CheckPoint 156-315.81 Online Practice Questions and Exam Preparation

CheckPoint 156-315.81 Online Questions & Answers

• Question 1:

  What traffic does the Anti-bot feature block?

  A. Command and Control traffic from hosts that have been identified as infected
  B. Command and Control traffic to servers with reputation for hosting malware
  C. Network traffic that is directed to unknown or malicious servers
  D. Network traffic to hosts that have been identified as infected
  A. Command and Control traffic from hosts that have been identified as infected

  ---

  explanation:

  Explanation/Reference:

  The traffic that the Anti-bot feature blocks is command and control traffic from hosts that have been identified as infected. Anti-bot is a blade that detects and prevents botnet attacks by using a cloud-based service that provides up-to-date threat intelligence. When Anti-bot detects a host that is communicating with a malicious command and control server, it blocks the traffic and generates an alert. The other options are not the types of traffic that Anti-bot blocks. References: Check Point Software, Getting Started, Anti-Bot.

• Question 2:

  Which of the following is an identity acquisition method that allows a Security Gateway to identify Active Directory users and computers?

  A. UserCheck
  B. Active Directory Query
  C. Account Unit Query
  D. User Directory Query
  B. Active Directory Query

  ---

  explanation:

  Explanation/Reference:

  Active Directory Query is an identity acquisition method that allows a Security Gateway to identify Active Directory users and computers by querying domain controllers for security event logs. The Security Gateway sends a WMI query to each domain controller and receives a WMI event when a user logs in, logs out, or unlocks their computer. The Security Gateway then maps IP addresses to user names based on these events. Active Directory Query does not require any software installation on domain controllers or clients, but it requires certain permissions and configurations on the domain controllers Reference : https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62402.htm

• Question 3:

  What a valid SecureXL paths in R81.20?

  A. F2F (Slow path). Templated Path. PQX and F2V
  B. F2F (Slow path). PXL, QXL and F2V
  C. F2F (Slow path), Accelerated Path, PQX and F2V
  D. F2F (Slow path), Accelerated Path, Medium Path and F2V
  D. F2F (Slow path), Accelerated Path, Medium Path and F2V

  ---

  explanation:

  Explanation/Reference:

  The valid SecureXL paths in R81.20 are F2F (Slow path), Accelerated Path, Medium Path and F2V1. SecureXL is a technology that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2. SecureXL uses different paths to process packets, depending on the type and state of the connection3. The SecureXL paths are3: F2F (Slow path): This path handles packets that require a full inspection by the Firewall kernel. It is the slowest path, but it supports all features and blades. Examples of packets that use this path are packets that belong to a new connection, packets that match a rule with UTM blades, or packets that require address translation. Accelerated Path: This path handles packets that belong to an established connection that does not require any further inspection by the Firewall kernel. It is the fastest path, but it supports only a limited set of features and blades. Examples of packets that use this path are packets that match an accept rule with no UTM blades, or packets that match a rule with SecureXL acceleration enabled. Medium Path: This path handles packets that belong to an established connection that requires some inspection by the Firewall kernel, but not a full inspection. It is faster than the F2F path, but slower than the Accelerated path. It supports more features and blades than the Accelerated path, but less than the F2F path. Examples of packets that use this path are packets that match a rule with IPS or Anti-Bot blades, or packets that require NAT templates. F2V: This path handles packets that are encapsulated or decapsulated by the VPN kernel. It is faster than the F2F path, but slower than the Accelerated path. It supports VPN features such as encryption, decryption, encapsulation, and decapsulation. References: R81.x Security Gateway Architecture (Logical Packet Flow) - Check Point CheckMates, SecureXL Mechanism in R80.10 and above - Check Point Software, SecureXL - Check Point Software

• Question 4:

  How does the Anti-Virus feature of the Threat Prevention policy block traffic from infected websites?

  A. By dropping traffic from websites identified through ThreatCloud Verification and URL Caching
  B. By dropping traffic that is not proven to be from clean websites in the URL Filtering blade
  C. By allowing traffic from websites that are known to run Antivirus Software on servers regularly
  D. By matching logs against ThreatCloud information about the reputation of the website
  D. By matching logs against ThreatCloud information about the reputation of the website

  ---

  explanation:

  Explanation/Reference:

  The Anti-Virus feature of the Threat Prevention policy blocks traffic from infected websites by matching logs against ThreatCloud information about the reputation of the website. ThreatCloud is a collaborative network that collects and analyzes threat data from millions of sources worldwide. It assigns a reputation score to each website based on its malicious activity and behavior. If a website has a low reputation score, it is considered infected and blocked by the Anti-Virus blade. References: Training and Certification | Check Point Software, CCSE section

• Question 5:

  At what point is the Internal Certificate Authority (ICA) created?

  A. Upon creation of a certificate.
  B. During the primary Security Management Server installation process.
  C. When an administrator decides to create one.
  D. When an administrator initially logs into SmartConsole.
  B. During the primary Security Management Server installation process.

  ---

  explanation:

  Explanation/Reference:

  The Internal Certificate Authority (ICA) is created during the primary Security Management Server installation process. The ICA is responsible for issuing and managing certificates for all Check Point components in the network. The ICA is automatically installed as an integral part of the Security Management Server and can be managed from SmartConsole. References: R81 Security Management Administration Guide, page 113.

• Question 6:

  What object type would you use to grant network access to an LDAP user group?

  A. Access Role
  B. Group Template
  C. SmartDirectory Group
  D. User Group
  A. Access Role

• Question 7:

  An administrator wishes to enable Identity Awareness on the Check Point firewalls. However, they allow users to use company issued or personal laptops. Since the administrator cannot manage the personal laptops, which of the following methods would BEST suit this company?

  A. AD Query
  B. Terminal Servers Agent
  C. Identity Agents
  D. Browser-Based Authentication
  D. Browser-Based Authentication

  ---

  explanation:

  Explanation/Reference:

  Browser-Based Authentication is an identity awareness method that enables you to identify users who are not authenticated by other methods, such as Active Directory or VPN. Browser-Based Authentication redirects users to a web page where they can enter their credentials and be authenticated by an external server, such as LDAP or RADIUS. After authentication, users can access the Internet and corporate resources according to the security policy rules that apply to their identity. Browser-Based Authentication is suitable for scenarios where users can use company issued or personal laptops, since it does not require any installation or configuration on the user's device. It also supports various operating systems and browsers, and can be customized to match the company's branding. The references are: Check Point R81 Identity Awareness Administration Guide, page 9 Configuring Browser-Based Authentication in SmartConsole Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 13

• Question 8:

  In R81.20 a new feature dynamic log distribution was added. What is this for?

  A. Configure the Security Gateway to distribute logs between multiple active Log Servers to support a better rate of Logs and Log Servers redundancy
  B. In case of a Management High Availability the management server stores the logs dynamically on the member with the most available disk space in /var/log
  C. Synchronize the log between the primary and secondary management server in case of a Management High Availability
  D. To save disk space in case of a firewall cluster local logs are distributed between the cluster members.
  A. Configure the Security Gateway to distribute logs between multiple active Log Servers to support a better rate of Logs and Log Servers redundancy

  ---

  explanation:

  Explanation/Reference:

  Dynamic log distribution is a feature that allows you to configure the Security Gateway to distribute logs between multiple active Log Servers to support a better rate of Logs and Log Servers redundancy. This means that each log is sent to only one Log Server and the load is balanced between the primary Log Servers. If all the primary Log Servers are disconnected, the logs are distributed between the backup Log Servers. If no Log Servers are connected, the gateway writes the logs locally. This feature improves the performance and reliability of logging and reduces the network traffic and disk space consumption. You can enable this feature on the SmartConsole -> Gateways and Servers -> Logs -> Dynamic Log Distribution. The other options are incorrect because they do not describe the dynamic log distribution feature. Option B is wrong because the Management High Availability does not store the logs dynamically on the member with the most available disk space, but rather synchronizes the logs between the members using the cpd process. Option C is wrong because the dynamic log distribution feature does not synchronize the logs between the primary and secondary management server, but rather distributes the logs between the Log Servers. Option D is wrong because the dynamic log distribution feature does not save disk space in case of a firewall cluster, but rather distributes the logs between the Log Servers. The firewall cluster members do not store local logs, but rather send them to the Log Servers.

• Question 9:

  What is the amount of Priority Queues by default?

  A. There are 8 priority queues and this number cannot be changed.
  B. There is no distinct number of queues since it will be changed in a regular basis based on its system requirements.
  C. There are 7 priority queues by default and this number cannot be changed.
  D. There are 8 priority queues by default, and up to 8 additional queues can be manually configured
  D. There are 8 priority queues by default, and up to 8 additional queues can be manually configured

  ---

  explanation:

  Explanation/Reference:

  There are 8 priority queues by default, and up to 8 additional queues can be manually configured1. Priority Queues are a feature of SecureXL that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2. Priority Queues are used to prioritize traffic when the Security Gateway is stressed and needs to drop packets2. By default, there are 8 priority queues, each with a different priority level and type of connections2. You can manually configure up to 8 additional queues by setting the relevant kernel parameters in $FWDIR/boot/modules/fwkern.conf file1. You can also customize the queue length, the load balancing method, and the services that are considered as control connections1. References: Firewall Priority Queues in R80.x / R81.x - Check Point Software, SecureXL - Check Point Software

• Question 10:

  Firewall polices must be configured to accept VRRP packets on the GAiA platform if it Firewall software. The Multicast destination assigned by the internet Assigned Number Authority (IANA) for VRRP is:

  A. 224.0.0.18
  B. 224 00 5
  C. 224.0.0.102
  D. 224.0.0.22
  A. 224.0.0.18

  ---

  explanation:

  Explanation/Reference:

  The multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for VRRP is 224.0.0.18. This is a reserved multicast address that is used by VRRP routers to communicate with each other and announce their priority

  and state. Firewall policies must be configured to accept VRRP packets on the Gaia platform if it runs Firewall software. Otherwise, VRRP packets will be dropped by default. References:

  [Configuring VRRP on Gaia]