
CCSE Update R80

Checkpoint 156-915.80
Total Questions: 260

https://dumpsarena.com
sales@dumpsarena.com
QUESTION NO: 1

The Firewall Administrator is required to create 100 new host objects with different IP addresses. What
API command can he use in the script to achieve the requirement?
A. add host name <New HostName> ip-address <ip address>
B. add hostname <New HostName> ip-address <ip address>
C. set host name <New HostName> ip-address <ip address>
D. set hostname <New HostName> ip-address <ip address>
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 2

What are the minimum open server hardware requirements for a Security Management
Server/Standalone in R80.10?
A. 2 CPU cores, 4GB of RAM and 15GB of disk space
B. 8 CPU cores, 16GB of RAM and 500 GB of disk space
C. 4 CPU cores, 8GB of RAM and 500GB of disk space
D. 8 CPU cores, 32GB of RAM and 1 TB of disk space
Correct Answer: C

Section: (none)
Explanation:

Reference:
http://dl3.checkpoint.com/paid/db/dbf0aa7672f1dd6031e6096b40510674/CP_R80.10_ReleaseNotes.pdf?HashKey=1522175073_c4e7fc63c894ad28b3fbe49f9430c023&xtn=.pdf page 16

QUESTION NO: 3

What is the command to check the status of the SmartEvent Correlation Unit?
A. fw ctl get int cpsead_stat
B. cpstat cpsead
C. fw ctl stat cpsemd
D. cp_conf get_stat cpsemd
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 4

Which packet info is ignored with Session Rate Acceleration?


A. source port ranges
B. source ip
C. source port
D. same info from Packet Acceleration is used
Correct Answer: C

Section: (none)
Explanation:

Reference: http://trlj.blogspot.com/2015/10/check-point-acceleration.html

QUESTION NO: 5

From the SecureXL perspective, what are the three paths of traffic flow?
A. Initial Path; Medium Path; Accelerated Path
B. Layer Path; Blade Path; Rule Path
C. Firewall Path, Accept Path; Drop Path
D. Firewall Path; Accelerated Path; Medium Path
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 6

In R80.10, how do you manage your Mobile Access Policy?


A. Through the Unified Policy
B. Through the Mobile Console
C. From SmartDashboard
D. From the Dedicated Mobility Tab
Correct Answer: C

Section: (none)
Explanation:

Reference:
http://dl3.checkpoint.com/paid/f7/f78b067c6838c747e1568f139b6e6e8d/CP_R80.10_MobileAccess_AdminGuide.pdf?HashKey=1522170407_805ae0a295fd6664fa23700cc1482686&xtn=.pdf

QUESTION NO: 7

Which command will reset the kernel debug options to default settings?
A. fw ctl dbg -a 0
B. fw ctl dbg resetall
C. fw ctl debug 0
D. fw ctl debug set 0
Correct Answer: C

Section: (none)
Explanation:

Reset the debugs to the default.


If someone changed the settings in the past and the firewall has not been rebooted since then, we
should set everything back to the defaults.

Reference: https://itsecworks.com/2011/08/09/checkpoint-firewall-debugging-basics/

QUESTION NO: 8

Return oriented programming (ROP) exploits are detected by which security blade?
A. Check Point Anti-Virus / Threat Emulation
B. Intrusion Prevention Software
C. Application control
D. Data Loss Prevention

Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 9

How can you see historical data with cpview?


A. cpview -d <timestamp>
B. cpview -t <timestamp>
C. cpview -f <timestamp>
D. cpview -e <timestamp>
Correct Answer: B

Section: (none)
Explanation:

Reference: https://www.youtube.com/watch?v=OjsvuT2YxKs

QUESTION NO: 10

How many interfaces can you configure to use the Multi-Queue feature?
A. 10 interfaces
B. 3 interfaces
C. 4 interfaces
D. 5 interfaces
Correct Answer: D

Section: (none)
Explanation:

Reference: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-x-Performance-Tuning-Tip-Multi-Queue/td-p/41608

QUESTION NO: 11

When Dynamic Dispatcher is enabled, connections are assigned dynamically with the exception of

A. Threat Emulation
B. HTTPS
C. QOS
D. VoIP
Correct Answer: D

Section: (none)
Explanation:

The following types of traffic are not load-balanced by the CoreXL Dynamic Dispatcher (this traffic will
always be handled by the same CoreXL FW instance):
VoIP
VPN encrypted packets
Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261

QUESTION NO: 12

Which statement is correct about the Sticky Decision Function?


A. It is not supported with either the Performance pack or a hardware based accelerator card
B. Does not support SPI’s when configured for Load Sharing
C. It is automatically disabled if the Mobile Access Software Blade is enabled on the cluster
D. It is not required for L2TP traffic
Correct Answer: A

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7290.htm

QUESTION NO: 13

How long may verification of one file take for Sandblast Threat Emulation?
A. up to 1 minute
B. within seconds cleaned file will be provided
C. up to 5 minutes
D. up to 3 minutes
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 14

Which TCP-port does CPM process listen to?


A. 18191
B. 18190
C. 8983
D. 19009
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 15

Check Point security components are divided into the following components:
A. GUI Client, Security Gateway, WebUI interface
B. GUI Client, Security Management, Security Gateway
C. Security Gateway, WebUI interface, Consolidated Security Logs
D. Security Management, Security Gateway, Consolidate Security Logs
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 16

Which of the following statements is TRUE about R80 management plug-ins?
A. The plug-in is a package installed on the Security Gateway.
B. Installing a management plug-in requires a Snapshot, just like any upgrade process.
C. A management plug-in interacts with a Security Management Server to provide new features and
support for new products.
D. Using a plug-in offers full central management only if special licensing is applied to specific
features of the plug-in.
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 17

Which is NOT an example of a Check Point API?


A. Gateway API
B. Management API
C. OPSEC SDK
D. Threat Prevention API
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 18

For Management High Availability, which of the following is NOT a valid synchronization status?
A. Collision
B. Down
C. Lagging
D. Never been synchronized
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/13132

QUESTION NO: 19

In what way is Secure Network Distributor (SND) a relevant feature of the Security Gateway?
A. SND is a feature to accelerate multiple SSL VPN connections
B. SND is an alternative to IPSec Main Mode, using only 3 packets
C. SND is used to distribute packets among Firewall instances
D. SND is a feature of fw monitor to capture accelerated packets
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 20

Check Point APIs allow system engineers and developers to make changes to their organization’s
security policy with CLI tools and Web Services for all of the following except?
A. Create new dashboards to manage 3rd party task
B. Create products that use and enhance 3rd party solutions.
C. Execute automated scripts to perform common tasks.
D. Create products that use and enhance the Check Point Solution.
Correct Answer: A

Section: (none)
Explanation:

Check Point APIs let system administrators and developers make changes to the security policy with
CLI tools and web-services. You can use an API to:
Use an automated script to perform common tasks
Integrate Check Point products with 3rd party solutions
Create products that use and enhance the Check Point solution
Reference:
http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1522190468_125d63ea5296b7dadd3e4fd81c708cc5&xtn=.pdf

QUESTION NO: 21

What is true about the IPS-Blade?

A. in R80, IPS is managed by the Threat Prevention Policy
B. in R80, in the IPS Layer, the only three possible actions are Basic, Optimized and Strict
C. in R80, IPS Exceptions cannot be attached to “all rules”
D. in R80, the GeoPolicy Exceptions and the Threat Prevention Exceptions are the same
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 22

Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a
new multicore CPU to replace the existing single core CPU. After installation, is the administrator
required to perform any additional tasks?
A. Go to clish-Run cpstop | Run cpstart
B. Go to clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway
C. Administrator does not need to perform any task. Check Point will make use of the newly installed CPU and Cores.
D. Go to clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway | Install Security Policy.
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 23

Check Point recommends configuring Disk Space Management parameters to delete old log entries
when available disk space is less than or equal to?
A. 50%
B. 75%
C. 80%
D. 15%
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 24

On R80.10 when configuring Third-Party devices to read the logs using the LEA (Log Export API) the
default Log Server uses port:
A. 18210
B. 18184
C. 257
D. 18191
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 25

To find records in the logs that show log records from the Application & URL Filtering Software Blade
where traffic was blocked, what would be the query syntax?
A. blade: application control AND action:block
B. blade; “application control” AND action;block
C. (blade: application control AND action;block)
D. blade: “application control” AND action:block
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131914

QUESTION NO: 26

When Configuring Endpoint Compliance Settings for Applications and Gateways within Mobile Access,
which of the three approaches will allow you to configure individual policies for each application?
A. Basic Approach
B. Strong Approach
C. Advanced Approach
D. Medium Approach
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_Mobile_Access_WebAdmin/23030.htm

QUESTION NO: 27

Which of the following is NOT an option to calculate the traffic direction?


A. Incoming
B. Internal
C. External
D. Outgoing
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 28

Choose the ClusterXL process that is defined by default as a critical device?


A. cpp
B. fwm
C. assld
D. fwd
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 29

Which statement is true regarding redundancy?
A. System Administrators know when their cluster has failed over and can also see why it failed over
by using the cphaprob -f if command.
B. ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
C. Machines in a Cluster XL High Availability configuration must be synchronized.
D. Both Cluster XL and VRRP are fully supported by Gaia and available to all Check Point
appliances, open servers, and virtualized environments.
Correct Answer: D

Section: (none)
Explanation:

Reference: https://www.checkpoint.com/download/public-files/gaia-technical-brief.pdf page 5

QUESTION NO: 30

The concept of layers was introduced in R80. What is the biggest benefit of layers?
A. To break one policy into several virtual policies.
B. Policy Layers and Sub-Policies enable flexible control over the security policy.
C. To include Threat Prevention as a sub policy for the firewall policy
D. They improve the performance on OS kernel version 3.0
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 31

What is the purpose of a SmartEvent Correlation Unit?


A. The SmartEvent Correlation Unit is designed to check the connection reliability from
SmartConsole to the SmartEvent Server
B. The SmartEvent Correlation Unit’s task is to assign severity levels to the identified events.
C. The Correlation unit role is to evaluate logs from the log server component to identify
patterns/threats and convert them to events.
D. The SmartEvent Correlation Unit is designed to check the availability of the SmartReporter
Server
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 32

What’s true about Troubleshooting option in the IPS profile properties?


A. Temporarily change the active protection profile to “Default_Protection”
B. Temporarily set all protections to track (log) in SmartView Tracker
C. Temporarily will disable IPS kernel engine
D. Temporarily set all active protections to Detect
Correct Answer: B

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/52512.htm

QUESTION NO: 33

The Regulatory Compliance pane shows compliance statistics for selected regulatory standards, based
on the Security Best Practice scan. Which of the following does NOT show in this pane?
A. The total number of Regulatory Requirements that are monitored
B. The Average compliance score for each regulation shown
C. The average number of Regulatory Requirements that are monitored
D. The Number of Regulatory Requirements for each Regulation
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Compliance_WebAdminGuide/96026.htm

QUESTION NO: 34

Which process is available on any management product and on products that require direct GUI
access, such as SmartEvent and provides GUI client communications, database manipulation, policy
compilation and Management HA synchronization?
A. cpwd
B. fwd
C. cpd
D. fwm
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 35

Which of the following commands shows the status of processes?


A. cpwd_admin -l
B. cpwd -l
C. cpwd admin_list
D. cpwd_admin list
Correct Answer: D

Section: (none)
Explanation:

Reference: https://community.checkpoint.com/thread/8054-cpwdadmin-list-overview-sms

QUESTION NO: 36

You want to gather data and analyze threats to your mobile device. It has to be a lightweight app. Which
application would you use?
A. SmartEvent Client Info
B. SecuRemote
C. Check Point Protect
D. Check Point Capsule Cloud
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 37

What Factors preclude Secure XL Templating?


A. Source Port Ranges/Encrypted Connections
B. IPS
C. ClusterXL in load sharing Mode
D. CoreXL
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 38

Which is a suitable command to check whether Drop Templates are activated or not?
A. fw ctl get int activate_drop_templates
B. fwaccel stat
C. fwaccel stats
D. fw ctl templates -d
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 39

The WebUI offers several methods for downloading hotfixes via CPUSE except:
A. Automatic
B. Force override
C. Manually
D. Scheduled
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/112109

QUESTION NO: 40

Check Point Management (cpm) is the main management process in that it provides the architecture for
a consolidated management console. CPM allows the GUI client and management server to
communicate via web service using ______.
A. TCP port 19009
B. TCP Port 18190
C. TCP Port 18191
D. TCP Port 18209
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 41

Where can you see and search records of actions done by R80 SmartConsole administrators?
A. In SmartView Tracker, open active log
B. In the Logs & Monitor view, select “Open Audit Log View”
C. In SmartAudit Log View
D. In SmartLog, all logs
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/188029

QUESTION NO: 42

Which command gives us a perspective of the number of kernel tables?


A. fw tab -t
B. fw tab -s
C. fw tab -n
D. fw tab -k
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 43

To ensure that VMAC mode is enabled, which CLI command should you run on all cluster members?
A. fw ctl set int fwha vmac global param enabled
B. fw ctl get int fwha vmac global param enabled; result of command should return value 1
C. cphaprob -a if
D. fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1
Correct Answer: D

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm

QUESTION NO: 44

SandBlast appliances can be deployed in the following modes:


A. using a SPAN port to receive a copy of the traffic only
B. detect only
C. inline/prevent or detect
D. as a Mail Transfer Agent and as part of the web traffic flow only
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 45

What is the purpose of Priority Delta in VRRP?


A. When a box is up, Effective Priority = Priority + Priority Delta
B. When an Interface is up, Effective Priority = Priority + Priority Delta
C. When an Interface fails, Effective Priority = Priority – Priority Delta
D. When a box fails, Effective Priority = Priority – Priority Delta
Correct Answer: C

Section: (none)
Explanation:

Each instance of VRRP running on a supported interface may monitor the link state of other interfaces.
The monitored interfaces do not have to be running VRRP. If a monitored interface loses its link state,
then VRRP will decrement its priority over a VRID by the specified delta value and then will send out a
new VRRP HELLO packet. If the new effective priority is less than the priority a backup platform has,
then the backup platform will begin to send out its own HELLO packet. Once the master sees this
packet with a priority greater than its own, then it releases the VIP.
Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk38524

QUESTION NO: 46

What information is NOT collected from a Security Gateway in a Cpinfo?


A. Firewall logs
B. Configuration and database files
C. System message logs
D. OS and network statistics
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92739

QUESTION NO: 47

CPM process stores objects, policies, users, administrators, licenses and management data in a
database. This database is:
A. MySQL
B. Postgres SQL
C. MariaDB
D. SOLR
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 48

Which of the following is a new R80.10 Gateway feature that had not been available in R77.X and
older?
A. The rule base can be built of layers, each containing a set of the security rules. Layers are
inspected in the order in which they are defined, allowing control over the rule base flow and which
security functionalities take precedence.
B. Limits the upload and download throughput for streaming media in the company to 1 Gbps.
C. Time object to a rule to make the rule active only during specified times.
D. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is
matched, inspection will continue in the sub policy attached to it rather than in the next rule
Correct Answer: A

Section: (none)
Explanation:

Reference: http://slideplayer.com/slide/12183998/

QUESTION NO: 49

Which Check Point ClusterXL mode is used to synchronize the physical interface IP and MAC
addresses on all clustered interfaces?
A. Legacy Mode HA
B. Pivot Mode Load Sharing
C. New Mode HA
D. Multicast Mode Load Sharing
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 50

Which one of the following is true about Threat Emulation?


A. Takes less than a second to complete
B. Works on MS Office and PDF files only
C. Always delivers a file
D. Takes minutes to complete (less than 3 minutes)
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 51

Which command shows the current connections distributed by CoreXL FW instances?


A. fw ctl multik stat
B. fw ctl affinity -l
C. fw ctl instances -v
D. fw ctl iflist
Correct Answer: A

Section: (none)
Explanation:

The fw ctl multik stat and fw6 ctl multik stat (multi-kernel statistics) commands show information for each
kernel instance. The state and processing core number of each instance is displayed, along with:
The number of connections currently being handled.
The peak number of concurrent connections the instance has handled since its inception.
Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 52

In a ClusterXL high-availability environment, what MAC address will answer for Virtual IP in the default
configuration?
A. MAC address of Active Member
B. Virtual MAC Address
C. MAC Address of Standby Member
D. MAC Address of Management Server
Correct Answer: A

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7292.htm

QUESTION NO: 53

What is the SOLR database for?


A. Used for full text search and enables powerful matching capabilities
B. Writes data to the database and full text search
C. Serves GUI responsible to transfer request to the DLEserver
D. Enables powerful matching capabilities and writes data to the database
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 54

What are the methods of SandBlast Threat Emulation deployment?

A. Cloud, Appliance and Private
B. Cloud, Appliance and Hybrid
C. Cloud, Smart-1 and Hybrid
D. Cloud, OpenServer and Vmware
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 55

What are the main stages of a policy installation?


A. Verification & Compilation, Transfer and Commit
B. Verification & Compilation, Transfer and Installation
C. Verification, Commit, Installation
D. Verification, Compilation & Transfer, Installation
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 56

What has to be taken into consideration when configuring Management HA?


A. The Database revisions will not be synchronized between the management servers.
B. SmartConsole must be closed prior to synchronize changes in the objects database.
C. If you wanted to use Full Connectivity Upgrade, you must change the Implied Rules to allow
FW1_cpredundant to pass before the Firewall Control Connections.
D. For Management Server synchronization, only External Virtual Switches are supported. So, if you
wanted to employ Virtual Routers instead, you have to reconsider your design.
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 57

What is the difference between an event and a log?


A. Events are generated at gateway according to Event Policy
B. A log entry becomes an event when it matches any rule defined in Event Policy
C. Events are collected with SmartWorkflow from Trouble Ticket systems
D. Logs and Events are synonyms
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 58

What CLI command will reset the IPS pattern matcher statistics?
A. ips reset pmstat
B. ips pstats reset
C. ips pmstats refresh
D. ips pmstats reset
Correct Answer: D

Section: (none)
Explanation:

ips pmstats reset


Description - Resets the data that is collected to calculate the pmstat statistics.
Usage - ips pmstats reset
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_CLI_WebAdmin/84627.htm#o84635

QUESTION NO: 59

Which one of these features is NOT associated with the Check Point URL Filtering and Application
Control Blade?
A. Detects and blocks malware by correlating multiple detection engines before users are affected.
B. Configure rules to limit the available network bandwidth for specified users or groups.
C. Use UserCheck to help users understand that certain websites are against the company’s
security policy.
D. Make rules to allow or block applications and Internet sites for individual applications, categories,
and risk levels.
Correct Answer: A

Section: (none)
Explanation:

Use the URL Filtering and Application Control Software Blades to:
Create a Granular Policy - Make rules to allow or block applications and Internet sites for individual
applications, categories, and risk levels. You can also create an HTTPS policy that enables Security
Gateways to inspect HTTPS traffic and prevent security risks related to the SSL protocol.
Manage Bandwidth Consumption - Configure rules to limit the available network bandwidth for
specified users or groups. You can define separate limits for uploading and downloading.
Keep Your Policies Updated - The Application Database is updated regularly, which helps you make
sure that your Internet security policy has the newest applications and website categories. Security
Gateways connect to the Check Point Online Web Service to identify new social networking widgets
and website categories.
Communicate with Users - UserCheck objects add flexibility to URL Filtering and Application Control
and let the Security Gateways communicate with users. UserCheck helps users understand that certain
websites are against the company's security policy. It also tells users about the changes in Internet
policy related to websites and applications.
Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197

QUESTION NO: 60

You have successfully backed up your Check Point configurations without the OS information. What
command would you use to restore this backup?
A. restore_backup
B. import backup
C. cp_merge
D. migrate import
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 61

What does the command vpn crl_zap do?


A. Nothing, it is not a valid command
B. Erases all CRL’s from the gateway cache
C. Erases VPN certificates from cache
D. Erases CRL’s from the management server cache
Correct Answer: B

Section: (none)
Explanation:

Reference: https://indeni.com/check-point-firewalls-certification-revocation-list-crl-check-mechanism-on-a-check-point-gateway/

QUESTION NO: 62

To fully enable Dynamic Dispatcher with Firewall Priority Queues on a Security Gateway, run the
following command in Expert mode then reboot:
A. fw ctl multik set_mode 1
B. fw ctl Dynamic_Priority_Queue on
C. fw ctl Dynamic_Priority_Queue enable
D. fw ctl multik set_mode 9
Correct Answer: D

Section: (none)

Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105762

QUESTION NO: 63

What is the limitation of employing Sticky Decision Function?


A. With SDF enabled, the involved VPN Gateways only supports IKEv1
B. Acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF
C. With SDF enabled, only ClusterXL in legacy mode is supported
D. With SDF enabled, you can only have three Sync interfaces at most
Correct Answer: B

Section: (none)

Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7290.htm

QUESTION NO: 64

As a valid Mobile Access Method, what feature provides Capsule Connect/VPN?


A. that is used to deploy the mobile device as a generator of one-time passwords for authenticating
to an RSA Authentication Manager
B. Full Layer4 VPN –SSL VPN that gives users network access to all mobile applications
C. Full layer3 VPN –IPSec VPN that gives users network access to all mobile applications
D. You can make sure that documents are sent to the intended recipients only
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Mobile_Access_WebAdmin/82201.htm

QUESTION NO: 65

Fred is troubleshooting a NAT issue and wants to check to see if the inbound connection from his
internal network is being translated across the interface in the firewall correctly. He decides to use the
fw monitor to capture the traffic from the source 192.168.3.5 or the destination of 10.1.1.25 on his
Security Gateway, Green that has an IP of 192.168.4.5. What command captures this traffic in a file that
he can download and review with WireShark?
A. Expert@Green# fwmonitor -e "accept src=192.168.3.5 and dst=10.1.1.25;" -o monitor.out
B. Expert@Green# fw monitor -e "accept src=192.168.3.5 or dst=10.1.1.25;" -o monitor.out
C. Expert@Green# fwmonitor -e "accept src=192.168.3.5 or dst=10.1.1.25;" -o monitor.out
D. Expert@Green# fw monitor -e "accept src=192.168.4.5 or dst=10.1.1.25;" -o monitor.out
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 66

What GUI client would you use to view an IPS packet capture?
A. SmartView Monitor
B. SmartView Tracker
C. Smart Update
D. Smart Reporter
Correct Answer: B

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12766.htm

QUESTION NO: 67

In which case is a Sticky Decision Function relevant?


A. Load Sharing – Multicast
B. Load Balancing – Forward
C. High Availability
D. Load Sharing – Unicast
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 68

Check Point Management (cpm) is the main management process in that it provides the architecture for
the consolidated management console. It empowers the migration from legacy Client side logic to
Server side-logic. The cpm process:
A. Allow GUI Client and management server to communicate via TCP Port 19001
B. Allow GUI Client and management server to communicate via TCP Port 18191
C. Performs database tasks such as creating, deleting, and modifying objects and compiling policy.
D. Performs database tasks such as creating, deleting, and modifying objects and compiling as well
as policy code generation.
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 69

Mobile Access supports all of the following methods of Link Translation EXCEPT:
A. Hostname Translation (HT)
B. Path Translation (PT)
C. URL Translation (UT)
D. Identity Translation (IT)
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Mobile_Access_WebAdmin/84202.htm

QUESTION NO: 70

Customer’s R80 management server needs to be upgraded to R80.10. What is the best upgrade
method when the management server is not connected to the Internet?
A. Export R80 configuration, clean install R80.10 and import the configuration
B. CPUSE online upgrade
C. CPUSE offline upgrade
D. SmartUpdate upgrade
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 71

You find one of your cluster gateways showing “Down” when you run the “cphaprob stat” command.
You then run the “clusterXL_admin up” on the down member but unfortunately the member continues to
show down. What command do you run to determine the cause?
A. cphaprob -f register
B. cphaprob -d-s report
C. cpstat-f-all
D. cphaprob -a list
Correct Answer: D

Section: (none)
Explanation:

Reference:
http://dl3.checkpoint.com/paid/63/6357d81e3b75b5a09a422d715c3b3d79/CP_R80.10_ClusterXL_AdminGuide.pdf?HashKey=1522170580_c51bd784a86600b5f6141c0f1a6322fd&xtn=.pdf

QUESTION NO: 72

When simulating a problem on a ClusterXL cluster with cphaprob -d STOP -s problem -t 0 register, to
initiate a failover on an active cluster member, what command allows you to remove the problematic
state?
A. cphaprob -d STOP unregister
B. cphaprob STOP unregister
C. cphaprob unregister STOP
D. cphaprob -d unregister STOP
Correct Answer: A

Section: (none)
Explanation:

Testing a failover in a controlled manner using the following command:

# cphaprob -d STOP -s problem -t 0 register

This will register a problem state on the cluster member this was entered on. If you then run:

# cphaprob list

this will show an entry named STOP.

To remove this problematic register, run the following:

# cphaprob -d STOP unregister

Reference: https://fwknowledge.wordpress.com/2013/04/04/manual-failover-of-the-fw-cluster/

QUESTION NO: 73

By default, the R80 web API uses which content-type in its response?
A. Java Script
B. XML
C. Text
D. JSON
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 74

What is the port used for SmartConsole to connect to the Security Management Server:
A. CPMI port 18191/TCP
B. CPM port / TCP port 19009
C. SIC port 18191/TCP
D. https port 4434/TCP
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 75

If the Active Security Management Server fails or if it becomes necessary to change the Active to
Standby, the following steps must be taken to prevent data loss.
Providing the Active Security Management Server is responsive, which of these steps should NOT be
performed:
A. Rename the hostname of the Standby member to match exactly the hostname of the Active
member.
B. Change the Standby Security Management Server to Active.
C. Change the Active Security Management Server to Standby.
D. Manually synchronize the Active and Standby Security Management Servers.
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 76

Which method below is NOT one of the ways to communicate using the Management APIs?
A. Typing API commands using the “mgmt_cli” command
B. Typing API commands from a dialog box inside the SmartConsole GUI application
C. Typing API commands using Gaia’s secure shell (clish)
D. Sending API commands over an http connection using web-services
Correct Answer: D

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80/APIs/#introduction%20

QUESTION NO: 77

Which of the following is NOT a type of Check Point API available in R80.10?
A. Identity Awareness Web Services
B. OPSEC SDK
C. Mobile Access
D. Management
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 78

Which components allow you to reset a VPN tunnel?


A. vpn tu command or SmartView Monitor
B. delete vpn ike sa or vpn shell command
C. vpn tunnelutil or delete vpn ike sa command
D. SmartView monitor only
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 79

After successfully exporting a policy package, how would you import that package into another SMS
database in R80.10?
A. import_package.py
B. upgrade_import
C. migrate
D. cp_merge
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 80

When using Monitored circuit VRRP, what is a priority delta?


A. When an interface fails the priority changes to the priority delta
B. When an interface fails the delta claims the priority
C. When an interface fails the priority delta is subtracted from the priority
D. When an interface fails the priority delta decides if the other interfaces takes over
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/87911.htm

QUESTION NO: 81

What is the command to see cluster status in cli expert mode?

A. fw ctl stat
B. clusterXL stat
C. clusterXL status
D. cphaprob stat
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 82

SmartEvent provides a convenient way to run common command line executables that can assist in
investigating events. Right-clicking the IP address, source or destination, in an event provides a list of
default and customized commands. They appear only on cells that refer to IP addresses because the IP
address of the active cell is used as the destination of the command when run. The default commands
are:
A. ping, traceroute, netstat, and route
B. ping, nslookup, Telnet, and route
C. ping, whois, nslookup, and Telnet
D. ping, traceroute, netstat, and nslookup
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_SmartEventIntro_AdminGuide/17468.htm

QUESTION NO: 83

Why would you not see a CoreXL configuration option in cpconfig?


A. The gateway only has one processor
B. CoreXL is not licensed
C. CoreXL is disabled via policy
D. CoreXL is not enabled in the gateway object
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 84

Daisy needs to review how the Security Gateway Cluster, Jonas, behaves when a cluster member
comes back on line. Where would she review the behavior of cluster member recovery in the
Dashboard?
A. Open SmartDashboard, select and open the Cluster Object Jonas, Select ClusterXL and review
the High Availability recovery options.
B. Open SmartDashboard, select and open the Cluster Object Jonas, Select Cluster Members and
review the High Availability recovery options.
C. Open SmartDashboard, select and open the Cluster Object Jonas, Select Topology – Advanced
Options and review the High Availability recovery options.
D. Open SmartDashboard, select and open the Cluster Object Jonas, Select ClusterXL – Advanced
Options and review the High Availability recovery options.
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 85

What utility would you use to configure route-based VPNs?


A. vpn shell
B. vpn tu
C. vpn sw_topology
D. vpn set_slim_server
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 86

What is the correct statement about Security Gateway and Security Management Server failover in Check
Point R80.X in terms of Check Point Redundancy driven solutions?
A. Security Gateway failover is an automatic procedure but Security Management Server failover is a
manual procedure.
B. Security Gateway failover as well as Security Management Server failover is a
manual procedure
C. Security Gateway failover is a manual procedure but Security Management Server failover is an
automatic procedure.
D. Security Gateway failover as well as Security Management Server failover is an automatic
procedure.
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 87

What is the proper CLISH syntax to configure a default route via 192.168.255.1 in Gaia?
A. set static-route default nexthop gateway address 192.168.255.1 priority 1 on
B. set static-route 192.168.255.0/24 nexthop gateway logical eth1 on
C. set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on
D. set static-route nexthop default gateway logical 192.168.255.1 priority 1 on
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 88

You need to change the number of firewall instances used by CoreXL. How can you achieve this goal?
A. edit fwaffinity.conf; reboot required
B. cpconfig; reboot required
C. edit fwaffinity.conf; reboot not required
D. cpconfig: reboot not required
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm#o94530

QUESTION NO: 89

What is the SandBlast Agent designed to do?


A. Performs OS-level sandboxing for SandBlast Cloud architecture
B. Ensure the Check Point SandBlast services is running on the end user’s system
C. If malware enters an end user’s system, the SandBlast Agent prevents the malware from
spreading with the network
D. Clean up email sent with malicious attachments.
Correct Answer: C

Section: (none)
Explanation:

Reference: https://www.checkpoint.com/downloads/product-related/datasheets/ds-sandblast-agent.pdf

QUESTION NO: 90

Which command shows the connection table in human readable format?


A. fw tab -t connections -s
B. fw tab -t connections -u
C. fw tab -t connections -h
D. fw tab -t connections -f
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide/208178

QUESTION NO: 91

Which statement is most correct regarding “CoreXL Dynamic Dispatcher”?
A. The CoreXL FW instances assignment mechanism is based on Source MAC addresses,
Destination MAC addresses.
B. The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores.
C. The CoreXL FW instances assignment mechanism is based on IP Protocol type.
D. The CoreXL FW instances assignment mechanism is based on Source IP addresses,
Destination IP addresses, and the IP ‘Protocol’ type.
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261

QUESTION NO: 92

Which statement is NOT TRUE about Delta synchronization?


A. Using UDP Multicast or Broadcast on port 8161
B. Using UDP Multicast or Broadcast on port 8116
C. Quicker than Full Sync
D. Transfers changes in the Kernel labels between cluster members
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 93

What can you do to see the current number of kernel instances in a system with CoreXL enabled?
A. Browse to Secure Platform Web GUI
B. Only Check Point support personnel can access that information
C. Execute SmartDashboard client
D. Execute command cpconfig
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 94

The SmartEvent R80 Web application for real-time event monitoring is called:
A. SmartView Monitor
B. SmartEventWeb
C. There is no Web application for SmartEvent
D. SmartView
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/120829

QUESTION NO: 95

Which command would you use to determine the current Cluster Global ID?
A. fw ctl show global_cluster_id
B. fw ctl get int global_cluster_id
C. Expert -> cphaconf cluster_id get
D. Clish -> cphaconf cluster_id get
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977

QUESTION NO: 96

There are 4 ways to use the Management API for creating a host object with R80 Management API.
Which one is NOT correct?
A. Using Web Services
B. Using Mgmt_cli tool
C. Using CLISH
D. Using SmartConsole GUI console
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 97

Jack needs to configure CoreXL on his Red Security Gateway. What are the correct steps to enable
CoreXL?
A. SSH to Red Security Gateway, run cpconfig> select Configure Check Point CoreXL > enable
CoreXL > exit cpconfig> reboot the Security Gateway
B. SSH to Red Security Gateway, run cpconfig> select Configure Check Point CoreXL > exit
cpconfig> reboot the Security Gateway
C. Open the SmartDashboard, Open the Red Check Point Object, select ClusterXL, check the
CoreXL box, and push policy
D. Open the SmartDashboard, Open the Red Check Point Object, select Optimizations, check the
CoreXL box, and push policy
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 98

For best practices, what is the recommended time for automatic unlocking of locked admin accounts?
A. 20 minutes
B. 15 minutes
C. Admin account cannot be unlocked automatically
D. 30 minutes at least
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 99

Identify the API that is not supported by Check Point currently.


A. R80 Management API
B. Identity Awareness Web Services API
C. Open REST API
D. OPSEC SDK
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 100

What are the methods of SandBlast Threat Emulation deployment?


A. Cloud, Appliance and Private
B. Cloud, Appliance and Hybrid
C. Cloud, Smart-1 and Hybrid
D. Cloud, OpenServer and VMware
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 101

What is considered Hybrid Emulation Mode?


A. Manual configuration of file types on emulation location
B. Load sharing of emulation between an on premise appliance and the cloud
C. Load sharing between OS behavior and CPU Level emulation
D. High availability between the local SandBlast appliance and the cloud
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 102

What is a feature that enables VPN connections to successfully maintain a private and secure VPN
session without employing Stateful Inspection?
A. Stateful Mode
B. VPN Routing Mode
C. Wire Mode
D. Stateless Mode
Correct Answer: C

Section: (none)
Explanation:

Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing
Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted
source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private
and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer
takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode
configurations can now be deployed. The VPN connection is no different from any other connections
along a dedicated wire, thus the meaning of "Wire Mode".
Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30974

QUESTION NO: 103

On R80.10 the IPS Blade is managed by:


A. Threat Protection policy
B. Anti-Bot Blade
C. Threat Prevention policy
D. Layers on Firewall policy
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 104

How can SmartView Web application be accessed?


A. https://<Security Management IP Address>/smartview
B. https://<Security Management IP Address>:4434/smartview/
C. https://<Security Management host name>/smartview/
D. https://<Security Management host name>:4434/smartview/
Correct Answer: A

Section: (none)
Explanation:

Reference: https://community.checkpoint.com/t5/Logging-and-Reporting/SmartView-Accessing-Check-Point-Logs-from-Web/td-p/3710

QUESTION NO: 105

When doing a Stand-Alone Installation, you would install the Security Management Server with which
other Check Point architecture component?
A. None, Security Management Server would be installed by itself
B. SmartConsole
C. SecureClient
D. SmartEvent
Correct Answer: D

Section: (none)

Explanation:

QUESTION NO: 106

What are the steps to configure the HTTPS Inspection Policy?


A. Go to Manage&Settings>Blades>HTTPS Inspection>Configure In SmartDashboard
B. Go to Application&url filtering blade>Advanced>Https Inspection>Policy
C. Go to Manage&Settings>Blades>HTTPS Inspection>Policy
D. Go to Application&url filtering blade>Https Inspection>Policy
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 107

What is the least amount of CPU cores required to enable CoreXL?


A. 2
B. 1
C. 4
D. 6
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 108

SandBlast agent extends 0 day prevention to what part of the network?


A. Web Browsers and user devices
B. DMZ server
C. Cloud
D. Email servers
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 109

You are investigating issues with two gateway cluster members that are not able to establish the first
initial cluster synchronization. What service is used by the FWD daemon to do a Full Synchronization?
A. TCP port 443
B. TCP port 257
C. TCP port 256
D. UDP port 8116
Correct Answer: C

Section: (none)
Explanation:

Synchronization works in two modes:


Full sync transfers all Security Gateway kernel table information from one cluster member to another.
It is handled by the fwd daemon using an encrypted TCP connection.
Delta sync transfers changes in the kernel tables between cluster members. Delta sync is handled by
the Security Gateway kernel using UDP multicast or broadcast on port 8116.
Full sync is used for initial transfers of state information, for many thousands of connections. If a cluster
member is brought up after being down, it will perform full sync. After all members are synchronized,
only updates are transferred via delta sync. Delta sync is quicker than full sync.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7288.htm
Port info: https://www.cpug.org/forums/archive/index.php/t-12704.html

QUESTION NO: 110

What is the difference between an event and a log?


A. Events are generated as gateway according to Event Policy
B. A log entry becomes an event when it matches any rule defined in Event Policy
C. Events are collected with SmartWorkflow from Trouble Ticket systems
D. Logs and Events are synonyms
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 111

What are the three components for Check Point Capsule?
A. Capsule Docs, Capsule Cloud, Capsule Connect
B. Capsule Workspace, Capsule Cloud, Capsule Connect
C. Capsule Workspace, Capsule Docs, Capsule Connect
D. Capsule Workspace, Capsule Docs, Capsule Cloud
Correct Answer: D

Section: (none)
Explanation:

Reference: https://www.checkpoint.com/solutions/mobile-security/check-point-capsule/

QUESTION NO: 112

What does the command vpn crl_zap do?


A. Nothing, it is not a valid command
B. Erases all CRLs from the gateway cache
C. Erases VPN certificates from cache
D. Erases CRLs from the management server cache
Correct Answer: B

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/12467.htm#o12618

QUESTION NO: 113

You need to change the MAC-address on eth2 interface of the gateway. What command and what
mode will you use to achieve this goal?
A. set interface eth2 mac-addr 11:11:11:11:11:11; CLISH
B. ifconfig eth1 hw 11:11:11:11:11:11; expert
C. set interface eth2 hw-addr 11:11:11:11:11:11; CLISH
D. ethtool -i eth2 mac 11:11:11:11:11:11; expert
Correct Answer: A

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm

QUESTION NO: 114

Joey is preparing a plan for Security management upgrade. He wants to upgrade management to
R80.x. What is the lowest supported version of the Security Management he can upgrade from?
A. R76
B. R77.X with direct upgrade
C. Splat R75.40, he has to use an Advanced upgrade with Database Migration
D. Gaia R75.40, he has to use an Advanced upgrade with Database Migration
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 115

Which is the correct order of a log flow processed by SmartEvent components:


A. Firewall > Correlation Unit > Log Server > SmartEvent Server Database > SmartEvent Client
B. Firewall > SmartEvent Server Database > Correlation unit > Log Server > SmartEvent Client
C. Firewall > Log Server > SmartEvent Server Database > Correlation Unit > SmartEvent Client
D. Firewall > Log Server > Correlation Unit > SmartEvent Server Database > SmartEvent Client
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 116

Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an
Active-Active cluster.
A. Symmetric routing
B. Failovers
C. Asymmetric routing
D. Anti-Spoofing
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 117

SandBlast offers flexibility in implementation based on their individual business needs. What is an
option for deployment of Check Point SandBlast Zero-Day Protection?
A. Smart Cloud Services
B. Load Sharing Mode Services
C. Threat Agent Solution
D. Public Cloud Services
Correct Answer: C

Section: (none)
Explanation:

Reference: https://www.checkpoint.com/products/threat-emulation-sandboxing/

QUESTION NO: 118

GAiA Software update packages can be imported and installed offline in situations where:
A. Security Gateway with GAiA does NOT have SFTP access to Internet
B. Security Gateway with GAiA does NOT have access to Internet.
C. Security Gateway with GAiA does NOT have SSH access to Internet.
D. The desired CPUSE package is ONLY available in the Check Point CLOUD.
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449#How%20to%20work%20with%20CPUSE%20-%20How%20to%20download%20and%20import%20a%20CPUSE%20package%20-%20Import%20instructions%20for%20Offline%20procedure%20-%20Gaia%20Portal

QUESTION NO: 119

Which of these options is an implicit MEP option?
A. Primary-backup
B. Source address based
C. Round robin
D. Load Sharing
Correct Answer: A

Section: (none)
Explanation:

There are three methods to implement implicit MEP:


First to Respond, in which the first Security Gateway to reply to the peer Security Gateway is chosen.
An organization would choose this option if, for example, the organization has two Security Gateways in
a MEP configuration - one in London, the other in New York. It makes sense for VPN-1 peers located in
England to try the London Security Gateway first and the NY Security Gateway second. Being
geographically closer to VPN peers in England, the London Security Gateway is the first to respond,
and becomes the entry point to the internal network. See: First to Respond.
Primary-Backup, in which one or multiple backup Security Gateways provide "high availability" for a
primary Security Gateway. The remote peer is configured to work with the primary Security Gateway,
but switches to the backup Security Gateway if the primary goes down. An organization might decide to
use this configuration if it has two machines in a MEP environment, one of which is stronger than the
other. It makes sense to configure the stronger machine as the primary. Or perhaps both machines are
the same in terms of strength of performance, but one has a cheaper or faster connection to the
Internet. In this case, the machine with the better Internet connection should be configured as the
primary. See: Primary-Backup Security Gateways.
Load Distribution, in which the remote VPN peer randomly selects a Security Gateway with which to
open a connection. For each IP source/destination address pair, a new Security Gateway is randomly
selected. An organization might have a number of machines with equal performance abilities. In this
case, it makes sense to enable load distribution. The machines are used in a random and equal way.
See: Random Selection.
Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13812.htm

QUESTION NO: 120

R80.10 management server can manage gateways with which versions installed?
A. Versions R77 and higher
B. Versions R76 and higher
C. Versions R75.20 and higher
D. Version R75 and higher
Correct Answer: C

Section: (none)
Explanation:

Reference:
http://dl3.checkpoint.com/paid/88/88e25b652f62aa6f59dc955e34f98d5c/CP_R80.10_ReleaseNotes.pdf?HashKey=1538443232_ff63052c2c5a68c42c47eae9e15273c8&xtn=.pdf

QUESTION NO: 121

During inspection of your Threat Prevention logs you find four different computers having one event
each with a Critical Severity. Which of those hosts should you try to remediate first?
A. Host having a Critical event found by Threat Emulation
B. Host having a Critical event found by IPS
C. Host having a Critical event found by Antivirus
D. Host having a Critical event found by Anti-Bot
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 122

Which directory below contains log files?


A. /opt/CPSmartlog-R80/log
B. /opt/CPshrd-R80/log
C. /opt/CPsuite-R80/fw1/log
D. /opt/CPsuite-R80/log
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 123

You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were
dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you
decide to use Priority Queues and fully enable Dynamic Dispatcher. How can you enable them?
A. fw ctl multik dynamic_dispatching on
B. fw ctl multik dynamic_dispatching set_mode 9
C. fw ctl multik set_mode 9
D. fw ctl multik pq enable
Correct Answer: C

Section: (none)
Explanation:

To fully enable the CoreXL Dynamic Dispatcher on Security Gateway:


1. Run in Expert mode:
[Expert@HostName]# fw ctl multik set_mode 9
Example output:
[Expert@R77.30:0]# fw ctl multik set_mode 9
Please reboot the system
[Expert@R77.30:0]#
Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261

QUESTION NO: 124

Which is not a blade option when configuring SmartEvent?


A. Correlation Unit
B. SmartEvent Unit
C. SmartEvent Server
D. Log Server
Correct Answer: B

Section: (none)
Explanation:

On the Management tab, enable these Software Blades:


Logging & Status
SmartEvent Server
SmartEvent Correlation Unit
Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/120829

QUESTION NO: 125

How many images are included with Check Point TE appliance in Recommended Mode?
A. 2 (OS) images
B. Images are chosen by administrator during installation
C. as many as licensed for
D. the most new image
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 126

Session unique identifiers are passed to the web api using which http header option?
A. X-chkp-sid
B. Accept-Charset
C. Proxy-Authorization
D. Application
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 127

In a Client to Server scenario, which represents that the packet has already been checked against the
tables and the Rule Base?
A. Big I
B. Little o
C. Little i
D. Big O
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 128

Tom has been tasked to install Check Point R80 in a distributed deployment. Before Tom installs the
systems this way, how many machines will he need if he does NOT include a SmartConsole machine in
his calculations?
A. One machine, but it needs to be installed using SecurePlatform for compatibility purposes.
B. One machine
C. Two machines
D. Three machines
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 129

Fill in the blank: The R80 utility fw monitor is used to troubleshoot __________.
A. User data base corruption
B. LDAP conflicts
C. Traffic issues
D. Phase two key negotiation
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 130

What is the mechanism behind Threat Extraction?

A. This is a new mechanism which extracts malicious files from a document to use it as a counter-
attack against its sender
B. This is a new mechanism which is able to collect malicious files out of any kind of file types to
destroy it prior to sending it to the intended recipient
C. This is a new mechanism to identify the IP address of the sender of malicious codes and to put it
into the SAM database (Suspicious Activity Monitoring).
D. Any active contents of a document, such as JavaScripts, macros and links will be removed from
the document and forwarded to the intended recipient, which makes this solution very fast.
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 131

What scenario indicates that SecureXL is enabled?


A. Dynamic objects are available in the Object Explorer
B. SecureXL can be disabled in cpconfig
C. fwaccel commands can be used in clish
D. Only one packet in a stream is seen in a fw monitor packet capture
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 132

What command can you use to have cpinfo display all installed hotfixes?
A. cpinfo -hf
B. cpinfo -y all
C. cpinfo -get hf
D. cpinfo installed_jumbo
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 133

You want to store the GAiA configuration in a file for later reference. What command should you use?
A. write mem <filename>
B. show config -f <filename>
C. save config -o <filename>
D. save configuration <filename>
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102234

QUESTION NO: 134

What command lists all interfaces using Multi-Queue?


A. cpmq get
B. show interface all
C. cpmq set
D. show multiqueue all
Correct Answer: A

Section: (none)

Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/93689.htm

QUESTION NO: 135

Which file gives you a list of all security servers in use, including port number?
A. $FWDIR/conf/conf.conf
B. $FWDIR/conf/servers.conf
C. $FWDIR/conf/fwauthd.conf
D. $FWDIR/conf/serversd.conf
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 136

Security Checkup Summary can be easily conducted within:


A. Summary
B. Views
C. Reports
D. Checkups
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 137

The following command is used to verify the CPUSE version:


A. HostName:0>show installer status build
B. [Expert@HostName:0]#show installer status
C. [Expert@HostName:0]#show installer status build
D. HostName:0>show installer build
Correct Answer: A

Section: (none)
Explanation:

Reference: http://dkcheckpoint.blogspot.com/2017/11/how-to-fix-deployment-agent-issues.html

QUESTION NO: 138

After making modifications to the $CVPNDIR/conf/cvpnd.C file, how would you restart the daemon?
A. cvpnd_restart
B. cvpnd_restart
C. cvpnd restart
D. cvpnrestart
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34939

QUESTION NO: 139

To fully enable Dynamic Dispatcher on a Security Gateway:


A. run fw ctl multik set_mode 9 in Expert mode and then reboot
B. Using cpconfig, update the Dynamic Dispatcher value to “full” under the CoreXL menu
C. Edit /proc/interrupts to include multik set_mode 1 at the bottom of the file, save, and reboot
D. run fw ctl multik set_mode 1 in Expert mode and then reboot
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261

QUESTION NO: 140

What is true of the API server on R80.10?


A. By default the API-server is activated and does not have hardware requirements
B. By default the API-server is not active and should be activated from the WebUI
C. By default the API server is active on management and stand-alone servers with 16GB of RAM
(or more)
D. By default, the API server is active on management servers with 4 GB of RAM (or more) and on
stand-alone servers with 8 GB of RAM (or more)
Correct Answer: D

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80/APIs/#introduction%20

QUESTION NO: 141

Both ClusterXL and VRRP are fully supported by Gaia R80.10 and available to all Check Point
appliances. Which of the following commands is NOT related to redundancy and functions?
A. cphaprob stat
B. cphaprob -a if
C. cphaprob -l list
D. cphaprob all show stat
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 142

When deploying multiple clustered firewalls on the same subnet, what does the firewall administrator
need to configure to prevent CCP broadcasts being sent to the wrong cluster?
A. Set the fwha_mac_magic_forward parameter in the $CPDIR/boot/modules/ha_boot.conf
B. Set the fwha_mac_magic parameter in the $FWDIR/boot/fwkern.conf file
C. Set the cluster global ID using the command “cphaconf cluster_id set <value>”
D. Set the cluster global ID using the command “fw ctt set cluster_id <value>”
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977

QUESTION NO: 143

CPD is a core Check Point process that does all of the following EXCEPT:
A. AMON status pull from the Gateway
B. Management High Availability (HA) sync
C. SIC (Secure Internal Communication) functions
D. Policy installation
Correct Answer: B

Section: (none)
Explanation:

Reference: https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/11880/FILE/How-To-Troubleshoot-SIC-related-Issues.pdf

QUESTION NO: 144

Which Check Point software blades could be enforced under Threat Prevention profile using Check
Point R80.10 SmartConsole application?
A. IPS, Anti-Bot, URL Filtering, Application Control, Threat Emulation
B. Firewall, IPS, Threat Emulation, Application Control
C. IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction
D. Firewall, IPS, Anti-Bot, Anti-Virus, Threat Emulation
Correct Answer: C

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ThreatPrevention_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_ThreatPrevention_AdminGuide/138383

QUESTION NO: 145

The “MAC magic” value must be modified under the following condition:
A. There is more than one cluster connected to the same VLAN
B. A firewall cluster is configured to use Multicast for CCP traffic
C. There are more than two members in a firewall cluster
D. A firewall cluster is configured to use Broadcast for CCP traffic
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977

QUESTION NO: 146

A Threat Prevention profile is a set of configurations based on the following. (Choose all that apply.)
A. Anti-Virus settings, Anti-Bot settings, Threat Emulation settings
B. Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings
C. Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings,
HTTPS inspection settings
D. Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection
settings
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/82209.htm

QUESTION NO: 147

The Correlation Unit performs all but which of the following actions:
A. Marks logs that individually are not events, but may be part of a larger pattern to be identified
later
B. Generates an event based on the Event policy
C. Assigns a severity level to the event
D. Takes a new log entry that is part of a group of items that together make up an event, and adds it
to an ongoing event
Correct Answer: C

Section: (none)

Explanation:

QUESTION NO: 148

Which command is used to display status information for various components?


A. show all systems
B. show system messages
C. sysmess all
D. show sysenv all
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/120709

QUESTION NO: 149

What SmartEvent component creates events?


A. Consolidation Policy
B. Correlation Unit
C. SmartEvent Policy
D. SmartEvent GUI
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 150

Which of the following is NOT a valid way to view interface’s IP address settings in Gaia?
A. Using the command sthtool in Expert Mode
B. Viewing the file /config/active
C. Via the Gaia WebUI
D. Via the command show configuration in CLISH
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 151

Joey and Vanessa are firewall administrators in their company. Joey wants to run the Management API
server on his Security Management server. He logs in to SmartConsole and goes to
Manage & Settings > Blades. In the Management API section, he proceeds to Advanced Settings. He wants
to set the Management API server to run automatically at startup. He is surprised because this
functionality is already selected by default. Why is that functionality already enabled?
A. Joey is an administrator of Distributed Security Management with at least 4GB of RAM.
B. Vanessa is an administrator of Standalone Security Management with at least 6GB of RAM.
C. Vanessa already enabled this feature on the Security server before him, but didn’t tell Joey.
D. Joey is an administrator of StandAlone Security Management with Gateway with 6GB of RAM.
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/117948

QUESTION NO: 152

In R80 spoofing is defined as a method of:


A. Disguising an illegal IP address behind an authorized IP address through Port Address
Translation.
B. Hiding your firewall from unauthorized users.
C. Detecting people using false or wrong authentication logins
D. Making packets appear as if they come from an authorized IP address.
Correct Answer: D

Section: (none)
Explanation:

IP spoofing replaces the untrusted source IP address with a fake, trusted one, to hijack connections to
your network. Attackers use IP spoofing to send malware and bots to your protected network, to
execute DoS attacks, or to gain unauthorized access.
Reference:
http://dl3.checkpoint.com/paid/74/74d596decb6071a4ee642fbdaae7238f/CP_R80_SecurityManagement_AdminGuide.pdf?HashKey=1479584563_6f823c8ea1514609148aa4fec5425db2&xtn=.pdf

QUESTION NO: 153

What is mandatory for ClusterXL to work properly?


A. The number of cores must be the same on every participating cluster node
B. The Magic MAC number must be unique per cluster node.
C. The Sync Interface must not have an IP address configured
D. If you have “Non-monitored Private” interfaces, the number of those interfaces must be the same
on all cluster members
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 154

Automatic affinity means that if SecureXL is running, the affinity for each interface is automatically
reset every:
A. 15 sec
B. 60 sec
C. 5 sec
D. 30 sec
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 155

Which of the following is NOT an attribute of packet acceleration?
A. Source address
B. Protocol
C. Destination port
D. Application Awareness
Correct Answer: D

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/92711.htm

QUESTION NO: 156

Which configuration file contains the structure of the Security Servers showing the port numbers,
corresponding protocol name, and status?
A. $FWDIR/database/fwauthd.conf
B. $FWDIR/conf/fwauth.conf
C. $FWDIR/conf/fwauthd.conf
D. $FWDIR/state/fwauthd.conf
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 157

What command verifies that the API server is responding?


A. api stat
B. api status
C. show api_status
D. api_get_status
Correct Answer: B

Section: (none)
Explanation:

Reference: https://community.checkpoint.com/thread/6524-can-anybody-let-me-know-how-can-we-import-policyrules-via-csv-file

QUESTION NO: 158

If the first packet of a UDP session is rejected by a security policy, what does the firewall send to the
client?
A. Nothing
B. TCP FIN
C. TCP RST
D. ICMP unreachable
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 159

What is the most ideal Synchronization Status for Security Management Server High Availability
deployment?
A. Lagging
B. Synchronized
C. Never been synchronized
D. Collision
Correct Answer: B

Section: (none)
Explanation:

The possible synchronization statuses are:

Never been synchronized - immediately after the Secondary Security Management server has been
installed, it has not yet undergone the first manual synchronization that brings it up to date with the
Primary Security Management server.
Synchronized - the peer is properly synchronized and has the same database information and
installed Security Policy.
Lagging - the peer SMS has not been synchronized properly. For instance, on account of the fact that
the Active SMS has undergone changes since the previous synchronization (objects have been edited,
or the Security Policy has been newly installed), the information on the Standby SMS is lagging.
Advanced - the peer SMS is more up-to-date. For instance, in the above figure, if a system
administrator logs into Security Management server B before it has been synchronized with the
Security Management server A, the status of the Security Management server A is Advanced, since it
contains more up-to-date information which the former does not have. In this case, manual
synchronization must be initiated by the system administrator by changing the Active SMS to a
Standby SMS. Perform a synch me operation from the more advanced server to the Standby SMS.
Change the Standby SMS to the Active SMS.
Collision - the Active SMS and its peer have different installed policies and databases. The
administrator must perform manual synchronization and decide which of the SMSs to overwrite.
Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/13132

QUESTION NO: 160

What command would show the API server status?


A. cpm status
B. api restart
C. api status
D. show api status
Correct Answer: C

Section: (none)
Explanation:

Reference: https://www.hurricanelabs.com/blog/check-point-api-merging-management-servers-with-r80-10

QUESTION NO: 161

In SPLAT the command to set the timeout was idle. In order to achieve this and increase the timeout for
Gaia, what command do you use?
A. set idle <value>
B. set inactivity-timeout <value>
C. set timeout <value>
D. set inactivity <value>
Correct Answer: B

Section: (none)
Explanation:

Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk95447

QUESTION NO: 162

Firewall policies must be configured to accept VRRP packets on the GAiA platform if it runs Firewall
software. The Multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for
VRRP is:
A. 224.0.0.18
B. 224.0.0.5
C. 224.0.0.102
D. 224.0.0.22
Correct Answer: A

Section: (none)
Explanation:

Reference: https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml

QUESTION NO: 163

What happens when the IPS profile is set to Detect-Only Mode for troubleshooting?
A. It will generate Geo-Protection traffic
B. Automatically uploads debugging logs to Check Point Support Center
C. It will not block malicious traffic
D. Bypass licenses requirement for Geo-Protection control
Correct Answer: C

Section: (none)
Explanation:

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation
of IPS. This option overrides any protections that are set to Prevent so that they will not block any
traffic. During this time you can analyze the alerts that IPS generates to see how IPS will handle
network traffic, while avoiding any impact on the flow of traffic.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12750.htm

QUESTION NO: 164

In the Check Point Firewall Kernel Module, each Kernel is associated with a key, which specifies the
type of traffic applicable to the chain module. For Stateful Mode configuration, chain modules marked
with ___________ will not apply.
A. ffff
B. 1
C. 3
D. 2
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 165

What is the main difference between Threat Extraction and Threat Emulation?
A. Threat Emulation never delivers a file and takes more than 3 minutes to complete
B. Threat Extraction always delivers a file and takes less than a second to complete
C. Threat Emulation never delivers a file that takes less than a second to complete
D. Threat Extraction never delivers a file and takes more than 3 minutes to complete
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 166

What is the command to show SecureXL status?


A. fwaccel status
B. fwaccel stats -m
C. fwaccel -s
D. fwaccel stat
Correct Answer: D

Section: (none)
Explanation:

To check overall SecureXL status:
[Expert@HostName]# fwaccel stat
Reference:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk41397

QUESTION NO: 167

What utility would you use to configure route-based VPNs?


A. vpn shell
B. vpn tu
C. vpn sw_topology
D. vpn set_slim_server
Correct Answer: A

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13824.htm

QUESTION NO: 168

What CLI command compiles and installs a Security Policy on the target’s Security Gateways?
A. fwm compile
B. fwm load
C. fwm fetch
D. fwm install
Correct Answer: B

Section: (none)

Explanation:

Reference:
http://dl3.checkpoint.com/paid/7e/CheckPoint_R65_CLI_AdminGuide.pdf?HashKey=1540653105_b07751355cf424cd738b8409d23ad59c&xtn=.pdf

QUESTION NO: 169

SecureXL improves non-encrypted firewall traffic throughput and encrypted VPN traffic throughput.
A. This statement is true because SecureXL does improve all traffic
B. This statement is false because SecureXL does not improve this traffic but CoreXL does
C. This statement is true because SecureXL does improve this traffic
D. This statement is false because encrypted traffic cannot be inspected
Correct Answer: C

Section: (none)
Explanation:

SecureXL improved non-encrypted firewall traffic throughput, and encrypted VPN traffic throughput, by
nearly an order of magnitude, particularly for small packets flowing in long-duration connections.
Reference:
https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/10001/FILE/SecureXL_and_Nokia_IPSO_White_Paper_20080401.pdf

QUESTION NO: 170

Jack has finished building his new SMS server, Red, on new hardware. He used SCP to move over the
Red-old.tgz export of his old SMS server. What is the command he will use to import this into the new
server?
A. Expert@Red# ./upgrade import Red-old.tgz
B. Red> ./migrate import Red-old.tgz
C. Expert@Red# ./migrate import Red-old.tgz
D. Red> ./upgrade import Red-old.tgz
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 171

VPN Tunnel Sharing can be configured with any of the options below, EXCEPT One:
A. Gateway-based
B. Subnet-based
C. IP range based
D. Host-based
Correct Answer: C

Section: (none)
Explanation:

VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels
created between peer Security Gateways. There are three available settings:
One VPN tunnel per each pair of hosts
One VPN tunnel per subnet pair
One VPN tunnel per Security Gateway pair
Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/14018.htm

QUESTION NO: 172

Fill in the blank: The command _______________ provides the most complete restoration of a R80
configuration.
A. upgrade_import
B. cpconfig
C. fwm dbimport -p <export file>
D. cpinfo -recover
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 173

Full synchronization between cluster members is handled by Firewall Kernel. Which port is used for
this?
A. UDP port 265
B. TCP port 265
C. UDP port 256
D. TCP port 256
Correct Answer: D

Section: (none)
Explanation:

Synchronization works in two modes:


Full Sync transfers all Security Gateway kernel table information from one cluster member to another.
It is handled by the fwd daemon using an encrypted TCP connection on port 256.
Delta Sync transfers changes in the kernel tables between cluster members. Delta sync is handled by
the Security Gateway kernel using UDP connections on port 8116.
Reference:
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ClusterXL_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_ClusterXL_AdminGuide/7288

QUESTION NO: 174

To accelerate the rate of connection establishment, SecureXL groups all connections that match a
particular service and whose sole differentiating element is the source port. This type of grouping
enables even the very first packets of a TCP handshake to be accelerated. The first packets of the first
connection on the same service will be forwarded to the Firewall kernel, which will then create a
template of the connection. Which of these IS NOT a SecureXL template?
A. Accept Template
B. Deny template
C. Drop Template
D. NAT Template
Correct Answer: B

Section: (none)
Explanation:

[Expert@GW:0]# fwaccel stat


Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
NMR Templates : enabled
NMT Templates : enabled

QUESTION NO: 175

What are types of Check Point APIs available currently as part of R80.10 code?
A. Security Gateway API, Management API, Threat Prevention API and Identity Awareness Web
Services API
B. Management API, Threat Prevention API, Identity Awareness Web Services API and OPSEC
SDK API
C. OSE API, OPSEC SDK API, Threat Extraction API and Policy Editor API
D. CPMI API, Management API, Threat Prevention API and Identity Awareness Web Services API
Correct Answer: B

Section: (none)
Explanation:

Reference:
http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1522171994_d7bae71a861bbc54c18c61420e586d77&xtn=.pdf

QUESTION NO: 176

Which one of the processes below would not start if there was a licensing issue?
A. CPD
B. CPCA
C. FWM
D. CPWD
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 177

In Gaia, if one is unsure about a possible command, what command lists all possible commands?
A. show all |grep commands
B. show configuration
C. show commands
D. get all commands
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm

QUESTION NO: 178

What is the processing order for overall inspection and routing of packets?
A. Firewall, NAT, Routing
B. NAT, Firewall, Routing
C. Firewall, NAT
D. NAT, Firewall
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 179

NAT rules are prioritized in which order?


1. Automatic Static NAT
2. Automatic Hide NAT
3. Manual/Pre-Automatic NAT
4. Post-Automatic/Manual NAT rules
A. 1, 2, 3, 4
B. 1, 4, 2, 3
C. 3, 1, 2, 4
D. 4, 3, 1, 2
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm

QUESTION NO: 180

When defining QoS global properties, which option below is not valid?
A. Weight
B. Authenticated timeout
C. Schedule
D. Rate
Correct Answer: C

Section: (none)
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_QoS_AdminGuide/14871.htm

QUESTION NO: 181

Which deployment methods can an administrator choose when deploying the SandBlast Agent?
A. Manually installing the deployment agent on each workstation
B. Use GPO and SCCM to deploy the deployment agent.
C. Use both SCCM and GPO for the deployment agent and End Point Management to push the
Agent.
D. Use the Configure SandBlast Agent to push the Agent.
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 182

The Firewall kernel is replicated multiple times, therefore:


A. The Firewall kernel only touches the packet if the connection is accelerated
B. The Firewall can run different policies per core
C. The Firewall kernel is replicated only with new connections and deletes itself once the connection
times out
D. The Firewall can run the same policy on all cores
Correct Answer: D

Section: (none)
Explanation:

On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each
replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently,
and each instance is a complete and independent inspection kernel. When CoreXL is enabled, all the
kernel instances in the Security Gateway process traffic through the same interfaces and apply the
same security policy.
Reference:
https://sc1.checkpoint.com/documents/R77/CP_R77_PerformanceTuning_WebAdmin/6731.htm

QUESTION NO: 183

SandBlast has several functional components that work together to ensure that attacks are prevented in
real-time. Which of the following is NOT part of the SandBlast component?
A. Threat Emulation
B. Mobile Access
C. Mail Transfer Agent
D. Threat Cloud
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 184

Automation and Orchestration differ in that:


A. Automation relates to codifying tasks, whereas orchestration relates to codifying processes.
B. Automation involves the process of coordinating and exchange of information through web
service interactions such as XML and JSON, but orchestration does not involve processes.
C. Orchestration is concerned with executing a single task, whereas automation takes a series of
tasks and puts them all together into a process workflow.
D. Orchestration relates to codifying tasks, whereas automation relates to codifying processes.
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 185

Which of the following is NOT an internal/native Check Point command?
A. fwaccel on
B. fw ctl debug
C. tcpdump
D. cphaprob
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 186

Which command will allow you to see the interface status?


A. cphaprob interface
B. cphaprob -l interface
C. cphaprob -a if
D. cphaprob stat
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7298.htm

QUESTION NO: 187

The fwd process on the Security Gateway sends logs to the fwd process on the Management Server via
which 2 processes?
A. fwd via cpm
B. fwm via fwd
C. cpm via cpd
D. fwd via cpd
Correct Answer: AB

Section: (none)
Explanation:

QUESTION NO: 188

Which file is not in the $FWDIR directory collected by the CPInfo utility from the server?
A. fwauthd.conf
B. asm.C
C. classes.C
D. cpd.elg
Correct Answer: D

Section: (none)
Explanation:

Reference: http://sachingarg-checkpoint.blogspot.com/2011/06/viewing-and-analyzing-cpinfo-output.html

QUESTION NO: 189

Jack is using SmartEvent and does not see the identities of the users on the events. As an
administrator with full access, what does he need to do to fix his issue?
A. Open SmartDashboard and toggle the Show or Hide Identities Icon, then re-open SmartEvent
B. Open SmartEvent, Click on Query Properties and select the User column
C. Open SmartEvent, go to the Policy Tab, select General Settings from the left column > User
Identities and check the box Show Identities
D. Open SmartEvent and toggle the Show or Hide Identities icon
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 190

What is the protocol and port used for Health Check and State Synchronization in ClusterXL?
A. CCP and 18190
B. CCP and 257
C. CCP and 8116
D. CPC and 8116
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/index.html

QUESTION NO: 191

In Threat Prevention, you can create new or clone profiles but you CANNOT change the out-of-the-box
profiles of:
A. Basic, Optimized, Strict
B. Basic, Optimized, Severe
C. General, Escalation, Severe
D. General, purposed, Strict
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80BC_ThreatPrevention/html_frameset.htm?topic=documents/R80/CP_R80BC_ThreatPrevention/136486

QUESTION NO: 192

Selecting an event displays its configurable properties in the Detail pane and a description of the event
in the Description pane. Which is NOT an option to adjust or configure?
A. Severity
B. Automatic reactions
C. Policy
D. Threshold
Correct Answer: C

Section: (none)

Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_SmartEvent_AdminGuide/17401.htm

QUESTION NO: 193

When using Monitored circuit VRRP, what is a priority delta?


A. When an interface fails the priority changes to the priority delta
B. When an interface fails the delta claims the priority
C. When an interface fails the priority delta is subtracted from the priority
D. When an interface fails the priority delta decides if the other interfaces takes over
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/87911.htm

QUESTION NO: 194

If an administrator wants to add manual NAT for addresses not owned by the Check Point firewall, what
else is necessary to be completed for it to function properly?
A. Nothing – the proxy ARP is automatically handled in the R80 version
B. Add the proxy ARP configuration in a file called /etc/conf/local.arp
C. Add the proxy ARP configuration in a file called $FWDIR/conf/local.arp
D. Add the proxy ARP configurations in a file called $CPDIR/config/local.arp
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 195

To help SmartEvent determine whether events originated internally or externally you must define using
the initial settings under General Settings in the Policy Tab. How many options are available to
calculate the traffic direction?
A. 5 Network, Host, Objects, Services, API
B. 3 Incoming; Outgoing; Network
C. 2 Internal; External
D. 4. Incoming; Outgoing; Internal; Other
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131915

QUESTION NO: 196

What are the available options for downloading Check Point hotfixes in Gaia WebUI (CPUSE)?
A. Manually, Scheduled, Automatic
B. Update Now, Scheduled Update, Offline Update
C. Update Automatically, Update Now, Disable Update
D. Manual Update, Disable Update, Automatic Update
Correct Answer: A

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_Gaia_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_Gaia_AdminGuide/84387

QUESTION NO: 197

Which one of the following is true about Threat Extraction?


A. Always delivers a file to user
B. Works on all MS Office, Executables, and PDF files
C. Can take up to 3 minutes to complete
D. Delivers file only if no threats found
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 198

UserCheck objects in the Application Control and URL Filtering rules allow the gateway to communicate
with the users. Which action is not supported in UserCheck objects?
A. Ask
B. Drop
C. Inform
D. Reject
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 199

What is the least ideal Synchronization Status for Security Management Server High Availability
deployment?
A. Lagging
B. Synchronized
C. Never been synchronized
D. Collision
Correct Answer: A

Section: (none)
Explanation:

The possible synchronization statuses are:


Never been synchronized - immediately after the Secondary Security Management server has been
installed, it has not yet undergone the first manual synchronization that brings it up to date with the
Primary Security Management server.
Synchronized - the peer is properly synchronized and has the same database information and
installed Security Policy.
Lagging - the peer SMS has not been synchronized properly. For instance, on account of the fact that
the Active SMS has undergone changes since the previous synchronization (objects have been
edited, or the Security Policy has been newly installed), the information on the Standby SMS is lagging.
Advanced - the peer SMS is more up-to-date. For instance, in the above figure, if a system
administrator logs into Security Management server B before it has been synchronized with the
Security Management server A, the status of the Security Management server A is Advanced, since it
contains more up-to-date information which the former does not have.

In this case, manual synchronization must be initiated by the system administrator by changing the
Active SMS to a Standby SMS. Perform a synch me operation from the more advanced server to the
Standby SMS. Change the Standby SMS to the Active SMS.
Collision - the Active SMS and its peer have different installed policies and databases. The
administrator must perform manual synchronization and decide which of the SMSs to overwrite.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/13132

QUESTION NO: 200

Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a
new multicore CPU to replace the existing single core CPU. After installation, is the administrator
required to perform any additional tasks?
A. Go to clish-Run cpstop|Run cpstart
B. Go to clish-Run cpconfig|Configure CoreXL to make use of the additional Cores|Exit
cpconfig|Reboot Security Gateway
C. Administrator does not need to perform any task. Check Point will make use of the newly
installed CPU and Cores
D. Go to clish-Run cpconfig|Configure CoreXL to make use of the additional Cores|Exit
cpconfig|Reboot Security Gateway|Install Security Policy
Correct Answer: B

Section: (none)

Explanation:

QUESTION NO: 201

Which of the following processes pulls application monitoring status?


A. fwd
B. fwm
C. cpwd
D. cpd
Correct Answer: C

Section: (none)
Explanation:

Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97638

QUESTION NO: 202

What are the main stages of a policy installation?


A. Verification & Compilation, Transfer and Commit
B. Verification & Compilation, Transfer and Installation
C. Verification, Commit, Installation
D. Verification, Compilation & Transfer, Installation
Correct Answer: B

Section: (none)

Explanation:

QUESTION NO: 203

Which command collects diagnostic data for analyzing customer setup remotely?
A. cpinfo
B. migrate export
C. sysinfo
D. cpview
Correct Answer: A

Section: (none)
Explanation:

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of
execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for
uploading files to Check Point servers).
The CPInfo output file allows analyzing customer setups from a remote location. Check Point support
engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies
and Objects. This allows the in-depth analysis of customer's configuration and environment settings.
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92739

QUESTION NO: 204

Events can be categorized and assigned to System Administrators to track their path through the
workflow. Which of the following is NOT an option?
A. Under Investigation
B. Pending Investigation
C. False Positive
D. Open
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 205

Select the right answer to export IPS profiles to copy to another management server?
A. IPS profile export is not allowed
B. fwm dbexport -p <profile-name>
C. SmartDashboard – IPS tab – Profiles – select profile + right click and select “export profile”
D. ips_export_import export <profile-name>
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 206

Aaron is a Cyber Security Engineer working for Global Law Firm with a large-scale deployment of Check
Point Enterprise Appliances using GAiA/R80.10. The company’s Network Security Developer Team is
having an issue testing the new API with the newly deployed R80.10 Security Management Server and
blames the Check Point Security Management Server as the root cause. A ticket has been created and
the issue is at Aaron’s desk for investigation. What do you recommend as the best suggestion for
Aaron to make sure API testing works as expected?
A. Aaron should check API Server status from expert CLI by “fwm api status” and if it’s stopped he
should start using command “fwm api start” on Security Management Server.

B. Aaron should check API Server status from expert CLI by “cpapi status” and if it’s stopped he
should start using command “cpapi start” on Security Management Server.
C. Aaron should check API Server status from expert CLI by “api status” and if it’s stopped he
should start using command “api start” on Security Management Server.
D. Aaron should check API Server status from expert CLI by “cpm api status” and if it’s stopped he
should start using command “cpm api start” on Security Management Server.
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 207

What tool exports the Management Configuration into a single file?


A. CPConfig_Export
B. Backup
C. Upgrade_Export
D. migrate export
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 208

What’s true about Troubleshooting option in the IPS profile properties?


A. Temporarily change the active protection profile to “Default_Protection”
B. Temporarily set all protections to track (log) in SmartView Tracker
C. Temporarily will disable IPS kernel engine
D. Temporarily set all active protections to Detect
Correct Answer: B

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/52512.htm

QUESTION NO: 209

What is the default size of NAT table fwx_alloc?


A. 20000
B. 35000
C. 25000
D. 10000
Correct Answer: C

Section: (none)
Explanation:

Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32224

QUESTION NO: 210

You have a Gateway running with 2 cores. You plan to add a second gateway to build a cluster and
use a device with 4 cores. How many cores can be used in a Cluster for Firewall-kernel on the new
device?
A. 3
B. 2
C. 1
D. 4
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 211

Advanced Security Checkups can be easily conducted within:


A. Reports
B. Advanced
C. Checkups
D. Views

Correct Answer: A

Section: (none)

Explanation:

QUESTION NO: 212

The Security Gateway is installed on GAiA R80. The default port for the Web User Interface is _______.
A. TCP 18211
B. TCP 257
C. TCP 4433
D. TCP 443
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 213

In SmartEvent, what are the different types of automatic reactions that the administrator can configure?
A. Mail, Block Source, Block Event Activity, External Script, SNMP Trap
B. Mail, Block Source, Block Destination, Block Services, SNMP Trap
C. Mail, Block Source, Block Destination, External Script, SNMP Trap
D. Mail, Block Source, Block Event Activity, Packet Capture, SNMP Trap
Correct Answer: A

Section: (none)
Explanation:

These are the types of Automatic Reactions:


Mail - tell an administrator by email that the event occurred. See Create a Mail Reaction.
Block Source - instruct the Security Gateway to block the source IP address from which this event was
detected for a configurable period of time. Select a period of time from one minute to more than three
weeks. See Create a Block Source Reaction.

Block Event activity - instruct the Security Gateway to block a distributed attack that emanates from
multiple sources, or attacks multiple destinations for a configurable period of time. Select a period of
time from one minute to more than three weeks. See Create a Block Event Activity Reaction.
External Script - run a script that you provide. See Creating an External Script Automatic Reaction to
write a script that can exploit SmartEvent data.
SNMP Trap - generate an SNMP Trap. See Create an SNMP Trap Reaction.
Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131915

QUESTION NO: 214

What is the responsibility of SOLR process on R80.10 management server?


A. Validating all data before it’s written into the database
B. It generates indexes of data written to the database
C. Communication between SmartConsole applications and the Security Management Server
D. Writing all information into the database
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 215

With SecureXL enabled, accelerated packets will pass through the following:
A. Network Interface Card, OSI Network Layer, OS IP Stack, and the Acceleration Device
B. Network Interface Card, Check Point Firewall Kernel, and the Acceleration Device
C. Network Interface Card and the Acceleration Device
D. Network Interface Card, OSI Network Layer, and the Acceleration Device
Correct Answer: C

Section: (none)

Explanation:

QUESTION NO: 216

Vanessa is expecting a very important Security Report. The Document should be sent as an attachment
via e-mail. An e-mail with the Security_report.pdf file was delivered to her e-mail inbox. When she opened
the PDF file, she noticed that the file is basically empty and only a few lines of text are in it. The report is
missing some graphs, tables and links. Which component of SandBlast protection is her company using
on a Gateway?
A. SandBlast Threat Emulation
B. SandBlast Agent
C. Check Point Protect
D. SandBlast Threat Extraction
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 217

In order to get info about assignment (FW, SND) of all CPUs in your SGW, what is the most accurate
CLI command?
A. fw ctl sdstat
B. fw ctl affinity -l -a -r -v
C. fw ctl multik stat
D. cpinfo
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 218

When synchronizing clusters, which of the following statements is FALSE?


A. The state of connections using resources is maintained in a Security Server, so their connections
cannot be synchronized.
B. Only cluster members running on the same OS platform can be synchronized.
C. In the case of a failover, accounting information on the failed member may be lost despite a
properly working synchronization.
D. Client Authentication or Session Authentication connections through a cluster member will be lost
if the cluster member fails.
Correct Answer: D

Section: (none)

Explanation:

QUESTION NO: 219

GAiA greatly increases operational efficiency by offering an advanced and intuitive software update
agent, commonly referred to as the:
A. Check Point Upgrade Service Engine.
B. Check Point Software Update Agent
C. Check Point Remote Installation Daemon (CPRID)
D. Check Point Software Update Daemon
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 220

As an administrator, you may be required to add the company logo to reports. To do this, you would
save the logo as a PNG file with the name ‘cover-company-logo.png’ and then copy that image file to
which directory on the SmartEvent server?
A. $FWDIR/smartevent/conf
B. $RTDIR/smartevent/conf
C. $RTDIR/smartview/conf
D. $FWDIR/smartview/conf
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/188029

QUESTION NO: 221

SmartEvent has several components that function together to track security threats. What is the function
of the Correlation Unit as a component of this architecture?
A. Analyzes this log entry as it arrives at the log server according to the Event Policy. When a threat
pattern is identified, an event is forwarded to the SmartEvent Server.
B. Correlates all the identified threats with the consolidation policy.
C. Collects syslog data from third party devices and saves them to the database.
D. Connects with the SmartEvent Client when generating threat reports.
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 222

The Check Point installation history feature in R80 provides the following:
A. View install changes and install specific version.
B. View install changes
C. Policy Installation Date, view install changes and install specific version
D. Policy Installation Date only
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuide/159917

QUESTION NO: 223

Which of the SecureXL templates are enabled by default on Security Gateway?


A. Accept
B. Drop
C. NAT
D. None

Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 224

Fill in the blank: The R80 feature ________ permits blocking specific IP addresses for a specified time
period.
A. Block Port Overflow
B. Local Interface Spoofing
C. Suspicious Activity Monitoring
D. Adaptive Threat Prevention
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 225

What is not a component of Check Point SandBlast?


A. Threat Emulation
B. Threat Simulation
C. Threat Extraction
D. Threat Cloud
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 226

You are working with multiple Security Gateways enforcing an extensive number of rules. To simplify
security administration, which action would you choose?
A. Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
B. Create a separate Security Policy package for each remote Security Gateway.

C. Create network objects that restrict all applicable rules to only certain networks.
D. Run separate SmartConsole instances to login and configure each Security Gateway directly.
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 227

SmartConsole R80 requires the following ports to be open for SmartEvent R80 management:
A. 19090, 22
B. 19190, 22
C. 18190, 80
D. 19009, 443
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 228

You want to verify if your management server is ready to upgrade to R80.10. What tool could you use in
this process?
A. migrate export
B. upgrade_tools verify
C. pre_upgrade_verifier
D. migrate import
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 229

What processes does CPM control?

A. Object-Store, Database changes, CPM Process and web-services
B. web-services, CPMI process, DLEserver, CPM process
C. DLEServer, Object-Store, CP Process and database changes
D. web_services, dle_server and object_Store
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 230

Which NAT rules are prioritized first?


A. Post-Automatic/Manual NAT rules
B. Manual/Pre-Automatic NAT
C. Automatic Hide NAT
D. Automatic Static NAT
Correct Answer: B

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Firewall_WebAdmin/6724.htm

QUESTION NO: 231

Fill in the blank: The tool ___________ generates an R80 Security Gateway configuration report.
A. infoCP
B. infoview
C. cpinfo
D. fw cpinfo
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 232

What is the valid range for VRID value in VRRP configuration?
A. 1 – 254
B. 1 – 255
C. 0 – 254
D. 0 – 255
Correct Answer: B

Section: (none)
Explanation:

Virtual Router ID - Enter a unique ID number for this virtual router. The range of valid values is 1 to 255.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/87911.htm

QUESTION NO: 233

The CDT utility supports which of the following?


A. Major version upgrades to R77.30
B. Only Jumbo HFA’s and hotfixes
C. Only major version upgrades to R80.10
D. All upgrades
Correct Answer: D

Section: (none)
Explanation:

The Central Deployment Tool (CDT) is a utility that runs on an R77 / R77.X / R80 / R80.10 Security
Management Server / Multi-Domain Security Management Server (running Gaia OS).
It allows the administrator to automatically install CPUSE Offline packages (Hotfixes, Jumbo Hotfix
Accumulators (Bundles), Upgrade to a Minor Version, Upgrade to a Major Version) on multiple
managed Security Gateways and Cluster Members at the same time.
Reference: https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands

QUESTION NO: 234

When an encrypted packet is decrypted, where does this happen?


A. Security policy

B. Inbound chain
C. Outbound chain
D. Decryption is not supported
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 235

When installing a dedicated R80 SmartEvent server, what is the recommended size of the root
partition?
A. Any size
B. Less than 20GB
C. More than 10 GB and less than 20GB
D. At least 20 GB
Correct Answer: D

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_LoggingAndMonitoring_AdminGuide/120829

QUESTION NO: 236

Which is NOT a SmartEvent component?


A. SmartEvent Server
B. Correlation Unit
C. Log Consolidator
D. Log Server
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 237

What is the correct command to observe the Sync traffic in a VRRP environment?
A. fw monitor -e “accept [12:4,b]=224.0.0.18;”
B. fw monitor -e “accept port(6118;”
C. fw monitor -e “accept proto=mcVRRP;”
D. fw monitor -e “accept dst=224.0.0.18;”
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 238

Using mgmt_cli, what is the correct syntax to import a host object called Server_1 from the CLI?
A. mgmt_cli add-host "Server_1" ip_address "10.15.123.10" --format txt
B. mgmt_cli add host name "Server_1" ip-address "10.15.123.10" --format json
C. mgmt_cli add object-host "Server_1" ip-address "10.15.123.10" --format json
D. mgmt_cli add object "Server_1" ip-address "10.15.123.10" --format json
Correct Answer: B

Section: (none)
Explanation:

Example:
mgmt_cli add host name "New Host 1" ip-address "192.0.2.1" --format json
• "--format json" is optional. By default the output is presented in plain text.
Reference: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-host~v1.1%20

QUESTION NO: 239

How many confidence levels are there for IPS?


A. four
B. two
C. five
D. three

Correct Answer: C

Section: (none)
Explanation:

Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116254

QUESTION NO: 240

Which features are only supported with R80.10 Gateways but not R77.x?
A. Access Control policy unifies the Firewall, Application Control & URL Filtering, Data Awareness,
and Mobile Access Software Blade policies.
B. Limits the upload and download throughput for streaming media in the company to 1 Gbps.
C. The rule base can be built of layers, each containing a set of the security rules. Layers are
inspected in the order in which they are defined, allowing control over the rule base flow and which
security functionalities take precedence.
D. Time object to a rule to make the rule active only during specified times.
Correct Answer: C

Section: (none)
Explanation:

Reference: http://slideplayer.com/slide/12183998/

QUESTION NO: 241

Which one of these is NOT a firewall chain?


A. RTM packet in (rtm)
B. VPN node add (vpnad)
C. IP Options restore (in) (ipopt_res)
D. Fw SCV inbound (scv)
Correct Answer: B

Section: (none)
Explanation:

Reference: http://dkcheckpoint.blogspot.com/2016/07/chapter-2-chain-module.html

QUESTION NO: 242

Please choose correct command syntax to add an “emailserver1” host with IP address 10.50.23.90
using GAiA management CLI?
A. host name myHost12 ip-address 10.50.23.90
B. mgmt add host name ip-address 10.50.23.90
C. add host name emailserver1 ip-address 10.50.23.90
D. mgmt add host name emailserver1 ip-address 10.50.23.90
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 243

You have existing dbedit scripts from R77. Can you use them with R80.10?
A. dbedit is not supported in R80.10
B. dbedit is fully supported in R80.10
C. You can use dbedit to modify threat prevention or access policies, but not create or modify layers
D. dbedit scripts are being replaced by mgmt_cli in R80.10
Correct Answer: D

Section: (none)
Explanation:

dbedit (or GuiDbEdit) uses the cpmi protocol which is gradually being replaced by the new R80.10
automation architecture. cpmi clients are still supported in R80.10, but there are some functionalities
that cannot be managed by cpmi anymore. For example, the Access and Threat policies do not have a
cpmi representation. They can be managed only by the new mgmt_cli and not by cpmi clients. There
are still many tables that have an inner cpmi representation (for example, network objects, services,
servers, and global properties) and can still be managed using cpmi.
Reference: https://www.checkpoint.com/downloads/product-related/r80.10-mgmt-architecture-overview.pdf

QUESTION NO: 244

The Event List within the Events tab contains:

A. a list of options available for running a query.
B. the top events, destinations, sources, and users of the query results, either as a chart or in a
tallied list.
C. events generated by a query.
D. the details of a selected event.
Correct Answer: C

Section: (none)
Explanation:

These are the components of the Events tab:

Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131915

QUESTION NO: 245

SmartEvent does NOT use which of the following procedures to identify events?
A. Matching a log against each event definition
B. Create an event candidate
C. Matching a log against local exclusions
D. Matching a log against global exclusions
Correct Answer: C

Section: (none)
Explanation:

Events are detected by the SmartEvent Correlation Unit. The Correlation Unit task is to scan logs for
criteria that match an Event Definition. SmartEvent uses these procedures to identify events:

Matching a Log Against Global Exclusions
Matching a Log Against Each Event Definition
Creating an Event Candidate
When a Candidate Becomes an Event
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_SmartEvent_AdminGuide/17401.htm

QUESTION NO: 246

What makes Anti-Bot unique compared to other Threat Prevention mechanisms, such as URL Filtering,
Anti-Virus, IPS, and Threat Emulation?
A. Anti-Bot is the only countermeasure against unknown malware
B. Anti-Bot is the only protection mechanism which starts a counter-attack against known Command
& Control Centers
C. Anti-Bot is the only signature-based method of malware protection
D. Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection to
a Command & Control Center
Correct Answer: D

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_AntiBotAntiVirus_AdminGuide/index.html

QUESTION NO: 247

An administrator would like to troubleshoot why templating is not working for some traffic. How can he
determine at which rule templating is disabled?
A. He can use the fw accel command on the gateway
B. He can use the fw accel statistics command on the gateway
C. He can use the fwaccel stat command on the Security Management Server
D. He can use the fwaccel stat command on the gateway
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 248

Using Threat Emulation technologies, what is the best way to block .exe and .bat file types?
A. Enable DLP and select .exe and .bat file type
B. enable .exe & .bat protection in IPS Policy
C. create FW rule for particular protocol
D. tecli advanced attributes set prohibited_file_types exe,bat
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 249

What are the different command sources that allow you to communicate with the API server?
A. SmartView Monitor, API_cli Tool, Gaia CLI, Web Services
B. SmartConsole GUI Console, mgmt_cli Tool, Gaia CLI, Web Services
C. SmartConsole GUI Console, API_cli Tool, Gaia CLI, Web Services
D. API_cli Tool, Gaia CLI, Web Services
Correct Answer: B

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R80/APIs/#introduction%20

QUESTION NO: 250

John detected high load on the sync interface. Which is the most recommended solution?
A. For short connections like http service – delay sync for 2 seconds
B. Add a second interface to handle sync traffic
C. For short connections like http service – do not sync
D. For short connections like icmp service – delay sync for 2 seconds
Correct Answer: A

Section: (none)
Explanation:

QUESTION NO: 251

Where do you create and modify the Mobile Access policy in R80?
A. SmartConsole
B. SmartMonitor
C. SmartEndpoint
D. SmartDashboard
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 252

What Shell is required in Gaia to use WinSCP?


A. UNIX
B. CPShell
C. CLISH
D. Bash
Correct Answer: D

Section: (none)
Explanation:

Reference: https://winscp.net/eng/docs/ui_login_scp

QUESTION NO: 253

Which web services protocol is used to communicate to the Check Point R80 Identity Awareness Web
API?
A. SOAP
B. REST
C. XLANG
D. XML-RPC
Correct Answer: B

Section: (none)
Explanation:

The Identity Web API uses the REST protocol over SSL. The requests and responses are HTTP and in
JSON format.
Reference: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide/148699

QUESTION NO: 254

The system administrator of a company is trying to find out why acceleration is not working for the
traffic. The traffic is allowed according to the rule base and checked for viruses. But it is not
accelerated. What is the most likely reason that the traffic is not accelerated?
A. There is a virus found. Traffic is still allowed but not accelerated.
B. The connection required a Security server.
C. Acceleration is not enabled.
D. The traffic is originating from the gateway itself.
Correct Answer: D

Section: (none)
Explanation:

QUESTION NO: 255

You plan to automate creating new objects using new R80 Management API. You decide to use GAIA
CLI for this task. What is the first step to run management API commands on GAIA’s shell?
A. mgmt admin@teabag>id.txt
B. mgmt login
C. login user admin password teabag
D. mgmt_cli login user “admin” password “teabag”>id.txt
Correct Answer: B

Section: (none)
Explanation:

QUESTION NO: 256

What API command below creates a new host with the name “New Host” and IP address of
“192.168.0.10”?
A. new host name “New Host” ip-address “192.168.0.10”
B. set host name “New Host” ip-address “192.168.0.10”
C. create host name “New Host” ip-address “192.168.0.10”
D. add host name “New Host” ip-address “192.168.0.10”
Correct Answer: D

Section: (none)
Explanation:

Sample Command with SmartConsole CLI
You can use the add host command to create a new host and then publish the changes.
> add host name "Sample_Host" ip-address "192.0.2.3"
> publish
Reference: http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1522171823_f53d2a32a77bde441b88d53824dcb893&xtn=.pdf

QUESTION NO: 257

What is true about VRRP implementations?


A. VRRP membership is enabled in cpconfig
B. VRRP can be used together with ClusterXL, but with degraded performance
C. You cannot have a standalone deployment
D. You cannot have different VRIDs in the same physical network
Correct Answer: C

Section: (none)
Explanation:

Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_Gaia_AdminWebAdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_Gaia_AdminWebAdminGuide/87911

QUESTION NO: 258

Which command can you use to enable or disable multi-queue per interface?
A. cpmq set
B. Cpmqueue set
C. Cpmq config
D. Set cpmq enable
Correct Answer: A

Section: (none)
Explanation:

Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/93689.htm

QUESTION NO: 259

How would you deploy TE250X Check Point appliance just for email traffic and in-line mode without a
Check Point Security Gateway?
A. Install appliance TE250X on SpanPort on LAN switch in MTA mode
B. Install appliance TE250X in standalone mode and setup MTA
C. You can utilize only Check Point Cloud Services for this scenario
D. It is not possible, always Check Point SGW is needed to forward emails to SandBlast appliance
Correct Answer: C

Section: (none)
Explanation:

QUESTION NO: 260

In order to optimize performance of a Security Gateway you plan to use SecureXL technology. Your
company uses different types of applications. Identify application traffic that will NOT be accelerated.
A. Corporate relational database TCP traffic
B. Custom application multicast traffic
C. Transactions to the external application server using UDP
D. TCP connections to the corporate Web-server
Correct Answer: B

Section: (none)
Explanation:
