Checkpoint 156-215.81 Check Point Certified Security Administrator R81.20 CCSA (156-215.81.20) Exam Practice Test

This answer is correct because a standalone deployment is a valid option for installing a Check Point Security Gateway and a Security Management Server on the same machine1. This option is suitable for small or medium-sized networks that do not require high availability or load balancing1.

The other answers are not correct because they are either invalid or irrelevant options for deployment. CloudSec deployment is not a valid option, but it might be confused with CloudGuard, which is a Check Point solution for securing cloud environments2. Disliked deployment is not a valid option, but it might be a typo for Distributed deployment, which is a valid option for installing a Check Point Security Gateway and a Security Management Server on separate machines1. Router only deployment is not a valid option, but it might be confused with Router mode, which is a configuration option for a Check Point Security Gateway that enables it to act as a router and forward packets between interfaces3.

Gaia R81.20 Administration Guide

CloudGuard Network Security

Configuring Router Mode in Gaia Clish

The default Gaia user that has full read/write access is admin3. The admin user is the superuser that can perform any administrative task on the Gaia system, such as configuring network settings, installing software updates, managing licenses, creating snapshots, and more. The admin user can also access the Gaia Portal, which is a web-based interface for managing Gaia settings and features. References: Check Point R81 Gaia Administration Guide

 Stateful Inspection and Proxies are two different technologies for implementing firewall security. Stateful Inspection is a technique that inspects packets at the network layer and maintains a state table that tracks the status of each connection. Proxies are applications that act as intermediaries between clients and servers, and inspect packets at the application layer. The competition between stateful inspection and proxies was based on performance, protocol support, and security. When it comes to performance, stateful inspection was significantly faster than proxies, because it did not have to process the payload of each packet and could handle more concurrent connections1. References: Check Point R81 Security Gateway Technical Administration Guide

The method to update the trusted log server regarding the policy and configuration changes performed on the Security Management Server is Save Policy. Saving a policy updates the trusted log server with the latest policy and configuration changes3. References: Check Point R81 Logging and Monitoring Administration Guide

Anti-Virus is the Check Point software blade that prevents malicious files from entering a network using virus signatures and anomaly-based protections from ThreatCloud. Anti-Virus scans files and email attachments for viruses, worms, trojans, and other types of malware. It also uses ThreatCloud, a collaborative network that delivers real-time dynamic security intelligence, to detect unknown malware based on their behavior. Firewall is a software blade that enforces security policy by inspecting and controlling network traffic. Application Control is a software blade that enables administrators to control access to web applications. Anti-spam and Email Security is a software blade that protects email infrastructure from spam, phishing, and malware attacks.

LDAP (Lightweight Directory Access Protocol) is a protocol that allows accessing and maintaining distributed directory information services over a network. User Directory integration is a feature of Identity Awareness that allows Check Point products to use LDAP servers as identity sources. When configuring LDAP with User Directory integration, changes applied to a User Directory template are reflected immediately for all users who are using that template. A User Directory template defines the settings for connecting to an LDAP server and retrieving user information3. References: Check Point R81 Identity Awareness Administration Guide

The file that is an electronically signed file used by Check Point to translate the features in the license into a code is cp.macro. This file contains a list of macros that define the license features and their values. It is located in the $FWDIR/conf directory on the Security Management Server or Security Gateway.References: [Check Point R81 Licensing Guide], [Check Point R80.40 Licensing Guide]

 The answer is A because changing the Security Gateway IP-address requires re-establishing the trust with the Security Management Server by initializing the Secure Internal Communication (SIC). Changing the Security Gateway name in command line or changing the Security Management Server name or IP-address in SmartConsole does not require re-establishing the trust, but it may require updating the topology and pushing the policy.References: [Check Point R81 Security Management Administration Guide], [Check Point R81 Security Gateway Administration Guide]

An Endpoint identity agent uses a username/password or Kerberos ticket for user authentication3, p. 28. An Endpoint identity agent is a lightweight client installed on endpoint computers that communicates with Identity Awareness gateways and provides reliable identity information. An Endpoint identity agent does not use a shared secret, a token, or a certificate for user authentication. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Identity Awareness Administration Guide R81]

The best sync method in the ClusterXL deployment is to use one dedicated sync interface56. This method provides optimal performance and reliability for synchronization traffic. Using multiple sync interfaces is not recommended as it increases CPU load and does not provide 100% sync redundancy5. Using multiple clusters is not a sync method, but a cluster topology. References: Sync Redundancy in ClusterXL, Best Practice for HA sync interface

The options to calculate the traffic direction are Incoming, Internal, and External3. Outgoing is not an option. Incoming traffic is traffic that enters the Security Gateway from an external network. Internal traffic is traffic that originates and terminates in networks that are directly connected to the Security Gateway. External traffic is traffic that originates or terminates in networks that are not directly connected to the Security Gateway. References: Check Point R81 Security Management Administration Guide

 To enforce the Security Policy correctly, a Security Gateway requires awareness of the network topology. This means that the gateway knows which networks and interfaces are internal and external, and how to route packets between them . References: [Check Point R81 Security Gateway Technical Administration Guide], Check Point CCSA - R81: Practice Test & Explanation

Check Point Gaia can be configured using:

The Command Line Interface (CLI) – This includes Clish and Expert mode, accessible via SSH, console access, or direct login.

The GAiA Portal (WebUI) – A browser-based graphical user interface used to manage Gaia settings.

Option A (incorrect): The CLI is not limited to serial console access. SSH is widely used.

Option B (incorrect): "Gaia Ultimate Shell" is not an official term.

Option D (incorrect): "Web Ultimate Interface" is not a valid name.

Thus, the correct answer is C. Command line interface; GAiA Portal.

The file that stores the proxy arp configuration is $FWDIR/conf/local.arp on the gateway3 . The other files are not related to proxy arp configuration. References: How to configure Proxy ARP for Manual NAT on Security Gateway, [Check Point CCSA - R81: Practice Test & Explanation]

If a network administrator has identified a malicious host on the network and instructed you to block it, but you cannot make any firewall policy changes at this time, you can use Suspicious Activity Monitoring (SAM) rules to block this traffic. SAM rules are temporary rules that allow you to block or limit traffic from specific sources or destinations without modifying the security policy. SAM rules are created and managed by SmartView Monitor and are enforced by the security gateway for a specified duration. Anti-Bot protection, Anti-Malware protection, and Policy-based routing are not tools that can be used to block traffic without changing the firewall policy. References: [Check Point R81 SmartView Monitor Administration Guide]

The scenario where it is a valid option to transfer a license from one hardware device to another is from a 4400 Appliance to a 2200 Appliance. This is because both appliances are Check Point products and have the same license type (Central License). You can transfer a license from one hardware device to another if they have the same license type and vendor3. Therefore, the correct answer is A. From a 4400 Appliance to a 2200 Appliance. 

 Once a license is activated, a Service Contract file should be installed. This file contains information about the license expiration date, support level, and other details3. The other options are not valid file names.

References: 3: Check Point R81 Security Management Administration Guide, page 15.

Most Check Point deployments use Gaia, which is a unified operating system for all Check Point appliances, open servers, and virtualized gateways. However, some product deployments utilize special Check Point code, such as Scalable Platforms (formerly known as Maestro), which are high-performance security gateways that can scale up to 1.5 Tbps of firewall throughput. Scalable Platforms use a special version of Gaia OS called Gaia Embedded, which is planned to be unified with Gaia OS in R81.102. References: Check Point R81 Release Notes

 RADIUS Accounting gets identity data from requests generated by the accounting client. RADIUS Accounting is a feature that allows tracking and measuring resource usage of network services by users. The accounting client, which is usually a network access server (NAS), sends accounting requests to a RADIUS server with information about user sessions, such as start and stop times, bytes transmitted and received, IP addresses, etc. The RADIUS server records this information in a database for billing, auditing, or reporting purposes. One of the mandatory attributes that the accounting client must include in every accounting request is the User-Name attribute, which identifies the user who is accessing the network service.

 A one-time password is used to initially create trust between a Gateway and Security Management Server. The administrator generates a one-time password from SmartConsole and enters it on the gateway command line interface using the cpconfig command. This establishes a Secure Internal Communication (SIC) between the gateway and the server . The other options are not used for this purpose. References: [Configuring Secure Internal Communication (SIC)], [Check Point CCSA - R81: Practice Test & Explanation]

The WebUI can be used to manage Operating System user accounts and add users to your Gaia system, assign privileges to users, and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server. This is done by the SmartConsole1.

References: 1: Check Point R81 Security Management Administration Guide, page 11.

 A session starts when an Administrator logs in through SmartConsole and ends when the Administrator logs out. A session allows multiple administrators to work on the same policy simultaneously, without overwriting each other’s changes3.

References: 3: Check Point R81 Security Management Administration Guide, page 17.

The two Check Point Protocols that are used by are FWD and LEA567. FWD is the Firewall Daemon that handles communication between different Check Point components, such as Security Management Server, Security Gateway, SmartConsole, etc. LEA is the Log Export API that allows external applications to retrieve logs from the Security Gateway or Security Management Server. Therefore, the correct answer is B. FWD and LEA. References: Border Gateway Protocol - Check Point Software, Check Point IPS Datasheet, List of valid protocols for services? - Check Point CheckMates

In order to see real-time and historical graph views of Security Gateway statistics in SmartView Monitor, the Monitoring Blade feature needs to be enabled on the Security Gateway. The Monitoring Blade is a software blade that collects and displays network and security performance data from the Security Gateway, such as traffic, throughput, connections, CPU usage, memory usage, etc. The Monitoring Blade can be enabled or disabled on each Security Gateway from the SmartConsole.References: [Monitoring Blade], [SmartView Monitor]

 The best upgrade method when the management server is not connected to the Internet is CPUSE offline upgrade . This method allows you to download the upgrade package from another source and install it manually on the management server. The other methods require Internet connection or are not supported for R80.10. References: [R80.10 Upgrade Verification and FAQ], [Check Point CCSA - R81: Practice Test & Explanation]

The default shell of Gaia CLI is clish, which stands for Check Point command line interface shell1. It provides a user-friendly interface to configure and manage Check Point products. References: Check Point Gaia Administration Guide

The Full Identity Agent allows packet tagging and computer authentication2. Packet tagging is a feature that enables the Security Gateway to identify the source user and machine of each packet, regardless of NAT or routing. Computer authentication is a feature that enables the Security Gateway to authenticate machines that are not associated with any user, such as servers or unattended workstations. The other options are incorrect. Endpoint Security Client is not an Identity Agent, but a software that provides endpoint security features such as firewall, antivirus, VPN, etc. Light Agent is an Identity Agent that does not require installation and runs on a web browser, but it does not support packet tagging or computer authentication. System Agent is not an Identity Agent, but a software that provides system information and health monitoring for endpoints. References: Check Point Identity Agent for Microsoft Windows 10

NAT (Network Address Translation) is a technique that modifies the IP addresses or ports of packets that pass through a security gateway. NAT can be configured in two ways: Automatic or Manual. Automatic NAT means that the NAT rules are generated automatically by the security gateway based on the NAT properties of network objects. Manual NAT means that the NAT rules are defined explicitly by the administrator in the NAT policy. Proxy ARP (Address Resolution Protocol) is a technique that allows a security gateway to answer ARP requests on behalf of other hosts. Proxy ARP is needed when a host on one network segment tries to communicate with a host on another network segment that has a different IP address than its own. In some scenarios, an administrator will need to manually define Proxy ARP for NAT to work properly. One such scenario is when they configure a Manual Static NAT which translates to an IP address that does not belong to one of the firewall’s interfaces2. References: Check Point R81 Network Address Translation Administration Guide

The command that shows the installed licenses is cplic print. This command displays the license information on a Check Point server or Security Gateway. It shows the license type, expiration date, attached blades, etc. The other options are incorrect. print cplic is not a valid command. fwlic print is not a valid command. show licenses is not a valid command. References: [How to check license status on SecurePlatform / Gaia from CLI]

 A Security Policy is created in SmartConsole, stored in the Security Management Server, and distributed to the various Security Gateways. SmartConsole is a graphical user interface that allows administrators to create and edit security policies. The Security Management Server is a central server that stores and manages the security policies. The Security Gateways are devices that enforce the security policies on the network traffic.

References: : Check Point R81 Security Gateway Administration Guide, page 9.

 Identity Awareness is the Check Point software blade that provides visibility of users, groups and machines while also providing access control through identity-based policies. Identity Awareness enables administrators to define granular access rules based on user or machine identity, rather than just IP addresses. Identity Awareness also allows administrators to monitor user activity and generate reports based on user or machine identity.

According to the Check Point R81.10 SmartConsole for Windows1, to restore a backup, you need to supply the following data: Server, Protocol, Username, Password, and Path. The Server is the IP address or hostname of the Security Management Server. The Protocol is either SCP or SFTP. The Username and Password are the credentials for the Security Management Server. The Path is the location of the backup file on the Security Management Server. References: Check Point R81.10 SmartConsole for Windows

The Access Role object type is used to grant network access to an LDAP user group. It defines a set of users and machines that can access a specific network resource34 References: Access Role, LDAP User Group

 src:192.168.1.1 AND dst:172.26.1.1 AND action:Drop is the correct log query to show only dropped packets with source address of 192.168.1.1 and destination address of 172.26.1.1. The AND operator means that all conditions must be true for the query to match. The OR operator means that any condition can be true for the query to match3. The other queries will either show packets that are not dropped or packets that have different source or destination addresses.

The BEST method to deploy Identity Awareness for roaming users is to use identity agents, which are software components installed on endpoints that provide user and machine identity information to the Security Gateway45. Identity agents are more secure and reliable than other methods, as they do not require network changes or user interaction4. Office Mode, sharing user identities between gateways, and using captive portal are not methods to deploy Identity Awareness, but rather features or options that can be used with Identity Awareness46.

References: Identity Awareness Reference Architecture and Best Practices, Identity Awareness PDP Broker, Identity Awareness Datasheet

 The command cplic print displays the installed licenses and their expiration dates on the CLI1. References: Check Point CLI Reference Card

References: Threat Emulation is not a policy type available for each policy package. Threat Emulation is a software blade that is part of the Threat Prevention policy type. The other options are valid policy types that can be configured for each policy package. References: [Threat Prevention Administration Guide R80.40], [Security Policies Administration Guide R80.40]

The command show config-state can be used to verify if there are unsaved changes in GAiA that will be lost with a reboot . The other commands are not valid in GAiA. References: [Check Point GAiA Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation]

The answer is A because changes applied to a User Directory template are reflected immediately for all users who are using that template. A User Directory template defines the settings for connecting to an LDAP server, such as the server name, port, base DN, user filter, and group filter. When a User Directory template is modified, all users who are using that template will inherit the changes without requiring any additional actions3 References: Check Point R81 Identity Awareness Administration Guide, [Check Point R81 User Directory Templates]

 Check Point licenses are divided into two types: central and local. Central licenses are managed by a Security Management Server and can be attached to any Security Gateway managed by that server. Local licenses are tied to the IP address of a specific Security Gateway and cannot be transferred to a gateway that has a different IP address. Formal and corporate are not types of Check Point licenses. References: [Check Point R81 Licensing and Contract Administration Guide]

The default layers that are included when creating a new policy layer are Access Control, Threat Prevention, and HTTPS Inspection. Access Control is the layer that defines the basic firewall rules. Threat Prevention is the layer that enables the protection against various types of attacks, such as IPS, Anti-Virus, Anti-Bot, etc. HTTPS Inspection is the layer that allows the inspection of encrypted traffic1. The other options are not the default layers that are included when creating a new policy layer.

You should generate new licenses when the existing license expires, the license is upgraded, or the IP address associated with the license changes. These situations invalidate the current license and require a new one to be obtained from the Check Point User Center and installed on the Security Management Server or Security Gateway. Installing contract files or upgrading devices do not affect the validity of the license12 References: Check Point R81, Managing and Installing license via SmartUpdate

Manage and Command Line is not a valid application navigation tab in the R80 SmartConsole, as it does not exist in the interface. The image shows the navigation toolbar of the R80 SmartConsole, which has four tabs: Security Policies, Logs & Monitor, Gateways & Servers, and Manage & Settings1. The Command Line Interface button is located in the system information area, not in the navigation toolbar1.

References: Application Control and URL Filtering - Check Point Software

One limitation of using Security Zones in the network is that Security Zones will not work in Manual NAT rules. Manual NAT rules are rules that explicitly define how to translate the source and destination IP addresses and ports of each connection. Manual NAT rules do not support using Security Zones as objects, only network objects or groups. Automatic NAT rules are rules that automatically define how to translate the source and destination IP addresses and ports of each connection based on the network objects or groups properties. Automatic NAT rules support using Security Zones as objects. Security Zones can also work in firewall policy layer and network topology.References: [Security Zones Best Practices], [NAT Methods]

The fwm process is responsible for managing the communication between the SmartConsole and the Security Management Server. It can only be seen on a Management Server12. References: Check Point Processes and Daemons, Check Point CCSA - R81: Practice Test & Explanation

Captive Portal is an authentication method used for Identity Awareness4. Captive Portal is a web-based authentication method that redirects users to a browser-based login page when they try to access the network. Users must provide their credentials to access the network resources. Captive Portal can be used for guest users or users who are not identified by other methods4. SSL, PKI, and RSA are not authentication methods used for Identity Awareness, but rather encryption or certificate technologies. References: Identity Awareness Reference Architecture and Best Practices

 When you upload a package or license to the appropriate repository in SmartUpdate, the package or license is stored on the Security Management Server. SmartUpdate is a tool that allows you to centrally manage software updates and licenses for all Check Point products on your network.

References: : Check Point R81 Security Management Administration Guide, page 16.

The Security Management Server is the component that changes most often and should be backed up most frequently, because it stores all the security policies and configurations for the Check Point components in your network. The other components are either clients or gateways that do not change as frequently.

References: Check Point Security Management Administration Guide R81, p. 9

This answer is correct because the vpn tu command is used for VPN tunnel management and shows detailed information about VPN tunnels, such as the tunnel ID, peer IP, encryption domain, and status1. This command will bring up a menu for you to choose from, such as list all IPsec SAs, delete all IPsec SAs, or delete IPsec SA for given peer1.

The other answers are not correct because they either show different information or do not exist as commands. The cat $FWDlR/conf/vpn.conf command shows the VPN configuration file, which contains the VPN domains, communities, and encryption settings2. The vpn tu tlist command does not exist, but it might be confused with the vpn tunnelutil tlist command, which shows the tunnel utilization statistics3. The cpview command shows the Check Point real-time performance monitoring tool, which displays various system and network parameters, such as CPU, memory, disk, interfaces, and VPN4.

How to use the “vpn tu” command for VPN tunnel management

New VPN daemons in R81.10 / R81.20 - Check Point CheckMates

Remote Access VPN R81.20 Administration Guide - Check Point Software

Remote Access VPN R81 Administration Guide - Check Point Software

 The correct answer is A because a pencil icon in a rule means that you have changed this rule3. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when3. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

 Extended Log is a tracking option that enables administrators to see additional information about the traffic that matches a security rule, such as data type, file name, file size, etc. However, to see any data type information, Content Awareness must be enabled on the Security Gateway. Content Awareness is a blade that inspects files based on their type, size, name, and data. Content Awareness is required for Extended Log to work properly3. References: Check Point R81 Content Awareness Administration Guide

The option that is NOT an advantage of Stateful Inspection is No Screening above Network layer. Stateful Inspection is a firewall technology that inspects packets at all layers of the OSI model, from layer 3 (Network) to layer 7 (Application). Stateful Inspection provides screening above Network layer, such as checking TCP flags, sequence numbers, ports, and application protocols . The other options are advantages of Stateful Inspection, as it provides high performance, good security, and transparency for legitimate traffic.

References: Stateful Inspection Technology, Firewall Administration Guide

The backups are stored in Check Point appliances as *.tgz files under /var/CPbackup. This is the default location for backup files created by the backup command. Therefore, the correct answer is B. Saved as *.tgz under /var/CPbackup

Capsule Connect provides a Layer 3 VPN that allows users to access corporate resources securely from their mobile devices2. Capsule Workspace provides a secure container on the mobile device that isolates business data and applications from personal data and applications3. Capsule Workspace also provides a desktop with usable applications such as email, calendar, contacts, documents, and web applications3. References: Check Point Capsule Connect, Check Point Capsule Workspace

SmartEvent is a unified security management solution that provides real-time visibility into security events across the network. SmartEvent shows correlated logs and aggregated data to provide an overview of potential threats and attack patterns, as well as generate reports and alerts based on predefined or customized indicators. SmartView Tracker, SmartLog, and SmartView Monitor are other SmartConsole applications that can show logs, search queries, and network statistics respectively, but they do not provide the same level of correlation and analysis as SmartEvent. References: [Check Point R81 SmartEvent Administration Guide]

When enabling tracking on a rule, the default option is Log. This option generates a log entry for each connection that matches the rule. The log entry contains information such as the source, destination, service, action, and time of the connection.References: [Logging and Monitoring R81], [Logging and Monitoring]

The key that is created during Phase 2 of a site-to-site VPN is a symmetrical IPSec key3. This key is used to encrypt and decrypt the data that is exchanged between the VPN peers3. The symmetrical IPSec key is derived from the shared secret and the Diffie-Hellman public keys that are exchanged during Phase 13. References: Site to Site VPN in R80.x - Tutorial for Beginners

Service blades must be attached to a Security Gateway. A Security Gateway is a device that enforces security policies on traffic that passes through it. A service blade is a software module that provides a specific security function, such as firewall, VPN, IPS, etc. A Security Gateway can have one or more service blades attached to it, depending on the license and hardware capabilities. The other options are incorrect. A management container is a virtualized environment that hosts a Security Management Server or a Log Server. A management server is a device that manages security policies and distributes them to Security Gateways. A Security Gateway container is not a valid term in Check Point terminology. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 CloudGuard Administration Guide]

The command to restore a backup of Check Point configurations without the OS information is restore_backup4. This command restores the Gaia OS configuration and the firewall database from a compressed file. The other commands are not valid for this purpose. import backup is not a valid command. cp_merge is a command to merge policies or objects from different databases. migrate import is a command to import a previously exported database using migrate export. References: System Backup and Restore feature in Gaia, [cp_merge], [migrate import]

With the User Directory Software Blade, you can create user definitions on a(n) LDAP Server2. LDAP stands for Lightweight Directory Access Protocol and is a protocol for accessing and managing user information stored in a directory service. The User Directory Software Blade enables integration with LDAP servers such as Microsoft Active Directory, Novell eDirectory, and OpenLDAP. References: Check Point R81 Identity Awareness Administration Guide

Automatic Hide NAT enables Source Port Address Translation by default1. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections. References: Check Point R81 Firewall Administration Guide

The correct answer is D because the recommended size of the root partition for a dedicated R80 SmartEvent server is at least 20GB2. Any size, less than 20GB, or more than 10GB and less than 20GB are not sufficient for the SmartEvent server. References: Check Point R80.40 Installation and Upgrade Guide

When dealing with rule base layers, two layer types can be utilized: Ordered Layers and Inline Layers5. Ordered Layers are executed sequentially according to their order in the policy. Inline Layers are embedded in a parent layer and are executed only if the parent rule matches. References: Check Point R81 Firewall Administration Guide, [Check Point R81 Security Management Administration Guide]

Threat Prevention is a comprehensive solution that protects networks from malicious attacks by using multiple security blades, such as Anti-Bot, Anti-Virus, IPS, Threat Emulation, and Threat Extraction. These are the Threat Prevention software components available on the Check Point Security Gateway. IPS (Intrusion Prevention System) is a blade that detects and prevents network attacks by using signatures and behavioral patterns. Anti-Bot is a blade that detects and blocks botnet communications by using reputation services and heuristics. Anti-Virus is a blade that scans files and web content for malware by using signatures and emulation. Threat Emulation is a blade that analyzes suspicious files in a sandbox environment and blocks malicious files from entering the network. Threat Extraction is a blade that removes exploitable content from files and delivers clean files to users2. References: Check Point R81 Threat Prevention Administration Guide

 A firewall can NOT prevent a network bandwidth saturation attack, which is a type of denial-of-service (DoS) attack that aims to consume all the available bandwidth of a target network or device1, p. 9. A firewall can prevent other types of attacks, such as buffer overflow, SYN flood, and SQL injection, by inspecting packets and applying security rules2, p. 11-12. References: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

To increase security, the administrator has modified the Core protection ‘Host Port Scan’ from ‘Medium’ to ‘High’ Predefined Sensitivity. The administrator should install the Threat Prevention Policy after Publishing the changes3. The Threat Prevention Policy defines how the Security Gateway inspects and protects against threats such as port scans, bot attacks, and zero-day exploits4. References: Check Point R81 Firewall Administration Guide, Check Point R81 Threat Prevention Administration Guide

The default shell of the Gaia CLI is cli.sh, which provides a limited set of commands for basic configuration and troubleshooting. To change from the cli.sh shell to the advanced shell (also known as expert mode) to run Linux commands, the administrator needs to execute the command ‘expert’ in the cli.sh shell

 Log, Alert, and None are the tracking options that an Administrator can select when configuring Anti-Spoofing. Log means that the packet will be logged in SmartView Tracker. Alert means that the packet will trigger an alert in SmartView Monitor. None means that no action will be taken2. The other options are not valid tracking options.

 The purpose of the CPCA process is generating and modifying certificates. CPCA stands for Check Point Certificate Authority and it is a process that runs on the Security Management Server or Log Server. It is responsible for creating and managing certificates for internal communication between Check Point components, such as SIC . References: [Check Point R81 Quantum Security Management Administration Guide], [Check Point R81 Quantum Security Gateway Guide]

 Captive Portal is a feature of Identity Awareness that allows you to authenticate users through a web browser before they access the Internet or corporate resources. Captive Portal can be used for various authentication methods, such as user name and password, one-time password (OTP), or certificate3. Captive Portal does not manage user permission in SmartConsole, provide remote access to SmartConsole, or authenticate users to the Gaia OS. Those are different functions that are not related to Captive Portal. References: Check Point R81 Identity Awareness Administration Guide

 UserCheck is not an identity source used for Identity Awareness. UserCheck is a feature that allows you to interact with users when they trigger Data Loss Prevention or Threat Prevention incidents2. Identity Awareness uses different methods to acquire identities, such as AD Query, Identity Agent, Browser-Based Authentication, Terminal Servers, Captive Portal, and RADIUS3 . Therefore, the correct answer is B. UserCheck.

A security zone is a group of one or more network interfaces from different centrally managed gateways that have the same security requirements. The zone is based on the network topology and determined according to where the interface leads to. For example, a zone can be defined as internal, external, DMZ, VPN, etc. Security zones are supported by Check Point firewalls and can be used to simplify security policies and network segmentation. The firewall rule can be configured to include one or more zones as source or destination objects. The local directly connected subnet defined by the subnet IP and subnet mask is not considered part of the zone, but rather a property of the interface.References: [Security Zones], [Security Zones Best Practices]

The VPN Domains configuration element determines which traffic should be encrypted into a VPN tunnel vs. sent in the clear. The VPN Domain is the set of hosts and networks that are allowed to communicate securely with the gateway12. The firewall topologies, NAT rules, and the rule base do not directly affect the VPN encryption decision. References: Check Point R81 Security Gateway Technical Administration Guide, CCSA/CCSE Exam Tips & Content - R80.X vs. R81.X - Check Point CheckMates

Bridge Mode is a deployment option for Check Point Security Gateway that allows it to act as a transparent bridge between two network segments, without changing the IP addressing scheme. Bridge Mode supports most of the security features, such as Data Loss Prevention, Antivirus, Application Control, etc. However, Bridge Mode does not support NAT, because NAT requires modifying the IP addresses or ports of the packets, which contradicts the transparent nature of Bridge Mode1. References: Check Point R81 Security Gateway Technical Administration Guide

Address translation rules are used to map an IP address space into another by modifying network address information in the IP header of packets. Address translation rules have two elements: original packet and translated packet6. The original packet is the packet before it undergoes address translation, and the translated packet is the packet after it undergoes address translation. The original packet and the translated packet may have different source and destination IP addresses, depending on the type and direction of address translation. 

The correct answer is D because from SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path3. The Firewall Path is used when SecureXL is disabled or traffic is not eligible for acceleration3. The Accelerated Path is used when SecureXL handles the entire connection and bypasses the Firewall kernel3. The Medium Path is used when SecureXL handles part of the connection and forwards packets to the Firewall kernel for further inspection3. The other options are not valid paths of traffic flow from SecureXL perspective3. References: Check Point R81 Performance Tuning Administration Guide

Stateful Inspection is a firewall technology that inspects both the header and the payload of each packet and keeps track of the state and context of each connection. Packet Filtering is a firewall technology that inspects only the header of each packet and does not keep track of the state or context of each connection. A benefit that Stateful Inspection offers over Packet Filtering is that only one rule is required for each connection, whereas Packet Filtering requires two rules for each connection (one for each direction). Stateful Inspection also offers other benefits over Packet Filtering, such as enhanced security, performance, and flexibility. Stateful Inspection does not offer unlimited connections because of virtual memory usage, nor does it avoid using memory to record the protocol used by the connection.References: [Stateful Inspection], [Packet Filtering], [Firewall Technologies]

The steps to configure the HTTPS Inspection Policy are as follows34:

Go to Manage & Settings > Blades > HTTPS Inspection > Policy.

Click on New HTTPS Inspection Rule or select an existing rule and click on Edit Rule.

Define the Source, Destination, and Action for the rule. The action can be either Inspect, Bypass, or Ask.

Click on OK and then on Install Policy to apply the changes. References: HTTPS Inspection R81 Administration Guide, Check Point CCSA - R81: Practice Test & Explanation

The command show cluster state is used to monitor cluster members in CLI. It displays information such as the cluster mode, the cluster members, their status, their priority, and their interfaces.References: [ClusterXL Administration Guide], [Check Point CLI Reference Card]

The Transport layer of the TCP/IP model is responsible for managing the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the target application. It also provides error detection and correction, flow control, and multiplexing. The Transport layer uses protocols such as TCP and UDP.

References: Check Point Security Engineering Study Guide, p. 10-11

The technologies that are used to deny or permit network traffic are Stateful Inspection, Firewall Blade, and URL/Application Blade. Stateful Inspection is a technology that inspects network traffic at the packet level and maintains the state and context of each connection. Firewall Blade is a software blade that enforces security policy and prevents unauthorized access to protected resources. URL/Application Blade is a software blade that enables administrators to control access to millions of websites and applications based on users, groups, and machines.

References: : Check Point R81 Security Gateway Administration Guide, page 9. : Check Point R81 Security Gateway Administration Guide, page 10. : Check Point R81 Security Gateway Administration Guide, page 12.

The correct answer is A because the traffic from source 192.168.1.1 to www.google.com is handled by the Slow Path if the Application Control Blade on the gateway is inspecting the traffic 2. The Slow Path is used when traffic requires inspection by one or more Software Blades2. The other paths are used for different scenarios2. References: Check Point R81 Performance Tuning Administration Guide

Smart Cloud Services is an option for deployment of Check Point SandBlast Zero-Day Protection. It is a cloud-based service that provides advanced threat prevention for files and URLs, without requiring any on-premise infrastructure or appliances . References: [Check Point SandBlast Zero-Day Protection], [Smart Cloud Services]

By default, the SIC certificates issued by R80 Management Server are based on the SHA-256 algorithm1. SHA-256 is a secure hash algorithm that produces a 256-bit digest. SHA-200, MD5, and SHA-128 are not valid algorithms for SIC certificates. References: SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)

The Sticky Decision Function (SDF) is required to prevent failovers in an Active-Active cluster. The SDF ensures that the same cluster member handles all connections that belong to a certain session. If the SDF is not enabled, different cluster members may handle different connections of the same session, which may cause a failover or a drop12. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation

There are two default users on Gaia Platform and neither can be deleted. The two default users are admin and monitor. The admin user has full access to the Gaia configuration and management tools, such as CLI and WebUI. The monitor user has read-only access to the Gaia configuration and management tools, and can only view the system status and settings. These two users cannot be deleted, but their passwords can be changed.References: [Gaia Administration Guide], [Gaia Overview]

In Check Point’s Security Management Architecture, logs can be stored on the Security Management Server and Security Gateway.

Security Management Server stores logs when configured to do so.

Security Gateways can store logs locally, but they are often forwarded to a Security Management Server or a dedicated Log Server.

Option B (Incorrect): SmartConsole is only a management interface and does not store logs.

Option C (Incorrect): SmartConsole does not store logs.

Option D (Incorrect): Logs are not exclusively stored on the Security Management Server—they can also be stored on the Security Gateway.

Thus, the correct answer is A. Security Management Server and Security Gateway.

The communication between different Check Point components is secured in R80 by using SIC. SIC stands for Secure Internal Communication and it is a mechanism that ensures the authenticity and confidentiality of communication between Check Point components, such as Security Gateways, Security Management Servers, Log Servers, etc. SIC uses certificates issued by the Internal CA (ICA) and encryption algorithms such as AES-25634. References: Check Point R81 Quantum Security Gateway Guide, Check Point R81 Quantum Security Management Administration Guide

Access roles allow the firewall administrator to configure network access according to remote access clients, a combination of computer or computer groups and networks, and users and user groups12. Therefore, the correct answer is D.

The most likely reason for Vanessa’s authentication failure is that she is using the wrong details for SmartConsole. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. She needs to use the credentials that were defined during the initial configuration of the Security Management Server, or the ones that were assigned to her by the administrator12. The other options are not valid reasons for this error. References: SmartConsole Login, Check Point CCSA - R81: Practice Test & Explanation

When tunnel test packets no longer invoke a response, SmartView Monitor displays Down for the given VPN tunnel1. This means that the VPN tunnel is not operational and there is no IKE or IPsec traffic passing through it. No Response, Inactive, and Failed are not valid statuses for VPN tunnels in SmartView Monitor. References: Smart View Monitor displays status for all S2S VPN tunnels - Phase1 UP

A main component of the Check Point security management architecture is SmartConsole2. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References: Check Point R81 Security Management Administration Guide

The correct answer is A because detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature of the Check Point URL Filtering and Application Control Blade3. This feature is part of the Check Point Anti-Virus and Anti-Bot Blades3. The other options are features of the Check Point URL Filtering and Application Control Blade3. References: Check Point R81 URL Filtering and Application Control Administration Guide

References: Certificate-based authentication is considered to be the more secure and preferred VPN authentication method. It uses digital certificates to verify the identity of the VPN client and server, and provides stronger encryption and mutual authentication. Password-based authentication methods are less secure and more vulnerable to brute-force attacks, phishing, and keylogging. MD5 is a hashing algorithm, not an authentication method. Pre-shared secret is a symmetric key that is shared between the VPN peers, but it can be compromised if it is not changed frequently or stored securely12 References: VPN authentication options, Windows VPN technical guide

A reason for manual creation of a NAT rule is when the public IP-address is different from the gateway’s external IP. This can happen when the gateway is behind another NAT device or firewall3 . References: Check Point R81 Security Gateway Administration Guide, Check Point CCSA - R81: Practice Test & Explanation

The option that allows all encrypted and non-VPN traffic that matches the rule is Accept all encrypted traffic. This option enables you to allow traffic to any destination that is encrypted, regardless of whether it is part of a VPN community or not2. Therefore, the correct answer is B. Accept all encrypted traffic. 

 The type of Check Point license that ties the package license to the IP address of the Security Management Server is Central license. A Central license is a license that is installed on the Security Management Server and applies to all the Security Gateways that are managed by it. The Central license is based on the IP address of the Security Management Server and cannot be transferred to another Security Management Server with a different IP address.References: [Check Point R81 Licensing Guide], [Managing and Installing license via SmartUpdate]

The Windows Security Event that will NOT map a username to an IP address in Identity Awareness is Kerberos Ticket Timed Out. This event occurs when a Kerberos ticket expires and is not renewed, which means that the user is no longer active on the network. Identity Awareness does not use this event to map a username to an IP address, as it does not indicate a valid user session. The other events are used by Identity Awareness to map a username to an IP address, as they indicate a successful user authentication or activity on the network.

References: [Kerberos Ticket Expiration and Renewal], [Identity Awareness AD Query]

An explicit rule is created by an administrator and configured to allow or block traffic based on specified criteria. Explicit rules are displayed in the Rule Base and can be modified by the administrator. References: Certified Security Administrator (CCSA) R81.20 Course Overview, page 12.

In a Distributed deployment, the Security Gateway and the Security Management software are installed on different computers or appliances2. This allows for better scalability and performance. References: Check Point Security Management Administration Guide R81

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

The correct command to show detailed information about VPN tunnels is vpn tu.

vpn tu is an interactive command that provides detailed VPN tunnel status and allows you to clear specific VPN-related connections.

vpn tu tlist (Option B) is not a valid command.

cat $FWDIR/conf/vpn.conf (Option A) only displays configuration settings but does not provide real-time VPN tunnel details.

cpview (Option D) is a general system monitoring tool and does not focus specifically on VPN tunnels.

Thus, the correct answer is C. vpn tu.

The Next Generation Threat Emulation software blade package uses CPU-level and OS-level sandboxing in order to detect and block malware1, p. 41. It emulates files in a virtual environment and inspects their behavior for malicious activity3. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Threat Emulation Administration Guide R81

Check Point provides an Automatic Licensing and Verification tool that ensures licenses are properly validated. This tool:

Automatically checks current licenses against Check Point's online license repository.

Activates newly added licenses.

Ensures compliance with active contracts.

Option B (incorrect): "Verification licensing" is not an official Check Point feature.

Option C (incorrect): "Verification tool" is too generic and does not refer to Check Point’s licensing system.

Option D (incorrect): "Automatic licensing" does not fully describe the verification and activation process.

Thus, the correct answer is A. Automatic Licensing and Verification tool.

When URL Filtering is set, only the host part of the URL is sent to the Check Point Online Web Service for analysis. The host part is the part of the URL that identifies the web server, such as www.example.com. The Check Point Online Web Service uses this information to categorize the URL and return the appropriate action to the Security Gateway. The other options are not sent to the Check Point Online Web Service for analysis, as they may contain sensitive or irrelevant data.

References: 1: Policy Layers 2: Adding a New Log Server 3: Suspicious Activity Monitoring : [URL Filtering]

Application Control is a blade that enables administrators to control access to applications and web sites by users, groups, machines, and time. Application Control can eliminate unknown and unwanted applications in your network to reduce IT complexity and application risk, identify and control which applications are in your IT environment and which to add to the IT environment, and automatically identify trusted software that has authorization to run1. However, Application Control cannot scan the content of files being downloaded by users in order to make policy decisions. That is the function of another blade called Content Awareness, which can inspect files based on their type, size, name, and data2. References: Check Point R81 Application Control Administration Guide, Check Point R81 Content Awareness Administration Guide

 The RFC number that acts as a best practice guide for NAT is RFC 1918. RFC 1918 defines a range of private IP addresses that are not globally routable and can be used for internal networks. NAT is a technique that maps these private IP addresses to public IP addresses that can communicate with the Internet. RFC 1918 provides guidelines and recommendations for using NAT in different scenarios and environments.References: [RFC 1918], [Network Address Translation (NAT)]

When a Security Gateway sends its logs to an IP address other than its own, it means that the deployment option is distributed. In a distributed deployment, the Security Management Server and the Security Gateway are installed on separate machines. The Security Management Server collects logs from one or more Security Gateways and manages them centrally. In a standalone deployment, the Security Management Server and the Security Gateway are installed on the same machine. The Security Gateway sends logs to its own IP address. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own. In a targeted deployment, the Security Gateway sends logs to a specific log server that is configured in the gateway object properties34 References: Part 4 - Installing Security Gateway, Deployment Options

The type of Endpoint Identity Agent that includes packet tagging and computer authentication is Full. The Full Identity Agent is a client-side software that provides full identity awareness features, such as user authentication, computer authentication, packet tagging, identity caching, and identity sharing. The other types of Endpoint Identity Agents are Custom, Complete, and Light, which have different features and capabilities. 

Identity Awareness uses several methods for acquiring identity, such as Active Directory Query, Identity Agent, Browser-Based Authentication, Terminal Servers, Captive Portal, and RADIUS12. Cloud IdP (Identity Provider) is not a method used by Identity Awareness12. Therefore, the correct answer is B. Cloud IdP (Identity Provider).

 Central License is the preferred and recommended method of licensing because it ties to the IP address of the management server and is not dependent on the IP of any gateway in the event it changes. Central License allows administrators to manage licenses for all Security Gateways from one central location. If the IP address of a gateway changes, the license remains valid as long as it is connected to the same management server. Central Licensing is supported with Gaia and is not the only option when deploying Gaia. Central Licensing does not tie to the IP address of a gateway and can not be changed to any gateway if needed.

References: 1: Rugged Appliances 2: SmartUpdate 3: Check Point Software Deployment Options : [Anti-Virus] : [Check Point Software Blades] : [Central License]

Logs are not automatically forwarded to a new Log Server. SmartConsole must be used to manually configure each gateway to send its logs to the server. After adding a new Log Server and establishing the SIC trust with the SMS, the administrator must use SmartConsole to assign the Log Server to each gateway in the Logs and Masters section of the gateway properties2. The other options are not correct, as gateways can send logs to both SMS and Log Server, Log Servers are not proprietary log archive servers, and gateways will not detect the new Log Server after the next policy install.

A correlation unit (CU) is a component of SmartEvent that analyzes log entries on log servers and identifies events based on predefined or custom rules1. A CU receives logs from one or more log servers and forwards them to the SmartEvent server, where they are stored in the events database

 Core Protections are installed as part of the Threat Prevention Policy. Core Protections are a set of IPS protections that are essential for securing your network against malicious traffic4. The other policies do not include Core Protections.

References: 1: Check Point CLI Reference Card 2: Anti-Spoofing 3: SmartView Tracker 4: Core Protections

The components of Check Point Capsule are Capsule Docs, Capsule Cloud, and Capsule Workspace123. There is no Capsule Enterprise component. Capsule Docs protects business documents everywhere they go. Capsule Cloud protects mobile users outside the enterprise security perimeter. Capsule Workspace creates a secure business environment on mobile devices. References: Check Point Capsule Datasheet, Check Point Capsule Workspace Datasheet, Mobile Secure Workspace with Capsule

Identity Sharing is a feature that allows Security Gateways to acquire and share identities with other Security Gateways, enabling identity-based access control across different network segments or domains13. Management servers, users, and administrators do not share identities with Security Gateways.

References: Identity Awareness R81.10 Administration Guide, Check Point R81.10

The difference between SSL VPN and IPSec VPN is that IPSec VPN requires installation of a resident VPN client and SSL VPN requires only an installed browser5 . IPSec VPN uses a pre-shared key or certificates to authenticate the endpoints and encrypts the data at the network layer. SSL VPN uses SSL/TLS protocols to authenticate the endpoints and encrypts the data at the application layer. References: Check Point Remote Access VPN Administration Guide R81, [Free Check Point CCSA Sample Questions and Study Guide]

 Alerts can be viewed in SmartView Monitor, which is a graphical tool that provides real-time information about the network and security activities, such as traffic, VPN tunnels, threats, and performance4.

References: 4: Check Point R81 Security Management Administration Guide, page 25.

Sub Policies are a new feature in R80.10 Gateway that allow creating and attaching sets of rules to specific rules in the main policy4. Sub Policies are useful for delegating permissions, managing large rule bases, and applying different inspection profiles4. The other options are not new features in R80.10 Gateway. References: Check Point R80.10 Security Management Administration Guide

 Authentication rules are defined for user groups rather than individual users1. To define authentication rules, you must first define users and groups. You can define users with the Check Point user database, or with an external server, such as LDAP1. UserCheck is a feature that enables user interaction with security events2. Individual users and all users in the database are not valid options for defining authentication rules. References: How to Configure Client Authentication, UserCheck

Multi-domain management server is a valid deployment option for R81, not R80. R80 supports multi-domain security management, which is a centralized management solution for large-scale, distributed environments with many different domain networks1. References: Multi-Domain Security Management Administration Guide R80

The Shared policies feature allows administrators to share a policy with other policy packages3. This can save time and effort when managing multiple gateways with similar security requirements. Shared policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers4. References: Check Point R81 Security Management Administration Guide, Check Point R81 SmartConsole R81 Resolved Issues

USB media created with Check Point ISOMorphic is the most recommended installation method for Check Point appliances, as it provides a fast and easy way to install the Gaia operating system and the latest software version4. SmartUpdate installation requires an existing Gaia installation and does not support fresh installations4. DVD media created with Check Point ISOMorphic is less convenient than USB media, as it requires burning the image to a DVD and inserting it into the appliance4. Cloud based installation is not applicable for Check Point appliances, as it is intended for cloud environments such as AWS or Azure4.

References: INSTALLATION AND UPGRADE GUIDE R81.10, Chassis R81 Installation and Upgrade Guide, Check Point R81.10