IT Certification Guaranteed, The Easy Way!

Exam : 156-315.80

Title : Check Point Certified Security

Expert - R80

Vendor : CheckPoint

Version : V14.25

1
 IT Certification Guaranteed, The Easy Way!

NO.1 Fill in the blank: Identity Awareness AD-Query is using the Microsoft _______________ API to
learn users
from AD.
A. WMI
B. Eventvwr
C. XML
D. Services.msc
Answer: A

NO.2 With Mobile Access enabled, administrators select the web-based and native applications that
can be accessed
by remote users and define the actions that users can perform the applications. Mobile Access
encrypts all
traffic using:
A. HTTPS for web-based applications and 3DES or RC4 algorithm for native applications. For end
users to
access the native applications, they need to install the SSL. Network Extender.
B. HTTPS for web-based applications and AES or RSA algorithm for native applications. For end users
to
access the native application, they need to install the SSL. Network Extender.
C. HTTPS for web-based applications and 3DES or RC4 algorithm for native applications. For end users
to
access the native applications, no additional software is required.
D. HTTPS for web-based applications and AES or RSA algorithm for native applications. For end users
to
access the native application, no additional software is required.
Answer: A

NO.3 You need to change the number of firewall Instances used by CoreXL. How can you achieve this
goal?
A. edit fwaffinity.conf; reboot required
B. cpconfig; reboot required
C. edit fwaffinity.conf; reboot not required
D. cpconfig; reboot not required
Answer: B

NO.4 Connections to the Check Point R80 Web API use what protocol?
A. HTTPS
B. RPC
C. VPN
D. SIC
Answer: A

NO.5 Which command lists all tables in Gaia?

2
 IT Certification Guaranteed, The Easy Way!

A. fw tab -t
B. fw tab -list
C. fw-tab -s
D. fw tab -1
Answer: C

NO.6 Your manager asked you to check the status of SecureXL, and its enable templates and
features, what
command will you use to provide such information to manager?
A. fw accel stat
B. fwaccel stat
C. fw acces stats
D. fwaccel stats
Answer: B

NO.7 When installing a dedicated R80 SmartEvent server. What is the recommended size of the root
partition?
A. Any size
B. Less than 20GB
C. More than 10GB and less than 20GB
D. At least 20GB
Answer: D

NO.8 Which one of the following is true about Threat Emulation?

A. Takes less than a second to complete
B. Works on MS Office and PDF files only
C. Always delivers a file
D. Takes minutes to complete (less than 3 minutes)
Answer: D

NO.9 Which of the following is a new R80.10 Gateway feature that had not been available in R77.X
and older?
A. The rule base can be built of layers, each containing a set of the security rules. Layers are
inspected in
the order in which they are defined, allowing control over the rule base flow and which security
functionalities take precedence.
B. Limits the upload and download throughput for streaming media in the company to 1 Gbps.
C. Time object to a rule to make the rule active only during specified times.
D. Sub Policies ae sets of rules that can be created and attached to specific rules. If the rule is
matched,
inspection will continue in the sub policy attached to it rather than in the next rule.
Answer: D

3
 IT Certification Guaranteed, The Easy Way!

NO.10 After making modifications to the $CVPNDIR/conf/cvpnd.C file, how would you restart the
daemon?
A. cvpnd_restart
B. cvpnd_restart
C. cvpnd restart
D. cvpnrestart
Answer: B

NO.11 Using mgmt_cli, what is the correct syntax to import a host object called Server_1 from the
CLI?
A. mgmt_cli add-host "Server_1" ip_address "10.15.123.10" --format txt
B. mgmt_cli add host name "Server_1" ip-address "10.15.123.10" --format json
C. mgmt_cli add object-host "Server_1" ip-address "10.15.123.10" --format json
D. mgmt._cli add object "Server-1" ip-address "10.15.123.10" --format json
Answer: B
Explanation
Example:
mgmt_cli add host name "New Host 1" ip-address "192.0.2.1" --format json
* "--format json" is optional. By default the output is presented in plain text.

NO.12 In the Firewall chain mode FFF refers to:

A. Stateful Packets
B. No Match
C. All Packets
D. Stateless Packets
Answer: C

NO.13 Advanced Security Checkups can be easily conducted within:

A. Reports
B. Advanced
C. Checkups
D. Views
E. Summary
Answer: A

NO.14 Under which file is the proxy arp configuration stored?

A. $FWDIR/state/proxy_arp.conf on the management server
B. $FWDIR/conf/local.arp on the management server
C. $FWDIR/state/_tmp/proxy.arp on the security gateway
D. $FWDIR/conf/local.arp on the gateway
Answer: D

NO.15 SmartEvent has several components that function together to track security threats. What is

4
 IT Certification Guaranteed, The Easy Way!

the function of the

Correlation Unit as a component of this architecture?
A. Analyzes each log entry as it arrives at the log server according to the Event Policy. When a threat
pattern is identified, an event is forwarded to the SmartEvent Server.
B. Correlates all the identified threats with the consolidation policy.
C. Collects syslog data from third party devices and saves them to the database.
D. Connects with the SmartEvent Client when generating threat reports.
Answer: A

NO.16 In ClusterXL Load Sharing Multicast Mode:

A. only the primary member received packets sent to the cluster IP address
B. only the secondary member receives packets sent to the cluster IP address
C. packets sent to the cluster IP address are distributed equally between all members of the cluster
D. every member of the cluster received all of the packets sent to the cluster IP address
Answer: D

NO.17 Which TCP-port does CPM process listen to?

A. 18191
B. 18190
C. 8983
D. 19009
Answer: D

NO.18 The CPD daemon is a Firewall Kernel Process that does NOT do which of the following?
A. Secure Internal Communication (SIC)
B. Restart Daemons if they fail
C. Transfers messages between Firewall processes
D. Pulls application monitoring status
Answer: D

NO.19 Which statement is correct about the Sticky Decision Function?

A. It is not supported with either the Performance pack of a hardware based accelerator card
B. Does not support SPI's when configured for Load Sharing
C. It is automatically disabled if the Mobile Access Software Blade is enabled on the cluster
D. It is not required L2TP traffic
Answer: A

NO.20 Which of the following commands shows the status of processes?

A. cpwd_admin -l
B. cpwd -l
C. cpwd admin_list
D. cpwd_admin list
Answer: D

5
 IT Certification Guaranteed, The Easy Way!

NO.21 The essential means by which state synchronization works to provide failover in the event an
active member
goes down, ____________ is used specifically for clustered environments to allow gateways to report
their
own state and learn about the states of other members in the cluster.
A. ccp
B. cphaconf
C. cphad
D. cphastart
Answer: A

NO.22 John is using Management HA. Which Smartcenter should be connected to for making
changes?
A. secondary Smartcenter
B. active Smartenter
C. connect virtual IP of Smartcenter HA
D. primary Smartcenter
Answer: B

NO.23 What happen when IPS profile is set in Detect Only Mode for troubleshooting?
A. It will generate Geo-Protection traffic
B. Automatically uploads debugging logs to Check Point Support Center
C. It will not block malicious traffic
D. Bypass licenses requirement for Geo-Protection control
Answer: C
Explanation
It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial
installation of
IPS. This option overrides any protections that are set to Prevent so that they will not block any
traffic.
During this time you can analyze the alerts that IPS generates to see how IPS will handle network
traffic,
while avoiding any impact on the flow of traffic.

NO.24 During inspection of your Threat Prevention logs you find four different computers having
one event each
with a Critical Severity. Which of those hosts should you try to remediate first?
A. Host having a Critical event found by Threat Emulation
B. Host having a Critical event found by IPS
C. Host having a Critical event found by Antivirus
D. Host having a Critical event found by Anti-Bot
Answer: D

6
 IT Certification Guaranteed, The Easy Way!

NO.25 You are investigating issues with to gateway cluster members are not able to establish the
first initial cluster
synchronization. What service is used by the PWO daemon to do a Full Synchronization?
A. TCP port 443
B. TCP port 257
C. TCP port 256
D. UDP port 8116
Answer: C

NO.26 For best practices, what is the recommended time for automatic unlocking of locked admin
accounts?
A. 20 minutes
B. 15 minutes
C. Admin account cannot be unlocked automatically
D. 30 minutes at least
Answer: D

NO.27 Which two of these Check Point Protocols are used by SmartEvent Processes?
A. ELA and CPD
B. FWD and LEA
C. FWD and CPLOG
D. ELA and CPLOG
Answer: D

NO.28 During the Check Point Stateful Inspection Process, for packets that do not pass Firewall
Kernel Inspection
and are rejected by the rule definition, packets are:
A. Dropped without sending a negative acknowledgment
B. Dropped without logs and without sending a negative acknowledgment
C. Dropped with negative acknowledgment
D. Dropped with logs and without sending a negative acknowledgment
Answer: D

NO.29 What is the purpose of extended master key extension/session hash?

A. UDP VOIP protocol extension
B. In case of TLS1.x it is a prevention of a Man-in-the-Middle attack/disclosure of the client-server
communication
C. Special TCP handshaking extension
D. Supplement DLP data watermark
Answer: B

NO.30 Which command shows the current connections distributed by CoreXL FW instances?
A. fw ctl multik stat

7
 IT Certification Guaranteed, The Easy Way!

B. fw ctl affinity -l
C. fw ctl instances -v
D. fw ctl iflist
Answer: A

NO.31 Which of the following will NOT affect acceleration?

A. Connections destined to or originated from the Security gateway
B. A 5-tuple match
C. Multicast packets
D. Connections that have a Handler (ICMP, FTP, H.323, etc.)
Answer: B

NO.32 Which GUI client is supported in R80?

A. SmartProvisioning
B. SmartView Tracker
C. SmartView Monitor
D. SmartLog
Answer: C

NO.33 What is the difference between SSL VPN and IPSec VPN?
A. IPSec VPN does not require installation of a resilient VPN client.
B. SSL VPN requires installation of a resident VPN client.
C. SSL VPN and IPSec VPN are the same.
D. IPSec VPN requires installation of a resident VPN client and SSL VPN requires only an installed
Browser.
Answer: D

NO.34 Automation and Orchestration differ in that:

A. Automation relates to codifying tasks, whereas orchestration relates to codifying processes.
B. Automation involves the process of coordinating an exchange of information through web service
interactions such as XML and JSON, but orchestration does not involve processes.
C. Orchestration is concerned with executing a single task, whereas automation takes a series of
tasks and
puts them all together into a process workflow.
D. Orchestration relates to codifying tasks, whereas automation relates to codifying processes.
Answer: A

NO.35 Which statement is true regarding redundancy?

A. System Administrators know their cluster has failed over and can also see why it failed over by
using
the cphaprob -f if command.
B. ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
C. Machines in a ClusterXL High Availability configuration must be synchronized.

8
 IT Certification Guaranteed, The Easy Way!

D. Both ClusterXL and VRRP are fully supported by Gaia and available to all Check Point appliances,
open servers, and virtualized environments.
Answer: D

NO.36 What is the SandBlast Agent designed to do?

A. Performs OS-level sandboxing for SandBlast Cloud architecture
B. Ensure the Check Point SandBlast services is running on the end user's system
C. If malware enters an end user's system, the SandBlast Agent prevents the malware from spreading
with
the network
D. Clean up email sent with malicious attachments
Answer: C

NO.37 What API command below creates a new host with the name "New Host" and IP address of
"192.168.0.10"?
A. new host name "New Host" ip-address "192.168.0.10"
B. set host name "New Host" ip-address "192.168.0.10"
C. create host name "New Host" ip-address "192.168.0.10"
D. add host name "New Host" ip-address "192.168.0.10"
Answer: D

NO.38 SmartConsole R80 requires the following ports to be open for SmartEvent R80 management:
A. 19090,22
B. 19190,22
C. 18190,80
D. 19009,443
Answer: D

NO.39 How many images are included with Check Point TE appliance in Recommended Mode?
A. 2(OS) images
B. images are chosen by administrator during installation
C. as many as licensed for
D. the most new image
Answer: A

NO.40 You have existing dbedit scripts from R77. Can you use them with R80.10?
A. dbedit is not supported in R80.10
B. dbedit is fully supported in R80.10
C. You can use dbedit to modify threat prevention or access policies, but not create or modify layers
D. dbedit scripts are being replaced by mgmt_cli in R80.10
Answer: D

NO.41 What is not a component of Check Point SandBlast?

9
 IT Certification Guaranteed, The Easy Way!

A. Threat Emulation
B. Threat Simulator
C. Threat Extraction
D. Threat Cloud
Answer: B

NO.42 What command verifies that the API server is responding?

A. api stat
B. api status
C. show api_status
D. app_get_status
Answer: B

NO.43 When an encrypted packet is decrypted, where does this happen?

A. Security policy
B. Inbound chain
C. Outbound chain
D. Decryption is not supported
Answer: A

NO.44 Check Point recommends configuring Disk Space Management parameters to delete old log
entries when
available disk space is less than or equal to?
A. 50%
B. 75%
C. 80%
D. 15%
Answer: D

NO.45 To help SmartEvent determine whether events originated internally you must define using
the Initial Settings
under General Settings in the Policy Tab. How many options are available to calculate the traffic
direction?
A. 5 Network; Host; Objects; Services; API
B. 3 Incoming; Outgoing; Network
C. 2 Internal; External
D. 4 Incoming; Outgoing; Internal; Other
Answer: D

NO.46 When simulating a problem on ClusterXL cluster with cphaprob -d STOP -s problem -t 0
register, to initiate a
failover on an active cluster member, what command allows you remove the problematic state?
A. cphaprob -d STOP unregister

10
 IT Certification Guaranteed, The Easy Way!

B. cphaprob STOP unregister

C. cphaprob unregister STOP
D. cphaprob -d unregister STOP
Answer: A

NO.47 VPN Link Selection will perform the following when the primary VPN link goes down?
A. The Firewall will drop the packets.
B. The Firewall can update the Link Selection entries to start using a different link for the same
tunnel.
C. The Firewall will send out the packet on all interfaces.
D. The Firewall will inform the client that the tunnel is down.
Answer: B

NO.48 What processes does CPM control?

A. Object-Store, Database changes, CPM Process and web-services
B. web-services, CPMI process, DLEserver, CPM process
C. DLEServer, Object-Store, CP Process and database changes
D. web_services, dle_server and object_Store
Answer: D

NO.49 SSL Network Extender (SNX) is a thin SSL VPN on-demand client that is installed on the
remote user's
machine via the web browser. What are the two modes of SNX?
A. Application and Client Service
B. Network and Application
C. Network and Layers
D. Virtual Adapter and Mobile App
Answer: B

NO.50 What is correct statement about Security Gateway and Security Management Server failover
in Check Point
R80.X in terms of Check Point Redundancy driven solution?
A. Security Gateway failover is an automatic procedure but Security Management Server failover is a
manual procedure.
B. Security Gateway failover as well as Security Management Server failover is a manual procedure.
C. Security Gateway failover is a manual procedure but Security Management Server failover is an
automatic procedure.
D. Security Gateway failover as well as Security Management Server failover is an automatic
procedure.
Answer: A

NO.51 Tom has been tasked to install Check Point R80 in a distributed deployment. Before Tom
installs the systems
this way, how many machines will he need if he does NOT include a SmartConsole machine in his

11
 IT Certification Guaranteed, The Easy Way!

calculations?
A. One machine, but it needs to be installed using SecurePlatform for compatibility purposes.
B. One machine
C. Two machines
D. Three machines
Answer: C
Explanation
One for Security Management Server and the other one for the Security Gateway.

NO.52 What are the different command sources that allow you to communicate with the API server
?
A. SmartView Monitor, API_cli Tool, Gaia CLI, Web Services
B. SmartConsole GUI Console, mgmt._cli Tool, Gaia CLI, Web Services
C. SmartConsole GUI Console, API_cli Tool, Gaia CLI, Web Services
D. API_cli Tool, Gaia CLI, Web Services
Answer: B

NO.53 Which is not a blade option when configuring SmartEvent?

A. Correlation Unit
B. SmartEvent Unit
C. SmartEvent Server
D. Log Server
Answer: B
Explanation
On the Management tab, enable these Software Blades:

NO.54 Please choose correct command to add an "emailserver1" host with IP address 10.50.23.90
using GAiA
management CLI?
A. host name myHost12 ip-address 10.50.23.90
B. mgmt: add host name ip-address 10.50.23.90
C. add host name emailserver1 ip-address 10.50.23.90
D. mgmt: add host name emailserver1 ip-address 10.50.23.90
Answer: D

NO.55 What is true of the API server on R80.10?

A. By default the API-server is activated and does not have hardware requirements.
B. By default the API-server is not active and should be activated from the WebUI.
C. By default the API server is active on management and stand-alone servers with 16GB of RAM (or
more).
D. By default, the API server is active on management servers with 4 GB of RAM (or more) and on
stand-alone servers with 8GB of RAM (or more).
Answer: D

12
 IT Certification Guaranteed, The Easy Way!

NO.56 When gathering information about a gateway using CPINFO, what information is included or
excluded when
using the "-x" parameter?
A. Includes the registry
B. Gets information about the specified Virtual System
C. Does not resolve network addresses
D. Output excludes connection table
Answer: B

NO.57 Which configuration file contains the structure of the Security Server showing the port
numbers,
corresponding protocol name, and status?
A. $FWDIR/database/fwauthd.conf
B. $FWDIR/conf/fwauth.conf
C. $FWDIR/conf/fwauthd.conf
D. $FWDIR/state/fwauthd.conf
Answer: C

NO.58 Fill in the blank: The "fw monitor" tool can be best used to troubleshoot
____________________.
A. AV issues
B. VPN errors
C. Network issues
D. Authentication issues
Answer: C

NO.59 What command can you use to have cpinfo display all installed hotfixes?
A. cpinfo -hf
B. cpinfo -y all
C. cpinfo -get hf
D. cpinfo installed_jumbo
Answer: B

NO.60 You want to gather and analyze threats to your mobile device. It has to be a lightweight app.
Which
application would you use?
A. SmartEvent Client Info
B. SecuRemote
C. Check Point Protect
D. Check Point Capsule Cloud
Answer: C

NO.61 Which directory below contains log files?

13
 IT Certification Guaranteed, The Easy Way!

A. /opt/CPSmartlog-R80/log
B. /opt/CPshrd-R80/log
C. /opt/CPsuite-R80/fw1/log
D. /opt/CPsuite-R80/log
Answer: C

NO.62 What is the correct command to observe the Sync traffic in a VRRP environment?
A. fw monitor -e "accept[12:4,b]=224.0.0.18;"
B. fw monitor -e "accept(6118;"
C. fw monitor -e "accept proto=mcVRRP;"
D. fw monitor -e "accept dst=224.0.0.18;"
Answer: D

NO.63 The Firewall Administrator is required to create 100 new host objects with different IP
addresses. What API
command can he use in the script to achieve the requirement?
A. add host name <New HostName> ip-address <ip address>
B. add hostname <New HostName> ip-address <ip address>
C. set host name <New HostName> ip-address <ip address>
D. set hostname <New HostName> ip-address <ip address>
Answer: A

NO.64 Which command shows detailed information about VPN tunnels?

A. cat $FWDIR/conf/vpn.conf
B. vpn tu tlist
C. vpn tu
D. cpview
Answer: B

NO.65 What is the purpose of Priority Delta in VRRP?

A. When a box up, Effective Priority = Priority + Priority Delta
B. When an Interface is up, Effective Priority = Priority + Priority Delta
C. When an Interface fail, Effective Priority = Priority - Priority Delta
D. When a box fail, Effective Priority = Priority - Priority Delta
Answer: C
Explanation
Each instance of VRRP running on a supported interface may monitor the link state of other
interfaces. The
monitored interfaces do not have to be running VRRP.
If a monitored interface loses its link state, then VRRP will decrement its priority over a VRID by the
specified delta value and then will send out a new VRRP HELLO packet. If the new effective priority is
less
than the priority a backup platform has, then the backup platform will beging to send out its own

14
 IT Certification Guaranteed, The Easy Way!

HELLO
packet.
Once the master sees this packet with a priority greater than its own, then it releases the VIP.

NO.66 Using Threat Emulation technologies, what is the best way to block .exe and .bat file types?
A. enable DLP and select.exe and .bat file type
B. enable .exe & .bat protection in IPS Policy
C. create FW rule for particular protocol
D. tecli advanced attributes set prohibited_file_types exe.bat
Answer: A

NO.67 John detected high load on sync interface. Which is most recommended solution?
A. For short connections like http service - delay sync for 2 seconds
B. Add a second interface to handle sync traffic
C. For short connections like http service - do not sync
D. For short connections like icmp service - delay sync for 2 seconds
Answer: A

NO.68 Which of the following process pulls application monitoring status?

A. fwd
B. fwm
C. cpwd
D. cpd
Answer: D

NO.69 What is the name of the secure application for Mail/Calendar for mobile devices?
A. Capsule Workspace
B. Capsule Mail
C. Capsule VPN
D. Secure Workspace
Answer: A

NO.70 In R80.10, how do you manage your Mobile Access Policy?

A. Through the Unified Policy
B. Through the Mobile Console
C. From SmartDashboard
D. From the Dedicated Mobility Tab
Answer: A

NO.71 R80.10 management server can manage gateways with which versions installed?
A. Versions R77 and higher
B. Versions R76 and higher
C. Versions R75.20 and higher

15
 IT Certification Guaranteed, The Easy Way!

D. Versions R75 and higher

Answer: C

NO.72 Using ClusterXL, what statement is true about the Sticky Decision Function?
A. Can only be changed for Load Sharing implementations
B. All connections are processed and synchronized by the pivot
C. Is configured using cpconfig
D. Is only relevant when using SecureXL
Answer: A

NO.73 Check Pont Central Deployment Tool (CDT) communicates with the Security Gateway /
Cluster Members
over Check Point SIC _____________ .
A. TCP Port 18190
B. TCP Port 18209
C. TCP Port 19009
D. TCP Port 18191
Answer: D

NO.74 How often does Threat Emulation download packages by default?

A. Once a week
B. Once an hour
C. Twice per day
D. Once per day
Answer: D

NO.75 An administrator would like to troubleshoot why templating is not working for some traffic.
How can he
determine at which rule templating is disabled?
A. He can use the fw accel stat command on the gateway.
B. He can use the fw accel statistics command on the gateway.
C. He can use the fwaccel stat command on the Security Management Server.
D. He can use the fwaccel stat command on the gateway
Answer: D

NO.76 You notice that your firewall is under a DDoS attack and would like to enable the Penalty Box
feature, which
command you use?
A. sim erdos -e 1
B. sim erdos - m 1
C. sim erdos -v 1
D. sim erdos -x 1
Answer: A

16
 IT Certification Guaranteed, The Easy Way!

NO.77 SmartEvent does NOT use which of the following procedures to identify events:
A. Matching a log against each event definition
B. Create an event candidate
C. Matching a log against local exclusions
D. Matching a log against global exclusions
Answer: C
Explanation
Events are detected by the SmartEvent Correlation Unit. The Correlation Unit task is to scan logs for
criteria
that match an Event Definition. SmartEvent uses these procedures to identify events:
* Matching a Log Against Global Exclusions
* Matching a Log Against Each Event Definition
* Creating an Event Candidate
* When a Candidate Becomes an Event

NO.78 As a valid Mobile Access Method, what feature provides Capsule Connect/VPN?
A. That is used to deploy the mobile device as a generator of one-time passwords for authenticating
to an
RSA Authentication Manager.
B. Fill Layer4 VPN -SSL VPN that gives users network access to all mobile applications.
C. Full Layer3 VPN -IPSec VPN that gives users network access to all mobile applications.
D. You can make sure that documents are sent to the intended recipients only.
Answer: C

NO.79 In R80 spoofing is defined as a method of:

A. Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
B. Hiding your firewall from unauthorized users.
C. Detecting people using false or wrong authentication logins
D. Making packets appear as if they come from an authorized IP address.
Answer: D
Explanation
IP spoofing replaces the untrusted source IP address with a fake, trusted one, to hijack connections to
your
network. Attackers use IP spoofing to send malware and bots to your protected network, to execute
DoS
attacks, or to gain unauthorized access.

NO.80 Which file gives you a list of all security servers in use, including port number?
A. $FWDIR/conf/conf.conf
B. $FWDIR/conf/servers.conf
C. $FWDIR/conf/fwauthd.conf
D. $FWDIR/conf/serversd.conf
Answer: C

17
 IT Certification Guaranteed, The Easy Way!

NO.81 SecureXL improves non-encrypted firewall traffic throughput and encrypted VPN traffic
throughput.
A. This statement is true because SecureXL does improve all traffic.
B. This statement is false because SecureXL does not improve this traffic but CoreXL does.
C. This statement is true because SecureXL does improve this traffic.
D. This statement is false because encrypted traffic cannot be inspected.
Answer: C
Explanation
SecureXL improved non-encrypted firewall traffic throughput, and encrypted VPN traffic throughput,
by
nearly an order-of-magnitude- particularly for small packets flowing in long duration connections.

NO.82 Which remote Access Solution is clientless?

A. Checkpoint Mobile
B. Endpoint Security Suite
C. SecuRemote
D. Mobile Access Portal
Answer: D

NO.83 To fully enable Dynamic Dispatcher on a Security Gateway:

A. run fw ctl multik set_mode 9 in Expert mode and then Reboot.
B. Using cpconfig, update the Dynamic Dispatcher value to "full" under the CoreXL menu.
C. Edit/proc/interrupts to include multik set_mode 1 at the bottom of the file, save, and reboot.
D. run fw multik set_mode 1 in Expert mode and then reboot.
Answer: A

NO.84 What is true about VRRP implementations?

A. VRRP membership is enabled in cpconfig
B. VRRP can be used together with ClusterXL, but with degraded performance
C. You cannot have a standalone deployment
D. You cannot have different VRIDs in the same physical network
Answer: C

NO.85 The Event List within the Event tab contains:

A. a list of options available for running a query.
B. the top events, destinations, sources, and users of the query results, either as a chart or in a tallied
list.
C. events generated by a query.
D. the details of a selected event.
Answer: C

NO.86 What will SmartEvent automatically define as events?

18
 IT Certification Guaranteed, The Easy Way!

A. Firewall
B. VPN
C. IPS
D. HTTPS
Answer: C

NO.87 Identify the API that is not supported by Check Point currently.
A. R80 Management API
B. Identity Awareness Web Services API
C. Open REST API
D. OPSEC SDK
Answer: C

NO.88 Which of the following statements is TRUE about R80 management plug-ins?
A. The plug-in is a package installed on the Security Gateway.
B. Installing a management plug-in requires a Snapshot, just like any upgrade process.
C. A management plug-in interacts with a Security Management Server to provide new features and
support for new products.
D. Using a plug-in offers full central management only if special licensing is applied to specific
features of
the plug-in.
Answer: C

NO.89 What is a best practice before starting to troubleshoot using the "fw monitor" tool?
A. Run the command: fw monitor debug on
B. Clear the connections table
C. Disable CoreXL
D. Disable SecureXL
Answer: D

NO.90 What is a feature that enables VPN connections to successfully maintain a private and secure
VPN session
without employing Stateful Inspection?
A. Stateful Mode
B. VPN Routing Mode
C. Wire Mode
D. Stateless Mode
Answer: C
Explanation
Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing
Security Gateway enforcement. This improves performance and reduces downtime. Based on a
trusted source
and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and

19
 IT Certification Guaranteed, The Easy Way!

secure
VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place,
dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can
now be
deployed. The VPN connection is no different from any other connections along a dedicated wire,
thus the
meaning of "Wire Mode".

NO.91 You want to store the GAIA configuration in a file for later reference. What command should
you use?
A. write mem <filename>
B. show config -f <filename>
C. save config -o <filename>
D. save configuration <filename>
Answer: D

NO.92 What command would show the API server status?

A. cpm status
B. api restart
C. api status
D. show api status
Answer: C

NO.93 What is the limitation of employing Sticky Decision Function?

A. With SDF enabled, the involved VPN Gateways only supports IKEv1
B. Acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF
C. With SDF enabled, only ClusterXL in legacy mode is supported
D. With SDF enabled, you can only have three Sync interfaces at most
Answer: B

NO.94 Which is the least ideal Synchronization Status for Security Management Server High
Availability
deployment?
A. Synchronized
B. Never been synchronized
C. Lagging
D. Collision
Answer: D

NO.95 Check Point APIs allow system engineers and developers to make changes to their
organization's security
policy with CLI tools and Web Services for all the following except:
A. Create new dashboards to manage 3rd party task
B. Create products that use and enhance 3rd party solutions

20
 IT Certification Guaranteed, The Easy Way!

C. Execute automated scripts to perform common tasks

D. Create products that use and enhance the Check Point Solution
Answer: A
Explanation
Check Point APIs let system administrators and developers make changes to the security policy with
CLI tools
and web-services. You can use an API to:
* Use an automated script to perform common tasks
* Integrate Check Point products with 3rd party solutions
* Create products that use and enhance the Check Point solution

NO.96 Which of the SecureXL templates are enabled by default on Security Gateway?
A. Accept
B. Drop
C. NAT
D. None
Answer: D

NO.97 What is considered Hybrid Emulation Mode?

A. Manual configuration of file types on emulation location.
B. Load sharing of emulation between an on premise appliance and the cloud.
C. Load sharing between OS behavior and CPU Level emulation.
D. High availability between the local SandBlast appliance and the cloud.
Answer: B

NO.98 Where do you create and modify the Mobile Access policy in R80?
A. SmartConsole
B. SmartMonitor
C. SmartEndpoint
D. SmartDashboard
Answer: A

NO.99 What is mandatory for ClusterXL to work properly?

A. The number of cores must be the same on every participating cluster node
B. The Magic MAC number must be unique per cluster node
C. The Sync interface must not have an IP address configured
D. If you have "Non-monitored Private" interfaces, the number of those interfaces must be the same
on all
cluster members
Answer: B

NO.100 With SecureXL enabled, accelerated packets will pass through the following:
A. Network Interface Card, OSI Network Layer, OS IP Stack, and the Acceleration Device
B. Network Interface Card, Check Point Firewall Kernal, and the Acceleration Device

21
 IT Certification Guaranteed, The Easy Way!

C. Network Interface Card and the Acceleration Device

D. Network Interface Card, OSI Network Layer, and the Acceleration Device
Answer: C

NO.101 Which command is used to set the CCP protocol to Multicast?

A. cphaprob set_ccp multicast
B. cphaconf set_ccp multicast
C. cphaconf set_ccp no_broadcast
D. cphaprob set_ccp no_broadcast
Answer: B

NO.102 SandBlast Mobile identifies threats in mobile devices by using on-device, network, and
cloud-based
algorithms and has four dedicated components that constantly work together to protect mobile
devices and
their data. Which component is NOT part of the SandBlast Mobile solution?
A. Management Dashboard
B. Gateway
C. Personal User Storage
D. Behavior Risk Engine
Answer: C

NO.103 What is the most recommended way to install patches and hotfixes?
A. CPUSE Check Point Update Service Engine
B. rpm-Uv
C. Software Update Service
D. UnixinstallScript
Answer: A

NO.104 Selecting an event displays its configurable properties in the Detail pane and a description of
the event in the
Description pane. Which is NOT an option to adjust or configure?
A. Severity
B. Automatic reactions
C. Policy
D. Threshold
Answer: C

NO.105 Check Point Management (cpm) is the main management process in that it provides the
architecture for a
consolidated management console. It empowers the migration from legacy Client-side logic to
Server-side
logic. The cpm process:
A. Allow GUI Client and management server to communicate via TCP Port 19001

22
 IT Certification Guaranteed, The Easy Way!

B. Allow GUI Client and management server to communicate via TCP Port 18191
C. Performs database tasks such as creating, deleting, and modifying objects and compiling policy.
D. Performs database tasks such as creating, deleting, and modifying objects as well as policy code
generation.
Answer: C

NO.106 What is the benefit of "tw monitor" over "tcpdump"?

A. "fw monitor" reveals Layer 2 information, while "tcpdump" acts at Layer 3.
B. "fw monitor" is also available for 64-Bit operating systems.
C. With "fw monitor", you can see the inspection points, which cannot be seen in "tcpdump"
D. "fw monitor" can be used from the CLI of the Management Server to collect information from
multiple
gateways.
Answer: C

NO.107 Which method below is NOT one of the ways to communicate using the Management API's?
A. Typing API commands using the "mgmt_cli" command
B. Typing API commands from a dialog box inside the SmartConsole GUI application
C. Typing API commands using Gaia's secure shell(clish)19+
D. Sending API commands over an http connection using web-services
Answer: D

NO.108 What are the three components for Check Point Capsule?
A. Capsule Docs, Capsule Cloud, Capsule Connect
B. Capsule Workspace, Capsule Cloud, Capsule Connect
C. Capsule Workspace, Capsule Docs, Capsule Connect
D. Capsule Workspace, Capsule Docs, Capsule Cloud
Answer: D

NO.109 You can select the file types that are sent for emulation for all the Threat Prevention
profiles. Each profile
defines a(n) _____ or ______ action for the file types.
A. Inspect/Bypass
B. Inspect/Prevent
C. Prevent/Bypass
D. Detect/Bypass
Answer: A

NO.110 As an administrator, you may be required to add the company logo to reports. To do this,
you would save the
logo as a PNG file with the name 'cover-company-logo.png' and then copy that image file to which
directory
on the SmartEvent server?

23
 IT Certification Guaranteed, The Easy Way!

A. SFWDIR/smartevent/conf
B. $RTDIR/smartevent/conf
C. $RTDIR/smartview/conf
D. $FWDIR/smartview/conf
Answer: C

NO.111 When setting up an externally managed log server, what is one item that will not be
configured on the R80
Security Management Server?
A. IP
B. SIC
C. NAT
D. FQDN
Answer: C

NO.112 The Security Gateway is installed on GAIA R80. The default port for the Web User interface
is ______.
A. TCP 18211
B. TCP 257
C. TCP 4433
D. TCP 443
Answer: D

NO.113 Which file contains the host address to be published, the MAC address that needs to be
associated with the IP
Address, and the unique IP of the interface that responds to ARP request?
A. /opt/CPshrd-R80/conf/local.arp
B. /var/opt/CPshrd-R80/conf/local.arp
C. $CPDIR/conf/local.arp
D. $FWDIR/conf/local.arp
Answer: D

NO.114 The fwd process on the Security Gateway sends logs to the fwd process on the Management
Server via which
2 processes?
A. fwd via cpm
B. fwm via fwd
C. cpm via cpd
D. fwd via cpd
Answer: A

NO.115 On R80.10 when configuring Third-Party devices to read the logs using the LEA (Log Export
API) the default

24
 IT Certification Guaranteed, The Easy Way!

Log Server uses port:

A. 18210
B. 18184
C. 257
D. 18191
Answer: B

NO.116 You find one of your cluster gateways showing "Down" when you run the "cphaprob stat"
command. You
then run the "clusterXL_admin up" on the down member but unfortunately the member continues to
show
down. What command do you run to determine the cause?
A. cphaprob -f register
B. cphaprob -d -s report
C. cpstat -f all
D. cphaprob -a list
Answer: D

NO.117 To ensure that VMAC mode is enabled, which CLI command should you run on all cluster
members?
A. fw ctl set int fwha vmac global param enabled
B. fw ctl get int vmac global param enabled; result of command should return value 1
C. cphaprob-a if
D. fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1
Answer: D

NO.118 What has to be taken into consideration when configuring Management HA?
A. The Database revisions will not be synchronized between the management servers
B. SmartConsole must be closed prior to synchronized changes in the objects database
C. If you wanted to use Full Connectivity Upgrade, you must change the Implied Rules to allow
FW1_cpredundant to pass before the Firewall Control Connections.
D. For Management Server synchronization, only External Virtual Switches are supported. So, if you
wanted to employ Virtual Routers instead, you have to reconsider your design.
Answer: A

NO.119 What makes Anti-Bot unique compared to other Threat Prevention mechanisms, such as
URL Filtering,
Anti-Virus, IPS, and Threat Emulation?
A. Anti-Bot is the only countermeasure against unknown malware
B. Anti-Bot is the only protection mechanism which starts a counter-attack against known Command
&
Control Centers
C. Anti-Bot is the only signature-based method of malware protection.

25
 IT Certification Guaranteed, The Easy Way!

D. Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection

to a
Command & Control Center.
Answer: D

NO.120 The SmartEvent R80 Web application for real-time event monitoring is called:
A. SmartView Monitor
B. SmartEventWeb
C. There is no Web application for SmartEvent
D. SmartView
Answer: B

NO.121 Which statement is true about ClusterXL?

A. Supports Dynamic Routing (Unicast and Multicast)
B. Supports Dynamic Routing (Unicast Only)
C. Supports Dynamic Routing (Multicast Only)
D. Does not support Dynamic Routing
Answer: A

NO.122 Which command will allow you to see the interface status?
A. cphaprob interface
B. cphaprob -I interface
C. cphaprob -a if
D. cphaprob stat
Answer: C

NO.123 Which of the following describes how Threat Extraction functions?

A. Detect threats and provides a detailed report of discovered threats.
B. Proactively detects threats.
C. Delivers file with original content.
D. Delivers PDF versions of original files with active content removed.
Answer: B

NO.124 Which of the following is NOT a component of Check Point Capsule?

A. Capsule Docs
B. Capsule Cloud
C. Capsule Enterprise
D. Capsule Workspace
Answer: C

NO.125 The Firewall kernel is replicated multiple times, therefore:

A. The Firewall kernel only touches the packet if the connection is accelerated
B. The Firewall can run different policies per core

26
 IT Certification Guaranteed, The Easy Way!

C. The Firewall kernel is replicated only with new connections and deletes itself once the connection
times
out
D. The Firewall can run the same policy on all cores.
Answer: D
Explanation
On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each
replicated
copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each
instance
is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in
the
Security Gateway process traffic through the same interfaces and apply the same security policy.

NO.126 What is the protocol and port used for Health Check and State Synchronization in ClusterXL?
A. CCP and 18190
B. CCP and 257
C. CCP and 8116
D. CPC and 8116
Answer: C

NO.127 Which encryption algorithm is the least secured?

A. AES-128
B. AES-256
C. DES
D. 3DES
Answer: C

NO.128 Fill in the blank: The command ___________ provides the most complete restoration of a
R80 configuration.
A. upgrade_import
B. cpconfig
C. fwm dbimport -p <export file>
D. cpinfo -recover
Answer: A

NO.129 Which command would disable a Cluster Member permanently?

A. clusterXL_admin down
B. cphaprob_admin down
C. clusterXL_admin down-p
D. set clusterXL down-p
Answer: C

NO.130 Which is NOT an example of a Check Point API?

27
 IT Certification Guaranteed, The Easy Way!

A. Gateway API
B. Management API
C. OPSC SDK
D. Threat Prevention API
Answer: A

NO.131 What SmartEvent component creates events?

A. Consolidation Policy
B. Correlation Unit
C. SmartEvent Policy
D. SmartEvent GUI
Answer: B

NO.132 Vanessa is firewall administrator in her company. Her company is using Check Point firewall
on a central and
several remote locations which are managed centrally by R77.30 Security Management Server. On
central
location is installed R77.30 Gateway on Open server. Remote locations are using Check Point UTM-
1570
series appliances with R75.30 and some of them are using a UTM-1-Edge-X or Edge-W with latest
available
firmware. She is in process of migrating to R80.
What can cause Vanessa unnecessary problems, if she didn't check all requirements for migration to
R80?
A. Missing an installed R77.20 Add-on on Security Management Server
B. Unsupported firmware on UTM-1 Edge-W appliance
C. Unsupported version on UTM-1 570 series appliance
D. Unsupported appliances on remote locations
Answer: A

NO.133 Which command collects diagnostic data for analyzing customer setup remotely?
A. cpinfo
B. migrate export
C. sysinfo
D. cpview
Answer: A
Explanation
CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time
of
execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for
uploading
files to Check Point servers).
The CPInfo output file allows analyzing customer setups from a remote location. Check Point support
engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies

28
 IT Certification Guaranteed, The Easy Way!

and
Objects. This allows the in-depth analysis of customer's configuration and environment settings.

NO.134 Fill in the blank: The tool ________ generates a R80 Security Gateway configuration report.
A. infoCP
B. infoview
C. cpinfo
D. fw cpinfo
Answer: C

NO.135 Session unique identifiers are passed to the web api using which http header option?
A. X-chkp-sid
B. Accept-Charset
C. Proxy-Authorization
D. Application
Answer: C

NO.136 In SmartEvent, what are different types of automatic reactions that the administrator can
configure?
A. Mail, Block Source, Block Event Activity, External Script, SNMP Trap
B. Mail, Block Source, Block Destination, Block Services, SNMP Trap
C. Mail, Block Source, Block Destination, External Script, SNMP Trap
D. Mail, Block Source, Block Event Activity, Packet Capture, SNMP Trap
Answer: A

NO.137 What kind of information would you expect to see using the sim affinity command?
A. The VMACs used in a Security Gateway cluster
B. The involved firewall kernel modules in inbound and outbound packet chain
C. Overview over SecureXL templated connections
D. Network interfaces and core distribution used for CoreXL
Answer: D

NO.138 You noticed that CPU cores on the Security Gateway are usually 100% utilized and many
packets were
dropped. You don't have a budget to perform a hardware upgrade at this time. To optimize drops you
decide to
use Priorities Queues and fully enable Dynamic Dispatcher. How can you enable them?
A. fw ctl multik dynamic_dispatching on
B. fw ctl multik dynamic_dispatching set_mode 9
C. fw ctl multik set_mode 9
D. fw ctl multik pq enable
Answer: C

NO.139 Which web services protocol is used to communicate to the Check Point R80 Identity

29
 IT Certification Guaranteed, The Easy Way!

Awareness Web API?

A. SOAP
B. REST
C. XLANG
D. XML-RPC
Answer: B
Explanation
The Identity Web API uses the REST protocol over SSL. The requests and responses are HTTP and in
JSON
format.

NO.140 Please choose the path to monitor the compliance status of the Check Point R80.10 based
management.
A. Gateways & Servers --> Compliance View
B. Compliance blade not available under R80.10
C. Logs & Monitor --> New Tab --> Open compliance View
D. Security & Policies --> New Tab --> Compliance View
Answer: C

NO.141 When requiring certificates for mobile devices, make sure the authentication method is set
to one of the
following, Username and Password, RADIUS or _______.
A. SecureID
B. SecurID
C. Complexity
D. TacAcs
Answer: B

NO.142 What is the command to check the status of the SmartEvent Correlation Unit?
A. fw ctl get int cpsead_stat
B. cpstat cpsead
C. fw ctl stat cpsemd
D. cp_conf get_stat cpsemd
Answer: B

NO.143 Which process handles connection from SmartConsole R80?

A. fwm
B. cpmd
C. cpm
D. cpd
Answer: C

NO.144 Which one of these features is NOT associated with the Check Point URL Filtering and

30
 IT Certification Guaranteed, The Easy Way!

Application Control
Blade?
A. Detects and blocks malware by correlating multiple detection engines before users are affected.
B. Configure rules to limit the available network bandwidth for specified users or groups.
C. Use UserCheck to help users understand that certain websites are against the company's security
policy.
D. Make rules to allow or block applications and Internet sites for individual applications, categories,
and
risk levels.
Answer: A

NO.145 How would you deploy TE250X Check Point appliance just for email traffic and in-line mode
without a Check
Point Security Gateway?
A. Install appliance TE250X on SpanPort on LAN switch in MTA mode.
B. Install appliance TE250X in standalone mode and setup MTA.
C. You can utilize only Check Point Cloud Services for this scenario.
D. It is not possible, always Check Point SGW is needed to forward emails to SandBlast appliance.
Answer: C

NO.146 Customer's R80 management server needs to be upgraded to R80.10. What is the best
upgrade method when
the management server is not connected to the Internet?
A. Export R80 configuration, clean install R80.10 and import the configuration
B. CPUSE offline upgrade
C. CPUSE online upgrade
D. SmartUpdate upgrade
Answer: C

NO.147 What is the main difference between Threat Extraction and Threat Emulation?
A. Threat Emulation never delivers a file and takes more than 3 minutes to complete.
B. Threat Extraction always delivers a file and takes less than a second to complete.
C. Threat Emulation never delivers a file that takes less than a second to complete.
D. Threat Extraction never delivers a file and takes more than 3 minutes to complete.
Answer: B

NO.148 Which CLI command will reset the IPS pattern matcher statistics?
A. ips reset pmstat
B. ips pstats reset
C. ips pmstats refresh
D. ips pmstats reset
Answer: D

31
 IT Certification Guaranteed, The Easy Way!

NO.149 Which of the following is NOT an option to calculate the traffic direction?
A. Incoming
B. Internal
C. External
D. Outgoing
Answer: D

NO.150 What is the purpose of a SmartEvent Correlation Unit?

A. The SmartEvent Correlation Unit is designed to check the connection reliability from SmartConsole
to
the SmartEvent Server.
B. The SmartEvent Correlation Unit's task it to assign severity levels to the identified events.
C. The Correlation unit role is to evaluate logs from the log server component to identify
patterns/threats
and convert them to events.
D. The SmartEvent Correlation Unit is designed to check the availability of the SmartReporter Server.
Answer: C

NO.151 Which statement is most correct regarding about "CoreXL Dynamic Dispatcher"?
A. The CoreXL FW instances assignment mechanism is based on Source MAC addresses, Destination
MAC addresses
B. The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores
C. The CoreXL FW instances assignment mechanism is based on IP Protocol type
D. The CoreXl FW instances assignment mechanism is based on Source IP addresses, Destination IP
addresses, and the IP 'Protocol' type
Answer: B

NO.152 Which command would you use to set the network interfaces' affinity in Manual mode?
A. sim affinity -m
B. sim affinity -l
C. sim affinity -a
D. sim affinity -s
Answer: D

NO.153 What cloud-based SandBlast Mobile application is used to register new devices and users?
A. Check Point Protect Application
B. Management Dashboard
C. Behavior Risk Engine
D. Check Point Gateway
Answer: D

NO.154 SandBlast appliances can be deployed in the following modes:

A. using a SPAN port to receive a copy of the traffic only

32
 IT Certification Guaranteed, The Easy Way!

B. detect only
C. inline/prevent or detect
D. as a Mail Transfer Agent and as part of the traffic flow only
Answer: C

NO.155 What is true about the IPS-Blade?

A. In R80, IPS is managed by the Threat Prevention Policy
B. In R80, in the IPS Layer, the only three possible actions are Basic, Optimized and Strict
C. In R80, IPS Exceptions cannot be attached to "all rules"
D. In R80, the GeoPolicy Exceptions and the Threat Prevention Exceptions are the same
Answer: A

NO.156 In the Check Point Firewall Kernel Module, each Kernel is associated with a key, which
specifies the type of
traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with
__________________ will not apply.
A. ffff
B. 1
C. 2
D. 3
Answer: B

NO.157 Fill in the blank. The R80 feature ___________________ permits blocking specific IP
addresses for a
specified time period.
A. Block Port Overflow
B. Local Interface Spoofing
C. Suspicious Activity Monitoring
D. Adaptive Threat Prevention
Answer: C

NO.158 What command lists all interfaces using Multi-Queue?

A. cpmq get
B. show interface all
C. cpmq set
D. show multiqueue all
Answer: A

NO.159 Which command can you use to enable or disable multi-queue per interface?
A. cpmq set
B. Cpmqueue set
C. Cpmq config
D. St cpmq enable

33
 IT Certification Guaranteed, The Easy Way!

Answer: A

NO.160 CoreXL is supported when one of the following features is enabled:

A. Route-based VPN
B. IPS
C. IPv6
D. Overlapping NAT
Answer: B
Explanation
CoreXL does not support Check Point Suite with these features:

NO.161 Which one of the following is true about Capsule Connect?

A. It is a full layer 3 VPN client
B. It offers full enterprise mobility management
C. It is supported only on iOS phones and Windows PCs
D. It does not support all VPN authentication methods
Answer: A

NO.162 How do Capsule Connect and Capsule Workspace differ?

A. Capsule Connect provides a Layer3 VPN. Capsule Workspace provides a Desktop with usable
applications.
B. Capsule Workspace can provide access to any application.
C. Capsule Connect provides Business data isolation.
D. Capsule Connect does not require an installed application at client.
Answer: A

NO.163 What is the responsibility of SOLR process on R80.10 management server?

A. Validating all data before it's written into the database
B. It generates indexes of data written to the database
C. Communication between SmartConsole applications and the Security Management Server
D. Writing all information into the database
Answer: B

NO.164 For Management High Availability, which of the following is NOT a valid synchronization
status?
A. Collision
B. Down
C. Lagging
D. Never been synchronized
Answer: B

NO.165 Pamela is Cyber Security Engineer working for Global Instance Firm with large scale
deployment of Check

34
 IT Certification Guaranteed, The Easy Way!

Point Enterprise Appliances using GAiA/R80.10. Company's Developer Team is having random access
issue
to newly deployed Application Server in DMZ's Application Server Farm Tier and blames DMZ Security
Gateway as root cause. The ticket has been created and issue is at Pamela's desk for an investigation.
Pamela
decides to use Check Point's Packet Analyzer Tool-fw monitor to iron out the issue during approved
Maintenance window. What do you recommend as the best suggestion for Pamela to make sure she
successfully captures entire traffic in context of Firewall and problematic traffic?
A. Pamela should check SecureXL status on DMZ Security gateway and if it's turned ON. She should
turn
OFF SecureXL before using fw monitor to avoid misleading traffic captures.
B. Pamela should check SecureXL status on DMZ Security Gateway and if it's turned OFF. She should
turn ON SecureXL before using fw monitor to avoid misleading traffic captures.
C. Pamela should use tcpdump over fw monitor tool as tcpdump works at OS-level and captures
entire
traffic.
D. Pamela should use snoop over fw monitor tool as snoop works at NIC driver level and captures
entire
traffic.
Answer: A

NO.166 To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, run
the following
command in Expert mode then reboot:
A. fw ctl multik set_mode 1
B. fw ctl Dynamic_Priority_Queue on
C. fw ctl Dynamic_Priority_Queue enable
D. fw ctl multik set_mode 9
Answer: D

NO.167 Which of the following links will take you to the SmartView web application?
A. https://<Security Management Server host name>/smartviewweb/
B. https://<Security Management Server IP Address>/smartview/
C. https://<Security Management Server host name>smartviewweb
D. https://<Security Management Server IP Address>/smartview
Answer: B

NO.168 What information is NOT collected from a Security Gateway in a Cpinfo?

A. Firewall logs
B. Configuration and database files
C. System message logs
D. OS and network statistics
Answer: A

35
 IT Certification Guaranteed, The Easy Way!

NO.169 What CLI command compiles and installs a Security Policy on the target's Security
Gateways?
A. fwm compile
B. fwm load
C. fwm fetch
D. fwm install
Answer: B

NO.170 You need to see which hotfixes are installed on your gateway, which command would you
use?
A. cpinfo -h all
B. cpinfo -o hotfix
C. cpinfo -l hotfix
D. cpinfo -y all
Answer: D

NO.171 In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log.
Which of the
following options can you add to each Log, Detailed Log and Extended Log?
A. Accounting
B. Suppression
C. Accounting/Suppression
D. Accounting/Extended
Answer: C

NO.172 What are the attributes that SecureXL will check after the connection is allowed by Security
Policy?
A. Source address, Destination address, Source port, Destination port, Protocol
B. Source MAC address, Destination MAC address, Source port, Destination port, Protocol
C. Source address, Destination address, Source port, Destination port
D. Source address, Destination address, Destination port, Protocol
Answer: A

NO.173 CPM process stores objects, policies, users, administrators, licenses and management data
in a database. The
database is:
A. MySQL
B. Postgres SQL
C. MarisDB
D. SOLR
Answer: B

NO.174 Which statements below are CORRECT regarding Threat Prevention profiles in

36
 IT Certification Guaranteed, The Easy Way!

SmartDashboard?
A. You can assign only one profile per gateway and a profile can be assigned to one rule Only.
B. You can assign multiple profiles per gateway and a profile can be assigned to one rule only.
C. You can assign multiple profiles per gateway and a profile can be assigned to one or more rules.
D. You can assign only one profile per gateway and a profile can be assigned to one or more rules.
Answer: C

NO.175 In a Client to Server scenario, which represents that the packet has already checked against
the tables and the
Rule Base?
A. Big l
B. Little o
C. Little i
D. Big O
Answer: D

NO.176 To accelerate the rate of connection establishment, SecureXL groups all connection that
match a particular
service and whose sole differentiating element is the source port. The type of grouping enables even
the very
first packets of a TCP handshake to be accelerated. The first packets of the first connection on the
same
service will be forwarded to the Firewall kernel which will then create a template of the connection.
Which of
the these is NOT a SecureXL template?
A. Accept Template
B. Deny Template
C. Drop Template
D. NAT Template
Answer: B

NO.177 What is the port used for SmartConsole to connect to the Security Management Server?
A. CPMI port 18191/TCP
B. CPM port/TCP port 19009
C. SIC port 18191/TCP
D. https port 4434/TCP
Answer: A

NO.178 On what port does the CPM process run?

A. TCP 857
B. TCP 18192
C. TCP 900
D. TCP 19009

37
 IT Certification Guaranteed, The Easy Way!

Answer: D

NO.179 When deploying SandBlast, how would a Threat Emulation appliance benefit from the
integration of
ThreatCloud?
A. ThreatCloud is a database-related application which is located on-premise to preserve privacy of
company-related data
B. ThreatCloud is a collaboration platform for all the CheckPoint customers to form a virtual cloud
consisting of a combination of all on-premise private cloud environments
C. ThreatCloud is a collaboration platform for Check Point customers to benefit from VMWare ESXi
infrastructure which supports the Threat Emulation Appliances as virtual machines in the EMC Cloud
D. ThreatCloud is a collaboration platform for all the Check Point customers to share information
about
malicious and benign files that all of the customers can benefit from as it makes emulation of known
files unnecessary
Answer: D

NO.180 You are asked to check the status of several user-mode processes on the management
server and gateway.
Which of the following processes can only be seen on a Management Server?
A. fwd
B. fwm
C. cpd
D. cpwd
Answer: B

NO.181 What are the steps to configure the HTTPS Inspection Policy?
A. Go to Manage&Settings > Blades > HTTPS Inspection > Configure in SmartDashboard
B. Go to Application&url filtering blade > Advanced > Https Inspection > Policy
C. Go to Manage&Settings > Blades > HTTPS Inspection > Policy
D. Go to Application&url filtering blade > Https Inspection > Policy
Answer: A

NO.182 SandBlast offers flexibility in implementation based on their individual business needs. What
is an option for
deployment of Check Point SandBlast Zero-Day Protection?
A. Smart Cloud Services
B. Load Sharing Mode Services
C. Threat Agent Solution
D. Public Cloud Services
Answer: A

NO.183 Which process is available on any management product and on products that require direct
GUI access, such

38
 IT Certification Guaranteed, The Easy Way!

as SmartEvent and provides GUI client communications, database manipulation, policy compilation
and
Management HA synchronization?
A. cpwd
B. fwd
C. cpd
D. fwm
Answer: D
Explanation
Firewall Management (fwm) is available on any management product, including Multi-Domain and o
n
products that requite direct GUI access, such as SmartEvent, It provides the following:
- GUI Client communication
- Database manipulation
- Policy Compilation
- Management HA sync

NO.184 Where you can see and search records of action done by R80 SmartConsole administrators?
A. In SmartView Tracker, open active log
B. In the Logs & Monitor view, select "Open Audit Log View"
C. In SmartAuditLog View
D. In Smartlog, all logs
Answer: B

NO.185 In order to get info about assignment (FW, SND) of all CPUs in your SGW, what is the most
accurate CLI
command?
A. fw ctl sdstat
B. fw ctl affinity -l a -r -v
C. fw ctl multik stat
D. cpinfo
Answer: B

NO.186 Which is NOT a SmartEvent component?

A. SmartEvent Server
B. Correlation Unit
C. Log Consolidator
D. Log Server
Answer: C

NO.187 When doing a Stand-Alone Installation, you would install the Security Management Server
with which other
Check Point architecture component?
A. None, Security Management Server would be installed by itself.

39
 IT Certification Guaranteed, The Easy Way!

B. SmartConsole
C. SecureClient
D. Security Gateway
E. SmartEvent
Answer: D

NO.188 What are the main stages of a policy installations?

A. Verification & Compilation, Transfer and Commit
B. Verification & Compilation, Transfer and Installation
C. Verification, Commit, Installation
D. Verification, Compilation & Transfer, Installation
Answer: B

NO.189 Which of these is an implicit MEP option?

A. Primary-backup
B. Source address based
C. Round robin
D. Load Sharing
Answer: A

NO.190 What is the command to show SecureXL status?

A. fwaccel status
B. fwaccel stats -m
C. fwaccel -s
D. fwaccel stat
Answer: D
Explanation
To check overall SecureXL status:
[Expert@HostName]# fwaccel stat

NO.191 What is the difference between an event and a log?

A. Events are generated at gateway according to Event Policy
B. A log entry becomes an event when it matches any rule defined in Event Policy
C. Events are collected with SmartWorkflow form Trouble Ticket systems
D. Log and Events are synonyms
Answer: B

NO.192 Fill in the blank: The R80 utility fw monitor is used to troubleshoot ________.
A. User data base corruption
B. LDAP conflicts
C. Traffic issues
D. Phase two key negotiations
Answer: C

40
 IT Certification Guaranteed, The Easy Way!

Explanation
Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level.
The FW
Monitor utility captures network packets at multiple capture points along the FireWall inspection
chains.
These captured packets can be inspected later using the WireShark

NO.193 Can multiple administrators connect to a Security Management Server at the same time?
A. No, only one can be connected
B. Yes, all administrators can modify a network object at the same time
C. Yes, every administrator has their own username, and works in a session that is independent of
other
administrators.
D. Yes, but only one has the right to write.
Answer: C

NO.194 You are working with multiple Security Gateways enforcing an extensive number of rules. To
simplify
security administration, which action would you choose?
A. Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
B. Create a separate Security Policy package for each remote Security Gateway.
C. Create network objects that restricts all applicable rules to only certain networks.
D. Run separate SmartConsole instances to login and configure each Security Gateway directly.
Answer: B

NO.195 What Factor preclude Secure XL Templating?

A. Source Port Ranges/Encrypted Connections
B. IPS
C. ClusterXL in load sharing Mode
D. CoreXL
Answer: A

NO.196 Which of the following Check Point processes within the Security Management Server is
responsible for the
receiving of log records from Security Gateway?
A. logd
B. fwd
C. fwm
D. cpd
Answer: B

NO.197 The following command is used to verify the CPUSE version:

A. HostName:0>show installer status build
B. [Expert@HostName:0]#show installer status

41
 IT Certification Guaranteed, The Easy Way!

C. [Expert@HostName:0]#show installer status build

D. HostName:0>show installer build
Answer: A

NO.198 If you needed the Multicast MAC address of a cluster, what command would you run?
A. cphaprob -a if
B. cphaconf ccp multicast
C. cphaconf debug data
D. cphaprob igmp
Answer: D

NO.199 Which command gives us a perspective of the number of kernel tables?

A. fw tab -t
B. fw tab -s
C. fw tab -n
D. fw tab -k
Answer: B

NO.200 What is the recommended number of physical network interfaces in a Mobile Access cluster
deployment?
A. 4 Interfaces - an interface leading to the organization, a second interface leading to the internet, a
third
interface for synchronization, a fourth interface leading to the Security Management Server.
B. 3 Interfaces - an interface leading to the organization, a second interface leading to the Internet, a
third
interface for synchronization.
C. 1 Interface - an interface leading to the organization and the Internet, and configure for
synchronization.
D. 2 Interfaces - a data interface leading to the organization and the Internet, a second interface for
synchronization.
Answer: B

NO.201 Full synchronization between cluster members is handled by Firewall Kernel. Which port is
used for this?
A. UDP port 265
B. TCP port 265
C. UDP port 256
D. TCP port 256
Answer: D
Explanation
Synchronization works in two modes:
Full Sync transfers all Security Gateway kernel table information from one cluster member to
another. It is
handled by the fwd daemon using an encrypted TCP connection on port 256.

42
 IT Certification Guaranteed, The Easy Way!

Delta Sync transfers changes in the kernel tables between cluster members. Delta sync is handled by
the
Security Gateway kernel using UDP connections on port 8116.

NO.202 Check Point Management (cpm) is the main management process in that it provides the
architecture for a
consolidates management console. CPM allows the GUI client and management server to
communicate via
web services using ___________.
A. TCP port 19009
B. TCP Port 18190
C. TCP Port 18191
D. TCP Port 18209
Answer: A

NO.203 Which one of the following is true about Threat Extraction?

A. Always delivers a file to user
B. Works on all MS Office, Executables, and PDF files
C. Can take up to 3 minutes to complete
D. Delivers file only if no threats found
Answer: A

NO.204 From SecureXL perspective, what are the tree paths of traffic flow:
A. Initial Path; Medium Path; Accelerated Path
B. Layer Path; Blade Path; Rule Path
C. Firewall Path; Accept Path; Drop Path
D. Firewall Path; Accelerated Path; Medium Path
Answer: D

NO.205 NAT rules are prioritized in which order?

1. Automatic Static NAT
2. Automatic Hide NAT
3. Manual/Pre-Automatic NAT
4. Post-Automatic/Manual NAT rules
A. 1, 2, 3, 4
B. 1, 4, 2, 3
C. 3, 1, 2, 4
D. 4, 3, 1, 2
Answer: A

NO.206 Which Check Point daemon monitors the other daemons?

A. fwm
B. cpd
C. cpwd

43
 IT Certification Guaranteed, The Easy Way!

D. fwssd
Answer: C

NO.207 When Dynamic Dispatcher is enabled, connections are assigned dynamically with the
exception of:
A. Threat Emulation
B. HTTPS
C. QOS
D. VoIP
Answer: D

NO.208 How can SmartView application accessed?

A. http://<Security Management IP Address>/smartview
B. http://<Security Management IP Address>:4434/smartview
C. https://<Security Management IP Address>/smartview/
D. https://<Security Management host name>:4434/smartview
Answer: C

NO.209 You have successfully backed up Check Point configurations without the OS information.
What command
would you use to restore this backup?
A. restore_backup
B. import backup
C. cp_merge
D. migrate import
Answer: D

NO.210 Which of these statements describes the Check Point ThreatCloud?

A. Blocks or limits usage of web applications
B. Prevents or controls access to web sites based on category
C. Prevents Cloud vulnerability exploits
D. A worldwide collaborative security network
Answer: D

NO.211 Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set
up an
Active-Active cluster.
A. Symmetric routing
B. Failovers
C. Asymmetric routing
D. Anti-Spoofing
Answer: C

44
 IT Certification Guaranteed, The Easy Way!

NO.212 When SecureXL is enabled, all packets should be accelerated, except packets that match the
following
conditions:
A. All UDP packets
B. All IPv6 Traffic
C. All packets that match a rule whose source or destination is the Outside Corporate Network
D. CIFS packets
Answer: D

NO.213 There are 4 ways to use the Management API for creating host object with R80
Management API. Which one
is NOT correct?
A. Using Web Services
B. Using Mgmt_cli tool
C. Using CLISH
D. Using SmartConsole GUI console
E. Events are collected with SmartWorkflow from Trouble Ticket systems
Answer: E

NO.214 What are the blades of Threat Prevention?

A. IPS, DLP, AntiVirus, AntiBot, Sandblast Threat Emulation/Extraction
B. DLP, AntiVirus, QoS, AntiBot, Sandblast Threat Emulation/Extraction
C. IPS, AntiVirus, AntiBot
D. IPS, AntiVirus, AntiBot, Sandblast Threat Emulation/Extraction
Answer: D

NO.215 With MTA (Mail Transfer Agent) enabled the gateways manages SMTP traffic and holds
external email with
potentially malicious attachments. What is required in order to enable MTA (Mail Transfer Agent)
functionality in the Security Gateway?
A. Threat Cloud Intelligence
B. Threat Prevention Software Blade Package
C. Endpoint Total Protection
D. Traffic on port 25
Answer: B

NO.216 In which formats can Threat Emulation forensics reports be viewed in?
A. TXT, XML and CSV
B. PDF and TXT
C. PDF, HTML, and XML
D. PDF and HTML
Answer: C

45
 IT Certification Guaranteed, The Easy Way!

NO.217 What is the valid range for VRID value in VRRP configuration?
A. 1-254
B. 1-255
C. 0-254
D. 0-255
Answer: B
Explanation
Virtual Router ID - Enter a unique ID number for this virtual router. The range of valid values is 1 to
255.

NO.218 Fill in the blank: The R80 feature ______ permits blocking specific IP addresses for a specific
time period.
A. Block Port Overflow
B. Local Interface Spoofing
C. Suspicious Activity Monitoring
D. Adaptive Threat Prevention
Answer: C
Explanation
Suspicious Activity Rules Solution
Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access
privileges upon detection of any suspicious network activity (for example, several attempts to gain
unauthorized access).
The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious
Activity
rules are Firewall rules that enable the system administrator to instantly block suspicious connections
that are
not restricted by the currently enforced security policy. These rules, once set (usually with an
expiration date),
can be applied immediately without the need to perform an Install Policy operation

NO.219 To enable Dynamic Dispatch on Security Gateway without the Firewall Priority Queues, run
the following
command in Expert mode and reboot:
A. fw ctl Dyn_Dispatch on
B. fw ctl Dyn_Dispatch enable
C. fw ctl multik set_mode 4
D. fw ctl multik set_mode 1
Answer: C

NO.220 Security Checkup Summary can be easily conducted within:

A. Summary
B. Views
C. Reports
D. Checkups

46
 IT Certification Guaranteed, The Easy Way!

Answer: B

NO.221 Which of the following type of authentication on Mobile Access can NOT be used as the first
authentication
method?
A. Dynamic ID
B. RADIUS
C. Username and Password
D. Certificate
Answer: A

NO.222 What is the command to see cluster status in cli expert mode?
A. fw ctl stat
B. clusterXL stat
C. clusterXL status
D. cphaprob stat
Answer: D

NO.223 Which of the following authentication methods ARE NOT used for Mobile Access?
A. RADIUS server
B. Username and password (internal, LDAP)
C. SecurID
D. TACACS+
Answer: D

NO.224 What is not a purpose of the deployment of Check Point API?

A. Execute an automated script to perform common tasks
B. Create a customized GUI Client for manipulating the objects database
C. Create products that use and enhance the Check Point solution
D. Integrate Check Point products with 3rd party solution
Answer: B

NO.225 Which command can you use to verify the number of active concurrent connections?
A. fw conn all
B. fw ctl pstat
C. show all connections
D. show connections
Answer: B

NO.226 Which packet info is ignored with Session Rate Acceleration?

A. source port ranges
B. source ip
C. source port

47
 IT Certification Guaranteed, The Easy Way!

D. same info from Packet Acceleration is used

Answer: C

NO.227 SandBlast has several functional components that work together to ensure that attacks are
prevented in
real-time. Which the following is NOT part of the SandBlast component?
A. Threat Emulation
B. Mobile Access
C. Mail Transfer Agent
D. Threat Cloud
Answer: C

NO.228 Traffic from source 192.168.1.1 is going to www.google.com. The Application Control Blade
on the gateway
is inspecting the traffic. Assuming acceleration is enabled which path is handling the traffic?
A. Slow Path
B. Medium Path
C. Fast Path
D. Accelerated Path
Answer: A

NO.229 What is the least amount of CPU cores required to enable CoreXL?
A. 2
B. 1
C. 4
D. 6
Answer: B

NO.230 Which view is NOT a valid CPVIEW view?

A. IDA
B. RAD
C. PDP
D. VPN
Answer: C

NO.231 Which Mobile Access Application allows a secure container on Mobile devices to give users
access to internal
website, file share and emails?
A. Check Point Remote User
B. Check Point Capsule Workspace
C. Check Point Mobile Web Portal
D. Check Point Capsule Remote
Answer: C

48
 IT Certification Guaranteed, The Easy Way!

NO.232 Which command shows actual allowed connections in state table?

A. fw tab -t StateTable
B. fw tab -t connections
C. fw tab -t connection
D. fw tab connections
Answer: B

NO.233 fwssd is a child process of which of the following Check Point daemons?
A. fwd
B. cpwd
C. fwm
D. cpd
Answer: A

NO.234 What component of R80 Management is used for indexing?

A. DBSync
B. API Server
C. fwm
D. SOLR
Answer: D

NO.235 Which statement is NOT TRUE about Delta synchronization?

A. Using UDP Multicast or Broadcast on port 8161
B. Using UDP Multicast or Broadcast on port 8116
C. Quicker than Full sync
D. Transfers changes in the Kernel tables between cluster members.
Answer: A

NO.236 Which features are only supported with R80.10 Gateways but not R77.x?
A. Access Control policy unifies the Firewall, Application Control & URL Filtering, Data Awareness,
and
Mobile Access Software Blade policies
B. Limits the upload and download throughput for streaming media in the company to 1 Gbps.
C. The rule base can be built of layers, each containing a set of the security rules. Layers are
inspected in
the order in which they are defined, allowing control over the rule base flow and which security
functionalities take precedence.
D. Time object to a rule to make the rule active only during specified times.
Answer: C

NO.237 Both ClusterXL and VRRP are fully supported by Gaia R80.10 and available to all Check Point
appliances.
Which the following command is NOT related to redundancy and functions?

49
 IT Certification Guaranteed, The Easy Way!

A. cphaprob stat
B. cphaprob -a if
C. cphaprob -l list
D. cphaprob all show stat
Answer: D

NO.238 Which of the following is NOT a type of Check Point API available in R80.10?
A. Identity Awareness Web Services
B. OPSEC SDK
C. Mobile Access
D. Management
Answer: C

NO.239 Automatic affinity means that if SecureXL is running, the affinity for each interface is
automatically reset
every
A. 15 sec
B. 60 sec
C. 5 sec
D. 30 sec
Answer: B

NO.240 To add a file to the Threat Prevention Whitelist, what two items are needed?
A. File name and Gateway
B. Object Name and MD5 signature
C. MD5 signature and Gateway
D. IP address of Management Server and Gateway
Answer: B

NO.241 What scenario indicates that SecureXL is enabled?

A. Dynamic objects are available in the Object Explorer
B. SecureXL can be disabled in cpconfig
C. fwaccel commands can be used in clish
D. Only one packet in a stream is seen in a fw monitor packet capture
Answer: C

NO.242 Which command is used to display status information for various components?
A. show all systems
B. show system messages
C. sysmess all
D. show sysenv all
Answer: D

50
 IT Certification Guaranteed, The Easy Way!

NO.243 What is the mechanism behind Threat Extraction?

A. This a new mechanism which extracts malicious files from a document to use it as a counter-attac
k
against its sender.
B. This is a new mechanism which is able to collect malicious files out of any kind of file types to
destroy
it prior to sending it to the intended recipient.
C. This is a new mechanism to identify the IP address of the sender of malicious codes and put it into
the
SAM database (Suspicious Activity Monitoring).
D. Any active contents of a document, such as JavaScripts, macros and links will be removed from the
document and forwarded to the intended recipient, which makes this solution very fast.
Answer: D

NO.244 The Correlation Unit performs all but the following actions:
A. Marks logs that individually are not events, but may be part of a larger pattern to be identified
later.
B. Generates an event based on the Event policy.
C. Assigns a severity level to the event.
D. Takes a new log entry that is part of a group of items that together make up an event, and adds it
to an
ongoing event.
Answer: C

NO.245 Which Check Point software blades could be enforced under Threat Prevention profile using
Check Point
R80.10 SmartConsole application?
A. IPS, Anti-Bot, URL Filtering, Application Control, Threat Emulation.
B. Firewall, IPS, Threat Emulation, Application Control.
C. IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction.
D. Firewall, IPS, Anti-Bot, Anti-Virus, Threat Emulation.
Answer: C

NO.246 How do you enable virtual mac (VMAC) on-the-fly on a cluster member?
A. cphaprob set int fwha_vmac_global_param_enabled 1
B. clusterXL set int fwha_vmac_global_param_enabled 1
C. fw ctl set int fwha_vmac_global_param_enabled 1
D. cphaconf set int fwha_vmac_global_param_enabled 1
Answer: C

51