Checkpoint 156-315.81 Practice Test - Questions Answers, Page 49

Security Gateway Clusters in Load Sharing mode are not supported by the Central Deployment feature in R81.20 SmartConsole.According to the Check Point R81.20 Known Limitations article1, Central Deployment in SmartConsole does not support:

Connection from SmartConsole Client to the Management Server through a proxy server. In this case, use the applicable API command

ClusterXL in Load Sharing mode

VRRP Cluster

Installation of a package on a VSX VSLS Cluster that contains more than 3 members.

On Multi-Domain Servers: Global Domain, or the MDS context

Standalone server

Standby Security Management Server or Multi-Domain Security Management

Scalable Platforms 40000 / 60000

SMB Appliances

The other options are supported by the Central Deployment feature in R81.20 SmartConsole. Dedicated Log Server, Dedicated SmartEvent Server, and Security Gateways/Clusters in ClusterXL HA new mode can be selected as targets for installing packages using the Central Deployment wizard.

Starting R81, the Access Control Policy installation process is accelerated thereby reducing the duration of the process significantly.According to the Check Point R81 Security Management Administration Guide1, Accelerated Install Policy is a new feature in R81 that optimizes common use-cases and drastically speeds up the installation with up to 90% improvement. Policy installation is accelerated depending on the changes that were made to the Access Control policy since the last installation. When the policy installation is accelerated, the icon will appear under the ''Install Policy Acceleration'' column in the Install Policy window.

Accelerated Install Policy - Check Point Software, section ''Accelerated Install Policy''

Dynamic Balancing is a feature that uses a daemon to balance the required number of firewall instances and SNDs based on the current load. It dynamically changes the split between CoreXL SNDs and CoreXL Firewalls and does not require a reboot or cause an outage. It monitors the system and makes changes as needed to optimize the performance of the Security Gateway. It is supported on Check Point Appliances with R80.40 and higher versions.

Reference:Dynamic Balancing for CoreXL - Check Point Software,Dynamic Balancing available on R80.40 - Check Point CheckMates,CLI R81.20 Reference Guide - Check Point Software,Performance Tuning R81.20 Administration Guide - Check Point Software

Establishing SIC between gateways and the management server is a prerequisite for Central Deployment usage, as the CDT tool will not take care of this automatically1.The administrator must have write permission on SmartUpdate, the Security Gateway must have the latest CPUSE Deployment Agent, and the Security Gateway must have a policy installed2.These are the basic requirements for using the Central Deployment Tool (CDT), which is a utility that lets you manage a deployment of software packages from your Management Server to the multiple managed Security gateways and cluster members at the same time2.The CDT can perform various actions, such as installation of software packages, taking snapshots, running shell scripts, pushing/pulling files, and automating the RMA backup and restore process2.The CDT is supported on Check Point Appliances with R80.40 and higher versions2.

Reference:How to keep your Security Gateways up to date - Check Point Software,Central Deployment Tool (CDT) - Check Point CheckMates.

Main Mode in IKEv1 usessix packetsfor negotiation1. Main Mode is the default mode for IKE phase I, which establishes a secure channel between the peers.Main Mode performs the following steps2:

The peers exchange their security policies and agree on a common set of parameters.

The peers generate a shared secret key using the Diffie-Hellman algorithm.

The peers authenticate each other using pre-shared keys, digital signatures, or public key encryption. Main Mode is partially encrypted, from the point at which the shared DH key is known to both peers2.Main Mode provides more security than Aggressive Mode, which uses only three packets for negotiation, but is faster and simpler2.

Reference:Check Point gateways always send main IP address as IKE Main Mode ID - Check Point Software,IPsec and IKE - Check Point Software

The component of Management that is used for indexing isSOLR1.SOLR is an open source enterprise search platform that provides indexing and searching capabilities for various types of data2.Check Point uses SOLR to index logs, objects, policies, and other data that are stored in the Security Management Server or the Multi-Domain Security Management Server3.SOLR enables fast and efficient searches in SmartConsole, SmartLog, SmartView, and other applications3.SOLR also supports advanced features such as full-text search, faceted search, highlighting, spell checking, and geospatial search2.

Reference:Check Point R81.20 Known Limitations - Check Point Software,SOLR - The Enterprise Search Platform,Check Point R81.20 Logging and Monitoring Administration Guide - Check Point Software

The mechanism that can ensure that the Security Gateway can communicate with the Management Server with ease in situations with overwhelmed network resources is calledManagement Data Plane Separation (MDPS)1. MDPS is a feature that allows a Security Gateway to have isolated Management and Data networks. The network system of each domain (plane) is independent and includes interfaces, routes, sockets, and processes. The Management Plane is a domain that accesses, provisions, and monitors the Security Gateway.The Data Plane is a domain that handles all other traffic1.MDPS has the following benefits2:

It improves the performance and stability of the Security Gateway by separating the management traffic from the data traffic.

It enhances the security of the Security Gateway by preventing any packet from crossing between the planes.

It simplifies the network configuration and troubleshooting by having separate routing tables for each plane. MDPS is supported on Check Point Appliances with R80.40 and higher versions1.It is also supported on Quantum Maestro and Quantum Scalable Chassis with R81.20 and higher versions3.MDPS can be configured using Gaia Clish commands or Gaia Portal1.

Reference:Management Data Plane Separation (MDPS) - Check Point Software,Tip of the Week: Management Data Plane Separation - Check Point CheckMates,Management Data Plane Separation (MDPS) on Maestro R81.20 - Check Point Software

The valid SecureXL paths in R81.20 areF2F (Slow path), Accelerated Path, Medium Path and F2V1.SecureXL is a technology that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2.SecureXL uses different paths to process packets, depending on the type and state of the connection3.The SecureXL paths are3:

F2F (Slow path): This path handles packets that require a full inspection by the Firewall kernel. It is the slowest path, but it supports all features and blades. Examples of packets that use this path are packets that belong to a new connection, packets that match a rule with UTM blades, or packets that require address translation.

Accelerated Path: This path handles packets that belong to an established connection that does not require any further inspection by the Firewall kernel. It is the fastest path, but it supports only a limited set of features and blades. Examples of packets that use this path are packets that match an accept rule with no UTM blades, or packets that match a rule with SecureXL acceleration enabled.

Medium Path: This path handles packets that belong to an established connection that requires some inspection by the Firewall kernel, but not a full inspection. It is faster than the F2F path, but slower than the Accelerated path. It supports more features and blades than the Accelerated path, but less than the F2F path. Examples of packets that use this path are packets that match a rule with IPS or Anti-Bot blades, or packets that require NAT templates.

F2V: This path handles packets that are encapsulated or decapsulated by the VPN kernel. It is faster than the F2F path, but slower than the Accelerated path. It supports VPN features such as encryption, decryption, encapsulation, and decapsulation.

Reference:R81.x Security Gateway Architecture (Logical Packet Flow) - Check Point CheckMates,SecureXL Mechanism in R80.10 and above - Check Point Software,SecureXL - Check Point Software

The correct way to check if the web service is enabled, running and which port is used is to use option C. In dish, runshow web ssl-portto see if the web daemon is enabled and which port is in use.In expert mode, runnetstat -anp | grep httpd2to see if the httpd2 is up1.The httpd2 service is responsible for the Gaia Web Management Interface2.If the web daemon is disabled, you can enable it by runningset web daemon-enable onin dish3.If the httpd2 service is down, you can start it by runningservice httpd2 startin expert mode4.

Reference:Gaia WebUI and CLI - Check Point CheckMates,Gaia R81.20 Administration Guide - Check Point Software,Gaia R81 Administration Guide - Check Point Software,How to restart Gaia Portal (WebUI) process - Check Point Software