CheckPoint 156-315.81 Online Practice Questions and Exam Preparation

CheckPoint 156-315.81 Online Questions & Answers

• Question 421:

  Which of the following blades is NOT subscription-based and therefore does not have to be renewed on a regular basis?

  A. Application Control
  B. Threat Emulation
  C. Anti-Virus
  D. Advanced Networking Blade
  D. Advanced Networking Blade

  ---

  Explanation/Reference:

  The Advanced Networking Blade is not subscription-based and therefore does not have to be renewed on a regular basis. The Advanced Networking Blade is a software blade that provides advanced routing capabilities for Check Point Security Gateways. It supports dynamic routing protocols such as OSPF, BGP, RIP, and PIM, as well as features such as Policy-Based Routing (PBR), Multicast Routing, and IPv6 support. The Advanced Networking Blade is included in the Next Generation Firewall (NGFW) package and does not require a separate license.

• Question 422:

  What is the recommended way to have a redundant Sync connection between the cluster nodes?

  A. In the SmartConsole / Gateways and Servers -> select Cluster Properties / Network Management and define two Sync interfaces per node. Connect both Sync interfaces without using a switch.
  B. Use a group of bonded interfaces. In the SmartConsole / Gateways and Servers -> select Cluster Properties / Network Management and define a Virtual IP for the Sync interface.
  C. In the SmartConsole / Gateways and Servers -> select Cluster Properties / Network Management and define two Sync interfaces per node. Use two different Switches to connect both Sync interfaces.
  D. Use a group of bonded interfaces connected to different switches. Define a dedicated sync interface, only one interface per node using the SmartConsole / Gateways and Servers -> select Cluster Properties / Network Management.
  D. Use a group of bonded interfaces connected to different switches. Define a dedicated sync interface, only one interface per node using the SmartConsole / Gateways and Servers -> select Cluster Properties / Network Management.

  ---

  Explanation/Reference:

  The recommended way to have a redundant Sync connection between the cluster nodes is to use a group of bonded interfaces connected to different switches. In the SmartConsole / Gateways and Servers -> select Cluster Properties / Network Management, you should define a dedicated sync interface, only one interface per node.

• Question 423:

  Check Point APIs allow system engineers and developers to make changes to their organization's security policy with CLI tools and Web Services for all the following except:

  A. Create new dashboards to manage 3rd party task
  B. Create products that use and enhance 3rd party solutions
  C. Execute automated scripts to perform common tasks
  D. Create products that use and enhance the Check Point Solution
  A. Create new dashboards to manage 3rd party task

  ---

  Explanation/Reference:

  Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services. You can use an API to:

  ?Use an automated script to perform common tasks

  ?Integrate Check Point products with 3rd party solutions ?Create products that use and enhance the Check Point solution References:

• Question 424:

  What destination versions are supported for a Multi-Version Cluster Upgrade?

  A. R77.30 and later
  B. R80.10 and Later
  C. R70 and Later
  D. R76 and later
  B. R80.10 and Later

  ---

  Explanation/Reference:

  The correct answer is B. R80.10 and later. According to the Check Point documentation1, the Multi-Version Cluster Upgrade (MVC) is a new feature in R80.40 and higher that replaces the Connectivity Upgrade (CU) method. MVC allows you to upgrade a cluster to a newer version without a loss in connectivity and test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members. The MVC feature supports the following destination versions2: R80.10 R80.20 R80.30 R80.40 R81 R81.20 The other options are incorrect because they are either not supported by MVC or they are older than the source version (R80.40). References: Multi-Version Cluster (MVC) replaces Connectivity Upgrade (CU) in R80.401 ClusterXL upgrade methods and paths2

• Question 425:

  What CLI command compiles and installs a Security Policy on the target's Security Gateways?

  A. fwm compile
  B. fwm load
  C. fwm fetch
  D. fwm install
  B. fwm load

  ---

  Explanation/Reference:

  The CLI command that compiles and installs a Security Policy on the target's Security Gateways is fwm load. Fwm stands for FireWall Management, and it is a command that allows administrators to perform various management tasks on the

  Security Management Server or Multi-Domain Server. Fwm load takes two arguments: the name of the Security Policy and the name or IP address of the target Security Gateway or Gateway Cluster. For example:

  [Expert@SMS]# fwm load Standard_Policy fw1

  This command will compile and install the Standard_Policy on the Security Gateway named fw1. The other commands are either invalid or perform different functions.

• Question 426:

  Which one of the following is true about Threat Extraction?

  A. Always delivers a file to user
  B. Works on all MS Office, Executables, and PDF files
  C. Can take up to 3 minutes to complete
  D. Delivers file only if no threats found
  A. Always delivers a file to user

  ---

  Explanation/Reference:

  Threat Extraction is a software blade that always delivers a file to user. Threat Extraction removes or sanitizes the active content from the files and converts them to PDF format, which is safer and more compatible. Threat Extraction can also work together with Threat Emulation to provide both clean and original files to the users. Threat Extraction works on MS Office, PDF, and archive files, but not on executables. Threat Extraction can take up to 3 minutes to complete, depending on the file size and complexity. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

• Question 427:

  When attempting to start a VPN tunnel, in the logs the error "no proposal chosen" is seen numerous times. No other VPN-related entries are present.

  Which phase of the VPN negotiations has failed?

  A. IKE Phase 1
  B. IPSEC Phase 2
  C. IPSEC Phase 1
  D. IKE Phase 2
  A. IKE Phase 1

  ---

  Explanation/Reference:

  The error "no proposal chosen" indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret

  or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the

  connection attempt and log the error "no proposal chosen" 1.

  To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

  The same pre-shared secret or certificate

  The same encryption algorithm (e.g., AES-256)

  The same hash algorithm (e.g., SHA-256)

  The same Diffie-Hellman group (e.g., Group 14)

  The same lifetime (e.g., 86400 seconds)

  One can use the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer. Alternatively, one can use the SmartConsole to check the VPN community properties and the gateway

  object properties for the IKE Phase 1 settings 2.

  References: 1: Troubleshooting the "no proposal chosen" error - Check Point Software 2: Support, Support Requests, Training ... - Check Point Software

• Question 428:

  Which of the following authentication methods ARE NOT used for Mobile Access?

  A. RADIUS server
  B. Username and password (internal, LDAP)
  C. SecurID
  D. TACACS+
  D. TACACS+

  ---

  Explanation/Reference:

  TACACS+ is not an authentication method that is used for Mobile Access. Mobile Access supports the following authentication methods: username and password (internal, LDAP, or RADIUS), certificate, SecurID, DynamicID, and SMS2. TACACS+ is a protocol that provides access control for routers, network access servers, and other network devices, but it is not supported by Mobile Access3. References: Check Point R81 Mobile Access Administration Guide, TACACS+ -Wikipedia

• Question 429:

  You can access the ThreatCloud Repository from:

  A. R81.20 SmartConsole and Application Wiki
  B. Threat Prevention and Threat Tools
  C. Threat Wiki and Check Point Website
  D. R81.20 SmartConsole and Threat Prevention
  D. R81.20 SmartConsole and Threat Prevention

  ---

  Explanation/Reference:

  According to the Check Point R81 release notes, you can access the ThreatCloud Repository from R81.20 SmartConsole and Threat Prevention. The ThreatCloud Repository is a cloud-based service that provides real-time threat intelligence and updates to Check Point products. The other options are either outdated or nonexistent. References: Check Point R81

• Question 430:

  Bob is asked by Alice to disable the SecureXL mechanism temporary tor further diagnostic by their Check Point partner. Which of the following Check Point Command is true:

  A. fwaccel suspend
  B. fwaccel standby
  C. fwaccel off
  D. fwaccel templates
  C. fwaccel off

  ---

  Explanation/Reference:

  You can disable the SecureXL mechanism temporarily for further diagnostic by running fwaccel off on the Security Gateway1. This command disables SecureXL, which is an acceleration solution that maximizes the performance of the Firewall by offloading CPU-intensive operations to the SecureXL device2. Disabling SecureXL can help you troubleshoot connectivity or policy issues, as it forces all traffic to go through the Firewall kernel and bypass the SecureXL device1. To run this command, you need to access the Security Gateway in expert mode and run fwaccel off1. To enable SecureXL again, you can run fwaccel on1. Note that disabling SecureXL may affect the performance of the Security Gateway, so use it with caution and only when necessary1. References: How to enable/disable Check Point SecureXL via CLI - Check Point Software, SecureXL - Check Point Software