Pass the Checkpoint CCSE R81 156-315.81 Questions and answers with CertsForce

On R81.20, when configuring Third-Party devices to read the logs using the LEA (Log Export API), the default Log Server uses port 18184. This port can be changed using the lea_server command in expert mode. The other ports are either not related to LEA, or used for different purposes, such as 18210 for CPMI, 257 for FW1_log, and 18191 for SIC. References: [Check Point R81 Logging and Monitoring Administration Guide], [Check Point Ports Used for Communication by Various Check Point Modules]

Suspicious Activity Rules Solution

Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).

The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity rules are Firewall rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation.

References:

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer's configuration and environment settings.

References:

The features that are only supported with R81.20 Gateways and not with R77.x are described in option C:

"C. The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence."

This feature, known as Rule Base Layers, allows for greater flexibility and control in organizing and prioritizing security rules within the rule base.

Options A, B, and D do not specifically pertain to features introduced in R81.20 and are available in earlier versions as well.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

Advanced Security Checkups can be easily conducted within the Reports tab in the Logs & Monitor view in SmartConsole. The Reports tab allows you to generate and view various reports that provide insights into the security status and performance of your network. You can use predefined reports or create custom reports based on your needs. You can also schedule reports to run automatically and send them by email. Some of the predefined reports that can help you conduct advanced security checkups are:

Security Overview: This report provides a summary of the security posture of your network, including the number and severity of incidents, the top attacked hosts and services, the top attackers and attack methods, the top detected threats and vulnerabilities, etc.

Security Best Practices: This report evaluates your security configuration and policy against the Check Point best practices and provides recommendations for improvement. It covers areas such as firewall policy, NAT policy, VPN policy, identity awareness, threat prevention, etc.

Compliance Status: This report assesses your compliance level with various regulations and standards, such as PCI DSS, ISO 27001, NIST 800-53, etc. It shows the compliance score, the compliance status of each requirement, the compliance status of each gateway and blade, etc.

Network Activity: This report shows the network activity and traffic patterns on your network, including the top sources and destinations of traffic, the top protocols and applications used, the top bandwidth consumers, etc.

System Health: This report monitors the health and performance of your management server and gateways, including the CPU utilization, memory usage, disk space, network interfaces, etc. References: R81 Logging and Monitoring Administration Guide

To fully enable Dynamic Dispatcher on a Security Gateway, you need to run the following command in Expert mode then reboot:

This command sets the multi-core mode to 9, which means that Dynamic Dispatcher is enabled without Firewall Priority Queues. Dynamic Dispatcher is a feature that optimizes the performance of Security Gateways with multiple CPU cores by dynamically allocating traffic to different cores based on their load and priority. Dynamic Dispatcher can improve the throughput and scalability of the Security Gateway, especially for traffic that is not accelerated by SecureXL. The other commands are not valid or do not enable Dynamic Dispatcher. References: R81 Performance Tuning Administration Guide

Threat Simulator is not a component of Check Point SandBlast. Check Point SandBlast is a solution that provides advanced protection against zero-day threats using four components: Threat Emulation, Threat Extraction, Threat Cloud, and Threat Prevention. References: Check Point SandBlast Network

The CLI command to reset the IPS (Intrusion Prevention System) pattern matcher statistics is option D: ips pmstats reset. This command will reset the statistics related to the IPS pattern matcher.

Options A, B, and C are not the correct syntax for resetting the IPS pattern matcher statistics.

References: Check Point Certified Security Expert (CCSE) R81 documentation and learning resources.

References:

NAT rules are prioritized in the following order:

Automatic Static NAT: This is the highest priority NAT rule and it translates the source or destination IP address to a different IP address without changing the port number. It is configured in the network object properties.

Automatic Hide NAT: This is the second highest priority NAT rule and it translates the source IP address and port number to a different IP address and port number. It is configured in the network object properties.

Manual/Pre-Automatic NAT: This is the third highest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase before the automatic NAT rules.

Post-Automatic/Manual NAT rules: This is the lowest priority NAT rule and it allows you to create custom NAT rules that are not possible with automatic NAT. It is configured in the NAT policy rulebase after the automatic NAT rules.

 Threat Extraction is a technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more), rather than determining their maliciousness. By cleaning the file before it enters the organization, Threat Extraction preemptively prevents both known and unknown threats, providing better protection against zero-day attacks1. Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast2. The other options are either incorrect or irrelevant to the mechanism behind Threat Extraction. References: Threat Extraction (CDR) - Check Point Software, Check Point Document Threat Extraction Technology

 Check Point Management (cpm) is the main management process that provides the architecture for a consolidated management console. CPM allows the GUI client and management server to communicate via web services using TCP port 19009 by default. References: CPM process

The difference between an event and a log is that a log entry becomes an event when it matches any rule defined in Event Policy. A log entry is a record of a network activity that is generated by a Security Gateway or a Management Server. An event is a log entry that meets certain criteria and triggers an action or a notification. The other options are either not true or not accurate definitions of events and logs. References: Check Point R81 Logging and Monitoring Administration Guide

 When doing a Stand-Alone Installation, you would install the Security Management Server with the Security Gateway as the other Check Point architecture component. A Stand-Alone Installation is where the Security Management Server and the Security Gateway are installed on the same machine2. The other options are either not Check Point architecture components, or not suitable for a Stand-Alone Installation. References: Check Point R81 Installation and Upgrade Guide