Pass the Checkpoint CCSE R81 156-315.81 Questions and answers with CertsForce

Central Licensing is the preferred and recommended method of licensing because it simplifies the license management process and reduces the risk of license issues. Central Licensing ties to the IP address of the management server and is not dependent on the IP of any gateway in the event it changes. This means that you can easily add, remove, or replace gateways without affecting your license status. Central Licensing also allows you to view and manage all your licenses from one central location using SmartConsole or SmartUpdate. Central Licensing is supported with Gaia and is not the only option when deploying Gaia. Central Licensing does not tie to the IP address of a gateway and cannot be changed to any gateway if needed. References: Check Point R81 Licensing and Contract Administration Guide, page 7

 A star VPN community is a type of VPN community that allows a central gateway to create VPN tunnels with multiple satellite gateways or hosts, but does not allow satellite gateways or hosts to create VPN tunnels with each other. This type of community is suitable for hub-and-spoke topologies, where the central gateway acts as the hub and the satellite gateways or hosts act as the spokes. The central gateway can initiate or terminate VPN traffic to any satellite member, but the satellite members can only initiate or terminate VPN traffic to the central gateway. 

The mechanism that can ensure that the Security Gateway can communicate with the Management Server with ease in situations with overwhelmed network resources is called Management Data Plane Separation (MDPS)1. MDPS is a feature that allows a Security Gateway to have isolated Management and Data networks. The network system of each domain (plane) is independent and includes interfaces, routes, sockets, and processes. The Management Plane is a domain that accesses, provisions, and monitors the Security Gateway. The Data Plane is a domain that handles all other traffic1. MDPS has the following benefits2:

It improves the performance and stability of the Security Gateway by separating the management traffic from the data traffic.

It enhances the security of the Security Gateway by preventing any packet from crossing between the planes.

It simplifies the network configuration and troubleshooting by having separate routing tables for each plane. MDPS is supported on Check Point Appliances with R80.40 and higher versions1. It is also supported on Quantum Maestro and Quantum Scalable Chassis with R81.20 and higher versions3. MDPS can be configured using Gaia Clish commands or Gaia Portal1. References: Management Data Plane Separation (MDPS) - Check Point Software, Tip of the Week: Management Data Plane Separation - Check Point CheckMates, Management Data Plane Separation (MDPS) on Maestro R81.20 - Check Point Software

The Check Point installation history feature provides the following:

Policy Installation Date: The date and time when the policy was installed on the Security Gateway.

View install changes: The ability to view the differences between two policy versions that were installed on the Security Gateway.

Install specific version: The ability to install a specific policy version from the installation history on the Security Gateway3. References: Check Point R81 SmartConsole Guide

 The reason why the web session is being disconnected after 10 minutes is that the idle timeout for the web session is specified with the “set web session-timeout” command, not the “set inactivity-timeout” command. The “set inactivity-timeout” command only affects the CLI session, not the web session. To prevent the web session from being disconnected after 10 minutes of inactivity, you need to use the “set web session-timeout” command with a higher value than 10 minutes. References: [Check Point Security Expert R81 Administration Guide], page 77.

 The Anti-Virus feature of the Threat Prevention policy blocks traffic from infected websites by matching logs against ThreatCloud information about the reputation of the website. ThreatCloud is a collaborative network that collects and analyzes threat data from millions of sources worldwide. It assigns a reputation score to each website based on its malicious activity and behavior. If a website has a low reputation score, it is considered infected and blocked by the Anti-Virus blade. References: Training & Certification | Check Point Software, CCSE section

The process that pulls the application monitoring status from gateways is cpd1. The cpd process is responsible for the communication between the Security Management Server and the Security Gateway2. It handles tasks such as policy installation, status reporting, logging, and synchronization2. The cpd process also monitors the application status of the Security Gateway, such as CPU, memory, disk space, and processes3. The cpd process sends this information to the Security Management Server, which displays it in SmartConsole and SmartView Monitor3.

References: How to troubleshoot issues with Check Point Application Control and URL Filtering blades - Check Point Software, Processes and Daemons in Gaia OS - Check Point Software, Monitoring Device Status - Check Point Software

 To verify the CPUSE agent build, you can use either of these methods:

In WebUI Status and Actions page

By running the following command in CLISH: show installer status build The CPUSE agent build indicates the version of the CPUSE agent that is installed on the machine. The CPUSE agent is responsible for downloading, verifying, installing, and removing packages on Gaia OS. It is recommended to keep the CPUSE agent up-to-date to ensure a smooth installation and upgrade process. References: [CPUSE Agent]

CoreXL is a performance-enhancing technology that enables the Security Gateway to utilize multiple CPU cores for processing traffic. CoreXL creates multiple instances of the Firewall kernel, each running on a separate CPU core. Each Firewall instance can handle traffic concurrently and independently, applying the same security policy to the packets that are assigned to it. CoreXL does not allow different policies per core, as this would create inconsistency and complexity in the security enforcement.

The references are:

Best Practices - Security Gateway Performance

Check Point Certified Security Expert R81.20 (CCSE) Core Training, slide 16

Check Point R81 Quantum Security Gateway Guide, page 42

Authentication rules are defined for user groups, not individual users or all users in the database. Authentication rules allow you to control which user groups can access specific resources or services through the Security Gateway. You can define different authentication methods and schemes for different user groups, such as Check Point Password, OS Password, RADIUS, TACACS, SecurID, LDAP, or Certificate. You can also define different session timeouts and source restrictions for different user groups. Authentication rules are processed before the network access rules in the rule base.

 According to out of the box SmartEvent policy, the blade that will automatically be correlated into events is IPS. IPS (Intrusion Prevention System) is a blade that detects and prevents network attacks by inspecting traffic and applying signatures and protections. SmartEvent correlates IPS logs into events based on predefined event definitions, such as IPS Attack, IPS Attack High Confidence, IPS Attack Critical Confidence, etc. The other blades are not automatically correlated into events by default, but they can be added to the SmartEvent policy manually. References: [SmartEvent Policy]

 RPM upgrade is not a valid upgrade method to R81.20. RPM upgrade is a method of upgrading from R80.20.M1 to R80.20.M2 or later, but it is not supported for upgrading to R81.20. The valid upgrade methods to R81.20 are CPUSE upgrade, advanced upgrade, and upgrade with migration. References: [Check Point Security Expert R81 Installation and Upgrade Guide], page 12.

 cp.macro is an electronically signed file used by Check Point to translate the features in the license into a code. It is located in the $FWDIR/conf directory on the Security Management Server. The cp.macro file contains a list of features and their corresponding codes, which are used to generate the license file (.lic) based on the contract file (.xml). The license file (.lic) is then installed on the Security Gateway or Security Management Server to activate the licensed features. References: Check Point R81 Licensing and Contract Administration Guide, page 10

 The biggest benefit of policy layers is that they enable flexible control over the security policy. Policy layers and sub-policies allow administrators to break one policy into several virtual policies, each with its own set of rules and actions. Policy layers can be ordered, shared, and reused across different policies. Policy layers can also include Threat Prevention as a sub-policy for the firewall policy. References: [Check Point R81 Security Management Guide]

 The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities. This option lets you specify which VPN communities are allowed or denied by the rule. A VPN community is a group of VPN gateways or hosts that share the same VPN policy and keys. You can create different types of VPN communities, such as star, meshed, or remote access, depending on your network topology and security requirements. You can also use tags to group VPN gateways or hosts into logical categories.