solutions to
detect those variants. New and undiscovered threats require new solutions that go beyond signatures of known
threats.
Solution
Check Point SandBlast Zero-Day Protection, with evasion-resistant malware detection, provides
comprehensive protection from even the most dangerous attacks while ensuring quick delivery of safe content
to your users. At the core of our solution are two unique capabilities – Threat Emulation and Threat Extraction
that take threat defense to the next level.
As part of the Check Point SandBlast solution, the Threat Emulation engine picks up malware at the exploit
phase, even before hackers can apply evasion techniques attempting to bypass the sandbox. Files are quickly
quarantined and inspected, running in a virtual sandbox to discover malicious behavior before it enters your
network. This innovative solution combines CPU-level inspection and OS-level sandboxing to prevent infection
from the most dangerous exploits, and zero-day and targeted attacks.
In addition, the SandBlast Threat Extraction capability immediately provides a safe version of potentially
malicious content to users. Exploitable content, including active content and various forms of embedded
objects, are extracted out of the reconstructed file to eliminate potential threats. Access to the original
suspicious version is blocked, until it can be fully analyzed by SandBlast Zero-Day Protection. Users have
immediate access to content, and can be confident they are protected from the most advanced malware and
zero-day threats.
QUESTION 289
In SmartEvent, what are the different types of automatic reactions that the administrator can configure?
A. Mail, Block Source, Block Event Activity, External Script, SNMP Trap
B. Mail, Block Source, Block Destination, Block Services, SNMP Trap
C. Mail, Block Source, Block Destination, External Script, SNMP Trap
D. Mail, Block Source, Block Event Activity, Packet Capture, SNMP Trap
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_SmartEvent_AdminGuide/17401.htm
QUESTION 290
Identify the API that is not supported by Check Point currently.
Correct Answer: C
Explanation/Reference:
http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/
CP_R80_CheckPoint_API_ReferenceGuide.pdf?
HashKey=1517091458_be29bd4732d8d22283df32ccaaffc482&xtn=.pdf
OPSEC SDK
The OPSEC SDK contains APIs for commands that were originally used with SecurePlatform. You
can also use these commands on the Gaia operating system. The OPSEC APIs can open and
monitor connections between the Security Management Server and gateways and other hosts and
objects. The OPSEC SDK is very powerful and accesses the tables in the Security Management
Server database.
For more about how to use the OPSEC SDK, go to sk63026
http://supportcontent.checkpoint.com/solutions?id=sk63026.
Sample Command with OPSEC SDK
You can use the cp_conf sic state command to show the SIC status for a gateway or host.
> cp_conf sic state
Output - Trust State: Trust established
QUESTION 291
Using mgmt_cli, what is the correct syntax to import a host object called Server_1 from the CLI?
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-host~v1.1
mgmt_cli add host name "New Host 1" ip-address "192.0.2.1" --version 1.1 --format json
• "--format json" is optional. By default the output is presented in plain text.
QUESTION 292
SandBlast has several functional components that work together to ensure that attacks are prevented in
real time. Which of the following is NOT part of the SandBlast component?
A. Threat Emulation
B. Mobile Access
C. Mail Transfer Agent
D. Threat Cloud
Correct Answer: C
Explanation/Reference:
https://www.checkpoint.com/products-solutions/zero-day-protection/
QUESTION 293
Vanessa is expecting a very important Security Report. The Document should be sent as an attachment via
email. An e-mail with Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file,
she noticed that the file is basically empty and only few lines of text are in it. The report is missing some graphs,
tables and links. Which component of SandBlast protection is her company using on a Gateway?
Correct Answer: D
Explanation/Reference:
SandBlast Threat Extraction
As part of the Check Point Zero-Day Protection SandBlast solution, the Threat Extraction capability removes
exploitable content, including active content and embedded objects, reconstructs files to eliminate potential
threats, and promptly delivers sanitized content to users to maintain business flow.
QUESTION 294
What is the command to see cluster status in cli expert mode?
A. fw ctl stat
B. clusterXL stat
C. clusterXL status
D. cphaprob stat
Correct Answer: D
Explanation/Reference:
PDF answer is A, but I think it should be D.
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_CLI_ReferenceGuide/
html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/
CP_R80.30_CLI_ReferenceGuide/204663_1
cphaprob stat lists the state of the high availability cluster members. It should show active and standby devices.
QUESTION 295
On R80.10 when configuring Third-Party devices to read the logs using the LEA (Log Export API) the default
Log Server uses port:
A. 18210
B. 18184
C. 257
D. 18191
Correct Answer: B
Explanation/Reference:
Configuring SmartEvent to use a Non-Standard LEA Port
You can get logs from and send logs to a third-party Log Server. The Check Point Log Server and the third
party Log Server use the LEA (Log Export API) protocol to read logs. By default, the Check Point Log Server
uses port 18184 for this connection. If you configure the Log Server to use a different LEA port, you must
manually configure the new port on the SmartEvent Server and on the SmartEvent Correlation Unit.
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?
topic=documents/R80/CP_R80_LoggingAndMonitoring/120829
QUESTION 296
If the first packet of a UDP session is rejected by a security policy, what does the firewall send to the client?
A. Nothing
B. TCP FIN
C. TCP RST
D. ICMP unreachable
Correct Answer: A
Explanation/Reference:
QUESTION 297
What is the mechanism behind Threat Extraction?
A. This is a new mechanism which extracts malicious files from a document to use it as a counter-attack
against its sender
B. This is a new mechanism which is able to collect malicious files out of any kind of file types to destroy it prior
to sending it to the intended recipient
C. This is a new mechanism to identify the IP address of the sender of malicious codes and to put it into the
SAM database (Suspicious Activity Monitoring).
D. Any active contents of a document, such as JavaScripts, macros and links will be removed from the
document and forwarded to the intended recipient, which makes this solution very fast.
Correct Answer: D
Explanation/Reference:
QUESTION 298
What is the benefit of Manual NAT over Automatic NAT?
A. If you create a new Security Policy, the Manual NAT rules will be transferred to this new policy
B. There is no benefit since Automatic NAT has in any case higher priority over Manual NAT
C. You have the full control about the priority of the NAT rules
D. On IPSO and GAIA Gateways, it is handled in a Stateful manner
Correct Answer: C
Explanation/Reference:
QUESTION 299
The CPD daemon is a Firewall Kernel Process that does NOT do which of the following?
Correct Answer: B
Explanation/Reference:
PDF is D - pulls, but I think it should be B, because it is done by cpwd. A, C and D are done via cpd.
CPD
Port 18191 - Generic process (add-ons container) for many Check Point services, such as installing and
fetching policy, and online updates
Port 18211 - SIC push certificate (from Internal CA)
fwm (Firewall Management): runs on Security Management Server (SMS) only and handles most
SmartConsole GUI connections, policy verification & compilation, and Management HA Sync
fwd (Firewall Daemon): runs on both SMS's and Security Gateways - mainly handles passing of logs from the
Security Gateways to the SMS, but on the Security Gateway also acts as a parent process to many security
server processes that do advanced inspection outside the kernel
cpd (Check Point Daemon): runs on both SMS's and Security Gateways - handles generic functions such as
SIC/certificates, licensing, SmartView Monitor, and pushing/fetching policy between the SMS and Security
Gateway
cpwd (Check Point Watchdog Daemon): runs on both SMS's and Security Gateways - Monitors all Check
Point user-space processes and restarts them if they die similarly to the Unix process "init". Run "cpwd_admin
list" to see what daemons it monitors
“CPD – Check Point Daemon is a core process on every Check Point product. It allows SIC functionality, pulls
application monitoring status, transfers messages between firewall processes, fetches and installs policy,
and more.”
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk97638
QUESTION 300
Which of the following is NOT an attribute of packet acceleration?
A. Source address
B. Protocol
C. Destination port
D. Application Awareness
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92711.htm
QUESTION 301
Which is a suitable command to check whether Drop Templates are activated or not?
Correct Answer: B
Explanation/Reference:
[Expert@FW]# fwaccel stat
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk71200
QUESTION 302
Please choose correct command syntax to add an “emailserver1” host with IP address 10.50.23.90 using GAIA
management CLI?
Correct Answer: D
Explanation/Reference:
D for GAiA management CLI - management API commands in Gaia's shell
C would be correct in CLISH - API commands from the SmartConsole GUI
https://sc1.checkpoint.com/documents/R80/APIs/#gaia_cli%20
QUESTION 303
The CDT utility supports which of the following?
Correct Answer: D
Explanation/Reference:
Central Deployment Tool (CDT)
The Central Deployment Tool (CDT) is a utility that runs on a Security
Management Server / Multi-Domain Security Management Server (running Gaia OS).
It allows the administrator to automatically install CPUSE Offline packages (Hotfixes, Jumbo Hotfix
Accumulators (Bundles), Upgrade to a Minor Version, Upgrade to a Major Version) on multiple managed
Security Gateways and Cluster Members at the same time.
The CDT uses CPUSE (Gaia Software Updates) Agents on the remote managed Security Gateways and
Cluster Members to perform package installation. The CDT monitors and manages the entire process.
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk97443
QUESTION 304
Using ClusterXL, what statement is true about the Sticky Decision Function?
Correct Answer: A
Explanation/Reference:
The Sticky Decision Function enables certain services to operate in a Load Sharing deployment. For
example, it is required for L2TP traffic, or when the cluster is a participant in a site to site VPN tunnel with a
third party peer.
The following services and connection types are now supported by enabling the Sticky Decision Function:
VPN deployments with third-party VPN peers
SecureClient/SecuRemote/SSL Network Extender encrypted connections, including SecureClient visitor
mode
The Sticky Decision Function has the following limitations:
Sticky Decision Function is not supported when employing either Performance Pack or a hardware-based
accelerator card. Enabling the Sticky Decision Function disables these acceleration products.
When the Sticky Decision Function is used in conjunction with VPN, cluster members are prevented from
opening more than one connection to a specific peer. Opening another connection would cause another SA
to be generated, which a third-party peer, in many cases, would not be able to process.
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7290.htm
QUESTION 305
What command would show the API server status?
A. cpm status
B. api restart
C. api status
D. show api status
Correct Answer: C
Explanation/Reference:
api status or api status -s
API Settings:
———————
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Port Details:
——————-
QUESTION 306
How do Capsule Connect and Capsule Workspace differ?
A. Capsule Connect provides a Layer3 VPN. Capsule Workspace provides a Desktop with usable applications
B. Capsule Workspace can provide access to any application
C. Capsule Connect provides Business data isolation
D. Capsule Connect does not require an installed application at client
Correct Answer: A
Explanation/Reference:
QUESTION 307
Which of the following is a new R80.10 Gateway feature that had not been available in R77.X and older?
A. The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the
order in which they are defined, allowing control over the rule base flow and which security functionalities
take precedence.
B. Limits the upload and download throughput for streaming media in the company to 1 Gbps.
C. Time object to a rule to make the rule active only during specified times.
D. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched,
inspection will continue in the sub policy attached to it rather than in the next rule.
Correct Answer: D
Explanation/Reference:
http://dl3.checkpoint.com/paid/1f/1f850d1640792cf885336cc6ae8b2743/CP_R80_ReleaseNotes.pdf?
QUESTION 308
What are the three components for Check Point Capsule?
A. Capsule Docs, Capsule Cloud, Capsule Connect
B. Capsule Workspace, Capsule Cloud, Capsule Connect
C. Capsule Workspace, Capsule Docs, Capsule Connect
D. Capsule Workspace, Capsule Docs, Capsule Cloud
Correct Answer: D
Explanation/Reference:
https://www.checkpoint.com/products-solutions/mobile-security/check-point-capsule/
QUESTION 309
Full synchronization between cluster members is handled by Firewall Kernel. Which port is used for this?
Correct Answer: D
Explanation/Reference:
PDF answer is B_TCP 265, BUT
Synchronization works in two modes:
Full Sync transfers all Security Gateway kernel table information from one Cluster Member to another. The fwd
daemon handles the Full Sync using an encrypted TCP connection on port 256.
Delta Sync transfers changes in the kernel tables between Cluster Members. The Security Gateway kernel
handles the Delta Sync using UDP connections on port 8116.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ClusterXL_AdminGuide/
html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/
CP_R80.10_ClusterXL_AdminGuide/7288&anchor=o197005
QUESTION 310
What is true about the IPS-Blade?
Correct Answer: A
Explanation/Reference:
QUESTION 311
Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new
multicore CPU to replace the existing single core CPU. After installation, is the administrator required to
perform any additional tasks?
A. Go to clish - Run cpstop | Run cpstart
B. Go to clish - Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot
Security Gateway
C. Administrator does not need to perform any task. Check Point will make use of the newly installed CPU and
Cores
D. Go to clish - Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot
Security Gateway | Install Security Policy
Correct Answer: B
Explanation/Reference:
QUESTION 312
When installing a dedicated R80 SmartEvent server, what is the recommended size of the root partition?
A. Any size
B. Less than 20GB
C. More than 10GB and less than 20 GB
D. At least 20GB
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?
topic=documents/R80/CP_R80_LoggingAndMonitoring/120829
QUESTION 313
Which firewall daemon is responsible for the FW CLI commands?
A. fwd
B. fwm
C. cpm
D. cpd
Correct Answer: A
Explanation/Reference:
last letter "d" means daemon.
QUESTION 314
If the Active Security Management Server fails or if it becomes necessary to change the Active to Standby, the
following steps must be taken to prevent data loss. Providing the Active Security Management Server is
responsible, which of these steps should NOT be performed:
A. Rename the hostname of the Standby member to match exactly the hostname of the Active member.
B. Change the Standby Security Management Server to Active.
C. Change the Active Security Management Server to Standby.
D. Manually synchronize the Active and Standby Security Management Servers.
Correct Answer: A
Explanation/Reference:
QUESTION 315
Using R80 Smart Console, what does a “pencil icon” in a rule mean?
Correct Answer: A
Explanation/Reference:
QUESTION 316
Which method below is NOT one of the ways to communicate using the Management APIs?
Correct Answer: D
Explanation/Reference:
D is http, is not https !!! TMD
Using the Management APIs
There are four ways to communicate using the Management APIs:
Typing API commands from a dialog inside the SmartConsole GUI application.
Typing API commands using the "mgmt_cli" executable (available in both Windows, Linux/Gaia flavors).
Typing API commands using Gaia's secure shell (clish).
Sending API commands over an https connection using web-services
https://sc1.checkpoint.com/documents/R80/APIs/#introduction
QUESTION 317
Session unique identifiers are passed to the web api using which http header option?
A. X-chkp-sid
B. Accept-Charset
C. Proxy-Authorization
D. Application
Correct Answer: A
Explanation/Reference:
PDF answer is C_Proxy-Auth, But should be A_ X-chkp-sid
Log in to the server with your Check Point User Center username (usually an email address) and password.
The server returns your session unique identifier. Enter this session unique identifier in the 'X-chkp-sid' header
of each request.
X-chkp-sid - Session unique identifier as the response to the login request
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/
CP_R80.20_Zero_Touch_REST_API_User_Guide/html_frameset.htm?topic=documents/R80.20_GA/
WebAdminGuides/EN/CP_R80.20_Zero_Touch_REST_API_User_Guide/205199
QUESTION 318
What is the main difference between Threat Extraction and Threat Emulation?
A. Threat Emulation never delivers a file and takes more than 3 minutes to complete
B. Threat Extraction always delivers a file and takes less than a second to complete
C. Threat Emulation never delivers a file that takes less than a second to complete
D. Threat Extraction never delivers a file and takes more than 3 minutes to complete
Correct Answer: B
Explanation/Reference:
QUESTION 319
Which one of these features is NOT associated with the Check Point URL Filtering and Application Control
Blade?
A. Detects and blocks malware by correlating multiple detection engines before users are affected.
B. Configure rules to limit the available network bandwidth for specified users or groups.
C. Use UserCheck to help users understand that certain websites are against the company’s security policy.
D. Make rules to allow or block applications and Internet sites for individual applications, categories, and risk
levels.
Correct Answer: A
Explanation/Reference:
The Application Control and URL Filtering Policy determines who can access which applications and sites
from an organization. The primary component of the Policy is the Rule Base. The rules use the Application and
URL Filtering Database, network objects and custom objects (if defined).
Limit Objects
Use the Limit action in rules to limit the bandwidth that is permitted for a rule in the Application Control and
URL Filtering Rule Base. Configure a maximum throughput for uploads and downloads. The Limit action makes
sure that employee use of the internet does not impede important business tasks.
You can add one Limit object to a rule. It can include upload and download rates.
Download - From the internet to the organization.
Upload - From the organization to the internet.
When the limit is reached, the gateway begins to drop packets. The Application Control logs show dropped
packets.
Application Categories
In the Application and URL Filtering Database, each application is assigned to one primary category based on
its most defining aspect. See the category in the description of each application and in the logs.
In the Application and URL Filtering Database, each application can have additional categories, which are
characteristics of the application. For example, some of the additional categories of Gmail include: Supports
File Transfer, Sends mail, and Instant Chat. If an additional category is in a rule, the rule matches all
applications that are marked with it.
Note - In the AppWiki, additional categories are called tags.
When you use the AppWiki or add applications to the Rule Base, you can filter by additional category or risk
level to see all applications with that characteristic. This is a good way to get ideas of types of applications that
you might want to block or allow.
If new applications are added to an additional category that is in an Application Control or URL Filtering rule, the
rule is updated automatically when the database is updated.
https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/60902.htm
QUESTION 320
You want to store the GAIA configuration in a file for later reference. What command should you use?
Correct Answer: D
Explanation/Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk102234
QUESTION 321
Traffic from source 192.168.1.1 is going to www.google.com. The Application Control Blade on the gateway is
inspecting the traffic. Assuming acceleration is enabled, which path is handling the traffic?
A. Slow Path
B. Medium Path
C. Fast Path
D. Accelerated Path
Correct Answer: A
Explanation/Reference:
QUESTION 322
From the SecureXL perspective, what are the three paths of traffic flow:
Correct Answer: D
Explanation/Reference:
Using SecureXL
SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise
security. When SecureXL is enabled on a Security Gateway, some CPU intensive operations are processed by
virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more
efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
Slow path (Firewall path)– Packets and connections that are inspected by the Firewall and are not processed
by SecureXL.
Accelerated path – Packets and connections that are offloaded to SecureXL and are not processed by the
Firewall.
Medium path – Packets that require deeper inspection cannot use the accelerated path. It is not necessary for
the Firewall to inspect these packets, they can be offloaded and do not use the slow path.
For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the
IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the
slow path.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92711.htm
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk98737#Packet
QUESTION 323
You are asked to check the status of several user-mode processes on the management server and
gateway. Which of the following processes can only be seen on a Management Server?
A. fwd
B. fwm
C. cpd
D. cpwd
Correct Answer: B
Explanation/Reference:
QUESTION 324
R80.10 management server can manage gateways with which versions installed?
Correct Answer: C
Explanation/Reference:
PDF answer is B-R76,
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk113113
=======
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ReleaseNotes/
html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/
CP_R80.10_ReleaseNotes/195189&anchor=o161621
QUESTION 325
You want to verify if there are unsaved changes in GAIA that will be lost with a reboot. What command can be
used?
A. show unsaved
B. show save-state
C. show configuration diff
D. show config-state
Correct Answer: D
Explanation/Reference:
QUESTION 326
In what way is Secure Network Distributor (SND) a relevant feature of the Security Gateway?
A. SND is a feature to accelerate multiple SSL VPN connections
B. SND is an alternative to IPSec Main Mode, using only 3 packets
C. SND is used to distribute packets among Firewall instances
D. SND is a feature of fw monitor to capture accelerated packets
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm
QUESTION 327
Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an
Active-Active cluster.
A. Symmetric routing
B. Failovers
C. Asymmetric routing
D. Anti-Spoofing
Correct Answer: C
Explanation/Reference:
PDF answer is B-Failovers, But I think maybe C-Asymmetric routing.
At its most basic level, there can be a race condition between Load Sharing cluster members in which
asymmetric return traffic for a new connection “outruns” the state sync update between cluster members. When
an outrun occurs SDF ensures the packet is always handled by the same cluster member and not dropped.
QUESTION 328
What are the steps to configure the HTTPS Inspection Policy?
Correct Answer: A
Explanation/Reference:
PDF answer is C. BUT it should be A
QUESTION 329
What is the difference between SSL VPN and IPSec VPN?
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Mobile_Access_WebAdmin/83586.htm
QUESTION 330
Which statement is NOT TRUE about Delta synchronization?
Correct Answer: A
Explanation/Reference:
How State Synchronization Works
Synchronization works in two modes:
Full sync transfers all Security Gateway kernel table information from one cluster member to another. It is
handled by the fwd daemon using an encrypted TCP connection.
Delta sync transfers changes in the kernel tables between cluster members. Delta sync is handled by the
Security Gateway kernel using UDP multicast or broadcast on port 8116.
Full sync is used for initial transfers of state information, for many thousands of connections. If a cluster
member is brought up after being down, it will perform full sync. After all members are synchronized, only
updates are transferred via delta sync. Delta sync is quicker than full sync.
State Synchronization traffic typically makes up around 90% of all Cluster Control Protocol (CCP) traffic. State
Synchronization packets are distinguished from the rest of CCP traffic via an opcode in the UDP data header.
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7288.htm
QUESTION 331
Under which file is the proxy arp configuration stored?
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76SP.10/CP_R76SP.10_SecuritySystem_AdminGuide/105233.htm
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk30197
Configuration for Proxy ARP is two-fold:
Configuring Layer2-to-Layer3 matching on Security Gateway / each cluster member - matching IP addresses
of the relevant hosts on the Internal network (where the hosts are located) to the MAC Address of the Security
Gateway on the External network (where the IP addresses of these hosts should be published).
On Check Point Security Gateway / Cluster member, this matching is saved in the $FWDIR/conf/local.arp file
QUESTION 332
Customer’s R80 management server needs to be upgraded to R80.10. What is the best upgrade method when
the management server is not connected to the Internet?
A. Export R80 configuration, clean install R80.10 and import the configuration
B. CPUSE online upgrade
C. CPUSE offline upgrade
D. SmartUpdate upgrade
Correct Answer: C
Explanation/Reference:
QUESTION 333
SmartEvent does NOT use which of the following procedures to identify events:
Correct Answer: C
Explanation/Reference:
High Level Overview of Event Identification
Events are detected by the SmartEvent Correlation Unit. The Correlation Unit task is to scan logs for criteria
that match an Event Definition.
SmartEvent uses these procedures to identify events:
https://sc1.checkpoint.com/documents/R76/CP_R76_SmartEvent_AdminGuide/17401.htm
QUESTION 334
John is using Management HA. Which Smartcenter should be connected to for making changes?
A. secondary Smartcenter
B. active Smartcenter
C. connect virtual IP of Smartcenter HA
D. primary Smartcenter
Correct Answer: B
Explanation/Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk54160
QUESTION 335
Which path below is available only when CoreXL is enabled?
A. Slow path
B. Firewall path
C. Medium path
D. Accelerated path
Correct Answer: C
Explanation/Reference:
Accelerated path - The packet is completely handled by the SecureXL device. It is processed and forwarded to
the network.
Medium path (PXL) - Packet flow when the packet is handled by the SecureXL device, except for IPS (some
protections) / VPN (in some configurations) / Application Control / Content Awareness / Anti-Virus / Anti-Bot /
HTTPS Inspection / Proxy mode / Mobile Access / VoIP / Web Portals. The CoreXL layer passes the packet to
one of the CoreXL FW instances to perform the processing.
This path is available only when CoreXL is enabled.
Firewall path / Slow path - The SecureXL device is unable to process the packet (refer to sk32578 (SecureXL
Mechanism)). The packet is passed on to the CoreXL layer and then to one of the CoreXL FW instances for full
processing.
This path also processes all packets when SecureXL is disabled.
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk98737#Packet
QUESTION 336
Which of the following describes how Threat Extraction functions?
Correct Answer: B
Explanation/Reference:
If D-Deliver is "extraction" remove active content from MSOffice and PDF and deliver a safe copy always",
should be D.
QUESTION 337
The SmartEvent R80 Web application for real-time event monitoring is called:
A. SmartView Monitor
B. SmartEventWeb
C. There is no Web application for SmartEvent
D. SmartView
Correct Answer: B
Explanation/Reference:
SmartView Web Application
A SmartEvent Web application. It has the same real-time event monitoring and analysis views as
SmartConsole, with the convenience of not having to install a client.
Browse to: https://<Server IP>/smartview/, where <Server IP> is IP address of the Security Management Server
or SmartEvent server.
QUESTION 338
SandBlast offers flexibility in implementation based on their individual business needs. What is an option for
deployment of Check Point SandBlast Zero-Day Protection?
Correct Answer: C
Explanation/Reference:
PDF answer is A-cloud services. BUT prefer C-Threat Agent Solution
QUESTION 339
What SmartEvent component creates events?
A. Consolidation Policy
B. Correlation Unit
C. SmartEvent Policy
D. SmartEvent GUI
Correct Answer: B
Explanation/Reference:
QUESTION 340
Which Threat Prevention Profile is not included by default in R80 Management?
A. Basic – Provides reliable protection on a range of non-HTTP protocols for servers, with minimal impact on
network performance
B. Optimized – Provides excellent protection for common network products and protocols against recent or
popular attacks
C. Strict – Provides a wide coverage for all products and protocols, with impact on network performance
D. Recommended – Provides all protection for all common network products and servers, with impact on
network performance
Correct Answer: D
Explanation/Reference:
SmartConsole includes these default Threat Prevention profiles:
Optimized - Provides excellent protection for common network products and protocols against recent or
popular attacks
Strict - Provides a wide coverage for all products and protocols, with impact on network performance
Basic - Provides reliable protection on a range of non-HTTP protocols for servers, with minimal impact on
network performance
https://sc1.checkpoint.com/documents/R80/CP_R80BC_ThreatPrevention/html_frameset.htm?
topic=documents/R80/CP_R80BC_ThreatPrevention/136486
QUESTION 341
When using Monitored circuit VRRP, what is a priority delta?
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/87911.htm
QUESTION 342
Which of the following is NOT an option to calculate the traffic direction?
A. Incoming
B. Internal
C. External
D. Outgoing
Correct Answer: C
Explanation/Reference:
PDF is D-Outgoing, But I think it is C-External
To help SmartEvent conclude if events originated internally or externally, you must define the Internal Network.
These are the options to calculate the traffic direction:
Incoming – all the sources are external to the network and all destinations are inner
Outgoing – all sources are in the network and all destinations external
Internal – sources and destinations are all in the network
Other – a mixture of internal and external values makes the result indeterminate
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?
topic=documents/R80/CP_R80_LoggingAndMonitoring/131915
QUESTION 343
When an encrypted packet is decrypted, where does this happen?
A. Security policy
B. Inbound chain
C. Outbound chain
D. Decryption is not supported
Correct Answer: B
Explanation/Reference:
PDF is A-Security policy, but I am not sure, maybe B-Inbound chain ....
fw ctl chain
Example:
in chain (17):
0: -7f800000 (f206df90) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 2000000 (f149dd70) (00000003) vpn decrypt (vpn)
2: - 1fffff8 (f14a8b20) (00000001) l2tp inbound (l2tp)
3: - 1fffff6 (f206f290) (00000001) Stateless verifications (in) (asm)
4: - 1fffff2 (f14c4940) (00000003) vpn tagging inbound (tagging)
5: - 1fffff0 (f149bc10) (00000003) vpn decrypt verify (vpn_ver)
6: - 1000000 (f20c4980) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (f201df50) (00000001) fw VM inbound (fw)
8: 1 (f2087ed0) (00000002) wire VM inbound (wire_vm)
9: 10 (f202f610) (00000001) fw accounting inbound (acct)
10: 2000000 (f149eaf0) (00000003) vpn policy inbound (vpn_pol)
11: 10000000 (f20ca740) (00000003) SecureXL inbound (secxl)
12: 7f600000 (f20646b0) (00000001) fw SCV inbound (scv)
13: 7f730000 (f21b11f0) (00000001) passive streaming (in) (pass_str)
14: 7f750000 (f231c540) (00000001) TCP streaming (in) (cpas)
15: 7f800000 (f206e320) (ffffffff) IP Options Restore (in) (ipopt_res)
16: 7fb00000 (f22de3b0) (00000001) HA Forwarding (ha_for)
https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-x-Performance-Tuning-and-Debug-Tips-fw-monitor/td-p/41563
QUESTION 344
Which of the following is NOT a component of Check Point Capsule?
A. Capsule Docs
B. Capsule Cloud
C. Capsule Enterprise
D. Capsule Workspace
Correct Answer: C
Explanation/Reference:
https://www.checkpoint.com/download/products/sg-capsule-solution.pdf
QUESTION 345
You have successfully backed up your Check Point configurations without the OS information. What command
would you use to restore this backup?
A. restore_backup
B. import backup
C. cp_merge
D. migrate import
Correct Answer: D
Explanation/Reference:
PDF is A-restore_backup, but I think it should be D-migrate import
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk54100#1.1.1
QUESTION 346
What is the best sync method in the ClusterXL deployment?
Correct Answer: B
Explanation/Reference:
Maybe because of this reason...
Important Note: Based on the reports from the field and multiple tests in the lab, the use of more than one
Synchronization Network for redundancy is not supported for the following reasons:
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk92804#Limitations
QUESTION 347
Can multiple administrators connect to a Security Management Server at the same time?
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/
CP_R80_SecMGMT/124265
QUESTION 348
What Identity Agent allows packet tagging and computer authentication?
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/
CP_R80.10_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/
EN/CP_R80.10_IdentityAwareness_AdminGuide/148759
https://sc1.checkpoint.com/documents/R77/CP_R77_IdentityAwareness_WebAdminGuide/html_frameset.htm?
topic=documents/R77/CP_R77_IdentityAwareness_WebAdminGuide/62838
QUESTION 349
In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. Which of the following
options can you add to each Log, Detailed Log and Extended Log?
A. Accounting
B. Suppression
C. Accounting/Suppression
D. Accounting/Extended
Correct Answer: C
Explanation/Reference:
Tracking Options
Network Log - Generates a log with only basic Firewall information: Source, Destination, Source Port,
Destination Port, and Protocol.
Log - Equivalent to the Network Log option, but also includes the application name (for example, Dropbox), and
application information (for example, the URL of the Website). This is the default Tracking option.
Full Log - Equivalent to the log option, but also records data for each URL request made.
If suppression is not selected, it generates a complete log (as defined in pre-R80 management).
If suppression is selected, it generates an extended log (as defined in pre-R80 management).
None - Do not generate a log.
You can add these options to a Log, Full Log, or Network Log:
Accounting - If selected, update the log every 10 minutes, to show how much data has passed in the
connection: Upload bytes, Download bytes, and browse time.
Suppression - If selected, one log is generated every three hours for all the connections.
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?
topic=documents/R80/CP_R80_LoggingAndMonitoring/131914
QUESTION 350
You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were
dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to
use Priority Queues and fully enable Dynamic Dispatcher. How can you enable them?
Correct Answer: A
Explanation/Reference:
SK105261
Configuration on Security Gateway R80.10 and above
fw ctl multik dynamic_dispatching on
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261
QUESTION 351
Which two of these Check Point Protocols are used by SmartEvent Processes?
Correct Answer: D
Explanation/Reference:
?????
PDF is B-FWD and LEA, ... but FWD is a daemon ...
LEA - The Log Export API enables you to export log files to third-party log servers.
ELA - The Event Logging API allows Check Point to receive logs from third-party software.
https://sc1.checkpoint.com/documents/R77/CP_R77_SmartEvent_WebAdminGuide/html_frameset.htm?
topic=documents/R77/CP_R77_SmartEvent_WebAdminGuide/55201
QUESTION 352
To ensure that VMAC mode is enabled, which CLI command should you run on all cluster members?
Correct Answer: C
Explanation/Reference:
PDF is B, BUT I think it is D
1) First get the current value of global kernel parameter by running this command on a cluster member:
fw ctl get int fwha_vmac_global_param_enabled
2) Set the new value by running
fw ctl set int fwha_vmac_global_param_enabled VALUE
Where:
VALUE Description
1 VMAC enabled
0 VMAC disabled
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm
To minimize possible traffic outage during a fail-over, configure the cluster to use a virtual MAC address
(VMAC).
By enabling Virtual MAC in ClusterXL High Availability mode, or Load Sharing Unicast mode, all cluster
members associate the same Virtual MAC address with all Cluster Virtual Interfaces and the Virtual IP address.
In Virtual MAC mode, the VMAC that is advertised by the cluster members (through G-ARP Requests) keeps
the real MAC address of each member and adds a Virtual MAC address on top of it.
VMAC mode is supported only on SecurePlatform and Gaia.
=============
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk50840
QUESTION 353
What is the SOLR database for?
A. Used for full text search and enables powerful matching capabilities
B. Writes data to the database and full text search
C. Serves GUI responsible to transfer request to the DLE server
D. Enables powerful matching capabilities and writes data to the database
Correct Answer: A
Explanation/Reference:
https://en.wikipedia.org/wiki/Apache_Solr
QUESTION 354
Which of the following commands is used to monitor cluster members?
A. cphaprob state
B. cphaprob status
C. cphaprob
D. cluster state
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7298.htm
QUESTION 355
# Fill in the blank: Service blades must be attached to a ______.
A. Security Gateway
B. Management container
C. Management server
D. Security Gateway container
Correct Answer: D
Explanation/Reference:
PDF answer is A, BUT The CCSA R80 book (Page 446).
“Service Blades must be attached to a Security Gateway Container.”
When a Service Blade is purchased à la carte, that is to say a Service Blade purchased outside of a gateway
bundle package or support renewal, it must be manually attached to the Security Gateway.
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk80840
QUESTION 356
Fill in the blank: An LDAP server holds one or more ______.
A. Server Units
B. Administrator Units
C. Account Units
D. Account Servers
Correct Answer: C
Explanation/Reference:
Account Units
An Account Unit is the interface between the Security Management server, Security Gateways, and the LDAP
servers.
An Account Unit represents one or more branches of the data on the LDAP server. You can have several
Account Units, for one or multiple LDAP servers. The users in the system are divided among the branches of
an Account Unit, and among all the Account Units.
For example, in a bank with one LDAP server, one Account Unit represents users with business accounts
and a second Account Unit represents users with private accounts. In the business accounts Account Unit,
large business users are in one branch and small business users are in another branch.
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityManagement_WebAdminGuide/
html_frameset.htm?topic=documents/R77/CP_R77_SecurityManagement_WebAdminGuide/94041
QUESTION 357
Fill in the blank: In Security Gateways R75 and above, SIC uses ______ for encryption.
A. AES-128
B. AES-256
C. DES
D. 3DES
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/
CP_R80_SecMGMT/125443
QUESTION 358
# What protocol is specifically used for clustered environments?
A. Cluster Protocol
B. Synchronized Cluster Protocol
C. Control Cluster Protocol
D. Cluster Control Protocol
Correct Answer: D
Explanation/Reference:
The Cluster Control Protocol (CCP) is a proprietary Check Point protocol. It is the basis of Check Point High
Availability (CPHA) and new synchronization functionality.
https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/5990/FILE/
sk31085_Cluster_Control_Protocol_Functionality.pdf
QUESTION 359
Which of the following is NOT a tracking option? (Select three)
A. Partial log
B. Log
C. Network log
D. Full log
Explanation/Reference:
Tracking Options
Select these options in the Track column of a rule:
None - Do not generate a log.
Log - This is the default Track option. It shows all the information that the Security Gateway used to match
the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is
a match on a rule that specifies an application, a session log shows the application name (for example,
Dropbox). If there is a match on a rule that specifies a Data Type, the session log shows information about
the files, and the contents of the files.
Accounting - Select this to update the log at 10-minute intervals, to show how much data has passed in
the connection: Upload bytes, Download bytes, and browse time.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/
CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/
WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/131914
QUESTION 360
Which command shows the installed licenses?
A. cplic print
B. print cplic
C. fwlic print
D. show licenses
Correct Answer: A
Explanation/Reference:
QUESTION 361
Of all the Check Point components in your network, which one changes most often and should be backed up
most frequently?
A. SmartManager
B. SmartConsole
C. Security Gateway
D. Security Management Server
Correct Answer: D
Explanation/Reference:
QUESTION 362
Which option would allow you to make a backup copy of the OS and Check Point configuration, without
stopping Check Point processes?
Correct Answer: D
Explanation/Reference:
Creating snapshot on Gaia OS does not stop Check Point services on R75.47, R77 and above
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk106127
QUESTION 363
# What is the Transport layer of the TCP/IP model responsible for?
Correct Answer: B
Explanation/Reference:
QUESTION 364
What needs to be configured if the NAT property ‘Translate destination on client side’ is not enabled in Global
properties?
Correct Answer: C
Explanation/Reference:
??
The Translate destination on client side option, a gateway default setting, tells the gateway to translate
destination addresses on the client side of the connection.
This setting helps to remedy anti-spoofing and routing implications in previous versions of Check Point. In
older versions of Check Point FireWall-1, address translation occurred on the server side and static routes
were necessary to forward packets to the correct destination. This setting allows backward compatibility within
NGX if you have upgraded from a version without this functionality.
QUESTION 365
In the Check Point Security Management Architecture, which component(s) can store logs?
A. SmartConsole
B. Security Management Server and Security Gateway
C. Security Management Server
D. SmartConsole and Security Management Server
Correct Answer: B
Explanation/Reference:
QUESTION 366
Fill in the blank: In order to install a license, it must first be added to the ______.
A. User Center
B. Package repository
C. Download Center Web site
D. License and Contract repository
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Non_Gaia_Installation_and_Upgrade_Guide/13128.htm
QUESTION 367
When logging in for the first time to a Security Management Server through SmartConsole, a fingerprint is
saved to the:
A. Security Management Server’s /home/.fgpt file and is available for future SmartConsole authentications.
B. Windows registry is available for future Security Management Server authentications.
C. There is no memory used for saving a fingerprint anyway.
D. SmartConsole cache is available for future Security Management Server authentications.
Correct Answer: B
Explanation/Reference:
PDF is D-SmartConsole, But ...It is B-Windows registry is
The first time the administrator connects to the Security Management server, the Security Management server
displays a Fingerprint verification window. The administrator, who has the original Fingerprint on hand,
compares it to the displayed Fingerprint. If the two are identical, the administrator approves the Fingerprint as
valid. This action saves the Fingerprint (along with the Security Management server's IP address) to the
SmartConsole machine's registry, where it remains available to automatically authenticate the Security
Management server in the future.
If the Fingerprints are not identical, the administrator quits the Fingerprint verification window and returns to the
initial login window. In this case, the administrator should verify the resolvable name or IP address of the
Security Management server.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?
topic=documents/R76/CP_R76_SecMan_WebAdmin/118037
QUESTION 368
Fill in the blank: By default, the SIC certificates issued by R80 Management Server are based on the ______
algorithm.
A. SHA-256
B. SHA-200
C. MD5
D. SHA-128
Correct Answer: A
Explanation/Reference:
Notes about R80 Management Server: Starting from R80, the default signing algorithm of the Internal CA (ICA)
was changed from SHA-1 to SHA-256
QUESTION 369
Which message indicates IKE Phase 2 has completed successfully?
Correct Answer: A
Explanation/Reference:
QUESTION 370
# Administrator Dave logs into R80 Management Server to review and make some rule changes. He notices
that there is a padlock sign next to the DNS rule in the Rule Base.
A. DNS Rule is using one of the new features of R80 where an administrator can mark a rule with the padlock
icon to let other administrators know it is important.
B. Another administrator is logged into the Management and currently editing the DNS Rule.
C. DNS Rule is a placeholder rule for a rule that existed in the past but was deleted.
D. This is normal behavior in R80 when there are duplicate rules in the Rule Base.
Correct Answer: B
Explanation/Reference:
QUESTION 371
Fill in the blank: When tunnel test packets no longer invoke a response, SmartView Monitor displays ______
for the given VPN tunnel.
A. Down
B. No Response
C. Inactive
D. Failed
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/
R77/CP_R77_VPN_AdminGuide/14018
QUESTION 372
# Which of the following is the most secure means of authentication?
A. Password
B. Certificate
C. Token
D. Pre-shared secret
Correct Answer: B
Explanation/Reference:
QUESTION 373
What is the BEST command to view configuration details of all interfaces in Gaia CLISH?
A. ifconfig -a
B. show interfaces
C. show interfaces detail
D. show configuration interface
Correct Answer: D
Explanation/Reference:
QUESTION 374
Fill in the blank: Authentication rules are defined for ______.
A. User groups
B. Users using UserCheck
C. Individual users
D. All users in the database
Correct Answer: A
Explanation/Reference:
Authentication rules are defined by user groups, rather than individual users. Therefore, you must first define
users and then add them to groups to define authentication rules. You can define users with the Security
Gateway proprietary user database or with an LDAP server.
https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6721.htm
QUESTION 375
# Which tool provides a list of trusted files to the administrator so they can specify to the Threat Prevention
blade that these files do not need to be scanned or analyzed?
A. ThreatWiki
B. Whitelist Files
C. AppWiki
D. IPS Protections
Correct Answer: B
Explanation/Reference:
PDF is A-ThreatWiki, but I think it is B-Whitelist Files
Whitelist is a list of files that are trusted. Check Point Threat Prevention engine does not inspect trusted files for
malware, viruses, and bots, which helps decrease resource utilization on the gateway.
https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/82209.htm
https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/101703.htm
QUESTION 376
# Which of the following is an authentication method used for Identity Awareness?
A. SSL
B. Captive Portal
C. PKI
D. RSA
Correct Answer: B
Explanation/Reference:
QUESTION 377
The SIC Status “Unknown” means
A. There is connection between the gateway and Security Management Server but it is not trusted.
B. The secure communication is established.
C. There is no connection between the gateway and Security Management Server.
D. The Security Management Server can contact the gateway, but cannot establish SIC.
Correct Answer: C
Explanation/Reference:
SIC Status
After the gateway receives the certificate issued by the ICA, the SIC status shows if the Security Management
Server can communicate securely with this gateway:
Communicating - The secure communication is established.
Unknown - There is no connection between the gateway and Security Management Server.
Not Communicating - The Security Management Server can contact the gateway, but cannot establish
SIC. A message shows more information.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/
CP_R80_SecMGMT/125443
QUESTION 378
What is a reason for manual creation of a NAT rule?
A. In R80 all Network Address Translation is done automatically and there is no need for manually defined
NAT-rules.
B. Network Address Translation of RFC1918-compliant networks is needed to access the Internet.
C. Network Address Translation is desired for some services, but not for others.
D. The public IP-address is different from the gateway’s external IP
Correct Answer: C
Explanation/Reference:
PDF is D-Public IP address, but I think it is C-NAT is desired.
These are some situations that must use manual NAT rules:
Rules that are restricted to specified destination IP addresses and to specified source IP addresses
Translate both source and destination IP addresses in the same packet.
Static NAT in only one direction
Translate services (destination ports)
Rules that only use specified services (ports)
Translate IP addresses for dynamic objects
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/
CP_R80.30_SecurityManagement_AdminGuide/html_frameset.htm?topic=documents/R80.30/
WebAdminGuides/EN/CP_R80.30_SecurityManagement_AdminGuide/94349
QUESTION 379
Which of the following commands is used to verify license installation?
Correct Answer: B
Explanation/Reference:
QUESTION 380
To enforce the Security Policy correctly, a Security Gateway requires:
A. a routing table
B. awareness of the network topology
C. a Demilitarized Zone
D. a Security Policy install
Correct Answer: B
Explanation/Reference:
The network topology represents the internal network (both the LAN and the DMZ) protected by the gateway.
The gateway must be aware of the layout of the network topology to:
Correctly enforce the Security Policy.
Ensure the validity of IP addresses for inbound and outbound traffic.
Configure a special domain for Virtual Private Networks.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?
topic=documents/R76/CP_R76_SecMan_WebAdmin/118037
QUESTION 381
Which configuration element determines which traffic should be encrypted into a VPN tunnel vs. sent in the
clear?
Correct Answer: C
Explanation/Reference:
not sure
QUESTION 382
You have discovered suspicious activity in your network. What is the BEST immediate action to take?
Correct Answer: B
Explanation/Reference:
Immediate Actions
If the status shows an issue, you can act on that network object.
For example:
Disconnect client - Disconnect one or more of the connected SmartConsole clients.
Start/Stop cluster member - You can see all Cluster Members of a Gateway Cluster in SmartView Monitor.
You can start or stop a selected Cluster Member.
Suspicious Action Rules - You can block suspicious network activity while you investigate the real risk or to
quickly block an obvious intruder.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/
CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/
WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/118300
QUESTION 383
Tom has connected to the R80 Management Server remotely using SmartConsole and is in the process of
making some Rule Base changes, when he suddenly loses connectivity. Connectivity is restored shortly
afterward. What will happen to the changes already made:
A. Tom’s changes will have been stored on the Management when he reconnects and he will not lose any of
this work.
B. Tom will have to reboot his SmartConsole computer, and access the Management cache store on that
computer, which is only accessible after a reboot.
C. Tom’s changes will be lost since he lost connectivity and he will have to start again.
D. Tom will have to reboot his SmartConsole computer, clear the cache and restore changes.
Correct Answer: A
Explanation/Reference:
QUESTION 384
Which GUI tool can be used to view and apply Check Point licenses?
A. cpconfig
B. Management Command Line
C. SmartConsole
D. SmartUpdate
Correct Answer: D
Explanation/Reference:
SmartUpdate GUI is the recommended way of managing licenses.
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?
topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/79993
QUESTION 385
How would you determine the software version from the CLI?
A. fw ver
B. fw stat
C. fw monitor
D. cpinfo
Correct Answer: A
Explanation/Reference:
QUESTION 386
In R80 Management, apart from using SmartConsole, objects or rules can also be modified using:
A. 3rd Party integration of CLI and API for Gateways prior to R80.
B. A complete CLI and API interface using SSH and custom CPCode integration.
C. 3rd Party integration of CLI and API for Management prior to R80.
D. A complete CLI and API interface for Management with 3rd Party integration.
Correct Answer: D
Explanation/Reference:
PDF Answer is B, but maybe D ... By ATM
QUESTION 387
When connected to the Check Point R80 Management Server using the SmartConsole the first administrator to
connect has a lock on:
A. Only the objects being modified in the Management Database and other administrators can connect to
make changes using a special session as long as they all connect from the same LAN network.
B. The entire Management Database and other administrators can connect to make changes only if the first
administrator switches to Read-only.
C. The entire Management Database and all sessions and other administrators can connect only as Read-only.
D. Only the objects being modified in his session of the Management Database and other administrators can
connect to make changes using different sessions.
Correct Answer: D
Explanation/Reference:
QUESTION 388
Which is NOT an encryption algorithm that can be used in an IPSEC Security Association (Phase 2)?
A. AES-GCM-256
B. AES-CBC-256
C. AES-GCM-128
D. DES
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/
R77/CP_R77_VPN_AdminGuide/13847
QUESTION 389
Fill in the blank: To create policy for traffic to or from a particular location, use the ______.
Correct Answer: B
Explanation/Reference:
The Shared Policies section in the Security Policies shows the policies that are not in a Policy package. They
are shared between all Policy packages. Shared policies are installed with the Access Control Policy.
Software Blade - Description
Mobile Access - Launch Mobile Access policy in a SmartConsole. Configure how your remote users access
internal resources, such as their email accounts, when they are mobile.
DLP - Launch Data Loss Prevention policy in a SmartConsole. Configure advanced tools to
automatically identify data that must not go outside the network, to block the leak, and to educate users.
Geo Policy - Create a policy for traffic to or from specific geographical or political locations.
HTTPS Inspection - The HTTPS Policy allows the Security Gateway to inspect HTTPS traffic to prevent
security risks related to the SSL protocol. The HTTPS Policy shows if HTTPS inspection is enabled on one or
more Gateways.
Inspection Settings - You can configure Inspection Settings for the Firewall: Deep packet inspection settings /
Protocol parsing inspection settings / VoIP packet inspection settings
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/
CP_R80.10_NexGenSecurityGateway_Guide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/
EN/CP_R80.10_NexGenSecurityGateway_Guide/137006
QUESTION 390
After trust has been established between the Check Point components, what is TRUE about name and
IP address changes?
Correct Answer: A
Explanation/Reference:
A and B are possible actions without re-trust.
The SIC is based on the name of the Manager, so C is the only correct answer! sk40993
QUESTION 391
Which two Identity Awareness commands are used to support identity sharing?
Correct Answer: A
Explanation/Reference:
Identity Awareness Commands
These terms are used in the CLI commands:
PDP - The process on the Security Gateway responsible for collecting and sharing identities.
PEP - The process on the Security Gateway responsible for enforcing network access restrictions. Decisions
are made according to identity data collected from the PDP.
AD Query - AD Query is the module responsible for acquiring identities of entities (users or computers) from
the Active Directory (AD). AD Query was called Identity Logging in previous versions and in some cases is also
referenced as AD Log. The adlog is the command line process used to control and monitor the AD Query
feature.
test_ad_connectivity - A utility that runs connectivity tests from the Security Gateway to an AD domain
controller.
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/66477.htm
QUESTION 392
True or False: In R80, more than one administrator can login to the Security Management Server with write
permission at the same time.
Correct Answer: D
Explanation/Reference:
PDF answer is B - True, ...a session. But, management server not a SmartConsole, it is login to security.
==========
More than one administrator can connect to the Security Management Server at the same time. Every
administrator has their own username, and works in a session that is independent of the other administrators.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/124265
QUESTION 393
Which one of the following is TRUE?
Correct Answer: C
Explanation/Reference:
QUESTION 394
Which deployment adds a Security Gateway to an existing environment without changing IP routing?
A. Distributed
B. Bridge Mode
C. Remote
D. Standalone
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/86429.htm
QUESTION 395
Fill in the blank: An identity server uses a ________ for user authentication.
A. Shared secret
B. Certificate
C. One-time password
D. Token
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62050.htm
QUESTION 396
You can see the following graphic:
What is presented on it?
Correct Answer: A
Explanation/Reference:
QUESTION 397
When configuring LDAP User Directory integration, changes applied to a User Directory template are:
Correct Answer: A
Explanation/Reference:
The users and user groups are arranged on the Account Unit in the tree structure of the LDAP server. User
management in User Directory is external, not local. You can change the User Directory templates. Users
associated with this template get the changes immediately. You can change user definitions manually in
SmartDashboard, and the changes are immediate on the server.
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityManagement_WebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_SecurityManagement_WebAdminGuide/94041
QUESTION 398
Choose what BEST describes the reason why querying logs now is very fast.
Correct Answer: B
Explanation/Reference:
QUESTION 399
Check Point ClusterXL Active/Active deployment is used when:
Correct Answer: B
Explanation/Reference:
PDF is D-High Availability, But It is B B B !!! - Load Sharing
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm
QUESTION 400
Which of the following methods can be used to update the trusted log server regarding the policy and
configuration changes performed on the Security Management Server?
A. Save Policy
B. Install Database
C. Save session
D. Install Policy
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_LoggingAndMonitoring_AdminGuide/120829
You can enable logging on the Security Management Server (enabled by default), or deploy a dedicated Log
Server. After you deploy the Log Server, you must configure the Security Gateways for logging.
You must execute the Install Database function on the remote Log Server when you:
Enable or disable a logging related blade or function, including Log Indexing in a server object.
Add a new Log Server to the system.
Change a gateway's Log Server.
Change a Log Server's log settings or make any other Log Server object change.
Change anything in the Global Properties that might affect the Log Server
QUESTION 401
From the Gaia web interface, which of the following operations CANNOT be performed on a Security
Management Server?
Correct Answer: A
Explanation/Reference:
PDF is B-Open a terminal shell. But I prefer A-Verify Sec Policy
A Smart Console is verifying the policy and not the management server itself
C Add Route should be in Security Gateway.
QUESTION 402
Which of the following are types of VPN communities?
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_VPN_AdminGuide/13894
QUESTION 403
What are the three types of UserCheck messages?
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_DataLossPrevention_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_DataLossPrevention_AdminGuide/94711
QUESTION 404
What two ordered layers make up the Access Control Policy Layer?
Explanation/Reference:
??? Maybe B
QUESTION 405
Which statement is TRUE of anti-spoofing?
Correct Answer: C
Explanation/Reference:
??
https://community.checkpoint.com/t5/General-Topics/A-Primer-on-Anti-Spoofing/td-p/23042
QUESTION 406
Fill in the blank: The position of an implied rule is manipulated in the ________ window.
A. NAT
B. Firewall
C. Global Properties
D. Object Explorer
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92703.htm
QUESTION 407
How can the changes made by an administrator before publishing the session be seen by a superuser
administrator?
Correct Answer: C
Explanation/Reference:
PDF Answer is C-From SmartView Tracker, But Maybe D in R80
https://community.checkpoint.com/t5/General-Management-Topics/Review-the-changes-in-your-current-session-in-SmartConsole/td-p/38753
QUESTION 408
Which Check Point software blade monitors Check Point devices and provides a picture of network and
security performance?
A. Application Control
B. Threat Emulation
C. Logging and Status
D. Monitoring
Correct Answer: D
Explanation/Reference:
https://www.checkpoint.com/downloads/product-related/datasheets/DS_Monitoring.pdf
QUESTION 409
Your internal networks 10.1.1.0/24, 10.2.2.0/24 and 192.168.0.0/16 are behind the Internet Security Gateway.
Considering that Layer 2 and Layer 3 setup is correct, what are the steps you will need to do in SmartConsole
in order to get the connection working?
Correct Answer: C
Explanation/Reference:
QUESTION 410
True or False: The destination server for Security Gateway logs depends on a Security Management Server
configuration.
A. False, log servers are configured on the Log Server General Properties
B. True, all Security Gateways will only forward logs with a SmartCenter Server configuration
C. True, all Security Gateways forward logs automatically to the Security Management Server
D. False, log servers are enabled on the Security Gateway General Properties
Correct Answer: C
Explanation/Reference:
???
PDF is B, But Maybe D
Starting from R77.30, Check Point allows gateways to send logs directly to an external syslog server without
going through the Management server.
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_LoggingAndMonitoring_AdminGuide/120829
You can enable logging on the Security Management Server (enabled by default), or deploy a dedicated Log
Server. After you deploy the Log Server, you must configure the Security Gateways for logging.
You must execute the Install Database function on the remote Log Server when you:
Enable or disable a logging related blade or function, including Log Indexing in a server object.
Add a new Log Server to the system.
Change a gateway's Log Server.
Change a Log Server's log settings or make any other Log Server object change.
Change anything in the Global Properties that might affect the Log Server
QUESTION 411
Consider the following Global Properties settings:
The selected option “Accept Domain Name over UDP (Queries)” means:
A. UDP Queries will be accepted by the traffic allowed only through interfaces with external anti-spoofing
topology and this will be done before first explicit rule written by Administrator in a Security Policy.
B. All UDP Queries will be accepted by the traffic allowed through all interfaces and this will be done before
first explicit rule written by Administrator in a Security Policy.
C. No UDP Queries will be accepted by the traffic allowed through all interfaces and this will be done before
first explicit rule written by Administrator in a Security Policy.
D. All UDP Queries will be accepted by the traffic allowed by first explicit rule written by Administrator in a
Security Policy.
Correct Answer: A
Explanation/Reference:
Domain Name over UDP (Not all UDP Queries)
Accept Domain Name over UDP (Queries)—Allows DNS requests to traverse the firewall.
QUESTION 412
How is communication between different Check Point components secured in R80?
A. By using IPSEC
B. By using SIC
C. By using ICA
D. By using 3DES
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/125443
QUESTION 413
Identify the ports on which the Client Authentication daemon listens by default.
A. 259, 900
B. 256, 257
C. 8080, 529
D. 80, 256
Correct Answer: A
Explanation/Reference:
256 TCP FW1 (fwd) policy install port FWD_SVC_PORT
257 TCP FW1_log FW1_log FWD_LOG_PORT
258 TCP FW1_mgmt FWM_SSVVC_PORT
259 TCP FW1_clientauth_telnet
260 TCP sync
http://digitalcrunch.com/check-point-firewall/list-of-check-point-ports/
QUESTION 414
What is the purpose of the CPCA process?
Correct Answer: D
Explanation/Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97638
QUESTION 415
The Network Operations Center administrator needs access to Check Point Security devices mostly for
troubleshooting purposes. You do not want to give her access to the expert mode, but she still should be able to
run tcpdump. How can you achieve this requirement?
Correct Answer: A
Explanation/Reference:
QUESTION 416
After the initial installation on Check Point appliance, you notice that the Management interface and default
gateway are incorrect. Which commands could you use to set the IP to 192.168.80.200/24 and default gateway
to 192.168.80.1?
Correct Answer: A
Explanation/Reference:
QUESTION 417
What Check Point tool is used to automatically update Check Point products for the Gaia OS?
Correct Answer: B
Explanation/Reference:
With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. The
software update packages and full images are for major releases, minor releases and Hotfixes. All of the
CPUSE processes are handled by the Deployment Agent daemon (DA).
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_Installation_and_Upgrade_Guide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_Installation_and_Upgrade_Guide/129978
QUESTION 418
You are the Check Point administrator for Alpha Corp with an R80 Check Point estate. You have received a call
from one of the management users stating that they are unable to browse the Internet with their new tablet
connected to the company Wireless. The Wireless system goes through the Check Point Gateway. How do you
review the logs to see what the problem may be?
Correct Answer: B
Explanation/Reference:
QUESTION 419
What are the advantages of a “shared policy” in R80?
A. Allows the administrator to share a policy between all the users identified by the Security Gateway
B. Allows the administrator to share a policy between all the administrators managing the Security
Management Server.
C. Allows the administrator to share a policy so that it is available to use in another Policy Package.
D. Allows the administrator to install a policy on one Security Gateway and it gets installed on another
managed Security Gateway
Correct Answer: C
Explanation/Reference:
QUESTION 420
To view statistics on detected threats, which Threat Tool would an administrator use?
A. Protections
B. IPS Protections
C. Profiles
D. ThreatWiki
Correct Answer: D
Explanation/Reference:
???
QUESTION 421
What is the purpose of a Clean-up Rule?
A. Clean-up Rules do not serve any purpose.
B. Provide a metric for determining unnecessary rules.
C. To drop any traffic that is not explicitly allowed.
D. Used to better optimize a policy.
Correct Answer: C
Explanation/Reference:
These are basic access control rules we recommend for all Rule Bases:
Stealth rule that prevents direct access to the Security Gateway.
Cleanup rule that drops all traffic that is not allowed by the earlier rules.
There is also an implied rule that drops all traffic, but you can use the Cleanup rule to log the traffic.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92703.htm
QUESTION 422
What are the two types of NAT supported by the Security Gateway?
Correct Answer: B
Explanation/Reference:
A Security Gateway can use these procedures to translate IP addresses in your network:
Static NAT - Each internal IP address is translated to a different public IP address. The Firewall can allow
external traffic to access internal resources.
Hide NAT - The Firewall uses port numbers to translate all specified internal IP addresses to a single public IP
address and hides the internal IP structure. Connections can only start from internal computers, external
computers CANNOT access internal servers. The Firewall can translate up to 50,000 connections at the same
time from external computers and servers.
Hide NAT with Port Translation - Use one IP address and let external users access multiple application
servers in a hidden network. The Firewall uses the requested service (or destination port) to send the traffic to
the correct server. A typical configuration can use these ports: FTP server (port 21), SMTP server (port
25) and an HTTP server (port 80). It is necessary to create manual NAT rules to use Port Translation.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm
QUESTION 423
Vanessa is attempting to log into the Gaia Web Portal. She is able to log in successfully. Then she tries the
same username and password for SmartConsole but gets the message in the screenshot image below. She
has checked that the IP address of the Server is correct and the username and password she used to log in to
Gaia are also correct.
What is the most likely reason?
A. Check Point R80 SmartConsole authentication is more secure than in previous versions and Vanessa
requires a special authentication key for R80 SmartConsole. Check that the correct key details are used.
B. Check Point Management software authentication details are not automatically the same as the Operating
System authentication details. Check that she is using the correct details.
C. SmartConsole Authentication is not allowed for Vanessa until a Super administrator has logged in first and
cleared any other administrator sessions.
D. Authentication failed because Vanessa’s username is not allowed in the new Threat Prevention console
update checks even though these checks passed with Gaia.
Correct Answer: B
Explanation/Reference:
QUESTION 424
What is the most complete definition of the difference between the Install Policy button on the SmartConsole’s
tab, and the Install Policy button within a specific policy?
A. The Global one also saves and publishes the session before installation.
B. The Global one can install multiple selected policies at the same time.
C. The local one does not install the Anti-Malware policy along with the Network policy.
D. The second one pre-selects the installation for only the current policy and for the applicable gateways.
Correct Answer: D
Explanation/Reference:
QUESTION 425
Which of the following is used to initially create trust between a Gateway and Security Management Server?
A. Internal Certificate Authority
B. Token
C. One-time Password
D. Certificate
Correct Answer: C
Explanation/Reference:
To establish the initial trust, a gateway and a Security Management Server use a one-time password. After the
initial trust is established, further communication is based on security certificates.
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/125443
QUESTION 426
John is the administrator of an R80 Security Management server managing an R77.30 Check Point Security
Gateway. John is currently updating the network objects and amending the rules using SmartConsole. To make
John’s changes available to other administrators, and to save the database before installing a policy, what must
John do?
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/119225
QUESTION 427
Fill in the blanks: There are ________ types of software containers ________.
Correct Answer: A
Explanation/Reference:
There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security.
http://downloads.checkpoint.com/dc/download.htm?ID=11608
QUESTION 428
Fill in the blank: In Office mode, a Security Gateway assigns a remote client to an IP address
once ________.
Correct Answer: A
Explanation/Reference:
Office Mode enables a Security Gateway to assign a remote client an IP address. The assignment takes place
once the user connects and authenticates. The assignment lease is renewed as long as the user is connected.
https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13857.htm
QUESTION 429
Which Identity Source(s) should be selected in Identity Awareness for when there is a requirement for a higher
level of security for sensitive servers?
A. AD Query
B. Terminal Servers Endpoint Identity Agent
C. Endpoint Identity Agent and Browser-Based Authentication
D. RADIUS and Account Logon
Correct Answer: C
Explanation/Reference:
Endpoint Identity Agents and Browser-Based Authentication - When a high level of security is
necessary. The Captive Portal is used for distributing the Endpoint Identity Agent. IP Spoofing protection can
be set to prevent packets from being IP spoofed.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/101858
QUESTION 430
What is Identity Sharing?
A. Management servers can acquire and share identities with Security Gateways
B. Users can share identities with other users
C. Security Gateways can acquire and share identities with other Security Gateways
D. Administrators can share identities with other administrators
Correct Answer: C
Explanation/Reference:
Identity Sharing
Best Practice - In environments that use many Security Gateways and AD Query, we recommend that you set
only one Security Gateway to acquire identities from a given Active Directory domain controller for each
physical site. If more than one Security Gateway gets identities from the same AD server, the AD server can
become overloaded with WMI queries.
Set these options on the Identity Awareness > Identity Sharing page of the Security Gateway object:
One Security Gateway to share identities with other Security Gateways. This is the Security Gateway that
gets identities from a given domain controller.
All other Security Gateways to get identities from the Security Gateway that acquires identities from the
given domain controller.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/63005
QUESTION 431
What is the most recommended installation method for Check Point appliances?
A. SmartUpdate installation
B. DVD media created with Check Point ISOMorphic
C. USB media created with Check Point ISOMorphic
D. Cloud based installation
Correct Answer: C
Explanation/Reference:
To install a clean Gaia Operating System on a Check Point appliance, you can:
Restore your Check Point appliance to Factory Defaults. This removes all configurations.
Perform a clean install of the supported Gaia image with one of these options:
Bootable USB device.
CPUSE (if Gaia is already installed) - select the desired Check Point version and perform Clean Install. See
sk92449 for detailed steps.
Important - Always use the latest available build of the ISOmorphic Tool. If you use an outdated build, the
installation can fail.
QUESTION 432
Which of the following is NOT a role of the SmartCenter:
A. Status monitoring
B. Policy configuration
C. Certificate authority
D. Address translation
Correct Answer: D
Explanation/Reference:
PDF is C-Certificate authority, But I prefer D-Address translation.
http://www.checkfirewalls.com/datasheets/smartcenter_datasheet.pdf
QUESTION 433
Which of the following is NOT a valid application navigation tab in the R80 SmartConsole?
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80.10/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.10/SmartConsole_OLH/EN/4x3HIUbSkxYhtcFgIKlg0w2
QUESTION 434
Phase 1 of the two-phase negotiation process conducted by IKE operates in ________ mode.
A. Main
B. Authentication
C. Quick
D. High Alert
Correct Answer: A
Explanation/Reference:
Phase I modes
Between Security Gateways, there are two modes for IKE phase I. These modes only apply to IKEv1:
Main Mode
Aggressive Mode
https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13847.htm
QUESTION 435
What is the BEST method to deploy Identity Awareness for roaming users?
Correct Answer: B
Explanation/Reference:
Using Endpoint Identity Agents gives you:
User and machine identity
Minimal user intervention – all necessary configuration is done by administrators and does not require user
input.
Seamless connectivity – transparent authentication using Kerberos Single Sign-On (SSO) when users are
logged in to the domain. If you do not want to use SSO, users enter their credentials manually. You can let
them save these credentials.
Connectivity through roaming – users stay automatically identified when they move between networks, as
the client detects the movement and reconnects.
https://www.checkpoint.com/products/identity-awareness-software-blade/
QUESTION 436
What is the purpose of the Clean-up Rule?
A. To log all traffic that is not explicitly allowed or denied in the Rule Base
B. To clean up policies found inconsistent with the compliance blade reports
C. To remove all rules that could have a conflict with other rules in the database
D. To eliminate duplicate log entries in the Security Gateway
Correct Answer: A
Explanation/Reference:
These are basic access control rules we recommend for all Rule Bases:
Stealth rule that prevents direct access to the Security Gateway.
Cleanup rule that drops all traffic that is not allowed by the earlier rules.
There is also an implied rule that drops all traffic, but you can use the Cleanup rule to log the traffic.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92703.htm
QUESTION 437
Which of the following blades is NOT subscription-based and therefore does not have to be renewed on a
regular basis?
A. Application Control
B. Threat Emulation
C. Anti-Virus
D. Advanced Networking Blade
Correct Answer: D
Explanation/Reference:
PDF is B-Threat Emulation, But I think it is the D-Advanced Networking Blade
QUESTION 438
Fill in the blank: Back up and restores can be accomplished through ________.
Correct Answer: A
Explanation/Reference:
Backup and Restore
These options let you:
Back up the Gaia OS configuration and the firewall database to a compressed file
Restore the Gaia OS configuration and the firewall database from a compressed file
To back up a configuration:
1. Right-click the Security Gateway.
2. Select Backup and Restore > Backup.
The Backup window opens.
3. Select the backup location.
https://community.checkpoint.com/thread/5375-checkpoint-gateway-firewall-backup-through-smartconsole
QUESTION 439
What does it mean if Deyra sees the gateway status:
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/sc/SolutionsStatics/NEW_SK_NOID1493612962436/active1704302237.fw.png
QUESTION 440
CPU-level of your Security gateway is peaking to 100% causing problems with traffic. You suspect that the
problem might be the Threat Prevention settings.
The following Threat Prevention Profile has been created.
How could you tune the profile in order to lower the CPU load while still maintaining security at a good level?
Correct Answer: B
Explanation/Reference:
QUESTION 441
Which icon indicates in the WebUI that read/write access is enabled?
A. Pencil
B. Padlock
C. Book
D. Eyeglasses
Correct Answer: A
Explanation/Reference:
QUESTION 442
What is NOT an advantage of Stateful Inspection?
A. High Performance
B. Good Security
C. No Screening above Network layer
D. Transparency
Correct Answer: C
Explanation/Reference:
PDF answer is A - High performance.
– good security
– full application layer
– high performance
– Extensibility
– Transparency
QUESTION 443
Which of the following Windows Security Events will NOT map a username to an IP address in Identity
Awareness?
Correct Answer: D
Explanation/Reference:
QUESTION 444
Fill in the blank: Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific
gateways, or ________.
Correct Answer: B
Explanation/Reference:
Each VPN tunnel in the community may be set to be a Permanent Tunnel. Since Permanent Tunnels are
constantly monitored, if the VPN tunnel is down, then a log, alert, or user defined action, can be issued. A VPN
tunnel is monitored by periodically sending "tunnel test" packets. As long as responses to the packets are
received the VPN tunnel is considered "up." If no response is received within a given time period, the VPN
tunnel is considered "down." Permanent Tunnels can only be established between Check Point Security
Gateways. The configuration of Permanent Tunnels takes place on the community level and:
Can be specified for an entire community. This option sets every VPN tunnel in the community as
permanent.
Can be specified for a specific Security Gateway. Use this option to configure specific Security Gateways to
have permanent tunnels.
Can be specified for a single VPN tunnel. This feature allows configuring specific tunnels between specific
Security Gateways as permanent.
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_VPN_AdminGuide/14018
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/14018
QUESTION 445
In Unified SmartConsole Gateways and Servers tab you can perform the following functions EXCEPT
Correct Answer: A
Explanation/Reference:
PDF is C-Open SSH, But I think is A-Upgrade....
QUESTION 446
Which Threat Prevention Software Blade provides protection from malicious software that can infect your
network computers?
A. Anti-Malware
B. IPS
C. Anti-bot
D. Anti-Spam
Correct Answer: C
Explanation/Reference:
Anti-Bot
The Need for Anti-Bot
There are two emerging trends in today's threat landscape:
A profit-driven cybercrime industry that uses different tools to meet its goals. This industry includes
cybercriminals, malware operators, tool providers, coders, and affiliate programs. Their "products" can be easily
ordered online from numerous sites (for example, do-it-yourself malware kits, spam sending, data theft, and
denial of service attacks) and organizations are finding it difficult to fight off these attacks.
Ideological and state driven attacks that target people or organizations to promote a political cause or carry out
a cyber-warfare campaign.
Both of these trends are driven by bot attacks.
A bot is malicious software that can invade your computer. There are many infection methods. These include
opening attachments that exploit a vulnerability and accessing a web site that results in a malicious download.
https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/102176.htm
QUESTION 447
When configuring Spoof Tracking, which tracking actions can an administrator select to be done when spoofed
packets are detected?
Correct Answer: C
Explanation/Reference:
Configure Spoof Tracking - select the tracking action that is done when spoofed packets are detected:
Log - Create a log entry (default)
Alert - Show an alert
None - Do not log or alert
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 448
Access roles allow the firewall administrator to configure network access according to:
Correct Answer: C
Explanation/Reference:
To create an access role:
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92705.htm
QUESTION 449
What are the three deployment considerations for a secure network?
Correct Answer: D
Explanation/Reference:
PDF is A, what is the fucking Remote ..... It is D D D D D D-Standalone, Distributed, and Bridge Mode
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/86429.htm
QUESTION 450
Which option, when applied to a rule, allows traffic to VPN gateways in specific VPN communities?
Correct Answer: C
Explanation/Reference:
The first rule is the automatic rule for the Accept All Encrypted Traffic feature. The Firewalls for the Security
Gateways in the BranchOffices and LondonOffices VPN communities allow all VPN traffic from hosts in clients
in these communities. Traffic to the Security Gateways is dropped. This rule is installed on all Security
Gateways in these communities.
2. Site to site VPN - Connections between hosts in the VPN domains of all Site to Site VPN communities are
allowed. These are the only protocols that are allowed: FTP, HTTP, HTTPS and SMTP.
3. Remote access - Connections between hosts in the VPN domains of RemoteAccess VPN community are
allowed. These are the only protocols that are allowed: HTTP, HTTPS, and IMAP.
https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92709.htm
“Encrypted Traffic – Select Accept all encrypted traffic to encrypt and decrypt all traffic between the Security
Gateways. If this is not selected, create rules in the Security Policy Rule Base to allow encrypted traffic between
community members”
QUESTION 451
When a Security Gateway sends its logs to an IP address other than its own, which deployment option is
installed?
A. Distributed
B. Standalone
C. Bridge
Correct Answer: A
Explanation/Reference:
QUESTION 452
One of the major features in R80 SmartConsole is concurrent administration. Which of the following is NOT
possible considering that AdminA, AdminB, and AdminC are editing the same Security Policy?
A. A lock icon shows that a rule or an object is locked and will be available.
B. AdminA and AdminB are editing the same rule at the same time.
C. A lock icon next to a rule informs that any Administrator is working on this particular rule.
D. AdminA, AdminB and AdminC are editing three different rules at the same time.
Correct Answer: C
Explanation/Reference:
PDF Answer is C-A lock icon next to ....
In SmartConsole, administrators work with sessions. A session is created each time an administrator logs into
SmartConsole. Changes made in the session are saved automatically. These changes are private and
available only to the administrator. To avoid configuration conflicts, other administrators see a lock icon on
objects and rules that are being edited in other sessions.
http://downloads.checkpoint.com/dc/download.htm?ID=65846
QUESTION 453
When should you generate new licenses?
Correct Answer: B
Explanation/Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84802
QUESTION 454
Fill in the blank: When a policy package is installed, ________ are also distributed to the target installation
Security Gateways.
Correct Answer: A
Explanation/Reference:
A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all
the policies in the package. A policy package can have one or more of these policy types:
Access Control - consists of these types of rules:
- Firewall
- NAT
- Application Control and URL Filtering
- Data Awareness
QoS
Desktop Security - the Firewall policy for endpoint computers that have the Endpoint Security VPN remote
access client installed as a standalone client.
Threat Prevention - consists of:
- IPS - IPS protections continually updated by IPS Services
- Anti-Bot - Detects bot-infected machines, prevents bot damage by blocking bot Command and Control (C&C)
communications
- Anti-Virus - Includes heuristic analysis, stops viruses, worms, and other malware at the gateway
- Threat Emulation - detects zero-day and advanced polymorphic attacks by opening suspicious files in a
sandbox
QUESTION 455
Which of the following is NOT a method used by Identity Awareness for acquiring identity?
A. RADIUS
B. Active Directory Query
C. Remote Access
D. Certificates
Correct Answer: D
Explanation/Reference:
https://www.checkpoint.com/products/identity-awareness-software-blade/
QUESTION 456
Which Check Point software blade provides Application Security and identity control?
A. Identity Awareness
B. Data Loss Prevention
C. URL Filtering
D. Application Control
Correct Answer: D
Explanation/Reference:
Check Point Application Control provides the industry’s strongest application security and identity control to
organizations of all sizes.
https://www.checkpoint.com/products/application-control-software-blade/
QUESTION 457
How are the backups stored in Check Point appliances?
Correct Answer: B
Explanation/Reference:
Backup configurations are stored in: /var/CPbackup/backups/
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_Installation_and_Upgrade_Guide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_Installation_and_Upgrade_Guide/107104
QUESTION 458
You are going to perform a major upgrade. Which back up solution should you use to ensure your database
can be restored on that device?
A. backup
B. logswitch
C. Database Revision
D. snapshot
Correct Answer: D
Explanation/Reference:
The snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point
products, configuration, and operating system.
Starting in R77.10, exporting an image from one machine and importing that image on another machine of the
same type is supported.
The log partition is not included in the snapshot. Therefore, any locally stored FireWall logs will not be saved.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108902
QUESTION 459
Which tool is used to enable ClusterXL?
A. SmartUpdate
B. cpconfig
C. SmartConsole
D. sysconfig
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_ClusterXL_WebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_ClusterXL_WebAdminGuide/161105
QUESTION 460
What type of NAT is a one-to-one relationship where each host is translated to a unique address?
A. Source
B. Static
C. Hide
D. Destination
Correct Answer: B
Explanation/Reference:
QUESTION 461
Which one of the following is a way that the objects can be manipulated using the new API integration in R80
Management?
A. Microsoft Publisher
B. JSON
C. Microsoft Word
D. RC4 Encryption
Correct Answer: B
Explanation/Reference:
QUESTION 462
True or False: In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway
Correct Answer: D
Explanation/Reference:
QUESTION 463
Which of the following is NOT an identity source used for Identity Awareness?
A. Remote Access
B. UserCheck
C. AD Query
D. RADIUS
Correct Answer: B
Explanation/Reference:
https://www.checkpoint.com/products/identity-awareness-software-blade/
QUESTION 464
Fill in the blanks: Default port numbers for an LDAP server is ________ for standard connections and ________
SSL connections.
A. 675, 389
B. 389, 636
C. 636, 290
D. 290, 675
Correct Answer: B
Explanation/Reference:
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by
default on TCP and UDP port 389, or on port 636 for LDAPS. Global Catalog is available by default on ports
3268, and 3269 for LDAPS.
QUESTION 465
Which of the following is NOT supported by Bridge Mode Check Point Security Gateway?
A. Antivirus
B. Data Loss Prevention
C. NAT
D. Application Control
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/96332.htm
QUESTION 466
Which option, when applied to a rule, allows all encrypted and non-VPN traffic that matches the rule?
Correct Answer: B
Explanation/Reference:
QUESTION 467
In which scenario is it a valid option to transfer a license from one hardware device to another?
Correct Answer: B
Explanation/Reference:
QUESTION 468
Fill in the blanks: A ________ license requires an administrator to designate a gateway for attachment whereas a
________ license is automatically attached to a Security Gateway.
A. Formal; corporate
B. Local; formal
C. Local; central
D. Central; local
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/13128.htm
QUESTION 469
Which of the following is NOT a valid configuration screen of an Access Role Object?
A. Users
B. Networks
C. Time
D. Machines
Correct Answer: C
Explanation/Reference:
Select Users and Administrators in the Objects Tree.
Right-click Access Roles > New Access Role.
The Access Role window opens.
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62050.htm
QUESTION 470
What is the purpose of the Stealth Rule?
Correct Answer: A
Explanation/Reference:
http://www.pearsonitcertification.com/articles/article.aspx?p=387728&seqNum=3
QUESTION 471
What key is used to save the current CPView page in a filename format cpview_"cpview process
ID".cap"number of captures"?
A. S
B. W
C. C
D. Space bar
Correct Answer: C
Explanation/Reference:
Reference:
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_SecurityManagement_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_SecurityManagement_AdminGuide/204685
QUESTION 472
Fill in the blank: It is Best Practice to have a ________ rule at the end of each policy layer.
A. Explicit Drop
B. Implied Drop
C. Explicit CleanUp
D. Implicit Drop
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SmartDashboard_OLH/html_frameset.htm?topic=documents/R80/CP_R80_SmartDashboard_OLH/NFHf4E9NLQBJlVkHRpc16w2
QUESTION 473
When defining group-based access in an LDAP environment with Identity Awareness, what is the BEST object
type to represent an LDAP group in a Security Policy?
A. Access Role
B. User Group
C. SmartDirectory Group
D. Group Template
Correct Answer: A
Explanation/Reference:
???
QUESTION 474
The software blade package uses CPU-level and OS-level sandboxing in order to detect and block
malware.
Correct Answer: B
Explanation/Reference:
QUESTION 475
Fill in the blank: Once a certificate is revoked from the Security Gateway by the Security Management Server,
the certificate information is ________.
Correct Answer: D
Explanation/Reference:
QUESTION 476
Which type of attack can a firewall NOT prevent?
Correct Answer: A
Explanation/Reference:
QUESTION 477
R80 is supported by which of the following operating systems:
A. Windows only
B. Gaia only
C. Gaia, SecurePlatform, and Windows
D. SecurePlatform only
Correct Answer: B
Explanation/Reference:
https://community.checkpoint.com/t5/General-Management-Topics/R80-x-FAQ/td-p/39994
QUESTION 478
What Check Point technologies deny or permit network traffic?
Correct Answer: B
Explanation/Reference:
QUESTION 479
How do you manage Gaia?
Correct Answer: D
Explanation/Reference:
QUESTION 480
What licensing feature is used to verify licenses and activate new licenses added to the License and Contracts
repository?
A. Verification tool
B. Verification licensing
C. Automatic licensing
D. Automatic licensing and Verification tool
Correct Answer: D
Explanation/Reference:
QUESTION 481
The “Hit count” feature allows tracking the number of connections that each rule matches. Will the Hit count
feature work independently from logging and Track the hits even if the Track option is set to “None”?
A. No, it will not work independently. Hit Count will be shown only for rules with Track options set as Log or
alert
B. Yes, it will work independently as long as “analyze all rules” tick box is enabled on the Security Gateway
C. No, it will not work independently because hit count requires all rules to be logged
D. Yes, it will work independently because when you enable Hit Count, the SMS collects the data from
supported Security Gateways
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 482
How many layers make up the TCP/IP model?
A. 2
B. 7
C. 6
D. 4
Correct Answer: D
Explanation/Reference:
QUESTION 483
In SmartConsole, objects are used to represent physical and virtual network components and also some logical
components. These objects are divided into several categories. Which of the following is NOT an objects
category?
A. Limit
B. Resource
C. Custom Application / Site
D. Network Object
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuide/162005
QUESTION 484
Which of the following is used to enforce changes made to a Rule Base?
A. Publish database
B. Save changes
C. Install policy
D. Activate policy
Correct Answer: A
Explanation/Reference:
QUESTION 485
What is UserCheck?
Correct Answer: B
Explanation/Reference:
QUESTION 486
When doing a Stand-Alone Installation, you would install the Security Management Server with which other
Check Point architecture component?
Correct Answer: D
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Installation_and_Upgrade_Guide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_Installation_and_Upgrade_Guide/158318
QUESTION 487
Fill in the blank: An Endpoint identity agent uses a ________ for user authentication.
A. Shared secret
B. Token
C. Username/password or Kerberos Ticket
D. Certificate
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62050.htm
QUESTION 488
What is the purpose of a Stealth Rule?
Correct Answer: C
Explanation/Reference:
http://www.pearsonitcertification.com/articles/article.aspx?p=387728&seqNum=3
QUESTION 489
To view the policy installation history for each gateway, which tool would an administrator use?
A. Revisions
B. Gateway installations
C. Installation history
D. Gateway history
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/119225
QUESTION 490
Which SmartConsole tab shows logs and detects security threats, providing a centralized display of potential
attack patterns from all network devices?
Correct Answer: B
Explanation/Reference:
QUESTION 491
Which of the following is NOT a valid deployment option for R80?
A. All-in-one (stand-alone)
B. Log server
C. SmartEvent
D. Multi-domain management server
Correct Answer: D
Explanation/Reference:
QUESTION 492
You have created a rule at the top of your Rule Base to permit Guest Wireless access to the Internet. However,
when guest users attempt to reach the Internet, they are not seeing the splash page to accept your Terms of
Service, and cannot access the Internet. How can you fix this?
A. Right click Accept in the rule, select “More”, and then check “Enable Identity Captive Portal”
B. On the firewall object, Legacy Authentication screen, check “Enable Identity Captive Portal”
C. In the Captive Portal screen of Global Properties, check “Enable Identity Captive Portal”
D. On the Security Management Server object, check the box “Identity Logging”
Correct Answer: A
Explanation/Reference:
QUESTION 493
Identity Awareness allows the Security Administrator to configure network access based on which of the
following?
A. Name of the application, identity of the user, and identity of the machine
B. Identity of the machine, username, and certificate
C. Network location, identity of a user, and identity of a machine
D. Browser-Based Authentication, identity of a user, and network location
Correct Answer: C
Explanation/Reference:
http://ccsawannabe.blogspot.com/2016/04/check-point-identity-awareness.html
QUESTION 494
Which option will match a connection regardless of its association with a VPN community?
Correct Answer: B
Explanation/Reference:
???
QUESTION 495
Which of the following is NOT a tracking log option in R80.x?
A. Log
B. Full Log
C. Detailed Log
D. Extended Log
Correct Answer: C
Explanation/Reference:
QUESTION 496
Which information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking
option?
A. file attributes
B. application information
C. destination port
D. data type information
Correct Answer: B
Explanation/Reference:
QUESTION 497
Where is the “Hit Count” feature enabled or disabled in SmartConsole?
Correct Answer: B
Explanation/Reference:
Analyze a Rule Base - You can delete rules that have no matching connections
Note - If you see a rule with a zero hit count it only means that in the Security Gateways enabled with Hit Count
there were no matching connections. There can be matching connections on other Security Gateways.
Improve Firewall performance - You can move a rule that has a high hit count to a higher position in the Rule
Base
Better understand the behavior of the Access Control Policy
Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
QUESTION 498
Which tool is used to enable cluster membership on a Gateway?
A. SmartUpdate
B. cpconfig
C. SmartConsole
D. sysconfig
Correct Answer: B
Explanation/Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_ClusterXL_WebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_ClusterXL_WebAdminGuide/161105
QUESTION 499
Which key is created during Phase 2 of a site-to-site VPN?
A. Pre-shared secret
B. Diffie-Hellman Public Key
C. Symmetrical IPSec key
D. Diffie-Hellman Private Key
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13847.htm
QUESTION 500
Fill in the blank: Each cluster, at a minimum, should have at least ________ interfaces.
A. Five
B. Two
C. Three
D. Four
Correct Answer: C
Explanation/Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm
QUESTION 501
Examine the sample Rule Base.
What will be the result of a verification of the policy from SmartConsole?
A. No errors or Warnings
B. Verification Error. Empty Source-List in Rule 5 (Mail Inbound)
C. Verification Error. Rule 4 (Web Inbound) hides Rule 6 (Webmaster access)
D. Verification Error. Rule 7 (Clean-Up Rule) hides Implicit Clean-up Rule
Correct Answer: C
Explanation/Reference:
QUESTION 502
You are the Check Point administrator for Alpha Corp. You received a call that one of the users is unable to
browse the Internet on their new tablet which is connected to the company wireless, which goes through a
Check Point Gateway. How would you review the logs to see what is blocking this traffic?
Correct Answer: D
Explanation/Reference:
QUESTION 503
What is a role of Publishing?
A. The Publish operation sends the modifications made via SmartConsole in the private session and makes
them public
B. The Security Management Server installs the updated policy and the entire database on Security Gateways
C. The Security Management Server installs the updated session and the entire Rule Base on Security
Gateways
D. Modifies network objects, such as servers, users, services, or IPS profiles, but not the Rule Base
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/119225
QUESTION 504
Which software blade enables Access Control policies to accept, drop, or limit web site access based on user,
group, and/or machine?
A. Application Control
B. Data Awareness
C. Identity Awareness
D. Threat Emulation
Correct Answer: A
Explanation/Reference:
???
Application Control enables IT teams to easily create granular policies based on users or groups—to identify,
block or limit usage of applications and widgets.
Identity Awareness
What the user is allowed to do depends upon rules in our Unified Access Control Policy where the source can
be an Access Role object. An Access Role is a logical representation of users and devices comprised of four
elements: networks @ user or group @ machine @ client, where client is one of the Check Point remote
access clients.
QUESTION 505
Fill in the blank: ________ is the Gaia command that turns the server off.
A. sysdown
B. exit
C. halt
D. shut-down
Correct Answer: C
Explanation/Reference:
QUESTION 506
Which option in a firewall rule would only match and allow traffic to VPN gateways for one Community in
common?
Correct Answer: C
Explanation/Reference:
???
QUESTION 507
Which SmartConsole tab is used to monitor network and security performance?
Correct Answer: D
Explanation/Reference:
QUESTION 508
Which statement describes what Identity Sharing is in Identity Awareness?
A. Management servers can acquire and share identities with Security Gateways
B. Users can share identities with other users
C. Security Gateways can acquire and share identities with other Security Gateways
D. Administrators can share identities with other administrators
Correct Answer: C
Explanation/Reference:
QUESTION 509
Which of the following is NOT a policy type available for each policy package?
A. Threat Emulation
B. Access Control
C. Desktop Security
D. Threat Prevention
Correct Answer: A
Explanation/Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/119225
QUESTION 510
An administrator is creating an IPsec site-to-site VPN between his corporate office and branch office. Both
offices are protected by Check Point Security Gateway managed by the same Security Management Server
(SMS). While configuring the VPN community to specify the pre-shared secret, the administrator did not find a
box to input the pre-shared secret. Why does it not allow him to specify the pre-shared secret?
Correct Answer: C
Explanation/Reference:
QUESTION 511
Which of the following technologies extracts detailed information from packets and stores that information in
state tables?
A. INSPECT Engine
B. Next-Generation Firewall / Maybe this is Option B - Stateful Inspection
C. Packet Filtering
D. Application Layer Firewall
Correct Answer: A
Explanation/Reference:
PDF's answer is B, Next-Generation Firewall, but I prefer A - Inspect Engine
The INSPECT Engine can store and retrieve values in tables (providing dynamic context) and perform logical or
arithmetic operations on data in any part of the packet.
Same question is Q57
QUESTION 512
To enforce the Security Policy correctly, a Security Gateway requires:
A. a routing table
B. that each Security Gateway enforces at least one rule
C. a Demilitarized Zone
D. a Security Policy install
Correct Answer: B
Explanation/Reference:
The network topology represents the internal network (both the LAN and the DMZ) protected by the gateway.
The gateway must be aware of the layout of the network topology to:
Correctly enforce the Security Policy.
Ensure the validity of IP addresses for inbound and outbound traffic.
Configure a special domain for Virtual Private Networks.
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/118037
QUESTION 513
What are the SandBlast deployment options?
1. Cloud emulation
2. Emulation on the Endpoint itself
3. Local Emulation
4. Remote emulation
Correct Answer: C
Explanation/Reference: