156-215.80 : Check Point Certified Security Administrator (CCSA R80) : Part 04
-
What are the three conflict resolution rules in the Threat Prevention Policy Layers?
- Conflict on action, conflict on exception, and conflict on settings
- Conflict on scope, conflict on settings, and conflict on exception
- Conflict on settings, conflict on address, and conflict on exception
- Conflict on action, conflict on destination, and conflict on settings
-
What does the “unknown” SIC status shown on SmartConsole mean?
- The SMS can contact the Security Gateway but cannot establish Secure Internal Communication.
- SIC activation key requires a reset.
- The SIC activation key is not known by any administrator.
- There is no connection between the Security Gateway and SMS.
Explanation: The most typical status is Communicating. Any other status indicates that the SIC communication is problematic. For example, if the SIC status is Unknown then there is no connection between the Gateway and the Security Management server. If the SIC status is Not Communicating, the Security Management server is able to contact the gateway, but SIC communication cannot be established.
-
Kofi, the administrator of the ALPHA Corp network, wishes to change the default Gaia WebUI Portal port number currently set on the default HTTPS port. Which CLISH commands are required to be able to change this TCP port?
- set web ssl-port <new port number>
- set Gaia-portal port <new port number>
- set Gaia-portal https-port <new port number>
- set web https-port <new port number>
Explanation: In Clish
A. Connect to command line on Security Gateway / each Cluster member.
B. Log in to Clish.
C. Set the desired port (e.g., port 4434):
HostName> set web ssl-port <Port_Number>
D. Save the changes:
HostName> save config
E. Verify that the configuration was saved:
[Expert@HostName]# grep 'httpd:ssl_port' /config/db/initial
-
Browser-based Authentication sends users to a web page to acquire identities using ________ .
- User Directory
- Captive Portal and Transparent Kerberos Authentication
- Captive Portal
- UserCheck
Explanation: To enable Identity Awareness:
1. Log in to SmartDashboard.
2. From the Network Objects tree, expand the Check Point branch.
3. Double-click the Security Gateway on which to enable Identity Awareness.
4. In the Software Blades section, select Identity Awareness on the Network Security tab.
The Identity Awareness Configuration wizard opens.
5. Select one or more options. These options set the methods for acquiring identities of managed and unmanaged assets.
– AD Query – Lets the Security Gateway seamlessly identify Active Directory users and computers.
– Browser-Based Authentication – Sends users to a Web page to acquire identities from unidentified users. If Transparent Kerberos Authentication is configured, AD users may be identified transparently.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62050.htm
-
Which default Gaia user has full read/write access?
- Monitor
- Altuser
- Administrator
- Superuser
-
The _________ collects logs and sends them to the _________ .
- Log server; security management server
- Log server; Security Gateway
- Security management server; Security Gateway
- Security Gateways; log server
-
The Security Gateway is installed on GAiA R80. The default port for the WEB User Interface is _______ .
- TCP 18211
- TCP 257
- TCP 4433
- TCP 443
-
To build an effective Security Policy, use a ________ and _______ rule.
- Cleanup; stealth
- Stealth; implicit
- Cleanup; default
- Implicit; explicit
-
Which type of Check Point license is tied to the IP address of a specific Security Gateway and cannot be transferred to a gateway that has a different IP address?
- Central
- Corporate
- Formal
- Local
-
Which utility shows the security gateway general system information statistics like operating system information and resource usage, and individual software blade statistics of VPN, Identity Awareness and DLP?
- cpconfig
- fw ctl pstat
- cpview
- fw ctl multik stat
Explanation: CPView Utility is a text-based built-in utility that can be run (‘cpview’ command) on Security Gateway / Security Management Server / Multi-Domain Security Management Server. CPView Utility shows statistical data that contain both general system information (CPU, Memory, Disk space) and information for different Software Blades (only on Security Gateway). The data is continuously updated in easy-to-access views.
-
The following graphic shows:
- View from SmartLog for logs initiated from source address 10.1.1.202
- View from SmartView Tracker for logs of destination address 10.1.1.202
- View from SmartView Tracker for logs initiated from source address 10.1.1.202
- View from SmartView Monitor for logs initiated from source address 10.1.1.202
-
In R80, Unified Policy is a combination of
- Access control policy, QoS Policy, Desktop Security Policy and endpoint policy.
- Access control policy, QoS Policy, Desktop Security Policy and Threat Prevention Policy.
- Firewall policy, address Translation and application and URL filtering, QoS Policy, Desktop Security Policy and Threat Prevention Policy.
- Access control policy, QoS Policy, Desktop Security Policy and VPN policy.
Explanation: D is the best answer given the choices.
Unified Policy
In R80 the Access Control policy unifies the policies of these pre-R80 Software Blades:
– Firewall and VPN
– Application Control and URL Filtering
– Identity Awareness
– Data Awareness
– Mobile Access
– Security Zones
-
The command __________ provides the most complete restoration of an R80 configuration.
- upgrade_import
- cpconfig
- fwm dbimport -p <export file>
- cpinfo -recover
Explanation: (Should be “migrate import”)
“migrate import” restores the backed-up configuration for R80; in previous versions the command was “upgrade_import”.
-
The Gaia operating system supports which routing protocols?
- BGP, OSPF, RIP
- BGP, OSPF, EIGRP, PIM, IGMP
- BGP, OSPF, RIP, IGRP
- BGP, OSPF, RIP, EIGRP
Explanation: The Advanced Routing Suite
The Advanced Routing Suite CLI is available as part of the Advanced Networking Software Blade.
For organizations looking to implement scalable, fault-tolerant, secure networks, the Advanced Networking blade enables them to run industry-standard dynamic routing protocols including BGP, OSPF, RIPv1, and RIPv2 on security gateways. OSPF, RIPv1, and RIPv2 enable dynamic routing over a single autonomous system – like a single department, company, or service provider – to avoid network failures. BGP provides dynamic routing support across more complex networks involving multiple autonomous systems – such as when a company uses two service providers or divides a network into multiple areas with different administrators responsible for the performance of each.
-
Joey wants to configure NTP on R80 Security Management Server. He decided to do this via WebUI. What is the correct IP address and default port to access the Web UI for Gaia platform via browser?
- https://<Device_IP_Address>
- https://<Device_IP_Address>:443
- https://<Device_IP_Address>:10000
- https://<Device_IP_Address>:4434
Explanation: To access the Gaia WebUI administration interface, initiate a connection from a browser to the default administration IP address:
Logging in to the WebUI
Logging in
To log in to the WebUI:
1. Enter this URL in your browser:
https://<Gaia IP address>
2. Enter your user name and password.
-
Which application should you use to install a contract file?
- SmartView Monitor
- WebUI
- SmartUpdate
- SmartProvisioning
Explanation:
Using SmartUpdate: If you already use an NGX R65 (or higher) Security Management / Provider-1 / Multi-Domain Management Server, SmartUpdate allows you to import the service contract file that you have downloaded in Step #3.
Open SmartUpdate and from the Launch Menu select ‘Licenses & Contracts’ -> ‘Update Contracts’ -> ‘From File…’ and provide the path to the file you have downloaded in Step #3:
Note: If SmartUpdate is connected to the Internet, you can download the service contract file directly from the UserCenter without going through the download and import steps.
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33089
-
Which feature is NOT provided by all Check Point Mobile Access solutions?
- Support for IPv6
- Granular access control
- Strong user authentication
- Secure connectivity
Explanation: Types of Solutions
All of Check Point’s Remote Access solutions provide:
– Enterprise-grade, secure connectivity to corporate resources.
– Strong user authentication.
– Granular access control.
-
You work as a security administrator for a large company. The CSO of your company has attended a security conference where he has learned how hackers constantly modify their strategies and techniques to evade detection and reach corporate resources. He wants to make sure that his company has the right protections in place. Check Point has been selected as the security vendor. Which Check Point product protects BEST against malware and zero-day attacks while ensuring quick delivery of safe content to your users?
- IPS and Application Control
- IPS, anti-virus and anti-bot
- IPS, anti-virus and e-mail security
- SandBlast
Explanation: SandBlast Zero-Day Protection
Hackers constantly modify their strategies and techniques to evade detection and reach corporate resources. Zero-day exploit protection from Check Point provides a deeper level of inspection so you can prevent more malware and zero-day attacks, while ensuring quick delivery of safe content to your users.
-
Each cluster has __________ interfaces.
- Five
- Two
- Three
- Four
Explanation: Each cluster member has three interfaces: one external interface, one internal interface, and one for synchronization. Cluster member interfaces facing in each direction are connected via a switch, router, or VLAN switch.
-
What are the three essential components of the Check Point Security Management Architecture?
- SmartConsole, Security Management Server, Security Gateway
- SmartConsole, SmartUpdate, Security Gateway
- Security Management Server, Security Gateway, Command Line Interface
- WebUI, SmartConsole, Security Gateway
Explanation:
Deployments
Basic deployments:
Standalone deployment – Security Gateway and the Security Management server are installed on the same machine.
Distributed deployment – Security Gateway and the Security Management server are installed on different machines.
Assume an environment with gateways on different sites. Each Security Gateway connects to the Internet on one side, and to a LAN on the other.
You can create a Virtual Private Network (VPN) between the two Security Gateways, to secure all communication between them.
The Security Management server is installed in the LAN, and is protected by a Security Gateway. The Security Management server manages the Security Gateways and lets remote users connect securely to the corporate network. SmartDashboard can be installed on the Security Management server or another computer.
There can be other OPSEC-partner modules (for example, an Anti-Virus Server) to complete the network security with the Security Management server and its Security Gateways.