CheckPoint Checkpoint Certifications 156-315.81 Questions & Answers

• Question 431:

  What ports are used for SmartConsole to connect to the Security Management Server?

  A. CPMI (18190)

  B. ICA_Pull (18210), CPMI (18190) https (443)

  C. CPM (19009), CPMI (18190) https (443)

  D. CPM (19009), CPMI (18190) CPD (18191)

  Correct Answer: C

  The correct answer is C. CPM (19009), CPMI (18190) https (443). SmartConsole is a client application that connects to the Security Management Server to manage and configure the security policy and objects. SmartConsole uses three

  ports to communicate with the Security Management Server1:

  CPM (19009): This port is used for the communication between the SmartConsole client and the Check Point Management (CPM) process on the Security Management Server. The CPM process handles the database operations and the

  policy installation.

  CPMI (18190): This port is used for the communication between the SmartConsole client and the Check Point Management Interface (CPMI) process on the Security Management Server. The CPMI process handles the authentication and

  encryption of the SmartConsole sessions.

  https (443): This port is used for the communication between the SmartConsole client and the web server on the Security Management Server. The web server provides the SmartConsole GUI and the SmartConsole extensions. The other

  options are incorrect because they either include ports that are not used by SmartConsole or omit ports that are used by SmartConsole.

  References:

  SmartConsole R81.20 - Check Point Software1

• Question 432:

  Secure Configuration Verification (SCV), makes sure that remote access client computers are configured in accordance with the enterprise Security Policy. Bob was asked by Alice to implement a specific SCV configuration but therefore Bob needs to edit and configure a specific Check Point file. Which location file and directory is true?

  A. $FWDIR/conf/client.scv

  B. $CPDIR/conf/local.scv

  C. $CPDIR/conf/client.svc

  D. $FWDIR/conf/local.scv

  Correct Answer: D

  Secure Configuration Verification (SCV) is a feature that allows the Mobile Access Gateway to check the compliance of remote access clients with the enterprise security policy before granting them access to internal resources. SCV checks can be defined in a file named local.scv, which is located in the $FWDIR/conf directory on the Mobile Access Gateway1. The file can be edited manually or using the SCV Editor tool2. Therefore, the correct answer is D. References: 1: Secure Configuration Verification 2: SCV Editor

• Question 433:

  View the rule below. What does the lock-symbol in the left column mean? (Choose the BEST answer.)

  

  A. The current administrator has read-only permissions to Threat Prevention Policy.

  B. Another user has locked the rule for editing.

  C. Configuration lock is present. Click the lock symbol to gain read-write access.

  D. The current administrator is logged in as read-only because someone else is editing the policy.

  Correct Answer: B

  The lock symbol in the left column of the rule means that another user has locked the rule for editing. This is to prevent multiple users from editing the same rule at the same time and causing conflicts. References: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPreventi on_AdminGuide/Topics-TP-Policy/TP-Policy-Edit-Rules.htm

• Question 434:

  Kofi, the administrator of the ALPHA Corp network wishes to change the default Gaia WebUI Portal port number currently set on the default HTTPS port. Which CLISH commands are required to be able to change this TCP port?

  

  A. set web ssl-port

  B. set Gaia-portal port

  C. set Gaia-portal https-port

  D. set web https-port

  Correct Answer: A

  The CLISH command to change the default Gaia WebUI Portal port number is set web ssl-port . This command will change the port that the WebUI listens on for HTTPS connections. After changing the port, you need to save the configuration with save config and verify that the change was applied with show web ssl- port. You also need to update the Main URL in the Platform Portal section of the gateway object in SmartConsole and install the policy.

• Question 435:

  Aaron is a Syber Security Engineer working for Global Law Firm with large scale deployment of Check Point Enterprise Appliances running GAiA R81.X The Network Security Developer Team is having an issue testing the API with a newly

  deployed R81.X Security Management Server Aaron wants to confirm API services are working properly.

  What should he do first?

  A. Aaron should check API Server status with "fwm api status" from Expert mode If services are stopped, he should start them with "fwm api start".

  B. Aaron should check API Server status with "cpapi status" from Expert mode. If services are stopped, he should start them with "cpapi start"

  C. Aaron should check API Server status with "api status" from Expert mode If services are stopped, he should start them with "api start"

  D. Aaron should check API Server status with "cpm api status" from Expert mode. If services are stopped, he should start them with "cpi api start".

  Correct Answer: C

  Aaron should check API Server status with "api status" from Expert mode. If services are stopped, he should start them with "api start". This is the correct way to verify and start the API Server on a Security Management Server running Gaia R81.X. The other commands are either invalid or not related to the API Server. The api command is a wrapper script that simplifies the management of the API Server. It can be used to start, stop, restart, status, enable, or disable the API Server. References: [API Server]

• Question 436:

  Kurt is planning to upgrade his Security Management Server to R81.X. What is the lowest supported version of the Security Management he can upgrade from?

  A. R76 Splat

  B. R77.X Gaia

  C. R75 Splat

  D. R75 Gaia

  Correct Answer: D

  The lowest supported version of the Security Management that can be upgraded to R81.X is R75 Gaia. This means that the Security Management Server must be running on the Gaia Operating System and have a version of R75 or higher.

  R76 Splat, R77.X Gaia, and R75 Splat are not supported for upgrading to R81.X1. References: 1:

  Check Point Software, Getting Started, Supported Upgrade Paths.

• Question 437:

  If an administrator wants to add manual NAT for addresses now owned by the Check Point firewall, what else is necessary to be completed for it to function properly?

  A. Nothing - the proxy ARP is automatically handled in the R81 version

  B. Add the proxy ARP configurations in a file called /etc/conf/local.arp

  C. Add the proxy ARP configurations in a file called $FWDIR/conf/local.arp

  D. Add the proxy ARP configurations in a file called $CPDIR/conf/local.arp

  Correct Answer: C

  If an administrator wants to add manual NAT for addresses not owned by the Check Point firewall, they also need to add the proxy ARP configurations in a file called $FWDIR/conf/local.arp. This file contains the mappings between the IP addresses and the MAC addresses of the NATed hosts. The proxy ARP feature allows the firewall to answer ARP requests on behalf of the NATed hosts and forward the traffic to them. The local.arp file needs to be edited manually and reloaded with the command arp -f $FWDIR/conf/local.arp. References: R81 Security Management Administration Guide, page 1014.

• Question 438:

  Which of the following statements about Site-to-Site VPN Domain-based is NOT true?

  A. Domain-based- VPN domains are pre-defined for all VPN Gateways. When the Security Gateway encounters traffic originating from one VPN Domain with the destination to a VPN Domain of another VPN Gateway, that traffic is identified as VPN traffic and is sent through the VPN Tunnel between the two Gateways.

  B. Route-based- The Security Gateways will have a Virtual Tunnel Interface (VTI) for each VPN Tunnel with a peer VPN Gateway. The Routing Table can have routes to forward traffic to these VTIs. Any traffic routed through a VTI is automatically identified as VPN Traffic and is passed through the VPN Tunnel associated with the VTI.

  C. Domain-based- VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

  D. Domain-based- VPN domains are pre-defined for all VPN Gateways. A VPN domain is a host or network that can send or receive VPN traffic through a VPN Gateway.

  Correct Answer: C

  The statement that is not true about site-to-site VPN domain-based is that a VPN domain is a service or user that can send or receive VPN traffic through a VPN gateway. A VPN domain is a host or network that can send or receive VPN

  traffic through a VPN gateway, not a service or user. A service or user can be part of a VPN community, which defines the encryption and authentication methods for the VPN traffic. References:

  [Check Point Security Expert R81 Administration Guide], page 146.

• Question 439:

  When synchronizing clusters, which of the following statements is FALSE?

  A. The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized.

  B. Only cluster members running on the same OS platform can be synchronized.

  C. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization.

  D. Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails.

  Correct Answer: B

  The statement that only cluster members running on the same OS platform can be synchronized is false. Cluster members can be synchronized even if they run on different OS platforms, as long as they have the same Check Point version and hotfixes installed. The other statements are true. The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization. Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails. References: R81 ClusterXL Administration Guide, page 9-10; [R81 Security Gateway Architecture], page 23

• Question 440:

  What is the valid range for Virtual Router Identifier (VRID) value in a Virtual Routing Redundancy Protocol (VRRP) configuration?

  A. 1-254

  B. 1-255

  C. 0-254

  D. 0 ?255

  Correct Answer: B

  The valid range for Virtual Router Identifier (VRID) value in a Virtual Routing Redundancy Protocol (VRRP) configuration is 1-255. The VRID is a unique number that identifies a virtual router in a VRRP group. It is used to associate routers

  and their virtual IP addresses. The VRID must be the same for all routers in the same VRRP group.

  References: [Configuring VRRP on Gaia]