You need to change the number of firewall Instances used by CoreXL. How can you achieve this goal?
A. edit fwaffinity.conf; reboot required
B. cpconfig; reboot required
C. edit fwaffinity.conf; reboot not required
D. cpconfig; reboot not required
Correct Answer: B
To change the number of firewall instances used by CoreXL, the cpconfig command must be used, followed by a reboot. CoreXL is a technology that improves the performance of the Security Gateway by using multiple cores to handle concurrent connections. The number of firewall instances determines how many cores are dedicated to CoreXL. The cpconfig command allows the administrator to configure various settings on the Security Gateway, including the number of firewall instances. After changing this setting, a reboot is required for the changes to take effect. The other commands are either incorrect or do not require a reboot.
Question 212:
Pamela is a Cyber Security Engineer working for Global Instance Firm, which has a large-scale deployment of Check Point Enterprise Appliances running GAiA R81.20. The company's Developer Team is having random access issues with a newly deployed Application Server in the DMZ's Application Server Farm tier and blames the DMZ Security Gateway as the root cause. A ticket has been created and the issue is at Pamela's desk for investigation. Pamela decides to use Check Point's packet analyzer tool, fw monitor, to iron out the issue during an approved maintenance window.
What do you recommend as the best suggestion for Pamela to make sure she successfully captures the entire traffic in the context of the Firewall, including the problematic traffic?
A. Pamela should check the SecureXL status on the DMZ Security Gateway and, if it is turned ON, turn OFF SecureXL before using fw monitor to avoid misleading traffic captures.
B. Pamela should check the SecureXL status on the DMZ Security Gateway and, if it is turned OFF, turn ON SecureXL before using fw monitor to avoid misleading traffic captures.
C. Pamela should use tcpdump instead of fw monitor, as tcpdump works at the OS level and captures the entire traffic.
D. Pamela should use snoop instead of fw monitor, as snoop works at the NIC driver level and captures the entire traffic.
Correct Answer: A
The best suggestion for Pamela is A: check the SecureXL status on the DMZ Security Gateway and, if it is turned ON, turn OFF SecureXL before using fw monitor to avoid misleading traffic captures. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. This also means that some traffic might not be seen by fw monitor, which captures packets at different inspection points in the Firewall kernel. Therefore, to ensure that fw monitor captures all traffic, SecureXL should be turned OFF before using fw monitor. The other suggestions are either incorrect or less effective at capturing traffic.
Question 213:
When using CPSTAT, what is the default port used by the AMON server?
A. 18191
B. 18192
C. 18194
D. 18190
Correct Answer: B
The default port used by the AMON server when using CPSTAT is 18192. CPSTAT is a command-line tool that lets administrators monitor statistics and status information about Check Point products and components, such as CPU usage, memory usage, policy installation and cluster state. CPSTAT uses the AMON (Advanced Monitoring) protocol to communicate with the AMON server, a daemon that runs on Security Gateways or Management Servers and collects and provides AMON data. By default, the AMON server listens on TCP port 18192 for incoming CPSTAT requests.
Question 214:
After trust has been established between the Check Point components, what is TRUE about name and IP-address changes?
A. Security Gateway IP-address cannot be changed without re-establishing the trust.
B. The Security Gateway name cannot be changed in command line without re-establishing trust.
C. The Security Management Server name cannot be changed in SmartConsole without re-establishing trust.
D. The Security Management Server IP-address cannot be changed without re-establishing the trust.
Correct Answer: A
After trust has been established between the Check Point components, the Security Gateway IP address cannot be changed without re-establishing the trust. This is because the trust is based on the Secure Internal Communication (SIC) mechanism, which uses certificates to authenticate and encrypt the communication. The certificates are issued by the Internal Certificate Authority (ICA) of the Security Management Server / Domain Management Server, and contain the name and IP address of the component. Therefore, if the IP address of a component is changed, the certificate will become invalid and the trust will be lost. To restore the trust, the certificate must be renewed or reissued by the ICA [1][2]. However, there are some exceptions to this rule. The Security Gateway name can be changed in command line without re-establishing trust, as long as the IP address remains the same. This is because the SIC mechanism does not rely on the hostname, but on the IP address and the SIC name (which is usually derived from the hostname, but can be manually changed). The Security Management Server name can be changed in SmartConsole without re-establishing trust, as long as the IP address remains the same. This is because SmartConsole uses a different mechanism to connect to the Security Management Server, which does not depend on the SIC certificate. The Security Management Server IP address can be changed without re-establishing trust, as long as some steps are followed to update the Check Point Registry file on the managed Security Gateways / Cluster Members / VSX Virtual Devices. This is because the Registry file contains the IP address of the ICA, which is used for certificate renewal. If the Registry file is not updated, then the certificate renewal will fail and the trust will be lost [3].
References:
1. Check Point R81 Security Administration Guide - Check Point Software, page 162
2. Check Point R81 Security Engineering Guide - Check Point Software, page 162
3. How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk103356
Question 215:
In the Firewall chain mode FFF refers to:
A. Stateful Packets
B. No Match
C. All Packets
D. Stateless Packets
Correct Answer: C
In Firewall chain mode, FFF refers to all packets. Firewall chain mode is a feature that allows administrators to define how packets are processed by the different firewall kernel modules in the inbound and outbound directions. FFF is one of the predefined chain modes: it applies all firewall kernel modules (Firewall, VPN, IPS, etc.) to all packets, regardless of their state or connection. This mode provides maximum security, but also consumes more CPU resources.
Question 216:
Fill in the blank: Browser-based Authentication sends users to a web page to acquire identities using ________ .
A. User Directory
B. Captive Portal and Transparent Kerberos Authentication
C. Captive Portal
D. UserCheck
Correct Answer: B
Browser-based Authentication is a method of acquiring identities from unidentified users by sending them to a web page where they can log in and authenticate. Browser-based Authentication uses two techniques to acquire identities: Captive Portal and Transparent Kerberos Authentication [1]. Captive Portal is a simple method that attempts authentication through a web interface before granting a user access to Intranet resources. When a user tries to access a protected resource, they are redirected to a web page where they have to enter their credentials. The credentials are verified by the Identity Awareness Security Gateway or an external authentication server. If the authentication is successful, the user's identity is associated with their IP address and they are allowed to access the resource [1][2]. Transparent Kerberos Authentication is a more seamless method that leverages the existing Kerberos infrastructure in the network. When a user tries to access a protected resource, the Identity Awareness Security Gateway intercepts the Kerberos ticket request and extracts the user's identity from it. The user's identity is then associated with their IP address and they are allowed to access the resource without any additional prompts. This method requires that the Identity Awareness Security Gateway is configured as a trusted proxy in the Active Directory domain [1][2]. Therefore, the correct answer is B. Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication.
References:
1. THE IMPORTANCE OF ACCESS ROLES - Check Point Software, page 2
2. Browser-based Authentication Check Point - Bing
3. How to Configure Client Authentication - Check Point Software, page 1
4. Identity Sources - Check Point Software
5. Configuring Browser-Based Authentication - Check Point Software
6. Two Factor Authentication - Check Point Software
Question 217:
Which is NOT a SmartEvent component?
A. SmartEvent Server
B. Correlation Unit
C. Log Consolidator
D. Log Server
Correct Answer: C
Log Consolidator is NOT a SmartEvent component. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent consists of three main components: SmartEvent Server, Correlation Unit, and Log Server. SmartEvent Server is responsible for storing and displaying security events in SmartConsole and SmartEventWeb. Correlation Unit is responsible for collecting and correlating logs from various sources and generating security events based on predefined or custom scenarios. Log Server is responsible for receiving and indexing logs from Security Gateways and other Check Point modules. Log Consolidator is not a valid component or blade of SmartEvent.
Question 218:
Which tool provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed?
A. ThreatWiki
B. Whitelist Files
C. AppWiki
D. IPS Protections
Correct Answer: B
According to the Check Point website, Whitelist Files is the tool that provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed. Whitelist Files can be configured in SmartConsole under Threat Prevention > Policy > Whitelist Files. The other tools are either not related or not valid tools. References: Whitelist Files
Question 219:
After the initial installation on a Check Point appliance, you notice that the Management interface and default gateway are incorrect.
Which commands could you use to set the IP to 192.168.80.200/24 and the default gateway to 192.168.80.1?
A. set interface Mgmt ipv4-address 192.168.80.200 mask-length 24
   set static-route default nexthop gateway address 192.168.80.1 on
   save config
B. set interface Mgmt ipv4-address 192.168.80.200 255.255.255.0
   add static-route 0.0.0.0. 0.0.0.0 gw 192.168.80.1 on
   save config
C. set interface Mgmt ipv4-address 192.168.80.200 255.255.255.0
   set static-route 0.0.0.0. 0.0.0.0 gw 192.168.80.1 on
   save config
D. set interface Mgmt ipv4-address 192.168.80.200 mask-length 24
   add static-route default nexthop gateway address 192.168.80.1 on
   save config
Correct Answer: A
To set the IP address and default gateway of the Management interface on a Check Point appliance, you can use the following Gaia clish commands:
set interface Mgmt ipv4-address 192.168.80.200 mask-length 24 - sets the IPv4 address of the Management interface to 192.168.80.200 with a subnet mask of 255.255.255.0 (24 bits).
set static-route default nexthop gateway address 192.168.80.1 on - sets the default gateway to 192.168.80.1 and enables the static route.
save config - saves the configuration changes to the appliance.
These commands are documented in the Check Point appliance initial installation guide.
The other options are incorrect because they use invalid syntax or parameters for the commands. For example, option B uses add static-route instead of set static-route, option C uses 0.0.0.0. instead of 0.0.0.0, and option D uses add static-route default instead of set static-route default.
Question 220:
During the Check Point Stateful Inspection Process, for packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are:
A. Dropped without sending a negative acknowledgment
B. Dropped without logs and without sending a negative acknowledgment
C. Dropped with negative acknowledgment
D. Dropped with logs and without sending a negative acknowledgment
Correct Answer: D
Packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process by which the Firewall kernel module applies security policies and rules to network traffic. If a packet does not match any rule, or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port and rule number. The other options are either incorrect or describe different scenarios.
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CheckPoint exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 156-315.81 exam preparation and CheckPoint certification application, do not hesitate to visit Vcedump.com to find your solutions.