156-215.81 Online Practice Questions and Answers

Correct Answer: C

This answer is correct because these are the two forms of Check Point licenses that are used to activate the software blades on the Security Gateways and the Security Management Servers. A central license is a license that is attached to a Security Management Server and can be used to manage multiple Security Gateways. A local license is a license that is attached to a specific Security Gateway and can only be used by that gateway. The other answers are not correct because they are either irrelevant or inaccurate options for Check Point licenses forms. Security Gateway and Security Management are not license forms, but software components that provide firewall, VPN, and other security features. On-premise and Public Cloud are not license forms, but deployment options for Check Point products. Access Control and Threat Prevention are not license forms, but software blades that provide different security functions.

Check Point License Guide Check Point Software Blade Quick Licensing Guide Check Point CloudGuard Network Security [Check Point Software Blades]

Correct Answer: D

Backup and restores can be accomplished through SmartConsole, WebUI, or CLI. SmartUpdate and SmartBackup are not valid options. References: Check Point R81 Security Management Administration Guide, page

Correct Answer: C

Threat Prevention is a comprehensive solution that protects networks from malicious attacks by using multiple security blades, such as Anti-Bot, Anti-Virus, IPS, Threat Emulation, and Threat Extraction. These are the Threat Prevention software components available on the Check Point Security Gateway. IPS (Intrusion Prevention System) is a blade that detects and prevents network attacks by using signatures and behavioral patterns. Anti-Bot is a blade that detects and blocks botnet communications by using reputation services and heuristics. Anti-Virus is a blade that scans files and web content for malware by using signatures and emulation. Threat Emulation is a blade that analyzes suspicious files in a sandbox environment and blocks malicious files from entering the network. Threat Extraction is a blade that removes exploitable content from files and delivers clean files to users. References: Check Point R81 Threat Prevention Administration Guide

Correct Answer: B

The default tracking option of a rule is Log. This means that the Security Gateway will generate a log entry for every connection that matches the rule. The log entry will contain information such as source, destination, service, action, and time. Other tracking options include None, Alert, Mail, SNMP Trap, User Alert, and Accounting. References: Check Point R81 Firewall Administration Guide

Correct Answer: C

The SIC Status "Unknown" means that there is no connection between the gateway and Security Management Server. This can happen if the gateway is down, unreachable, or has not been initialized yet. References: Check Point R81 Security Management Administration Guide, Free Check Point CCSA Sample Questions and Study Guide

Correct Answer: B

The Threat Prevention Software Blade that provides protection from malicious software that can infect your network computers is Anti-Virus. Anti-Virus is a software blade that scans files and traffic for viruses, worms, trojans, spyware, and other malware. Anti-Virus can block or clean infected files and prevent malware outbreaks. IPS is a software blade that provides protection from network attacks and exploits. Anti-Malware is not a software blade, but rather a term that refers to any software that can detect and remove malware. Content Awareness is a software blade that provides visibility and control over data that enters or leaves the network based on file types, data types, and keywords.

References: [Anti-Virus Software Blade], [IPS Software Blade], [What is Anti-Malware?], [Content Awareness Software Blade]

Correct Answer: A

The three main components of Check Point security management architecture are SmartConsole, Security Management, and Security Gateway. SmartConsole is the graphical user interface that allows administrators to manage and monitor Check Point products. Security Management is the server that stores the security policy and configuration data. Security Gateway is the device that enforces the security policy on the network traffic. References: Check Point R81 Security Management Administration Guide

Correct Answer: A

The correct answer is A because a pencil icon in a rule means that you have changed this rule. The pencil icon indicates that the rule has been modified but not published yet. You can hover over the pencil icon to see who made the change and when. The other options are not related to the pencil icon. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

Correct Answer: D

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

Correct Answer: B

The two Check Point Protocols that are used by are FWD and LEA. FWD is the Firewall Daemon that handles communication between different Check Point components, such as Security Management Server, Security Gateway, SmartConsole, etc. LEA is the Log Export API that allows external applications to retrieve logs from the Security Gateway or Security Management Server. Therefore, the correct answer is B. FWD and LEA. References: Border Gateway Protocol - Check Point Software, Check Point IPS Datasheet, List of valid protocols for services? - Check Point CheckMates

Correct Answer: C

An Endpoint identity agent uses a username/password or Kerberos ticket for user authentication, p. 28. An Endpoint identity agent is a lightweight client installed on endpoint computers that communicates with Identity Awareness gateways

and provides reliable identity information. An Endpoint identity agent does not use a shared secret, a token, or a certificate for user authentication.

References: Check Point CCSA - R81:Practice Test and Explanation, [Check Point Identity Awareness Administration Guide R81]

Correct Answer: C

The statement that is TRUE of anti-spoofing is that it is BEST Practice to have anti- spoofing groups in sync with the routing table. Anti-spoofing prevents attackers from sending packets with a false source IP address. Anti-spoofing groups define which IP addresses are expected on each interface of the Security Gateway. If the routing table changes, the anti-spoofing groups should be updated accordingly. References: Check Point R81 ClusterXL Administration Guide, Network Defined by Routes: Anti-Spoofing

Correct Answer: C

To optimize drops, you can use Priority Queues and fully enable Dynamic Dispatcher on the Security Gateway. Priority Queues are a mechanism that prioritizes part of the traffic when the Security Gateway is stressed and needs to drop packets. Dynamic Dispatcher is a feature that dynamically assigns new connections to a CoreXL FW instance based on the utilization of CPU cores. To enable both features, you need to run the command fw ctl multik set_mode 9 on the Security Gateway. Therefore, the correct answer is C. fw ctl multik set_mode 9. References: CoreXL Dynamic Dispatcher - Check Point Software, Firewall Priority Queues in R80.x / R81.x - Check Point Software, Separate Config for Dynamic Dispatcher and Priority Queues

Correct Answer: B

The command fwaccel stat shows the status of SecureXL, including whether Drop Templates are enabled or not. References: Check Point SecureXL R81 Administration Guide

Correct Answer: B

The padlock sign next to the DNS rule in the Rule Base indicates that another administrator is logged into the Management and currently editing the DNS Rule. This is a feature of R80 that allows multiple administrators to work on the same policy simultaneously. The padlock sign prevents other administrators from modifying the same rule until the editing administrator publishes or discards the changes. The other options are not valid explanations for the padlock sign. References: 156-215.80:Check Point Certified Security Administrator (CCSA R80) : Part 19, Multi-User Policy Editing