Which option, when applied to a rule, allows traffic to VPN gateways in specific VPN communities?
A. All Connections (Clear or Encrypted)
B. Accept all encrypted traffic
C. Specific VPN Communities
D. All Site-to-Site VPN Communities
Correct Answer: C
The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities. This option enables you to define which VPN communities are allowed in the rule. All Connections (Clear or Encrypted) allows traffic to any destination, regardless of whether it is encrypted or not. Accept all encrypted traffic allows traffic to any encrypted destination, regardless of the VPN community. All Site-to-Site VPN Communities allows traffic to any site-to-site VPN gateway, regardless of the VPN community. Therefore, the correct answer is C. Specific VPN Communities.
Question 382:
If there are two administrators logged in at the same time to the SmartConsole, and there are objects locked for editing, what must be done to make them available to other administrators? Choose the BEST answer.
A. Save and install the Policy
B. Delete older versions of database
C. Revert the session.
D. Publish or discard the session
Correct Answer: D
If there are two administrators logged in at the same time to the SmartConsole, and there are objects locked for editing, the administrator who locked the objects must publish or discard the session to make them available to other administrators. Publishing or discarding the session will save or discard the changes made by the administrator and unlock the objects for editing by others. References: Check Point R81 Security Management Administration Guide, page 18.
Question 383:
Where is the "Hit Count" feature enabled or disabled in SmartConsole?
A. On the Policy Package
B. On each Security Gateway
C. On the Policy layer
D. In Global Properties for the Security Management Server
Correct Answer: C
The "Hit Count" feature is enabled or disabled on the Policy layer in SmartConsole. To enable or disable the "Hit Count" feature, right-click on the Policy layer and select "Edit Layer". Then, check or uncheck the "Enable Hit Count" option. References: Solved: Hit Count in R80.x
Question 384:
The Gateway Status view in SmartConsole shows the overall status of Security Gateways and Software Blades. What does the Status Attention mean?
A. Cannot reach the Security Gateway.
B. The gateway and all its Software Blades are working properly.
C. At least one Software Blade has a minor issue, but the gateway works.
D. Cannot make SIC between the Security Management Server and the Security Gateway
Correct Answer: C
The Status Attention means that at least one Software Blade has a minor issue, but the gateway works. For example, this could indicate a license expiration warning, a policy installation failure, or a blade activation problem. References: Check Point R81 SmartConsole Guide, Check Point R81 Security Management Administration Guide
Question 385:
Which of the following cannot be configured in an Access Role Object?
A. Networks
B. Users
C. Time
D. Machines
Correct Answer: C
Time cannot be configured in an Access Role Object. An Access Role Object is a way to define a group of users based on four criteria: Networks, Users, Machines, and Locations. Networks are IP addresses or network objects that represent the source or destination of the traffic. Users are user accounts or user groups from an identity source such as LDAP or RADIUS. Machines are endpoints that are identified by MAC addresses or certificates. Locations are geographical regions based on IP addresses. References: Check Point R81 Firewall Administration Guide, Check Point R81 Identity Awareness Administration Guide
Question 386:
When a gateway requires user information for authentication, in what order does it query servers for user information?
A. First - Internal user database, then LDAP servers in order of priority, finally the generic external user profile
B. First the Internal user database, then generic external user profile, finally LDAP servers in order of priority.
C. First the highest priority LDAP server, then the internal user database, then lower priority LDAP servers, finally the generic external profile
D. The external generic profile, then the internal user database, finally the LDAP servers in order of priority.
Correct Answer: B
When a gateway requires user information for authentication, it queries servers for user information in the following order: first the internal user database, then the generic external user profile, and finally LDAP servers in order of priority. The internal user database is a local database that stores user information on the Security Gateway or Security Management Server. The generic external user profile is a predefined profile that allows users to authenticate with any external server that supports RADIUS or TACACS protocols. LDAP servers are external servers that use the Lightweight Directory Access Protocol to store and retrieve user information. The gateway queries LDAP servers according to the priority that is defined in the LDAP Account Unit object properties.
Question 387:
What are two basic rules Check Point recommends for building an effective security policy?
A. Accept Rule and Drop Rule
B. Cleanup Rule and Stealth Rule
C. Explicit Rule and Implied Rule
D. NAT Rule and Reject Rule
Correct Answer: B
Two basic rules that Check Point recommends for building an effective security policy are Cleanup Rule and Stealth Rule. A Cleanup Rule is a rule that is placed at the end of the rule base and drops or logs any traffic that does not match any of the previous rules. A Stealth Rule is a rule that is placed at the top of the rule base and protects the Security Gateway from direct access by unauthorized users. The other options are not basic rules for building a security policy, but rather types or categories of rules.
Question 388:
Name the pre-defined Roles included in Gaia OS.
A. AdminRole, and MonitorRole
B. ReadWriteRole, and ReadyOnly Role
C. AdminRole, cloningAdminRole, and Monitor Role
D. AdminRole
Correct Answer: A
The pre-defined Roles included in Gaia OS are AdminRole and MonitorRole. AdminRole is the role that has full access to all Gaia features and commands. MonitorRole is the role that has read-only access to Gaia features and commands. The other options are not valid pre-defined Roles in Gaia OS.
Question 389:
Vanessa is attempting to log into the Gaia Web Portal. She is able to log in successfully. Then she tries the same username and password for SmartConsole but gets the message in the screenshot image below. She has checked that the IP address of the Server is correct and that the username and password she used to log in to Gaia are also correct.
What is the most likely reason?
A. Check Point R80 SmartConsole authentication is more secure than in previous versions and Vanessa requires a special authentication key for R80 SmartConsole. Check that the correct key details are used.
B. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. Check that she is using the correct details.
C. SmartConsole Authentication is not allowed for Vanessa until a Super administrator has logged in first and cleared any other administrator sessions.
D. Authentication failed because Vanessa's username is not allowed in the new Threat Prevention console update checks even though these checks passed with Gaia.
Correct Answer: B
The most likely reason for Vanessa's authentication failure is that she is using the wrong details for SmartConsole. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. She needs to use the credentials that were defined during the initial configuration of the Security Management Server, or the ones that were assigned to her by the administrator. The other options are not valid reasons for this error. References: SmartConsole Login
Question 390:
You have enabled "Extended Log" as a tracking option to a security rule. However, you are still not seeing any data type information. What is the MOST likely reason?
A. Identity Awareness is not enabled.
B. Log Trimming is enabled.
C. Logging has disk space issues
D. Content Awareness is not enabled.
Correct Answer: D
Extended Log is a tracking option that enables administrators to see additional information about the traffic that matches a security rule, such as data type, file name, file size, etc. However, to see any data type information, Content Awareness must be enabled on the Security Gateway. Content Awareness is a blade that inspects files based on their type, size, name, and data. Content Awareness is required for Extended Log to work properly. References: Check Point R81 Content Awareness Administration Guide