What are the modes of SandBlast Threat Emulation deployment?
Answer : D
SandBlast Threat Emulation is a technology that protects against zero-day and unknown malware by inspecting files in a secure sandbox environment and emulating their behavior. SandBlast Threat Emulation can be deployed in three modes: Cloud, Appliance and Hybrid.
Cloud mode: The files are sent to the Check Point cloud service for emulation. This mode does not require any additional hardware or software installation. It is the easiest and most cost-effective way to deploy SandBlast Threat Emulation.
Appliance mode: The files are sent to a dedicated appliance (TE1000X, TE2500X, or TE100X) for emulation. This mode provides the highest level of performance and scalability, as well as data privacy and compliance. It is suitable for large organizations with high security and throughput requirements.
Hybrid mode: The files are first sent to the Check Point cloud service for emulation, and if the cloud service cannot determine the verdict, they are then sent to a dedicated appliance for further analysis. This mode combines the benefits of both cloud and appliance modes, offering fast response time and high accuracy.
To help SmartEvent determine whether events originated internally or externally you must define using the Initial Settings under General Settings in the Policy Tab. How many options are available to calculate the traffic direction?
Answer : D
To help SmartEvent determine whether events originated internally or externally, you must define the traffic direction using the Initial Settings under General Settings in the Policy Tab. There are four options available to calculate the traffic direction: Incoming, Outgoing, Internal, and Other. Incoming means the source is external and the destination is internal. Outgoing means the source is internal and the destination is external. Internal means both the source and the destination are internal. Other means both the source and the destination are external. Reference: SmartEvent R81 Administration Guide
What is NOT a Cluster Mode?
Answer : C
Active-Active is not a cluster mode. Active-Active is a cluster configuration where both members are active and handle traffic simultaneously. However, this configuration is only supported for VSX clusters, not for regular clusters. The cluster modes for regular clusters are High Availability (HA), Load Sharing Unicast, and Load Sharing Multicast. Reference: [Check Point Security Expert R81 ClusterXL Administration Guide], page 7.
VPN Link Selection will perform the following when the primary VPN link goes down?
Answer : B
VPN Link Selection is a feature that allows the Security Gateway to select the best link for each VPN tunnel based on the network topology and the Link Selection configuration. When the primary VPN link goes down, the Firewall can update the Link Selection entries to start using a different link for the same tunnel, as long as the remote peer supports this feature and has multiple IP addresses configured. This way, the VPN tunnel can be maintained without interruption or renegotiation. The other options are not correct because:

A) The Firewall will not drop the packets, but will try to send them over another link if possible.

C) The Firewall will not send out the packet on all interfaces, but will use the routing table to determine the best interface for each destination.

D) The Firewall will not inform the client that the tunnel is down, but will try to keep the tunnel up by switching to another link.
Within the Check Point Firewall Kernel resides Chain Modules, which are individually responsible for the inspection of a specific blade or feature that has been enabled in the configuration of the gateway. For Wire mode configuration, chain modules marked with _______ will not apply.
Answer : B
For Wire mode configuration, chain modules marked with 00000001 will not apply. Wire mode is a special configuration that allows a Security Gateway to pass traffic without inspection, acting as a bridge between two network segments. In Wire mode, only chain modules that are essential for basic functionality are applied, such as VPN, QoS, ClusterXL, and SecureXL. Chain modules that are related to inspection-based Software Blades, such as Firewall, IPS, Application Control, and so on, are skipped. The chain modules that are skipped are marked with 00000001 in the output of the fw ctl chain command. Reference: Wire Mode
Which file contains the host address to be published, the MAC address that needs to be associated with the IP Address, and the unique IP of the interface that responds to ARP request?
Answer : D
The file that contains the host address to be published, the MAC address that needs to be associated with the IP address, and the unique IP of the interface that responds to ARP request is $FWDIR/conf/local.arp. Local.arp is a configuration file that defines static ARP entries for hosts behind NAT devices. This file allows the Security Gateway to respond to ARP requests for NATed hosts with the correct MAC address, and to publish the NATed IP address instead of the real IP address. The other files are either not related or not valid.
Using Web Services to access the API, which Header Name-Value had to be in the HTTP Post request after the login?
Answer : A
The header name-value that has to be in the HTTP Post request after the login when using Web Services to access the API is X-chkp-sid Session Unique Identifier. This header contains the session ID that is returned by the login command and identifies the session for subsequent API commands. The session ID is valid for a limited time and can be extended by using keepalive or logout commands. Reference: [Check Point R81 Management API Reference Guide]