Last Updated on September 23, 2021 by Admin 3

156-215.80 : Check Point Certified Security Administrator (CCSA R80) : Part 22

  1. What is the purpose of a Clean-up Rule?

    • Clean-up Rules do not serve any purpose.
    • Provide a metric for determining unnecessary rules.
    • To drop any traffic that is not explicitly allowed.
    • Used to better optimize a policy.
    Explanation:
    These are basic access control rules we recommend for all Rule Bases:
    – Stealth rule that prevents direct access to the Security Gateway.
    – Cleanup rule that drops all traffic that is not allowed by the earlier rules.
    – There is also an implied rule that drops all traffic, but you can use the Cleanup rule to log the traffic.
  2. What are the two types of NAT supported by the Security Gateway?

    • Destination and Hide
    • Hide and Static
    • Static and Source
    • Source and Destination
    Explanation:
    A Security Gateway can use these procedures to translate IP addresses in your network:
    – Static NAT – Each internal IP address is translated to a different public IP address. The Firewall can allow external traffic to access internal resources.
    – Hide NAT – The Firewall uses port numbers to translate all specified internal IP addresses to a single public IP address and hides the internal IP structure. Connections can only start from internal computers, external computers CANNOT access internal servers. The Firewall can translate up to 50,000 connections at the same time from external computers and servers.
    – Hide NAT with Port Translation – Use one IP address and let external users access multiple application servers in a hidden network. The Firewall uses the requested service (or destination port) to send the traffic to the correct server. A typical configuration can use these ports: FTP server (port 21), SMTP server (port 25) and an HTTP server (port 80). It is necessary to create manual NAT rules to use Port Translation.
  3. Vanessa is attempting to log in to the Gaia Web Portal. She is able to log in successfully. Then she tries the same username and password for SmartConsole but gets the message in the screenshot image below. She has checked that the IP address of the Server is correct and the username and password she used to log in to Gaia is also correct.

    156-215.80 Check Point Certified Security Administrator (CCSA R80) Part 22 Q03 058

    What is the most likely reason?

    • Check Point R80 SmartConsole authentication is more secure than in previous versions and Vanessa requires a special authentication key for R80 SmartConsole. Check that the correct key details are used.
    • Check Point Management software authentication details are not automatically the same as the Operating System authentication details. Check that she is using the correct details.
    • SmartConsole Authentication is not allowed for Vanessa until a Super administrator has logged in first and cleared any other administrator sessions.
    • Authentication failed because Vanessa’s username is not allowed in the new Threat Prevention console update checks even though these checks passed with Gaia.
  4. What is the most complete definition of the difference between the Install Policy button on the SmartConsole’s tab, and the Install Policy button within a specific policy?

    • The Global one also saves and publishes the session before installation.
    • The Global one can install multiple selected policies at the same time.
    • The local one does not install the Anti-Malware policy along with the Network policy.
    • The second one pre-selects the installation for only the current policy and for the applicable gateways.
  5. Which of the following is used to initially create trust between a Gateway and Security Management Server?

    • Internal Certificate Authority
    • Token
    • One-time Password
    • Certificate
    Explanation:

    To establish the initial trust, a gateway and a Security Management Server use a one-time password. After the initial trust is established, further communication is based on security certificates.

  6. John is the administrator of an R80 Security Management server managing an R77.30 Check Point Security Gateway. John is currently updating the network objects and amending the rules using SmartConsole. To make John’s changes available to other administrators, and to save the database before installing a policy, what must John do?

    • Log out of the session
    • File > Save
    • Install database
    • Publish the session
    Explanation:
    Installing and Publishing
    It is important to understand the differences between publishing and installing.

    You must do this (after you did this):
    – Publish (after you opened a session in SmartConsole and made changes): The Publish operation sends all SmartConsole modifications to other administrators, and makes the changes you made in a private session public.
    – Install the database (after you modified network objects, such as servers, users, services, or IPS profiles, but not the Rule Base): Updates are installed on management servers and log servers.
    – Install a policy (after you changed the Rule Base): The Security Management Server installs the updated policy and the entire database on Security Gateways (even if you did not modify any network objects).
  7. There are ________ types of software containers ________.

    • Three; security management, Security Gateway, and endpoint security
    • Three; Security gateway, endpoint security, and gateway management
    • Two; security management and endpoint security
    • Two; endpoint security and Security Gateway

    Explanation:

    There are three types of Software Containers: Security Management, Security Gateway, and Endpoint Security.

  8. Fill in the blank: In Office mode, a Security Gateway assigns a remote client to an IP address once ___________.

    • the user connects and authenticates
    • office mode is initiated
    • the user requests a connection
    • the user connects
    Explanation:
    Office Mode enables a Security Gateway to assign a remote client an IP address. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected.
  9. Which Identity Source(s) should be selected in Identity Awareness for when there is a requirement for a higher level of security for sensitive servers?

    • AD Query
    • Terminal Servers Endpoint Identity Agent
    • Endpoint Identity Agent and Browser-Based Authentication
    • RADIUS and Account Logon

    Explanation:

    Endpoint Identity Agents and Browser-Based Authentication – When a high level of security is necessary. The Captive Portal is used for distributing the Endpoint Identity Agent. IP Spoofing protection can be set to prevent packets from being IP spoofed.

  10. Which statement describes what Identity Sharing is in Identity Awareness?

    • Management servers can acquire and share identities with Security Gateways
    • Users can share identities with other users
    • Security Gateways can acquire and share identities with other Security Gateways
    • Administrators can share identities with other administrators

    Explanation:

    Identity Sharing

    Best Practice – In environments that use many Security Gateways and AD Query, we recommend that you set only one Security Gateway to acquire identities from a given Active Directory domain controller for each physical site. If more than one Security Gateway gets identities from the same AD server, the AD server can become overloaded with WMI queries.
    Set these options on the Identity Awareness > Identity Sharing page of the Security Gateway object:
    – One Security Gateway to share identities with other Security Gateways. This is the Security Gateway that gets identities from a given domain controller.
    – All other Security Gateways to get identities from the Security Gateway that acquires identities from the given domain controller.

  11. What is the most recommended installation method for Check Point appliances?

    • SmartUpdate installation
    • DVD media created with Check Point ISOMorphic
    • USB media created with Check Point ISOMorphic
    • Cloud based installation
  12. Which of the following is NOT a role of the SmartCenter:

    • Status monitoring
    • Policy configuration
    • Certificate authority
    • Address translation
  13. Which of the following is NOT a valid application navigation tab in the R80 SmartConsole?

    • Manage and Command Line
    • Logs and Monitor
    • Security Policies
    • Gateway and Servers

    Explanation:

    156-215.80 Check Point Certified Security Administrator (CCSA R80) Part 22 Q13 059
    156-215.80 Check Point Certified Security Administrator (CCSA R80) Part 22 Q13 060
  14. Phase 1 of the two-phase negotiation process conducted by IKE operates in ______ mode.

    • Main
    • Authentication
    • Quick
    • High Alert
    Explanation:

    Phase I modes
    Between Security Gateways, there are two modes for IKE phase I. These modes only apply to IKEv1:
    – Main Mode
    – Aggressive Mode

  15. What is the BEST method to deploy Identity Awareness for roaming users?

    • Use Office Mode
    • Use identity agents
    • Share user identities between gateways
    • Use captive portal
    Explanation:
    Using Endpoint Identity Agents gives you:
    – User and machine identity
    – Minimal user intervention – all necessary configuration is done by administrators and does not require user input.
    – Seamless connectivity – transparent authentication using Kerberos Single Sign-On (SSO) when users are logged in to the domain. If you do not want to use SSO, users enter their credentials manually. You can let them save these credentials.
    – Connectivity through roaming – users stay automatically identified when they move between networks, as the client detects the movement and reconnects.
  16. What is the purpose of the Clean-up Rule?

    • To log all traffic that is not explicitly allowed or denied in the Rule Base
    • To clean up policies found inconsistent with the compliance blade reports
    • To remove all rules that could have a conflict with other rules in the database
    • To eliminate duplicate log entries in the Security Gateway

    Explanation:

    These are basic access control rules we recommend for all Rule Bases:
    – Stealth rule that prevents direct access to the Security Gateway.
    – Cleanup rule that drops all traffic that is not allowed by the earlier rules.
    – There is also an implied rule that drops all traffic, but you can use the Cleanup rule to log the traffic.

  17. Which of the following blades is NOT subscription-based and therefore does not have to be renewed on a regular basis?

    • Application Control
    • Threat Emulation
    • Anti-Virus
    • Advanced Networking Blade
  18. Backups and restores can be accomplished through _________.

    • SmartConsole, WebUI, or CLI
    • WebUI, CLI, or SmartUpdate
    • CLI, SmartUpdate, or SmartBackup
    • SmartUpdate, SmartBackup, or SmartConsole
    Explanation:
    Backup and Restore
    These options let you:
    – Back up the Gaia OS configuration and the firewall database to a compressed file
    – Restore the Gaia OS configuration and the firewall database from a compressed file
    To back up a configuration:
    1. Right-click the Security Gateway.
    2. Select Backup and Restore > Backup.
    The Backup window opens.
    3. Select the backup location.
  19. What does it mean if Deyra sees the gateway status:

    156-215.80 Check Point Certified Security Administrator (CCSA R80) Part 22 Q19 061
    • SmartCenter Server cannot reach this Security Gateway
    • There is a blade reporting a problem
    • VPN software blade is reporting a malfunction
    • Security Gateway’s MGNT NIC card is disconnected.

    Explanation:

    156-215.80 Check Point Certified Security Administrator (CCSA R80) Part 22 Q19 062
  20. The CPU level of your Security Gateway is peaking at 100%, causing problems with traffic. You suspect that the problem might be the Threat Prevention settings.

    The following Threat Prevention Profile has been created.

    156-215.80 Check Point Certified Security Administrator (CCSA R80) Part 22 Q20 063

    How could you tune the profile in order to lower the CPU load while still maintaining security at a good level?

    • Set High Confidence to Low and Low Confidence to Inactive.
    • Set the Performance Impact to Medium or lower.
    • The problem is not with the Threat Prevention Profile. Consider adding more memory to the appliance.
    • Set the Performance Impact to Very Low Confidence to Prevent.