CheckPoint 156-315.81 Online Practice Questions and Exam Preparation

CheckPoint 156-315.81 Online Questions & Answers

• Question 381:

  What will SmartEvent automatically define as events?

  A. Firewall
  B. VPN
  C. IPS
  D. HTTPS
  C. IPS

  ---

  Explanation/Reference:

  SmartEvent automatically defines events based on IPS (Intrusion Prevention System) alerts. IPS is a feature that detects and prevents malicious network traffic based on predefined or custom signatures. IPS alerts are generated when IPS detects an attack or an anomaly that matches a signature. SmartEvent collects and correlates IPS alerts from different gateways and displays them as events in SmartEventWeb. The other options are not automatically defined as events by SmartEvent.

• Question 382:

  The Correlation Unit performs all but the following actions:

  A. Marks logs that individually are not events, but may be part of a larger pattern to be identified later.
  B. Generates an event based on the Event policy.
  C. Assigns a severity level to the event.
  D. Takes a new log entry that is part of a group of items that together make up an event, and adds it to an ongoing event.
  C. Assigns a severity level to the event.

  ---

  Explanation/Reference:

  The Correlation Unit in Check Point Security Management performs several actions, but it does not assign a severity level to the event. The Correlation Unit is responsible for identifying patterns in logs, marking logs that are part of larger patterns, generating events based on the Event policy, and adding new log entries to ongoing events. However, assigning a severity level to an event is typically done through the Event policy configuration, not by the Correlation Unit.

  References: Check Point Certified Security Expert R81 Study Guide

• Question 383:

  Which Remote Access Client does not provide an Office-Mode Address?

  A. SecuRemote
  B. Endpoint Security Suite
  C. Endpoint Security VPN
  D. Check Point Mobile
  A. SecuRemote

  ---

  Explanation/Reference:

  In the context of Check Point remote access clients and Office Mode, the correct answer is:

  A. SecuRemote: SecuRemote is a Check Point remote access client that does not provide an Office-Mode Address. Office Mode is a feature that assigns a unique IP address from a designated IP pool to remote users when they connect to

  the corporate network.

  SecuRemote does not support this feature.

  B. Endpoint Security Suite, C. Endpoint Security VPN, and D. Check Point Mobile are remote access clients that support Office Mode and can provide an Office-Mode Address to remote users. Therefore, option A is the correct answer as it

  correctly identifies a remote access client that does not provide an Office-Mode Address.

  References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

• Question 384:

  Which process is available on any management product and on products that require direct GUI access, such as SmartEvent and provides GUI client communications, database manipulation, policy compilation and Management HA synchronization?

  A. cpwd
  B. fwd
  C. cpd
  D. fwm
  D. fwm

  ---

  Explanation/Reference:

  Firewall Management (fwm) is available on any management product, including Multi- Domain and on products that requite direct GUI access, such as SmartEvent, It provides the following: ?GUI Client communication ?Database manipulation ?Policy Compilation ?Management HA sync

• Question 385:

  Under which file is the proxy arp configuration stored?

  A. $FWDIR/state/proxy_arp.conf on the management server
  B. $FWDIR/conf/local.arp on the management server
  C. $FWDIR/state/_tmp/proxy.arp on the security gateway
  D. $FWDIR/conf/local.arp on the gateway
  D. $FWDIR/conf/local.arp on the gateway

  ---

  Explanation/Reference:

  The proxy ARP configuration is stored under the following file:

  D. $FWDIR/conf/local.arp on the gateway

  This file, local.arp, contains the proxy ARP configuration for the Security Gateway. It is used to configure ARP (Address Resolution Protocol) settings for network communication.

  References: Check Point Certified Security Expert R81 Study Guide, Check Point documentation on proxy ARP.

• Question 386:

  To ensure that VMAC mode is enabled, which CLI command should you run on all cluster members?

  A. fw ctl set int fwha vmac global param enabled
  B. fw ctl get int vmac global param enabled; result of command should return value 1
  C. cphaprob-a if
  D. fw ctl get int fwha_vmac_global_param_enabled; result of command should return value
  D. fw ctl get int fwha_vmac_global_param_enabled; result of command should return value

  ---

  Explanation/Reference:

  To ensure that VMAC mode is enabled, the CLI command that should be run on all cluster members is fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1. VMAC mode is a feature that allows ClusterXL to use virtual MAC addresses for cluster interfaces, instead of physical MAC addresses. This improves the failover performance and compatibility of ClusterXL with switches and routers. To check if VMAC mode is enabled, the command fw ctl get int fwha_vmac_global_param_enabled can be used, which returns 1 if VMAC mode is enabled, and 0 if VMAC mode is disabled.

• Question 387:

  How many versions, besides the destination version, are supported in a Multi-Version Cluster Upgrade?

  A. 1
  B. 3
  C. 2
  D. 4
  B. 3

  ---

  Explanation/Reference:

  Multi-Version Cluster Upgrade (MVCLU) is a feature that allows you to upgrade a cluster of Security Gateways from one major version to another, without downtime1. MVCLU supports upgrading a cluster that runs on different versions, as long as the versions are compatible with the destination version1. The number of versions, besides the destination version, that are supported in a MVCLU depends on the destination version. For example, if the destination version is R81, then MVCLU supports up to three versions besides R81, which are R80.40, R80.30, and R80.202. Therefore, the correct answer is B, as three versions are supported in a MVCLU besides the destination version. References: 1: ClusterXL upgrade methods and paths - Check Point Software 2: Check Point R81 - Check Point Software

• Question 388:

  Which one is not a valid upgrade method to R81.20?

  A. RPM Upgrade
  B. Upgrade with Migration
  C. Advanced Upgrade
  D. CPUSE Upgrade
  A. RPM Upgrade

  ---

  Explanation/Reference:

  RPM upgrade is not a valid upgrade method to R81.20. RPM upgrade is a method of upgrading from R80.20.M1 to R80.20.M2 or later, but it is not supported for upgrading to R81.20. The valid upgrade methods to R81.20 are CPUSE upgrade, advanced upgrade, and upgrade with migration. References: [Check Point Security Expert R81 Installation and Upgrade Guide], page 12.

• Question 389:

  The system administrator of a company is trying to find out why acceleration is not working for the traffic. The traffic is allowed according to the rule base and checked for viruses. But it is not accelerated.

  What is the most likely reason that the traffic is not accelerated?

  A. There is a virus found. Traffic is still allowed but not accelerated.
  B. The connection required a Security server.
  C. Acceleration is not enabled.
  D. The traffic is originating from the gateway itself.
  B. The connection required a Security server.

  ---

  Explanation/Reference:

  According to the Check Point R81 release notes, acceleration is not supported for connections that require a Security server, such as HTTPS Inspection, Content Awareness, or Anti-Virus. The Security server performs deep inspection and modification of the traffic, which prevents acceleration. The other options are either false or not the most likely reason. References: Check Point R81

• Question 390:

  Which command shows detailed information about VPN tunnels?

  A. cat $FWDIR/conf/vpn.conf
  B. vpn tu tlist
  C. vpn tu
  D. cpview
  B. vpn tu tlist

  ---

  Explanation/Reference:

  The command vpn tu tlist shows detailed information about VPN tunnels, such as the peer IP address, encryption domain, IKE phase 1 and phase 2 status, encryption algorithm, and tunnel uptime. The command vpn tu is an interactive tool that allows users to list, delete, or reconnect VPN tunnels. The command cpview is a real-time performance monitoring tool that shows various statistics about the system and network. References: VPN Administration Guide, SK97638 - What is cpview Utility and How to Use it