Checkpoint 156-315.81 Practice Test - Questions Answers, Page 51

Bob is asked by Alice to disable the SecureXL mechanism temporarily for further diagnostics by their Check Point partner. Which of the following Check Point commands is correct?

A. fwaccel suspend
B. fwaccel standby
C. fwaccel off
D. fwaccel templates

Suggested answer: C

Explanation:

You disable SecureXL temporarily for diagnostics by logging in to the Security Gateway in Expert mode and running 'fwaccel off'. SecureXL is the acceleration layer that handles most packets without sending each one through the full Firewall kernel inspection path; turning it off forces all traffic through the Firewall kernel, which removes acceleration as a variable when troubleshooting connectivity or policy issues. Run 'fwaccel on' to re-enable it, and 'fwaccel stat' to confirm the state before and after. Two caveats: 'fwaccel off' is not persistent, so a reboot brings acceleration back, and disabling it can sharply raise CPU load on a busy gateway, so do it in a maintenance window or while the partner is on the line. Of the other options, 'fwaccel templates' only reports the state of the SecureXL templates and does not disable acceleration, and 'fwaccel suspend' and 'fwaccel standby' are not SecureXL commands.

You have set up the VPN Community 'VPN-Stores' with 3 gateways. There are some issues between one remote gateway (1.1.1.1) and your local gateway. What is the best log filter to see only the IKE Phase 2 agreed networks for both gateways?

A. action:'Key Install' AND 1.1.1.1 AND Main Mode
B. action:'Key Install' AND 1.1.1.1 AND Quick Mode
C. Blade:'VPN' AND VPN-Stores AND Main Mode
D. Blade:'VPN' AND VPN-Stores AND Quick Mode

Suggested answer: B

Explanation:

The best filter is B, action:'Key Install' AND 1.1.1.1 AND Quick Mode. In IKEv1, Phase 1 (Main Mode or Aggressive Mode) authenticates the peers and builds the IKE SA; Phase 2 (Quick Mode) negotiates the IPsec SAs, and it is in the Quick Mode exchange that the two gateways agree on the encryption domains, that is, the networks on each side of the tunnel. The action:'Key Install' term restricts the results to logs that record a successfully installed SA, the bare token 1.1.1.1 matches any log field containing that address and so narrows the results to the troublesome peer, and Quick Mode selects Phase 2 rather than Phase 1. Option A would show Phase 1 only, and options C and D drop the peer filter and so return logs for all three gateways in the community. Enter the expression in the search field of the Logs & Monitor view in SmartConsole (SmartLog).
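To see how the four candidate filters behave, here is an added example (my code, not from the page or from Check Point) that evaluates them over a handful of constructed VPN log records. The record fields and values, the simplified filter grammar (field:'value' terms and bare tokens joined with AND, bare tokens matching any field), and the "IPsec SA: a <-> b" info string from which the agreed networks are read are all assumptions modelled loosely on SmartLog, not real gateway output.

```python
"""Evaluate SmartLog-style filter expressions over VPN log records.

Added example, not code from the original page or from Check Point. The
records in LOGS are constructed to resemble Check Point VPN logs, and the
filter grammar below is a simplified model of the SmartLog search syntax:
terms are joined with AND, a term of the form field:'value' or field:value
must equal that field, and a bare token matches any field that contains it.
"""
import re

# Constructed sample records, not real gateway output.
LOGS = [
    {"time": "10:00:01", "blade": "VPN", "action": "Key Install", "peer": "1.1.1.1",
     "community": "VPN-Stores", "ike": "Main Mode", "info": "IKE SA established"},
    {"time": "10:00:02", "blade": "VPN", "action": "Key Install", "peer": "1.1.1.1",
     "community": "VPN-Stores", "ike": "Quick Mode",
     "info": "IPsec SA: 10.10.0.0/16 <-> 192.168.50.0/24"},
    {"time": "10:00:03", "blade": "VPN", "action": "Key Install", "peer": "2.2.2.2",
     "community": "VPN-Stores", "ike": "Quick Mode",
     "info": "IPsec SA: 10.10.0.0/16 <-> 172.16.0.0/24"},
    {"time": "10:00:04", "blade": "VPN", "action": "Accept", "peer": "1.1.1.1",
     "community": "VPN-Stores", "ike": "", "info": "encrypted packet"},
    {"time": "10:00:05", "blade": "VPN", "action": "Reject", "peer": "1.1.1.1",
     "community": "VPN-Stores", "ike": "Quick Mode", "info": "No proposal chosen"},
]

FIELD_TERM = re.compile(r"(\w+):'([^']*)'|(\w+):(\S+)")
SA_NETS = re.compile(r"IPsec SA: (\S+) <-> (\S+)")


def parse_filter(expr):
    """Split 'a AND b AND c' into (field, value) pairs; field is None for bare tokens."""
    terms = []
    for raw in expr.split(" AND "):
        raw = raw.strip()
        m = FIELD_TERM.fullmatch(raw)
        if m:
            field = (m.group(1) or m.group(3)).lower()
            value = m.group(2) if m.group(2) is not None else m.group(4)
            terms.append((field, value))
        else:
            terms.append((None, raw.strip("'")))
    return terms


def matches(record, terms):
    """Every term must hold for the record (AND semantics)."""
    for field, value in terms:
        if field is None:
            if not any(value.lower() in str(v).lower() for v in record.values()):
                return False
        elif str(record.get(field, "")).lower() != value.lower():
            return False
    return True


def search(logs, expr):
    terms = parse_filter(expr)
    return [r for r in logs if matches(r, terms)]


def phase2_networks(logs, peer):
    """Agreed networks for one peer. Only Quick Mode 'Key Install' entries carry
    them; Main Mode (Phase 1) entries and failed negotiations are filtered out."""
    nets = []
    for r in search(logs, f"action:'Key Install' AND {peer} AND Quick Mode"):
        m = SA_NETS.search(r["info"])
        if m:
            nets.append(m.groups())
    return nets


if __name__ == "__main__":
    for label, expr in [("A", "action:'Key Install' AND 1.1.1.1 AND Main Mode"),
                        ("B", "action:'Key Install' AND 1.1.1.1 AND Quick Mode"),
                        ("C", "Blade:'VPN' AND VPN-Stores AND Main Mode"),
                        ("D", "Blade:'VPN' AND VPN-Stores AND Quick Mode")]:
        print(label, len(search(LOGS, expr)), "record(s)")
    print("agreed networks with 1.1.1.1:", phase2_networks(LOGS, "1.1.1.1"))
```

Running it shows why the peer term matters: filter D returns Phase 2 entries for every gateway in the community, while B returns just the one successful Quick Mode negotiation with 1.1.1.1, and the Reject entry for the same peer is excluded by the action term.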

Besides fw monitor, what is another command that can be used to capture packets?

A. arp
B. traceroute
C. tcpdump
D. ping

Suggested answer: C

Explanation:

tcpdump captures and decodes network traffic on a given interface. It is useful for troubleshooting connectivity or performance issues and for inspecting packet contents. Run it from Expert mode on the Security Gateway as tcpdump -i <interface> [options] [filter]; the BPF filter expression can select by source or destination address, port, protocol and so on, and the -w option writes the raw packets to a file for later analysis in Wireshark or a similar tool. Add -nn to suppress name resolution, which otherwise slows the capture and generates DNS traffic of its own. One difference from fw monitor matters when interpreting results: tcpdump captures at the network interface, outside the Firewall kernel chain, so it shows what is on the wire, whereas fw monitor captures at inspection points inside the chain (i, I, o, O) and, on releases before R80.20, does not see traffic that SecureXL has accelerated, which is one reason to disable SecureXL during diagnostics. Newer Gaia releases also ship cppcap as an additional capture tool. Run man tcpdump on the gateway for the full option list.

What are the modes of SandBlast Threat Emulation deployment?

A. Cloud, Smart-1 and Hybrid
B. Cloud, OpenServer and VMware
C. Cloud, Appliance and Private
D. Cloud, Appliance and Hybrid

Suggested answer: D

Explanation:

SandBlast Threat Emulation protects against zero-day and unknown malware by running files in a sandbox and observing their behaviour before a verdict is given. It can be deployed in three modes: Cloud, Appliance and Hybrid.

Cloud mode: Files are sent to Check Point's ThreatCloud for emulation. No additional hardware or software is needed, which makes it the simplest and usually the cheapest deployment, at the cost of sending file contents off premises.

Appliance mode: Files are sent to a dedicated Threat Emulation appliance (the TE series) on premises. This gives the most control over data privacy and compliance and scales with the appliance size; it suits organisations that cannot send files to the cloud or that need high emulation throughput.

Hybrid mode: A local appliance and ThreatCloud are used together, with emulation split between them according to the Threat Prevention configuration. It combines local control over sensitive files with the capacity and file-type coverage of the cloud service.

Which command lists the firewall chain?

A. fw ctl chain
B. fw list chain
C. fw chain module
D. fw tab -t chainmod

Suggested answer: A

Explanation:

The command that lists the firewall chain is fw ctl chain, run from Expert mode on the Security Gateway. It prints the chain modules registered in the kernel for the inbound direction ("in chain") and the outbound direction ("out chain"). Chain modules are the components of the Firewall kernel that inspect and process packets according to the Security Policy and the enabled Software Blades (VPN decryption and encryption, the rule base itself as fw VM inbound and fw VM outbound, streaming, and so on), and each packet passes through the modules in the order listed, so a module's position determines when it sees the packet. This makes fw ctl chain useful for checking whether a feature's module is actually registered, for understanding where in the chain a problem occurs, and for choosing fw monitor inspection points, which are defined relative to these chain positions.
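To make the ordering concrete, here is an added example (my code, not from the page or from Check Point) that parses the text layout of fw ctl chain output into ordered modules and answers the two questions a practitioner usually has: is a given module registered, and does it run before another one. The sample output is constructed to follow the real layout (position: priority (address) (flags) name (module id)) but its addresses, flags, counts and module set are made up for illustration and do not describe any real release.

```python
"""Parse the output of 'fw ctl chain' into ordered chain modules.

Added example, not code from the original page or from Check Point.
CHAIN_OUTPUT is a constructed sample that follows the layout of real
'fw ctl chain' output, but the addresses, flags, counts and the set of
modules are invented for illustration.
"""
import re
from dataclasses import dataclass

CHAIN_OUTPUT = """\
in chain (8):
        0: -7fffffff (f01f7e10) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -7ffffffe (f02d3b40) (00000000) vpn multik forward in
        2:       - 2 (f0271c20) (00000003) vpn decrypt (vpn)
        3:       - 1 (f0271d20) (00000003) vpn decrypt verify (vpn_ver)
        4:         0 (f01fb9c0) (00000001) fw VM inbound  (fw)
        5:         2 (f0271da0) (00000003) vpn policy inbound (vpn_pol)
        6:  7f750000 (f0290000) (00000000) TCP streaming (in) (cpas)
        7:  7fb00000 (f01f7f40) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (5):
        0: -7fffffff (f01f7e10) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1:       - 2 (f0271da0) (00000003) vpn policy outbound (vpn_pol)
        2:         0 (f01fb9c0) (00000001) fw VM outbound (fw)
        3:        10 (f0271c20) (00000003) vpn encrypt (vpn)
        4:  7fb00000 (f01f7f40) (ffffffff) IP Options Restore (out) (ipopt_res)
"""

HEADER = re.compile(r"^(in|out) chain \((\d+)\):\s*$")
# position: priority (kernel address) (flags) name ... (module id)
ENTRY = re.compile(
    r"^\s*(\d+):\s*(-?\s*[0-9a-fA-F]+)\s+\(([0-9a-fA-F]+)\)\s+\(([0-9a-fA-F]+)\)\s+(.*\S)\s*$"
)
ID_SUFFIX = re.compile(r"^(.*?)\s*\(([A-Za-z0-9_]+)\)$")


@dataclass
class ChainModule:
    position: int
    priority: int     # signed hex in the output; lower values run earlier
    name: str
    module_id: str    # "" when the entry has no trailing (id)


def parse_chain(text):
    """Return {"in": [...], "out": [...]} and verify the declared module counts."""
    chains, declared, current = {}, {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            declared[current] = int(h.group(2))
            chains[current] = []
            continue
        e = ENTRY.match(line)
        if not e or current is None:
            continue
        rest = e.group(5)
        m = ID_SUFFIX.match(rest)
        name, mid = (m.group(1), m.group(2)) if m else (rest, "")
        chains[current].append(ChainModule(
            position=int(e.group(1)),
            priority=int(e.group(2).replace(" ", ""), 16),
            name=name.strip(),
            module_id=mid,
        ))
    for direction, count in declared.items():
        if len(chains[direction]) != count:
            raise ValueError(f"{direction} chain declares {count} modules, parsed {len(chains[direction])}")
    return chains


def position(chains, direction, module_id):
    """Chain position of a module id, or None if it is not registered."""
    for m in chains[direction]:
        if m.module_id == module_id:
            return m.position
    return None


def runs_before(chains, direction, first_id, second_id):
    """True when both modules are registered and first_id sees packets first."""
    a = position(chains, direction, first_id)
    b = position(chains, direction, second_id)
    return a is not None and b is not None and a < b


def priorities_are_sorted(chains, direction):
    """The kernel orders modules by priority, so a parsed chain should be monotonic."""
    p = [m.priority for m in chains[direction]]
    return p == sorted(p)


if __name__ == "__main__":
    chains = parse_chain(CHAIN_OUTPUT)
    for direction, modules in chains.items():
        print(f"{direction} chain: " + " -> ".join(m.name for m in modules))
    print("fw VM inbound at position", position(chains, "in", "fw"))
```

The count check against the "(N)" in each chain header is worth keeping in any script that scrapes this output: a truncated capture or a layout change in a new release then fails loudly instead of silently reporting a module as missing.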

Which Queue in the Priority Queue has the maximum priority?

A. High Priority
B. Control
C. Routing
D. Heavy Data Queue

Suggested answer: C

Explanation:

Priority Queues let the Firewall prioritise some traffic over other traffic when a CoreXL instance's CPU is saturated, so that control and routing traffic keeps flowing under load. The queues named here, from highest to lowest priority, are Control, Routing, High Priority and Heavy Data Queue. The Control queue is reserved for firewall control traffic such as cluster synchronisation and policy installation; the Routing queue carries dynamic routing protocol traffic such as OSPF and BGP; the High Priority queue carries traffic the administrator has chosen to prioritise, such as VoIP or video conferencing; and the Heavy Data Queue has the lowest priority and holds bulk transfers such as FTP or HTTP downloads. Note that this ordering places Control, not Routing, at the top, which contradicts the suggested answer above; check the Priority Queues SK article for your release, and the output of fw ctl multik prioq on the gateway, before relying on either answer.

What is the purpose of the command 'ps aux | grep twd'?

A. You can check the Process ID and the processing time of the twd process.
B. You can convert the log file into Post Script format.
C. You can list all Process IDs for all running services.
D. You can check whether the IPS default setting is set to Detect or Prevent mode.

Suggested answer: A

Explanation:

The command 'ps aux | grep twd' is used to find the process ID and the accumulated CPU time of the twd process on the Security Gateway. ps lists the active processes; the aux options show all processes of all users, including those without a controlling terminal, in the USER, PID, %CPU, %MEM, VSZ, RSS, TTY, STAT, START, TIME and COMMAND columns, where TIME is the cumulative CPU time the process has consumed, not how long it has been running. grep then keeps only the lines that contain the string 'twd'. Two practical points: grep matches any line containing the string, including the grep command itself and any other process whose arguments mention it, so use 'ps aux | grep [t]wd' or 'pgrep -lx twd' to avoid the self-match; and ps gives a single snapshot, so repeat it or use top to see whether the CPU time is still growing. Therefore, the correct answer is A.
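The self-match problem is easier to see on data, so here is an added example (my code, not from the page or from Check Point) that parses ps aux output, converts the TIME column to seconds, and contrasts what a plain grep returns with a match on the executable name only. PS_OUTPUT is a constructed sample in the Linux ps aux column layout, not real gateway output, and the 'twd' command lines in it are invented; nothing here claims what the twd process does on a real gateway.

```python
"""Parse 'ps aux' output and locate one process by executable name.

Added example, not code from the original page or from Check Point. PS_OUTPUT
is a constructed sample in the Linux 'ps aux' column layout, not real gateway
output; the process name 'twd' is taken from the exam question and the command
lines shown for it are invented.
"""

PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19356  1544 ?        Ss   Mar01   0:03 /sbin/init
admin     4711  2.3  1.2 331412 48120 ?        Sl   Mar01  12:45 twd -d
admin     4712  0.0  0.0  12345   900 ?        S    Mar01   0:00 /bin/sh /opt/CPsuite/bin/twd_watchdog.sh
admin     9901  0.0  0.0   6420   832 pts/0    S+   10:22   0:00 grep twd
"""

COLUMNS = 11  # ps aux prints 11 columns; only COMMAND, the last, may contain spaces


def parse_ps_aux(text):
    """Return one dict per process, keyed by the header names."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    if len(header) != COLUMNS:
        raise ValueError(f"unexpected ps header: {lines[0]!r}")
    rows = []
    for line in lines[1:]:
        fields = line.split(None, COLUMNS - 1)  # keep COMMAND intact
        if len(fields) == COLUMNS:
            rows.append(dict(zip(header, fields)))
    return rows


def cpu_time_seconds(value):
    """Convert the TIME column ([[dd-]hh:]mm:ss) to seconds of CPU time."""
    days = 0
    if "-" in value:
        d, value = value.split("-", 1)
        days = int(d)
    parts = [int(p) for p in value.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def naive_grep(text, name):
    """What 'ps aux | grep NAME' actually prints: every line containing the
    string, including grep itself and unrelated commands that mention NAME."""
    return [line for line in text.strip().splitlines()[1:] if name in line]


def find_process(text, name):
    """(PID, CPU seconds, COMMAND) for processes whose executable is NAME.

    Matching on the basename of the first COMMAND token is what
    'ps aux | grep [t]wd' or 'pgrep -lx twd' approximate: the grep line and
    the watchdog script that merely mention the name are excluded."""
    hits = []
    for row in parse_ps_aux(text):
        exe = row["COMMAND"].split()[0].rsplit("/", 1)[-1]
        if exe == name:
            hits.append((int(row["PID"]), cpu_time_seconds(row["TIME"]), row["COMMAND"]))
    return hits


if __name__ == "__main__":
    print("plain grep would show", len(naive_grep(PS_OUTPUT, "twd")), "lines")
    for pid, secs, cmd in find_process(PS_OUTPUT, "twd"):
        print(f"pid={pid} cpu_time={secs}s command={cmd!r}")
```

On the sample, the plain grep reports three lines for a single process, which is exactly the noise that makes a quick 'is it running, and how much CPU has it eaten' check unreliable when scripted.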

What is the minimum number of CPU cores required to enable CoreXL?

A. 1
B. 6
C. 2
D. 4

Suggested answer: C

Explanation:

CoreXL improves Security Gateway performance by running several instances of the Firewall kernel (firewall workers, fwk) in parallel on different CPU cores, with the Secure Network Distributor (SND) reading packets from the interfaces and distributing connections across those instances. The number of kernel instances is configured with cpconfig on the Security Gateway, and fw ctl multik stat shows the running instances and their CPU assignment. CoreXL needs at least 2 cores: with a single core there is nothing to distribute across, since the SND work and at least one kernel instance need separate cores for the split to gain anything, so CoreXL cannot be enabled on a one-core gateway. Therefore, the correct answer is C.

You want to gather data and analyze threats to your mobile device. It has to be a lightweight app. Which application would you use?

A. Check Point Capsule Cloud
B. SandBlast Mobile Protect
C. SecuRemote
D. SmartEvent Client Info

Suggested answer: B

Explanation:

SandBlast Mobile Protect is the on-device app of the SandBlast Mobile solution. It is lightweight, with little effect on device performance or battery life, and it gathers data about the device, its network connections and its installed apps to detect and block threats such as phishing, malware, ransomware, botnets and man-in-the-middle attacks, with verdicts backed by Check Point's ThreatCloud intelligence. Capsule Cloud is a cloud-based security service, SecuRemote is a basic remote access VPN client and SmartEvent is an event correlation product, none of which analyses threats on the device itself. Therefore, the correct answer is B.

Secure Configuration Verification (SCV) makes sure that remote access client computers are configured in accordance with the enterprise Security Policy. Bob was asked by Alice to implement a specific SCV configuration, and to do so Bob needs to edit and configure a specific Check Point file. Which file location and directory is correct?

A. $FWDIR/conf/client.scv
B. $CPDIR/conf/local.scv
C. $CPDIR/conf/client.svc
D. $FWDIR/conf/local.scv

Suggested answer: D

Explanation:

Secure Configuration Verification checks that a Remote Access VPN client (Endpoint Security VPN or Check Point Mobile) complies with the enterprise security policy, for example that a screen saver, an anti-virus product or a specific process is present, before it is granted access to internal resources. The SCV checks are defined in the file local.scv in the $FWDIR/conf directory of the Security Management Server; the policy is distributed to the gateways with policy installation and downloaded by the clients from there. The file can be edited by hand or with the SCV Editor tool, and SCV enforcement is switched on under Global Properties > Remote Access > Secure Configuration Verification in SmartConsole. Therefore, the correct answer is D.
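As an added illustration (mine, not from the page or from Check Point), here is the shape of a local.scv policy with one check and enforcing global parameters. The s-expression layout and the parameter names are as I recall them from the SCV policy syntax documentation; treat every name and value as an assumption to verify against the Remote Access VPN Administration Guide for your release before use. The process name and the message text are made up.

```text
(SCVObject
    :SCVNames (
        : (ProcessMonitor
            :type (plugin)
            :parameters (
                :AntiVirus.exe (true)
                :begin_admin (admin)
                    :send_log (alert)
                    :mismatchmessage ("Your anti-virus process is not running. Start it and reconnect.")
                :end (admin)
            )
        )
    )
    :SCVPolicy (
        : (ProcessMonitor)
    )
    :SCVGlobalParams (
        :enable_status_notifications (true)
        :status_notifications_timeout (10)
        :disconnect_when_not_verified (true)
        :block_connections_on_unverified (true)
        :scv_policy_timeout_hours (24)
        :enforce_ip_forwarding (true)
        :not_verified_script ("")
        :not_verified_script_run_show (false)
        :not_verified_script_run_admin (false)
        :not_verified_script_run_always (false)
        :allow_non_scv_clients (false)
    )
)
```

The lines that decide whether SCV actually protects anything are in SCVGlobalParams. With block_connections_on_unverified set to false and allow_non_scv_clients set to true, a client that fails the check, or a client that does not implement SCV at all, is still allowed through and SCV becomes an audit mechanism only; the values above make a failed or absent check block the connection. A check listed under SCVNames is not enforced until it also appears under SCVPolicy, and the file takes effect only after policy installation.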
