Free Practice Questions for Checkpoint 156-315.81 Exam

 Application Control is the software blade that provides Application Security and identity control. It allows administrators to define granular policies based on users or groups to identify, block or limit the usage of web applications and widgets. Application Control also integrates with Identity Awareness to provide user-level visibility and control. References: Training & Certification | Check Point Software, Check Point Resource Library

 The command that would be used to enable the Penalty Box feature is sim erdos -e 1. Penalty Box is a feature that protects the Security Gateway from DDoS attacks by dropping packets from sources that send excessive traffic. Sim erdos is a command that allows administrators to configure and manage the Penalty Box feature. Sim erdos -e 1 enables the Penalty Box feature on the Security Gateway. The other options are either invalid or perform different functions. 

The mechanism that can ensure that the Security Gateway can communicate with the Management Server with ease in situations with overwhelmed network resources is called Management Data Plane Separation (MDPS)1. MDPS is a feature that allows a Security Gateway to have isolated Management and Data networks. The network system of each domain (plane) is independent and includes interfaces, routes, sockets, and processes. The Management Plane is a domain that accesses, provisions, and monitors the Security Gateway. The Data Plane is a domain that handles all other traffic1. MDPS has the following benefits2:

It improves the performance and stability of the Security Gateway by separating the management traffic from the data traffic.

It enhances the security of the Security Gateway by preventing any packet from crossing between the planes.

It simplifies the network configuration and troubleshooting by having separate routing tables for each plane. MDPS is supported on Check Point Appliances with R80.40 and higher versions1. It is also supported on Quantum Maestro and Quantum Scalable Chassis with R81.20 and higher versions3. MDPS can be configured using Gaia Clish commands or Gaia Portal1. References: Management Data Plane Separation (MDPS) - Check Point Software, Tip of the Week: Management Data Plane Separation - Check Point CheckMates, Management Data Plane Separation (MDPS) on Maestro R81.20 - Check Point Software

A Distinguished Name (DN) is a unique identifier for an object in an LDAP directory, such as a user, a group, or an organization. A DN consists of a sequence of relative distinguished names (RDNs), which are attributes that describe the object. The most common RDNs are:

Common Name (CN): The name of the object, such as a user’s full name or a group’s name

Country ©: The two-letter ISO code of the country where the object is located, such as US or PK

User container (UC): The name of the container that holds the user objects, such as Users or People

Domain Component (DC): The name of the domain that the object belongs to, such as checkpoint.com or example.org

An Organizational Unit (OU) is not a component of a DN, but a type of object that can be used to organize other objects in a hierarchical structure. An OU can have its own DN, which includes the OU attribute as an RDN, such as OU=Sales,DC=checkpoint,DC=com.

The references are:

Check Point R81 Identity Awareness Administration Guide, page 14

LDAP Distinguished Names

What is a Distinguished Name?

 SandBlast is the best Check Point product to protect against malware and zero-day attacks while ensuring quick delivery of safe content to your users. SandBlast is an advanced network threat prevention solution that uses a combination of technologies to detect and block known and unknown threats before they reach your network. SandBlast uses Threat Emulation, which is a sandboxing technology that inspects files for malicious behavior in a virtual environment; Threat Extraction, which removes potentially malicious elements from files and delivers clean and safe content to your users; Anti-Bot, which identifies and blocks botnet communications and prevents data exfiltration; Anti-Virus, which scans files for known malware signatures; and IPS, which monitors network traffic for malicious or anomalous patterns. SandBlast also provides comprehensive reports and forensic analysis on the detected threats and their origin and behavior. 

Comprehensive and Detailed Explanation: The “MAC magic” value, also known as the “Cluster Global ID”, is a mechanism that identifies different clusters on the same network segment. It is used to prevent MAC address conflicts and ensure proper load balancing among cluster members. The “MAC magic” value is a hexadecimal number that is appended to the virtual MAC address of the cluster interface. By default, the “MAC magic” value is set to 1 for all clusters, but it must be changed manually if there is more than one cluster connected to the same VLAN. Otherwise, the clusters will not be able to communicate with each other or with external hosts.

The “MAC magic” value does not need to be modified under the other conditions listed in the question. The firewall cluster can use either Broadcast or Multicast for CCP traffic without affecting the “MAC magic” value. The number of members in a firewall cluster also does not affect the “MAC magic” value, as long as they belong to the same cluster and have the same Cluster Global ID.

References: Verifying Magic Mac - R81.20 - Check Point CheckMates; What is Magic MAC? - Check Point CheckMates; Check Point R81 CLI Reference Guide, page 17; R81 ClusterXL Administration Guide, page 9-10

After clicking “Next”, the above configuration is supported by Active Directory integration which allows the Security Gateway to correlate Active Directory users and machines to IP addresses in a method that is completely transparent to the user. This is a feature of Identity Awareness that allows the Security Gateway to identify users and machines on the network and enforce security policies based on their identity. The administrator can configure Identity Awareness to use various methods for acquiring identity, including Active Directory integration, browser-based authentication, terminal servers, and transparent authentication1. References: Check Point Resource Library, page 3.

 In R81, more than one administrator can login to the Security Management Server with write permission at the same time. This feature is enabled by default and allows concurrent administration of the security policy. Every administrator works in a session that is independent of the other administrators. Changes made by one administrator are not visible to others until they are published. Administrators can also lock objects to prevent others from editing them until they are unlocked. References: R81 Security Management Administration Guide, page 43.

Proxy ARP is a technique that allows a device to respond to ARP requests on behalf of another IP address. Proxy ARP is required for Manual Static NAT when the translated IP address does not belong to one of the firewall’s interfaces. This is because the firewall needs to intercept the packets destined to the translated IP address and forward them to the original IP address after applying the NAT rule. Without Proxy ARP, the packets would not reach the firewall and the NAT would not work. Proxy ARP is not required for Automatic Static NAT or Automatic Hide NAT, because these types of NAT use IP addresses that belong to the firewall’s interfaces. Proxy ARP is also not required for Manual Hide NAT, because this type of NAT does not change the destination IP address of the packets, only the source IP address. References: Check Point R81 Security Management Administration Guide, page 115

 The correct way to enable Identity Captive Portal for a specific rule is to right click Accept in the rule, select “More”, and then check ‘Enable Identity Captive Portal’. This will allow guest users to see the splash page and accept the Terms of Service before accessing the Internet. Identity Captive Portal is a feature that enables identity awareness for guest users who are not authenticated by other methods, such as Active Directory or Identity Agent. Identity Captive Portal can be enabled globally or per rule, depending on the security policy requirements. 

 The biggest benefit of policy layers is that they enable flexible control over the security policy. Policy layers and sub-policies allow administrators to break one policy into several virtual policies, each with its own set of rules and actions. Policy layers can be ordered, shared, and reused across different policies. Policy layers can also include Threat Prevention as a sub-policy for the firewall policy. References: [Check Point R81 Security Management Guide]

 The main objective when using Application Control is to ensure security and privacy of information. Application Control is a blade that enables administrators to control access to web applications and web sites based on categories, users, groups, machines, and time. Application Control can also block or limit usage of applications that pose security risks or consume excessive bandwidth2. References: Check Point R81 Application Control Administration Guide

Authentication rules are defined for user groups, not individual users or all users in the database. Authentication rules allow you to control which user groups can access specific resources or services through the Security Gateway. You can define different authentication methods and schemes for different user groups, such as Check Point Password, OS Password, RADIUS, TACACS, SecurID, LDAP, or Certificate. You can also define different session timeouts and source restrictions for different user groups. Authentication rules are processed before the network access rules in the rule base.

 The Threat Prevention software components available on the Check Point Security Gateway are IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. These components provide comprehensive protection against various types of cyber threats, such as network attacks, malware, ransomware, phishing, zero-day exploits, data leakage, and more. IPS is a network security component that detects and prevents malicious traffic based on signatures, behavioral patterns, and anomaly detection. Anti-Bot is a network security component that detects and blocks botnet communications and command-and-control servers. Anti-Virus is a network security component that scans files for known viruses, worms, and trojans. Threat Emulation is a network security component that emulates files in a sandbox environment to detect unknown malware and prevent zero-day attacks. Threat Extraction is a network security component that removes malicious content from files and delivers clean files to users. References: [Check Point R81 Threat Prevention Administration Guide], page 9-10

 cp.macro is an electronically signed file used by Check Point to translate the features in the license into a code. It is located in the $FWDIR/conf directory on the Security Management Server. The cp.macro file contains a list of features and their corresponding codes, which are used to generate the license file (.lic) based on the contract file (.xml). The license file (.lic) is then installed on the Security Gateway or Security Management Server to activate the licensed features. References: Check Point R81 Licensing and Contract Administration Guide, page 10