Checkpoint 156-315.81 Practice Test - Questions Answers, Page 30

Fill in the blank. Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is ________ .

A. Sent to the Internal Certificate Authority.
B. Sent to the Security Administrator.
C. Stored on the Security Management Server.
D. Stored on the Certificate Revocation List.

Suggested answer: D

Explanation:

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL). The CRL is a list of certificates that have been revoked by the Internal Certificate Authority (ICA) and are no longer valid for Secure Internal Communication (SIC). The CRL is signed by the ICA and issued to all the managed Security Gateways the next time a SIC connection is made [1][2]. The CRL helps to prevent unauthorized access to the Security Management Server by revoked Security Gateways.

After trust has been established between the Check Point components, what is TRUE about name and IP-address changes?

A. Security Gateway IP-address cannot be changed without re-establishing the trust.
B. The Security Gateway name cannot be changed in command line without re-establishing trust.
C. The Security Management Server name cannot be changed in SmartConsole without re-establishing trust.
D. The Security Management Server IP-address cannot be changed without re-establishing the trust.

Suggested answer: A

Explanation:

After trust has been established between the Check Point components, the Security Gateway IP address cannot be changed without re-establishing the trust. This is because the trust is based on the Secure Internal Communication (SIC) mechanism, which uses certificates to authenticate and encrypt the communication. The certificates are issued by the Internal Certificate Authority (ICA) of the Security Management Server / Domain Management Server, and contain the name and IP address of the component. Therefore, if the IP address of a component is changed, the certificate will become invalid and the trust will be lost. To restore the trust, the certificate must be renewed or reissued by the ICA [1][2].

However, there are some exceptions to this rule. The Security Gateway name can be changed in command line without re-establishing trust, as long as the IP address remains the same. This is because the SIC mechanism does not rely on the hostname, but on the IP address and the SIC name (which is usually derived from the hostname, but can be manually changed). The Security Management Server name can be changed in SmartConsole without re-establishing trust, as long as the IP address remains the same. This is because SmartConsole uses a different mechanism to connect to the Security Management Server, which does not depend on the SIC certificate. The Security Management Server IP address can be changed without re-establishing trust, as long as some steps are followed to update the Check Point Registry file on the managed Security Gateways / Cluster Members / VSX Virtual Devices. This is because the Registry file contains the IP address of the ICA, which is used for certificate renewal. If the Registry file is not updated, then the certificate renewal will fail and the trust will be lost [3].

What is the order of NAT priorities?

A. Static NAT, IP pool NAT, hide NAT
B. IP pool NAT, static NAT, hide NAT
C. Static NAT, automatic NAT, hide NAT
D. Static NAT, hide NAT, IP pool NAT

Suggested answer: A

Explanation:

The order of NAT priorities is determined by the type of NAT rule that is applied to the traffic. There are three types of NAT rules in Check Point: static NAT, IP pool NAT, and hide NAT [1][2].

Static NAT: This type of NAT rule maps a single IP address to another single IP address. It is usually used to allow external hosts to access internal servers or devices. Static NAT has the highest priority among the NAT rules, and it is applied before the security policy is enforced [1][2].

IP pool NAT: This type of NAT rule maps a range of IP addresses to another range of IP addresses. It is usually used to balance the load among multiple servers or devices. IP pool NAT has the second highest priority among the NAT rules, and it is applied after the security policy is enforced [1][2].

Hide NAT: This type of NAT rule hides a group of IP addresses behind a single IP address or an interface. It is usually used to allow internal hosts to access external resources. Hide NAT has the lowest priority among the NAT rules, and it is applied after the security policy is enforced [1][2].

Therefore, the order of NAT priorities is: static NAT, IP pool NAT, hide NAT.

Which Check Point feature enables application scanning and detection?

A. Application Dictionary
B. AppWiki
C. Application Library
D. CPApp

Suggested answer: B

Explanation:

AppWiki is the Check Point feature that enables application scanning and detection. AppWiki is an easy to use tool that lets you search and filter Check Point's Web 2.0 Applications Database to find out information about internet applications, including social network widgets; filter by a category, tag, or risk level; and search for a keyword or application [1]. AppWiki helps you to identify and control the applications on your network, and to apply granular policies based on the application type, risk, and characteristics [1]. AppWiki is integrated with the Check Point Application Control Software Blade, which provides the industry's strongest application security and identity control to organizations of all sizes [1].

Which SmartConsole tab is used to monitor network and security performance?

A. Manage Setting
B. Security Policies
C. Gateway and Servers
D. Logs and Monitor

Suggested answer: D

Explanation:

The Logs and Monitor tab is used to monitor network and security performance in SmartConsole. The Logs and Monitor tab lets you view and analyze logs, events, reports, and alerts from various sources, such as Security Gateways, Security Management Servers, Endpoint Security Servers, and SmartEvent Servers. You can also use the Logs and Monitor tab to create custom views, filters, queries, and charts to display the data that is relevant to your needs [1][2].

Fill in the blank: The R81 SmartConsole, SmartEvent GUI client, and _______ consolidate billions of logs and show them as prioritized security events.

A. SmartMonitor
B. SmartView Web Application
C. SmartReporter
D. SmartTracker

Suggested answer: B

Explanation:

The R81 SmartConsole, SmartEvent GUI client, and SmartView Web Application consolidate billions of logs and show them as prioritized security events. The SmartView Web Application is a web-based interface that allows you to access the SmartEvent Server from any browser. You can use the SmartView Web Application to view and analyze security events, generate reports, and configure SmartEvent settings [1][2].

Office mode means that:

A. SecurID client assigns a routable MAC address. After the user authenticates for a tunnel, the VPN gateway assigns a routable IP address to the remote client.
B. Users authenticate with an Internet browser and use secure HTTPS connection.
C. Local ISP (Internet Service Provider) assigns a non-routable IP address to the remote user.
D. Allows a security gateway to assign a remote client an IP address. After the user authenticates for a tunnel, the VPN gateway assigns a routable IP address to the remote client.

Suggested answer: D

Explanation:

Office mode is a feature that allows a security gateway to assign a remote client an IP address from a network that is protected by the security gateway. This way, the remote client can access resources on the internal network as if it were physically connected to it. The IP address is assigned to the remote client after the user authenticates for a tunnel, and it is routable, meaning that it can be reached by other hosts on the network. Office mode is useful for scenarios where the remote client needs to use applications that rely on IP addresses, such as VoIP or file sharing [1][2].

When attempting to start a VPN tunnel, the error "no proposal chosen" is seen numerous times in the logs. No other VPN-related entries are present.

Which phase of the VPN negotiations has failed?

A. IKE Phase 1
B. IPSEC Phase 2
C. IPSEC Phase 1
D. IKE Phase 2

Suggested answer: A

Explanation:

The error "no proposal chosen" indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase is responsible for establishing a secure channel between the VPN peers, using a pre-shared secret or a certificate. The proposal consists of parameters such as encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it will reject the connection attempt and log the error "no proposal chosen" [1].

To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:

The same pre-shared secret or certificate
The same encryption algorithm (e.g., AES-256)
The same hash algorithm (e.g., SHA-256)
The same Diffie-Hellman group (e.g., Group 14)
The same lifetime (e.g., 86400 seconds)

One can use the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with the other peer. Alternatively, one can use SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings [2].

Which of the following Windows Security Events will not map a username to an IP address in Identity Awareness?

A. Kerberos Ticket Renewed
B. Kerberos Ticket Requested
C. Account Logon
D. Kerberos Ticket Timed Out

Suggested answer: D

Explanation:

Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user's Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

[1] Training & Certification | Check Point Software, section "Security Expert R81.20 (CCSE) Core Training"
[2] Certified Security Expert (CCSE) R81.20 Course Overview, page 1
[3] Check Point Certified Security Expert R81, page 5
[5] Identity Awareness Administration Guide R81, section "How Identity Awareness Collects Identities"

Fill in the blank: Browser-based Authentication sends users to a web page to acquire identities using ________ .

A. User Directory
B. Captive Portal and Transparent Kerberos Authentication
C. Captive Portal
D. UserCheck

Suggested answer: B

Explanation:

Browser-based Authentication is a method of acquiring identities from unidentified users by sending them to a web page where they can log in and authenticate. Browser-based Authentication uses two techniques to acquire identities: Captive Portal and Transparent Kerberos Authentication [1].

Captive Portal is a simple method that attempts authentication through a web interface before granting a user access to Intranet resources. When a user tries to access a protected resource, they are redirected to a web page where they have to enter their credentials. The credentials are verified by the Identity Awareness Security Gateway or an external authentication server. If the authentication is successful, the user's identity is associated with their IP address and they are allowed to access the resource [1][2].

Transparent Kerberos Authentication is a more seamless method that leverages the existing Kerberos infrastructure in the network. When a user tries to access a protected resource, the Identity Awareness Security Gateway intercepts the Kerberos ticket request and extracts the user's identity from it. The user's identity is then associated with their IP address and they are allowed to access the resource without any additional prompts. This method requires that the Identity Awareness Security Gateway is configured as a trusted proxy in the Active Directory domain [1][2].

Therefore, the correct answer is B) Browser-based Authentication sends users to a web page to acquire identities using Captive Portal and Transparent Kerberos Authentication.

[1] THE IMPORTANCE OF ACCESS ROLES - Check Point Software, page 2
[2] Browser-based Authentication Check Point - Bing
[3] How to Configure Client Authentication - Check Point Software, page 1
[4] Identity Sources - Check Point Software
[5] Configuring Browser-Based Authentication - Check Point Software
[6] Two Factor Authentication - Check Point Software
