
Checkpoint 156-315.81 Practice Test - Questions Answers, Page 16


To accelerate the rate of connection establishment, SecureXL groups all connection that match a particular service and whose sole differentiating element is the source port. The type of grouping enables even the very first packets of a TCP handshake to be accelerated. The first packets of the first connection on the same service will be forwarded to the Firewall kernel which will then create a template of the connection. Which of the these is NOT a SecureXL template?

A. Accept Template
B. Deny Template
C. Drop Template
D. NAT Template
Suggested answer: B

Explanation:

SecureXL templates are a mechanism to accelerate the rate of connection establishment by grouping connections that match a particular service and whose sole differentiating element is the source port. SecureXL templates enable even the very first packets of a TCP handshake to be accelerated, without waiting for the Firewall kernel to create a connection entry. The first packets of the first connection on the same service will be forwarded to the Firewall kernel, which will then create a template of the connection. The template will contain all the relevant information for the connection, such as source and destination IP addresses, destination port, NAT information, policy decision, etc. The template will be used by SecureXL to handle subsequent connections on the same service, without involving the Firewall kernel. This reduces the CPU load and increases the throughput.

There are three types of SecureXL templates: Accept, Drop, and NAT. Accept templates are used for connections that are allowed by the Firewall policy. Drop templates are used for connections that are blocked by the Firewall policy. NAT templates are used for connections that require NAT translation. Deny templates are not a valid type of SecureXL template.

Which of the following is NOT a type of Check Point API available in R81.x?

A. Identity Awareness Web Services
B. OPSEC SDK
C. Mobile Access
D. Management
Suggested answer: C

Explanation:

Check Point API is a set of web services that enable the usage of functions and commands in a dynamic and automated fashion. Check Point API is available in different types, each serving a different purpose and functionality. According to the Check Point Resource Library, the following are the types of Check Point API available in R81.x:

Identity Awareness Web Services: This type of API allows external applications to send identity and location information to the Security Gateway, which can then use this information for policy enforcement. Identity Awareness Web Services can be used for scenarios such as guest registration, captive portal, identity agents, etc.

OPSEC SDK: This type of API provides a framework for developing applications that interact with Check Point products using the OPSEC (Open Platform for Security) protocol. OPSEC SDK can be used for scenarios such as log export, event management, anti-virus integration, etc.

Management: This type of API allows external applications to perform management operations on the Check Point Management server using RESTful web services. Management API can be used for scenarios such as policy installation, object creation, configuration backup, etc.

Mobile Access is not a type of Check Point API, but rather a feature that provides secure remote access to corporate resources from various devices. Mobile Access uses SSL VPN technology and supports different authentication methods and access scenarios.

When an encrypted packet is decrypted, where does this happen?

A. Security policy
B. Inbound chain
C. Outbound chain
D. Decryption is not supported
Suggested answer: A

Explanation:

When an encrypted packet is received by a Check Point Security Gateway, it is decrypted according to the security policy. The security policy defines the rules and settings for encryption and decryption of traffic, such as the encryption algorithm, the encryption domain, the pre-shared secret or certificate, etc. The security policy is enforced by the Firewall kernel, which is responsible for decrypting the packets before passing them to the inbound chain for further inspection. The inbound chain consists of various inspection modules that apply security checks and actions on the decrypted packets. The outbound chain is the reverse process, where the packets are inspected and then encrypted according to the security policy before being sent out.

John is using Management HA. Which Smartcenter should be connected to for making changes?

A. secondary Smartcenter
B. active Smartcenter
C. connect virtual IP of Smartcenter HA
D. primary Smartcenter
Suggested answer: B

Explanation:

Management HA is a feature that allows the Security Management server to have one or more backup Standby Security Management servers that are ready to take over in case of failure. The Active Security Management server is the one that handles all the management operations, such as policy installation, object creation, configuration backup, etc. The Standby Security Management servers are synchronized with the Active Security Management server and store the same data, such as databases, certificates, CRLs, etc. The Standby Security Management servers can also perform some operations, such as fetching a Security Policy or retrieving a CRL.

To make changes to the system, such as editing objects or policies, the administrator needs to connect to the Active Security Management server. This is because the Active Security Management server is the only one that can modify the data and synchronize it with the Standby Security Management servers. The administrator can use SmartConsole to connect to the Active Security Management server by entering its IP address or hostname. The administrator can also use SmartDashboard to connect to the Active Security Management server by selecting Policy > Management High Availability. This shows information about the Security Management server, including its peers, displayed with the name, status and type of each Security Management server.

The other options are incorrect because:

A) secondary Smartcenter: This is a synonym for a Standby Security Management server, which cannot be used to make changes to the system.

C) connect virtual IP of Smartcenter HA: This is not a valid option because there is no virtual IP for Smartcenter HA. Each Security Management server has its own IP address and hostname.

D) primary Smartcenter: This is a synonym for the Active Security Management server, but it is not the correct term to use. The term primary implies that there is only one Active Security Management server, which is not true. The administrator can put the Active Security Management server on standby and promote a Standby Security Management server to active at any time.

You are asked to check the status of several user-mode processes on the management server and gateway. Which of the following processes can only be seen on a Management Server?

A. fwd
B. fwm
C. cpd
D. cpwd
Suggested answer: B

Explanation:

User-mode processes are processes that run in the user space of the operating system, as opposed to kernel-mode processes that run in the kernel space. User-mode processes are usually less privileged and have less access to system resources than kernel-mode processes. Check Point products use both user-mode and kernel-mode processes to provide various functionalities and services.

The following are some of the user-mode processes that can be seen on the management server and gateway:

fwd: This process is responsible for policy installation, logging, and communication with other Check Point components. It runs on both the management server and gateway.

cpd: This process is responsible for licensing, certificate management, and communication with SmartConsole. It runs on both the management server and gateway.

cpwd: This process is responsible for monitoring and restarting other processes. It runs on both the management server and gateway.

The following is a user-mode process that can only be seen on the management server:

fwm: This process is responsible for managing the security policy database, compiling the security policy, and generating reports. It runs only on the management server.

Therefore, the correct answer is B.

What scenario indicates that SecureXL is enabled?

A. Dynamic objects are available in the Object Explorer
B. SecureXL can be disabled in cpconfig
C. fwaccel commands can be used in clish
D. Only one packet in a stream is seen in a fw monitor packet capture
Suggested answer: C

Explanation:

SecureXL is a technology that accelerates the performance of the Check Point Security Gateway by offloading CPU-intensive operations from the Firewall kernel to the SecureXL device. SecureXL can handle various types of traffic, such as TCP, UDP, ICMP, non-IP, VPN, NAT, etc. SecureXL can also work with various features, such as CoreXL, ClusterXL, QoS, etc.

One way to indicate that SecureXL is enabled is to use the fwaccel commands in clish. Clish is a command-line shell that provides a user-friendly interface for configuring and managing Check Point products. The fwaccel commands are used to control and monitor SecureXL operations, such as enabling or disabling SecureXL, viewing SecureXL statistics, managing SecureXL templates, etc. For example, the command fwaccel stat shows the status of SecureXL, such as whether it is on or off, how many packets are accelerated or not accelerated, etc.

The other options are not valid indicators of SecureXL being enabled:

A) Dynamic objects are available in the Object Explorer: Dynamic objects are objects that represent IP addresses that change over time, such as VPN clients, DHCP clients, etc. Dynamic objects are available in the Object Explorer regardless of whether SecureXL is enabled or not.

B) SecureXL can be disabled in cpconfig: Cpconfig is a command-line tool that allows you to configure various settings of Check Point products, such as administrator password, GUI clients, SNMP extension, etc. SecureXL can be disabled in cpconfig only if it was enabled before. Therefore, this option does not indicate that SecureXL is enabled.

D) Only one packet in a stream is seen in a fw monitor packet capture: Fw monitor is a command-line tool that allows you to capture and analyze network traffic passing through the Security Gateway. Fw monitor shows the traffic at different inspection points in the Firewall kernel. If SecureXL is enabled, some packets may be accelerated by SecureXL and bypass the Firewall kernel inspection. Therefore, fw monitor may not see all packets in a stream. However, this does not mean that only one packet in a stream will be seen by fw monitor. Some packets may still go through the Firewall kernel inspection and be seen by fw monitor. Therefore, this option does not indicate that SecureXL is enabled.

Therefore, the correct answer is C.

What processes does CPM control?

A. Object-Store, Database changes, CPM Process and web-services
B. web-services, CPMI process, DLEserver, CPM process
C. DLEServer, Object-Store, CP Process and database changes
D. web_services, dle_server and object_Store
Suggested answer: D

Explanation:

CPM stands for Check Point Management, which is a process that runs on the Security Management server and controls the management operations, such as policy installation, object creation, configuration backup, etc. CPM also controls other processes that are related to the management functions, such as:

web_services: This process is responsible for providing web services for the communication between SmartConsole and the Security Management server. It handles requests from SmartConsole clients and forwards them to CPM or other processes.

dle_server: This process is responsible for managing the log files and indexes. It handles queries from SmartLog and SmartEvent and provides log data to CPM or other processes.

object_Store: This process is responsible for storing and retrieving objects from the database. It handles requests from CPM or other processes and provides object data.

Therefore, the correct answer is D.

The other options are incorrect because:

A) Object-Store, Database changes, CPM Process and web-services: This option includes some processes that are controlled by CPM, such as Object-Store, CPM Process, and web-services, but it also includes Database changes, which is not a process but an action performed by CPM or other processes.

B) web-services, CPMI process, DLEserver, CPM process: This option includes some processes that are controlled by CPM, such as web-services, DLEserver, and CPM process, but it also includes CPMI process, which is not a process but a protocol used by CPM or other processes to communicate with each other.

C) DLEServer, Object-Store, CP Process and database changes: This option includes some processes that are controlled by CPM, such as DLEServer and Object-Store, but it also includes CP Process and database changes, which are not processes but a generic term for any Check Point process and an action performed by CPM or other processes respectively.

Which encryption algorithm is the least secured?

A. AES-128
B. AES-256
C. DES
D. 3DES
Suggested answer: C

Explanation:

DES (Data Encryption Standard) is a symmetric block cipher that uses a 56-bit key to encrypt and decrypt 64-bit blocks of data. It was developed by IBM in 1975 and adopted by the US government as a standard for encryption. However, DES has been proven to be insecure and vulnerable to various attacks, such as brute force, differential cryptanalysis, and linear cryptanalysis. A brute force attack can break DES in a matter of hours using modern hardware. Differential cryptanalysis can reduce the number of keys to be searched by a factor of four, and linear cryptanalysis can reduce it by a factor of two. Therefore, DES is the least secure encryption algorithm among the options given.

What is the command to check the status of the SmartEvent Correlation Unit?

A. fw ctl get int cpsead_stat
B. cpstat cpsead
C. fw ctl stat cpsemd
D. cp_conf get_stat cpsemd
Suggested answer: B

Explanation:

The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. It runs on the Log Server machine or on a dedicated machine. To check the status of the SmartEvent Correlation Unit, you can use the command cpstat cpsead on the machine where it is installed. This command will show you information such as the number of logs processed, the number of events generated, the CPU and memory usage, and the status of the connection to the SmartEvent Server.

You need to see which hotfixes are installed on your gateway, which command would you use?

A. cpinfo --h all
B. cpinfo --o hotfix
C. cpinfo --l hotfix
D. cpinfo --y all
Suggested answer: D

Explanation:

The command cpinfo --y all displays information about all the hotfixes that are installed on the gateway. This command also shows the hotfix ID, description, installation date, and status for each hotfix. The other commands are not valid options for this task. The command cpinfo --h all shows the hardware information of the gateway. The commands cpinfo --o hotfix and cpinfo --l hotfix do not exist and will return an error message.

Total 626 questions