Which of the following statements is TRUE about R81 management plug-ins?
A. The plug-in is a package installed on the Security Gateway.
B. Installing a management plug-in requires a Snapshot, just like any upgrade process.
C. A management plug-in interacts with a Security Management Server to provide new features and support for new products.
D. Using a plug-in offers full central management only if special licensing is applied to specific features of the plug-in.
Correct Answer: C
A management plug-in is a software component that interacts with a Security Management Server to provide new features and support for new products. A management plug-in can extend the functionality of SmartConsole, SmartDashboard, SmartView Monitor, SmartView Tracker, SmartEvent, SmartReporter, SmartProvisioning, SmartUpdate, and other management tools. A management plug-in can also add new objects, policies, rules, actions, reports, views, and wizards to the management system. Some examples of management plug-ins are CloudGuard Controller, SandBlast Agent, Endpoint Security Server, Threat Extraction for Web, etc.
Question 162:
Which command can you use to verify the number of active concurrent connections?
A. fw conn all
B. fw ctl pstat
C. show all connections
D. show connections
Correct Answer: B
The command fw ctl pstat can be used to verify the number of active concurrent connections on a gateway. This command displays various statistics about the firewall kernel, such as memory usage, CPU utilization, packet rates, and connection table information. The output of this command includes a line that shows the current number of connections and the peak number of connections since the last reboot. For example:
This means that there are currently 1234 active connections out of a maximum of 8192 connections, which is 15% of the connection table capacity. The peak number of connections since the last reboot was 2345.
Question 163:
If you needed the Multicast MAC address of a cluster, what command would you run?
A. cphaprob if
B. cphaconf ccp multicast
C. cphaconf debug data
D. cphaprob igmp
Correct Answer: D
The command cphaprob igmp can be used to display the Multicast MAC address of a cluster. This command shows the IGMP (Internet Group Management Protocol) information for each cluster interface, including the VRID (Virtual Router ID), the Multicast IP address, and the Multicast MAC address. The other commands do not show the Multicast MAC address information. References: Check Point R81 ClusterXL Administration Guide
Question 164:
There are 4 ways to use the Management API for creating a host object with the R81 Management API. Which one is NOT correct?
A. Using Web Services
B. Using Mgmt_cli tool
C. Using CLISH
D. Using SmartConsole GUI console
E. Events are collected with SmartWorkflow from Trouble Ticket systems
Correct Answer: E
There are four ways to use the Management API for creating a host object with the R81 Management API: using Web Services, using the mgmt_cli tool, using CLISH, and using the SmartConsole GUI console. "Events are collected with SmartWorkflow from Trouble Ticket systems" is not a correct option. References: Check Point Management APIs
Question 165:
Which of the following Check Point processes within the Security Management Server is responsible for receiving log records from a Security Gateway?
A. logd
B. fwd
C. fwm
D. cpd
Correct Answer: B
The fwd process within the Security Management Server is responsible for receiving log records from the Security Gateway. The fwd process handles the communication with the Security Gateways and log servers via TCP port 257. The other processes have different roles, such as logd for writing logs to the database, fwm for handling GUI clients, and cpd for infrastructure tasks. References: Check Point Ports Used for Communication by Various Check Point Modules, Check Point Processes Cheat Sheet (LazyAdmins)
Question 166:
Check Point Management (cpm) is the main management process in that it provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using ___________.
A. TCP port 19009
B. TCP Port 18190
C. TCP Port 18191
D. TCP Port 18209
Correct Answer: A
Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default. References: CPM process
Question 167:
During inspection of your Threat Prevention logs you find four different computers having one event each with a Critical Severity. Which of those hosts should you try to remediate first?
A. Host having a Critical event found by Threat Emulation
B. Host having a Critical event found by IPS
C. Host having a Critical event found by Antivirus
D. Host having a Critical event found by Anti-Bot
Correct Answer: D
The host having a Critical event found by Anti-Bot should be remediated first, as it indicates that the host is infected by a botnet malware that is communicating with a Command and Control server. This poses a serious threat to the network security and data integrity. The other events may indicate potential malware infection or attack attempts, but not necessarily successful ones. References: Threat Prevention Administration Guide
Question 168:
What is true about the IPS-Blade?
A. In R81, IPS is managed by the Threat Prevention Policy
B. In R81, in the IPS Layer, the only three possible actions are Basic, Optimized and Strict
C. In R81, IPS Exceptions cannot be attached to "all rules"
D. In R81, the GeoPolicy Exceptions and the Threat Prevention Exceptions are the same
Correct Answer: A
In R81, IPS is managed by the Threat Prevention Policy. The Threat Prevention Policy is a unified policy that allows you to configure and enforce IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction settings in one place. References: Threat Prevention Administration Guide
Question 169:
To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. How many options are available to calculate the traffic direction?
A. 5 Network; Host; Objects; Services; API
B. 3 Incoming; Outgoing; Network
C. 2 Internal; External
D. 4 Incoming; Outgoing; Internal; Other
Correct Answer: D
To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. There are four options available to calculate the traffic direction: Incoming, Outgoing, Internal, and Other. Incoming means the source is external and the destination is internal. Outgoing means the source is internal and the destination is external. Internal means both the source and the destination are internal. Other means both the source and the destination are external. References: SmartEvent R81 Administration Guide
Question 170:
The Event List within the Event tab contains:
A. a list of options available for running a query.
B. the top events, destinations, sources, and users of the query results, either as a chart or in a tallied list.
C. events generated by a query.
D. the details of a selected event.
Correct Answer: C
The Event List within the Event tab contains events generated by a query. The Event List shows the events that match the query criteria, such as time range, filter, and aggregation. The events can be sorted by different columns, such as severity, time, action, and source. The other options are either not part of the Event tab or not related to the Event List. References: Check Point R81 Logging and Monitoring Administration Guide