
Question 401 - 156-215.81 discussion

What is required for a certificate-based VPN tunnel between two gateways with separate management systems?

A. Shared Secret Passwords
B. Unique Passwords
C. Shared User Certificates
D. Mutually Trusted Certificate Authorities

Suggested answer: D

Explanation:

This answer is correct because, for a certificate-based VPN tunnel, both gateways need to have a certificate issued by a certificate authority (CA) that they trust [1]. A CA is a trusted entity that verifies the identity of the gateways and signs their certificates [2]. The gateways can either use the same CA or different CAs, as long as they trust each other's CA [3]. This way, the gateways can authenticate each other using their certificates and establish a secure VPN tunnel.

The other answers are not correct because they are either irrelevant to or incompatible with a certificate-based VPN tunnel. Shared secret passwords and unique passwords are used for pre-shared key (PSK) authentication, which is a different method from certificate authentication [4]. PSK authentication is less secure and more vulnerable to brute force attacks than certificate authentication. Shared user certificates are not used for gateway authentication but for user authentication, which is a different level of authentication. User authentication is optional and can be used in addition to gateway authentication to provide more granular access control.

[1] Configure server settings for P2S VPN Gateway connections - certificate authentication

[2] VPN certificates and how they work

[3] Create Certificate Based Site to Site VPN between 2 Check Point Gateways

[4] HowTo Set Up Certificate Based VPNs with Check Point Appliances

asked 16/09/2024
Aung Hain Htet