
Checkpoint 156-315.81 Practice Test - Questions Answers, Page 17


VPN Link Selection will perform the following when the primary VPN link goes down?

A. The Firewall will drop the packets.
B. The Firewall can update the Link Selection entries to start using a different link for the same tunnel.
C. The Firewall will send out the packet on all interfaces.
D. The Firewall will inform the client that the tunnel is down.
Suggested answer: B

Explanation:

VPN Link Selection is a feature that allows the Security Gateway to select the best link for each VPN tunnel based on the network topology and the Link Selection configuration [1]. When the primary VPN link goes down, the Firewall can update the Link Selection entries to start using a different link for the same tunnel, as long as the remote peer supports this feature and has multiple IP addresses configured [2]. This way, the VPN tunnel can be maintained without interruption or renegotiation. The other options are not correct because:

A) The Firewall will not drop the packets, but will try to send them over another link if possible.

C) The Firewall will not send out the packet on all interfaces, but will use the routing table to determine the best interface for each destination.

D) The Firewall will not inform the client that the tunnel is down, but will try to keep the tunnel up by switching to another link.

Which of the following links will take you to the SmartView web application?

A. https://<Security Management Server host name>/smartviewweb/
B. https://<Security Management Server IP Address>/smartview/
C. https://<Security Management Server host name>smartviewweb
D. https://<Security Management Server IP Address>/smartview
Suggested answer: B

Explanation:

The SmartView web application is a web-based interface that allows you to view and analyze logs and events from your Security Gateways and Management Servers [1]. To access the SmartView web application, you need to use the following link: https://<Security Management Server IP Address>/smartview/. This link will prompt you to enter your credentials and then take you to the SmartView dashboard. The other options are not correct because:

A) The link https://<Security Management Server host name>/smartviewweb/ is missing a slash (/) between the host name and smartviewweb.

C) The link https://<Security Management Server host name>smartviewweb is missing a slash (/) after the host name and before smartviewweb.

D) The link https://<Security Management Server IP Address>/smartview is missing a slash (/) at the end.

Which directory below contains log files?

A. /opt/CPSmartlog-R81/log
B. /opt/CPshrd-R81/log
C. /opt/CPsuite-R81/fw1/log
D. /opt/CPsuite-R81/log
Suggested answer: C

Explanation:

The directory /opt/CPsuite-R81/fw1/log contains the log files for the Security Gateway, such as firewall, VPN, IPS, and anti-virus logs [1]. These log files can be viewed and analyzed using SmartConsole or SmartView [2]. The other directories are not correct because:

A) The directory /opt/CPSmartlog-R81/log contains the log files for the SmartLog server, which is a separate component that indexes and searches the logs from multiple Security Gateways [3].

B) The directory /opt/CPshrd-R81/log contains the log files for the shared components of the Check Point suite, such as cpwd, cpca, cpd, and cpwatchdog [4].

D) The directory /opt/CPsuite-R81/log does not exist by default and is not used for logging purposes.

Which GUI client is supported in R81?

A. SmartProvisioning
B. SmartView Tracker
C. SmartView Monitor
D. SmartLog
Suggested answer: C

Explanation:

SmartView Monitor is a GUI client that is supported in R81. It allows you to monitor the network and security performance of your Security Gateways and devices [5]. You can use it to view real-time statistics, alerts, logs, reports, and graphs [6]. The other GUI clients are not supported in R81 because:

A) SmartProvisioning was replaced by SmartLSM in R80.20 and later versions [7]. SmartLSM is a unified solution for managing large-scale deployments of Security Gateways [8].

B) SmartView Tracker was replaced by SmartLog in R80 and later versions [9]. SmartLog is a powerful log analysis tool that enables fast and easy access to log data from multiple Security Gateways [10].

D) SmartLog is not a GUI client, but a web-based application that runs on the Security Management Server or Log Server [10]. You can access it from any web browser or from SmartConsole.

From SecureXL perspective, what are the three paths of traffic flow:

A. Initial Path; Medium Path; Accelerated Path
B. Layer Path; Blade Path; Rule Path
C. Firewall Path; Accept Path; Drop Path
D. Firewall Path; Accelerated Path; Medium Path
Suggested answer: D

Explanation:

SecureXL is a technology that improves the performance of Security Gateway by offloading the processing of some packets from the Firewall kernel to the SecureXL device driver [1]. SecureXL can handle packets in three different paths, depending on the type and state of the packet [2]:

Firewall Path: This is the slowest path, where packets are processed by the Firewall kernel and all the inspection blades. This path is used for packets that require full inspection, such as the first packet of a connection, packets that match a rule with a UTM blade, or packets that are not eligible for acceleration.

Accelerated Path: This is the fastest path, where packets are processed by the SecureXL device driver and bypass the Firewall kernel. This path is used for packets that belong to an established connection that is marked for acceleration, and do not require any further inspection by the Firewall or other blades.

Medium Path: This is a hybrid path, where packets are processed by both the SecureXL device driver and the Firewall kernel, but skip some inspection steps. This path is used for packets that belong to an established connection that is not marked for acceleration, but do not require full inspection by all the blades.

The other options are not correct because:

A) Initial Path; Medium Path; Accelerated Path: There is no such thing as Initial Path in SecureXL terminology. The initial packet of a connection is always handled by the Firewall Path.

B) Layer Path; Blade Path; Rule Path: These are not paths of traffic flow, but components of the unified policy in R80 and above versions. The Layer Path refers to the order of layers in the policy, the Blade Path refers to the order of blades within a layer, and the Rule Path refers to the order of rules within a blade [3].

C) Firewall Path; Accept Path; Drop Path: These are not paths of traffic flow, but possible actions that the Firewall can take on a packet. The Firewall Path is one of the paths of traffic flow, but the Accept Path and Drop Path are not. The Accept Path means that the packet is allowed to pass through the Firewall, and the Drop Path means that the packet is blocked by the Firewall [4].

To enable Dynamic Dispatch on Security Gateway without the Firewall Priority Queues, run the following command in Expert mode and reboot:

A. fw ctl Dyn_Dispatch on
B. fw ctl Dyn_Dispatch enable
C. fw ctl multik set_mode 4
D. fw ctl multik set_mode 1
Suggested answer: C

Explanation:

Dynamic Dispatch is a feature that enhances CoreXL performance by dynamically assigning new connections to CoreXL FW instances based on their CPU utilization [1]. To enable Dynamic Dispatch on Security Gateway without enabling Firewall Priority Queues (FPQ), you need to run the command fw ctl multik set_mode 4 in Expert mode and reboot [2]. This command will set the CoreXL mode to Dynamic Dispatcher without FPQ. The other options are not correct because:

A) fw ctl Dyn_Dispatch on: This command does not exist and will return an error message.

B) fw ctl Dyn_Dispatch enable: This command does not exist and will return an error message.

D) fw ctl multik set_mode 1: This command will set the CoreXL mode to Static Dispatcher without FPQ, which is the default mode [2]. This mode will use a static hash function to assign new connections to CoreXL FW instances based on their IP addresses and protocol.

What is the protocol and port used for Health Check and State Synchronization in ClusterXL?

A. CCP and 18190
B. CCP and 257
C. CCP and 8116
D. CPC and 8116
Suggested answer: C

Explanation:

ClusterXL is a clustering technology that provides high availability and load sharing for Security Gateways. ClusterXL uses a proprietary protocol called Check Point Cluster Protocol (CCP) to communicate between cluster members. CCP has two main functions: Health Check and State Synchronization. Health Check is the mechanism that monitors the status and availability of each cluster member and determines which member is the active one. State Synchronization is the mechanism that synchronizes the connection and NAT tables between cluster members to ensure a smooth failover in case of a member failure. CCP uses UDP port 8116 for both Health Check and State Synchronization messages. The other options are not correct because:

A) CCP and 18190: This option is incorrect because CCP does not use port 18190. Port 18190 is used by Secure Internal Communication (SIC) between Security Gateways and Management Servers.

B) CCP and 257: This option is incorrect because CCP does not use port 257. Port 257 is used by Check Point Security Management Protocol (CPM) for communication between SmartConsole and Management Servers.

D) CPC and 8116: This option is incorrect because there is no such protocol as CPC in ClusterXL.

Which command shows the current connections distributed by CoreXL FW instances?

A. fw ctl multik stat
B. fw ctl affinity -l
C. fw ctl instances -v
D. fw ctl iflist
Suggested answer: A

Explanation:

CoreXL is a performance-enhancing technology that enables the processing CPU cores to concurrently perform multiple tasks on Security Gateways with multiple CPU cores. CoreXL replicates the Firewall kernel multiple times, creating multiple Firewall instances that run on different CPU cores. These Firewall instances handle traffic concurrently, and each Firewall instance is a complete and independent Firewall inspection kernel. To show the current connections distributed by CoreXL FW instances, you can use the command fw ctl multik stat on the Security Gateway. This command will display information such as the number of connections, packets, bytes, drops, and errors handled by each CoreXL FW instance, as well as the CPU utilization and affinity of each instance. The other options are not correct because:

B) fw ctl affinity -l: This command will show the CPU affinity of all processes and IRQs on the Security Gateway. It will not show the current connections distributed by CoreXL FW instances.

C) fw ctl instances -v: This command will show the details of all CoreXL FW instances on the Security Gateway, such as their ID, type, state, priority, and interfaces. It will not show the current connections distributed by CoreXL FW instances.

D) fw ctl iflist: This command will show the list of all interfaces on the Security Gateway, along with their names

What is the purpose of extended master key extension/session hash?

A. UDP VOIP protocol extension
B. In case of TLS1.x it is a prevention of a Man-in-the-Middle attack/disclosure of the client-server communication
C. Special TCP handshaking extension
D. Supplement DLP data watermark
Suggested answer: B

Explanation:

The extended master key extension/session hash is a feature introduced in TLS 1.3 to prevent a Man-in-the-Middle attack/disclosure of the client-server communication. It works by generating a unique session hash for each connection, which is derived from the master key and other parameters. This session hash is then used to authenticate the application data and the end-of-handshake messages, ensuring that no one can tamper with or eavesdrop on the communication.

Reference: Check Point Security Expert R81 Course, TLS 1.3 RFC

In the Check Point Firewall Kernel Module, each Kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with ____________ will not apply.

A. ffff
B. 1
C. 2
D. 3
Suggested answer: B

Explanation:

In the Check Point Firewall Kernel Module, each kernel is associated with a key, which specifies the type of traffic applicable to the chain module. For Wire Mode configuration, chain modules marked with 1 will not apply, as they are related to NAT, VPN, or other features that are not supported in Wire Mode. Wire Mode is a mode of operation that allows transparent traffic forwarding without any inspection or modification by the firewall.

Reference: Check Point Security Expert R81 Course, Wire Mode Configuration Guide

Total 626 questions