Checkpoint 156-215.81 Practice Test - Questions Answers, Page 40

To increase security, the administrator has modified the Core protection 'Host Port Scan' from 'Medium' to 'High' Predefined Sensitivity.The administrator should install theThreat Prevention Policyafter Publishing the changes3.The Threat Prevention Policy defines how the Security Gateway inspects and protects against threats such as port scans, bot attacks, and zero-day exploits4.

Reference:Check Point R81 Firewall Administration Guide,Check Point R81 Threat Prevention Administration Guide

When changes are made to a Rule base, it is important toPublish databaseto enforce changes5. Publishing database saves the changes to the database and makes them available to other administrators. Installing policy applies the changes to the Security Gateways.

Reference:Check Point R81 Security Management Administration Guide, [Check Point R81 SmartConsole R81 Resolved Issues], [Check Point R81 Firewall Administration Guide]

The Online Activation method is available for Check Point manufactured appliances. The administrator uses the Online Activation method by using the Gaia First Time Configuration Wizard, the appliance connects to the Check Point User Center and downloads all necessary licenses and contracts. This method requires internet access and a valid User Center account.

Reference: [Check Point Licensing and Contract Operations User Guide], [Check Point R81 Gaia Installation and Upgrade Guide]

Manual NAT can offer more flexibility than Automatic NAT because it allows the administrator to define the NAT rules in any order and position1.Automatic NAT creates the NAT rules automatically and places them at the top or bottom of the NAT Rule Base2.

Reference:Check Point R81 Firewall Administration Guide,Check Point R81 Security Management Administration Guide

This answer is correct because these are the software components that are used by the pre-defined Autonomous Threat Prevention Profiles in R81.20 and higher1.These profiles provide zero-maintenance protection from zero-day threats and continuously and autonomously ensure that your protection is up-to-date with the latest cyber threats and prevention technologies2.

The other answers are not correct because they either include software components that are not part of the Autonomous Threat Prevention Profiles, such as Sandbox, ThreatCloud, Zero Phishing, Sanitization, C&C Protection, JPS, File and URL Reputation, or they omit some of the software components that are part of the Autonomous Threat Prevention Profiles, such as Anti-Bot, Anti-Virus, and Macro Extraction.

Autonomous Threat Prevention Management - Check Point Software

Check Point Quantum R81.20 (Titan) Release

Threat Prevention R81.20 Best Practices - Check Point Software

Check Point R81

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other's identity using a shared secret or a public key certificate1.A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2.A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3.The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication.PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4.Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4.PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

What is mutual authentication? | Two-way authentication

Mutual authentication - AWS Client VPN

VPN authentication options - Windows Security

Mutual Authentication | Top 3 Methods of Mutual Authentication

Authentication methods and features - Microsoft Entra

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other's identity using a shared secret or a public key certificate1.A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2.A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3.The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication.PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4.Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4.PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

What is mutual authentication? | Two-way authentication

Mutual authentication - AWS Client VPN

VPN authentication options - Windows Security

Mutual Authentication | Top 3 Methods of Mutual Authentication

Authentication methods and features - Microsoft Entra

This answer is correct because a standalone deployment is a valid option for installing a Check Point Security Gateway and a Security Management Server on the same machine1.This option is suitable for small or medium-sized networks that do not require high availability or load balancing1.

The other answers are not correct because they are either invalid or irrelevant options for deployment.CloudSec deployment is not a valid option, but it might be confused with CloudGuard, which is a Check Point solution for securing cloud environments2.Disliked deployment is not a valid option, but it might be a typo for Distributed deployment, which is a valid option for installing a Check Point Security Gateway and a Security Management Server on separate machines1.Router only deployment is not a valid option, but it might be confused with Router mode, which is a configuration option for a Check Point Security Gateway that enables it to act as a router and forward packets between interfaces3.

Gaia R81.20 Administration Guide

CloudGuard Network Security

Configuring Router Mode in Gaia Clish

This answer is correct because DES (Data Encryption Standard) is the least secured encryption algorithm among the options given.DES uses a 56-bit key, which is too short and can be easily cracked by brute force attacks1.DES also suffers from other weaknesses, such as weak keys, complementation property, and linear cryptanalysis2.

The other answers are not correct because they are more secured encryption algorithms than DES.3DES (Triple DES) is an improvement over DES that applies DES three times with different keys, resulting in a 168-bit key3. AES-128 and AES-256 are variants of AES (Advanced Encryption Standard) that use 128-bit and 256-bit keys respectively. AES is considered to be the most secure symmetric encryption algorithm and is widely used for data protection.

What is DES encryption, and why was it replaced?

Data Encryption Standard - Wikipedia

What is 3DES encryption?

[What is AES encryption and how does it work?]