156-315.81 Exam Questions

Total 422 Questions

Last Updated Exam : 16-Dec-2024

You have successfully backed up Check Point configurations without the OS information. What command would you use to restore this backup?


A. restore_backup


B. import backup


C. cp_merge


D. migrate import





D.
  migrate import


Explanation:

The migrate export command backs up only the Check Point management configuration (the database, policies and objects), not the Gaia OS settings such as interfaces, routes and OS users; the matching migrate import command restores that exported file onto a clean installation. The OS part is captured separately by a Gaia system backup or snapshot. The other options are not valid commands for this purpose. Note that the R81 Installation and Upgrade Guide documents the same procedure with the migrate_server tool located in $FWDIR/scripts/ (migrate_server export and migrate_server import -v R81 /path/to/file.tgz), which supersedes the older migrate tool on current systems. References: Check Point R81 Installation and Upgrade Guide

Full synchronization between cluster members is handled by Firewall Kernel. Which port is used for this?


A. UDP port 265


B. TCP port 265


C. UDP port 256


D. TCP port 256





D.
  TCP port 256


Explanation:

Full synchronization between cluster members is carried out over TCP port 256 (the FW1 service) on the sync interface. A full sync happens when a member joins or rejoins the cluster and must receive the entire connections (state) table from an active member. After that, delta sync keeps the members' tables updated incrementally using the Cluster Control Protocol (CCP) on UDP port 8116. On a member, cphaprob syncstat shows synchronization statistics and cphaprob state shows the state of each member. References: ClusterXL Administration Guide

Which Check Point feature enables application scanning and the detection?


A. Application Dictionary


B. AppWiki


C. Application Library


D. CPApp





B.
  AppWiki


Explanation:

AppWiki is the Check Point feature that enables application scanning and detection. It is a searchable front end to Check Point's Web 2.0 Applications Database: you can look up information about internet applications, including social network widgets, filter by category, tag or risk level, and search by keyword or application name. AppWiki helps you identify and control the applications on your network and apply granular policies based on application type, risk and characteristics. It is integrated with the Application Control Software Blade, which provides application security and identity control for organizations of all sizes.

References: AppWiki | Check Point Software

Which of the following Windows Security Events will not map a username to an IP address in Identity Awareness?


A. Kerberos Ticket Renewed


B. Kerberos Ticket Requested


C. Account Logon


D. Kerberos Ticket Timed Out





D.
  Kerberos Ticket Timed Out


Explanation:

Identity Awareness AD Query maps user names to IP addresses by reading the Security Event Log of the Active Directory Domain Controllers (over WMI) and using the events that carry both a user name and the client's address: Account Logon (event 4624), Kerberos Ticket Requested (4768 for a TGT, 4769 for a service ticket) and Kerberos Ticket Renewed (4770). Each of these records a successful authentication together with the source IP address of the request, so the gateway can associate the user with that address.

Kerberos Ticket Timed Out is not one of the events AD Query collects. A ticket expiring is not an authentication coming from a client address, so there is no source IP to associate with the user and Identity Awareness cannot build a mapping from it.

References: Identity Awareness Administration Guide R81, section "How Identity Awareness Collects Identities"
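The mapping described above, as an added example that is not part of the original page or Check Point's code: a small model of how AD Query folds Domain Controller security events into a user-to-IP table. The event records are constructed sample data; the field names follow the standard Windows Security Event schema (EventID, TargetUserName, TargetDomainName, IpAddress), and which fields AD Query actually reads, as well as skipping machine accounts and loopback addresses, are assumptions of this illustration.

```python
"""Illustrative model of how Identity Awareness AD Query turns Domain Controller
Security Events into a user-to-IP map. Added example code, not Check Point's
implementation. SAMPLE_EVENTS is constructed data; the field names follow the
standard Windows Security Event schema (an assumption of this illustration)."""
import ipaddress

# Standard Windows Security event IDs that carry both a user name and the
# client address. AD Query collects these four; anything else is ignored.
MAPPABLE_EVENTS = {
    4624: "Account Logon",
    4768: "Kerberos TGT Requested",
    4769: "Kerberos Service Ticket Requested",
    4770: "Kerberos Ticket Renewed",
}

# Constructed sample records standing in for parsed DC security events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.1.1.20"},
    {"EventID": 4768, "TargetUserName": "bob", "TargetDomainName": "CORP", "IpAddress": "::ffff:10.1.1.21"},
    {"EventID": 4770, "TargetUserName": "carol", "TargetDomainName": "CORP", "IpAddress": "10.1.1.22"},
    {"EventID": 4624, "TargetUserName": "SRV01$", "TargetDomainName": "CORP", "IpAddress": "10.1.1.30"},
    {"EventID": 4624, "TargetUserName": "dave", "TargetDomainName": "CORP", "IpAddress": "-"},
    {"EventID": 4634, "TargetUserName": "alice", "TargetDomainName": "CORP"},
    {"EventID": 4624, "TargetUserName": "erin", "TargetDomainName": "CORP", "IpAddress": "10.1.1.20"},
]


def normalize_ip(raw):
    """Return a canonical IPv4/IPv6 string, or None when the event has no usable
    client address ('-' is what Windows logs for local/interactive logons)."""
    if not raw or raw == "-":
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    # Kerberos events often log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return None
    return str(addr)


def identity_from_event(event):
    """Return (user, ip) if this event can map a user to an address, else None.
    Machine accounts (names ending in '$') are skipped here because they do not
    represent a person using the host (assumption of this illustration)."""
    if event.get("EventID") not in MAPPABLE_EVENTS:
        return None
    user = event.get("TargetUserName", "")
    if not user or user.endswith("$"):
        return None
    ip = normalize_ip(event.get("IpAddress"))
    if ip is None:
        return None
    return f"{event.get('TargetDomainName', '')}\\{user}", ip


def build_identity_map(events):
    """Fold events into an IP -> user map. A later event for the same address
    replaces the earlier one: the newest logon is the current identity."""
    mapping = {}
    for ev in events:
        pair = identity_from_event(ev)
        if pair is not None:
            user, ip = pair
            mapping[ip] = user
    return mapping


if __name__ == "__main__":
    for ip, user in sorted(build_identity_map(SAMPLE_EVENTS).items()):
        print(f"{ip:15} {user}")
```

Running it on the sample yields three mappings: the logoff event (4634), the machine account and the logon with no client address are all dropped, and 10.1.1.20 ends up attributed to erin because her logon came after alice's.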

Which of the following is NOT an option to calculate the traffic direction?


A. Incoming


B. Internal


C. External


D. Outgoing





D.
  Outgoing


Explanation:

Outgoing is not one of the options for calculating traffic direction. Traffic direction is the setting that determines whether traffic is classified as internal or external from its source and destination relative to the Security Gateway's topology. The three options are Incoming, Internal and External. Incoming classifies traffic as internal when its destination is one of the Security Gateway's own interfaces, and external otherwise. Internal classifies traffic as internal when its source or its destination belongs to one of the internal networks defined in the topology, and external otherwise. External classifies traffic as internal only when both its source and its destination belong to internal networks defined in the topology, and external otherwise.

You can access the ThreatCloud Repository from:


A. R81.20 SmartConsole and Application Wiki


B. Threat Prevention and Threat Tools


C. Threat Wiki and Check Point Website


D. R81.20 SmartConsole and Threat Prevention





D.
  R81.20 SmartConsole and Threat Prevention


Explanation:

According to the Check Point R81 release notes, you can access the ThreatCloud Repository from the R81.20 SmartConsole and from Threat Prevention. The ThreatCloud Repository is Check Point's cloud-based threat intelligence service; it provides real-time threat intelligence and updates to the Threat Prevention blades. The other options are either outdated or nonexistent. References: Check Point R81

The system administrator of a company is trying to find out why acceleration is not working for the traffic. The traffic is allowed according to the rule base and checked for viruses. But it is not accelerated.

What is the most likely reason that the traffic is not accelerated?


A. There is a virus found. Traffic is still allowed but not accelerated.


B. The connection required a Security server.


C. Acceleration is not enabled.


D. The traffic is originating from the gateway itself.





B.
  The connection required a Security server.


Explanation:

According to the Check Point R81 release notes, SecureXL cannot accelerate connections that must be handled by a Security Server, a user-space process that proxies the connection for deep inspection and modification, as used by HTTPS Inspection, Content Awareness or Anti-Virus. Such connections are forwarded to the slow (firewall) path instead. Since the traffic in the question was checked for viruses, the most likely reason is that the connection required a Security Server. The other options are either false or not the most likely reason; for example, acceleration being disabled would affect all traffic rather than this one flow. To confirm on the gateway, run fwaccel stat to check that SecureXL is enabled, fwaccel stats -s to compare accelerated connections against F2F (forwarded to firewall) packets, and fwaccel conns to list current connections with their acceleration flags.

References:

Check Point R81

Which file contains the host address to be published, the MAC address that needs to be associated with the IP Address, and the unique IP of the interface that responds to ARP request?


A. /opt/CPshrd-R81/conf/local.arp


B. /var/opt/CPshrd-R81/conf/local.arp


C. $CPDIR/conf/local.arp


D. $FWDIR/conf/local.arp





D.
  $FWDIR/conf/local.arp


Explanation:

The file that contains the host address to be published, the MAC address to associate with that IP address, and the unique IP of the interface that responds to the ARP request is $FWDIR/conf/local.arp. It holds manual proxy ARP entries: when a NAT rule publishes an address that no real host owns (for example a Static NAT address on the external subnet), the Security Gateway must answer ARP requests for that address with the MAC of its own interface, otherwise upstream routers never deliver the traffic. For the entries to take effect, enable Merge manual proxy ARP configuration under Global Properties > NAT - Network Address Translation and install the policy; on Gaia, proxy ARP can also be configured in the Gaia Portal or clish (add arp proxy ...), which is the preferred method on current releases. The other paths are either not related or not valid.
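A validator for local.arp entries, as an added example that is not part of the original page or Check Point's tooling. The sample file content is constructed. Entries are checked as "published IP, MAC" with an optional third column for the unique IP of the interface that answers the ARP request (the three fields named in the question); treating that third column as optional, and the check that the file contains no comments, are assumptions of this example.

```python
"""Added example (not Check Point's code): validate the proxy-ARP entries in a
$FWDIR/conf/local.arp file before installing policy. Each entry is
'<published IP> <MAC> [<unique interface IP>]'; the optional third column is an
assumption of this example. SAMPLE_LOCAL_ARP is constructed data."""
import ipaddress
import re

# Six colon-separated hex octets; dash or dot separators are rejected.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample: two good entries followed by three broken ones.
SAMPLE_LOCAL_ARP = """\
203.0.113.10   00:1c:7f:aa:bb:01   203.0.113.2
203.0.113.11   00:1c:7f:aa:bb:01   203.0.113.2
203.0.113.12   00-1c-7f-aa-bb-01
203.0.113.999  00:1c:7f:aa:bb:01
203.0.113.10   00:1c:7f:aa:bb:02   203.0.113.2
"""


def parse_local_arp(text):
    """Return (entries, errors). entries lists dicts for valid lines; errors
    lists 'line N: reason' strings for lines the gateway could not use."""
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            errors.append(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
            continue
        ip_txt, mac = fields[0], fields[1]
        try:
            ip = ipaddress.ip_address(ip_txt)
        except ValueError:
            errors.append(f"line {lineno}: invalid published IP {ip_txt!r}")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: MAC {mac!r} must be six colon-separated hex octets")
            continue
        iface_ip = None
        if len(fields) == 3:
            try:
                iface_ip = str(ipaddress.ip_address(fields[2]))
            except ValueError:
                errors.append(f"line {lineno}: invalid interface IP {fields[2]!r}")
                continue
        # Two entries for one published IP would make the gateway's answer ambiguous.
        if ip in seen:
            errors.append(f"line {lineno}: duplicate entry for {ip}")
            continue
        seen.add(ip)
        entries.append({"ip": str(ip), "mac": mac.lower(), "iface_ip": iface_ip})
    return entries, errors


if __name__ == "__main__":
    ok, bad = parse_local_arp(SAMPLE_LOCAL_ARP)
    for e in ok:
        print("OK   ", e)
    for msg in bad:
        print("ERROR", msg)
```

On the sample, the first two lines are accepted and lines 3 to 5 are reported (bad MAC separator, out-of-range IP, and a second entry for 203.0.113.10).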

For best practices, what is the recommended time for automatic unlocking of locked admin accounts?


A. 20 minutes


B. 15 minutes


C. Admin account cannot be unlocked automatically


D. 30 minutes at least





D.
  30 minutes at least


Explanation:

For best practices, the recommended time before a locked administrator account is unlocked automatically is at least 30 minutes. Administrator accounts are locked after a configured number of failed login attempts (an administrator can also be locked manually by another administrator). Locking after repeated failures limits online password guessing against SmartConsole; unlocking too soon lets an attacker resume guessing almost immediately, while a delay of 30 minutes or more makes a brute-force attempt impractical without keeping legitimate administrators out for long. The lockout threshold and the automatic unlock interval are configured in SmartConsole under Manage & Settings > Permissions & Administrators > Advanced, with the option to unlock locked administrators after a set number of minutes. Gaia OS user accounts have a separate lockout policy, configured in the Gaia Portal or with set password-controls in clish.

Which of the following describes how Threat Extraction functions?


A. Detect threats and provides a detailed report of discovered threats.


B. Proactively detects threats.


C. Delivers file with original content.


D. Delivers PDF versions of original files with active content removed.





D.
  Delivers PDF versions of original files with active content removed.


Explanation:

Threat Extraction is a Software Blade that removes potentially malicious active content from downloaded and emailed files before delivering them to users. Active content such as macros, scripts and embedded objects is what attackers use to deliver malware or trigger vulnerabilities in document viewers. The blade has two delivery methods: it can convert the file to PDF, which discards all active content (the behaviour this question describes), or it can strip the risky elements while keeping the original file type. In either case the user receives a clean file immediately; when Threat Emulation is also enabled, the original file can be released to the user after emulation finds it benign. References: Check Point Security Expert R81 Course, Threat Extraction Administration Guide

