CheckPoint 156-315.81 Online Practice Questions and Exam Preparation

CheckPoint 156-315.81 Online Questions & Answers

• Question 341:

  Return oriented programming (ROP) exploits are detected by which security blade?

  A. Data Loss Prevention
  B. Check Point Anti-Virus / Threat Emulation
  C. Application control
  D. Intrusion Prevention Software
  B. Check Point Anti-Virus / Threat Emulation

  ---

  Explanation/Reference:

  Return-oriented programming (ROP) exploits are detected by Check Point Anti-Virus / Threat Emulation blade. ROP exploits are a type of code reuse attack that bypasses common exploit mitigation techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Check Point Anti-Virus / Threat Emulation blade can detect and prevent ROP exploits using its behavioral analysis engine that monitors the execution flow of processes and identifies malicious patterns. References: [Check Point Security Expert R81 Threat Prevention Administration Guide], page 17.

• Question 342:

  Pamela is Cyber Security Engineer working for Global Instance Firm with large scale deployment of Check Point Enterprise Appliances using GAiA/R81.20. Company's Developer Team is having random access issue to newly deployed Application Server in DMZ's Application Server Farm Tier and blames DMZ Security Gateway as root cause. The ticket has been created and issue is at Pamela's desk for an investigation. Pamela decides to use Check Point's Packet Analyzer Tool-fw monitor to iron out the issue during approved Maintenance window.

  What do you recommend as the best suggestion for Pamela to make sure she successfully captures entire traffic in context of Firewall and problematic traffic?

  A. Pamela should check SecureXL status on DMZ Security gateway and if it's turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures.
  B. Pamela should check SecureXL status on DMZ Security Gateway and if it's turned OFF. She should turn ON SecureXL before using fw monitor to avoid misleading traffic captures.
  C. Pamela should use tcpdump over fw monitor tool as tcpdump works at OS-level and captures entire traffic.
  D. Pamela should use snoop over fw monitor tool as snoop works at NIC driver level and captures entire traffic.
  A. Pamela should check SecureXL status on DMZ Security gateway and if it's turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures.

  ---

  Explanation/Reference:

  The best suggestion for Pamela to make sure she successfully captures entire traffic in context of Firewall and problematic traffic is: Pamela should check SecureXL status on DMZ Security gateway and if it's turned ON. She should turn OFF SecureXL before using fw monitor to avoid misleading traffic captures. SecureXL is a technology that accelerates network traffic processing by offloading intensive operations from the Firewall kernel to a dedicated SecureXL device. However, this also means that some traffic might not be seen by fw monitor, which is a tool that captures packets at different inspection points in the Firewall kernel. Therefore, to ensure that fw monitor captures all traffic, SecureXL should be turned OFF before using fw monitor. The other suggestions are either incorrect or less effective in capturing traffic.

• Question 343:

  With MTA (Mail Transfer Agent) enabled the gateways manages SMTP traffic and holds external email with potentially malicious attachments. What is required in order to enable MTA (Mail Transfer Agent) functionality in the Security Gateway?

  A. Threat Cloud Intelligence
  B. Threat Prevention Software Blade Package
  C. Endpoint Total Protection
  D. Traffic on port 25
  B. Threat Prevention Software Blade Package

  ---

  Explanation/Reference:

  To enable MTA (Mail Transfer Agent) functionality in the Security Gateway, the Threat Prevention Software Blade Package is required. The Threat Prevention Software Blade Package includes the Anti-Virus, Anti-Bot, and Threat Emulation blades, which can scan and hold external email with potentially malicious attachments. The MTA functionality allows the Security Gateway to act as an SMTP relay between the mail server and the Internet, and apply Threat Prevention policies to the email traffic. The other options are either not related or not sufficient to enable MTA functionality. R

• Question 344:

  The Firewall kernel is replicated multiple times, therefore: A. The Firewall kernel only touches the packet if the connection is accelerated

  B. The Firewall can run different policies per core
  C. The Firewall kernel is replicated only with new connections and deletes itself once the connection times out
  D. The Firewall can run the same policy on all cores.
  D. The Firewall can run the same policy on all cores.

  ---

  Explanation/Reference:

  On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and

  independent inspection kernel. When CoreXL is enabled, all the kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.

  References:

• Question 345:

  Which statements below are CORRECT regarding Threat Prevention profiles in Smart Dashboard?

  A. You can assign only one profile per gateway and a profile can be assigned to one rule Only.
  B. You can assign multiple profiles per gateway and a profile can be assigned to one rule only.
  C. You can assign multiple profiles per gateway and a profile can be assigned to one or more rules.
  D. You can assign only one profile per gateway and a profile can be assigned to one or more rules.
  C. You can assign multiple profiles per gateway and a profile can be assigned to one or more rules.

  ---

  Explanation/Reference:

  In SmartDashboard, Threat Prevention profiles can be assigned to one or more rules. This means that you can have multiple profiles assigned to a single gateway, and each of these profiles can be associated with one or more rules. This allows for granular control over threat prevention settings for different rules or scenarios.

  References: Check Point Certified Security Expert R81 documentation and learning resources.

• Question 346:

  You have used the SmartEvent GUI to create a custom Event policy. What is the best way to display the correlated Events generated by SmartEvent Policies?

  A. Open SmartView Monitor and select the SmartEvent Window from the main menu.
  B. In the SmartConsole / Logs and Monitor --> open the Logs View and use type:Correlated as query filter.
  C. In the SmartConsole / Logs and Monitor -> open a new Tab and select External Apps / SmartEvent.
  D. Select the Events tab in the SmartEvent GUI or use the Events tab in the SmartView web interface.
  B. In the SmartConsole / Logs and Monitor --> open the Logs View and use type:Correlated as query filter.

  ---

  Explanation/Reference:

• Question 347:

  Fill in the blank: The command ___________________ provides the most complete restoration of a R81 configuration.

  A. upgrade_import
  B. cpconfig
  C. fwm dbimport -p
  D. cpinfo ecover
  A. upgrade_import

• Question 348:

  Which NAT rules are prioritized first?

  A. Post-Automatic/Manual NAT rules
  B. Manual/Pre-Automatic NAT
  C. Automatic Hide NAT
  D. Automatic Static NAT
  B. Manual/Pre-Automatic NAT

  ---

  Explanation/Reference:

  The NAT rules that are prioritized first are Manual/Pre-Automatic NAT. NAT stands for Network Address Translation, and it is a feature that allows Security Gateways to modify the source or destination IP addresses or ports of packets that pass through them. NAT rules are the rules that define how NAT is applied to traffic that matches certain criteria. There are three types of NAT rules: Manual/Pre-Automatic NAT, Automatic NAT, and Manual/Post-Automatic NAT. Manual/Pre-Automatic NAT rules are the rules that are manually created by administrators and placed before the automatic NAT rules in the rulebase. These rules have the highest priority and are processed first by the Security Gateway. Automatic NAT rules are the rules that are automatically generated by the Security Gateway based on the NAT properties of network objects. These rules have the second highest priority and are processed after the manual/pre-automatic NAT rules. Manual/ Post-Automatic NAT rules are the rules that are manually created by administrators and placed after the automatic NAT rules in the rulebase. These rules have the lowest priority and are processed last by the Security Gateway.

• Question 349:

  When configuring SmartEvent Initial settings, you must specify a basic topology for SmartEvent to help it calculate traffic direction for events. What is this setting called and what are you defining?

  A. Network, and defining your Class A space
  B. Topology, and you are defining the Internal network
  C. Internal addresses you are defining the gateways
  D. Internal network(s) you are defining your networks
  D. Internal network(s) you are defining your networks

  ---

  Explanation/Reference:

  When configuring SmartEvent Initial settings, you must specify a basic topology for SmartEvent to help it calculate traffic direction for events. This setting is called Internal network(s) and you are defining your networks. You can specify one or more networks or IP addresses that are considered internal for SmartEvent. This helps SmartEvent to determine the direction of the traffic (inbound, outbound, or internal) and generate events accordingly. References: [SmartEvent Administration Guide]

• Question 350:

  When a packet arrives at the gateway, the gateway checks it against the rules in the hop Policy Layer, sequentially from top to bottom, and enforces the first rule that matches a packet. Which of the following statements about the order of rule enforcement is true?

  A. If the Action is Accept, the gateway allows the packet to pass through the gateway.
  B. If the Action is Drop, the gateway continues to check rules in the next Policy Layer down.
  C. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.
  D. If the Action is Drop, the gateway applies the Implicit Clean-up Rule for that Policy Layer.
  C. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.

  ---

  Explanation/Reference:

  When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom, and enforces the first rule that matches the packet. The order of rule enforcement depends on the action of the matching rule. If the action is Accept, the gateway allows the packet to pass through the gateway, but also continues to check rules in the next Policy Layer down. If the action is Drop, Reject, or Encrypt, the gateway applies that action to the packet and stops checking rules in that Policy Layer and any subsequent Policy Layers. If there is no matching rule in a Policy Layer, the gateway applies the Implicit Clean-up Rule for that Policy Layer, which is usually Drop.