Question No. 1

What is required for a certificate-based VPN tunnel between two gateways with separate management systems?

AShared Secret Passwords

BUnique Passwords

CShared User Certificates

DMutually Trusted Certificate Authorities

Show Answer

Correct Answer: D

This answer is correct because for a certificate-based VPN tunnel, both gateways need to have a certificate issued by a certificate authority (CA) that they trust1.A CA is a trusted entity that verifies the identity of the gateways and signs their certificates2.The gateways can either use the same CA or different CAs, as long as they trust each other's CA3. This way, the gateways can authenticate each other using their certificates and establish a secure VPN tunnel.

The other answers are not correct because they are either irrelevant or incompatible with certificate-based VPN tunnel.Shared secret passwords and unique passwords are used for pre-shared key (PSK) authentication, which is a different method than certificate authentication4. PSK authentication is less secure and more vulnerable to brute force attacks than certificate authentication. Shared user certificates are not used for gateway authentication, but for user authentication, which is a different level of authentication than gateway authentication. User authentication is optional and can be used in addition to gateway authentication to provide more granular access control.

Configure server settings for P2S VPN Gateway connections - certificate authentication

VPN certificates and how they work

Create Certificate Based Site to Site VPN between 2 Check Point Gateways

HowTo Set Up Certificate Based VPNs with Check Point Appliances

Question No. 2

You want to set up a VPN tunnel to a external gateway. You had to make sure that the IKE P2 SA will only be established between two subnets and not all subnets defined in the default VPN domain of your gateway.

AIn the SmartConsole create a dedicated VPN Community for both Gateways. On the Management add the following line to the $FWDIR/conf/user.def.FWI file subnet_for_range_and_peer = { );

BIn the SmartConsole create a dedicated VPN Community for both Gateways. Selecting the local gateway in the Community you can set the VPN Domain to 'User defined' and put in the local network.

CIn the SmartConsole create a dedicated VPN Community for both Gateways. On the Gateway add the following line to the $FWDlR/cont/user.def.FW1 file subnet_for_range_and_peer = { };

DIn the SmartConsole create a dedicated VPN Community for both Gateways. Go to Security Policies / Access Control and create an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA. Put the name of the Community in the VPN column.

Show Answer

Correct Answer: B

This answer is correct because this is the recommended way to configure a VPN tunnel between two subnets and not all subnets defined in the default VPN domain of your gateway1.By creating a dedicated VPN Community, you can specify the VPN peers and the encryption settings for the VPN tunnel2.By selecting the local gateway in the Community, you can set the VPN Domain to 'User defined' and put in the local network that you want to include in the VPN tunnel1. This way, you can limit the VPN traffic to the subnets that you want and avoid unnecessary encryption and decryption of other traffic.

The other answers are not correct because they are either outdated or incorrect ways to configure a VPN tunnel between two subnets.Answer A and C are outdated methods that involve editing the user.def file, which is not recommended and can cause problems with the VPN configuration3.Answer D is incorrect because creating an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA will not affect the VPN tunnel establishment, but only the access control policy4.The VPN column in the rule is used to specify the VPN direction, not the VPN Community name4.

How to configure a Site-to-Site VPN with a universal tunnel

Site to Site VPN R81 Administration Guide - Check Point Software

How to configure a Site-to-Site VPN with a 3rd-party remote gateway

Access Control Policy R81 Administration Guide - Check Point Software

Question No. 3

In the Check Point three-tiered architecture, which of the following is NOT a function of the Security Management Server?

ADisplay policies and logs on the administrator's workstation.

BProcessing and sending alerts such as SNMP traps and email notifications.

CVerify and compile Security Policies.

DStore firewall logs to hard drive storage.

Show Answer

Correct Answer: A

The Security Management Server does not display policies and logs on the administrator's workstation. That is the function of the SmartConsole, which is a separate component that connects to the Security Management Server.Reference:Certified Security Administrator (CCSA) R81.20 Course Overview, page 4.

Question No. 4

Fill in the blank: The_____is used to obtain identification and security information about network users.

AUser index

BUserCheck

CUser Directory

DUser server

Show Answer

Correct Answer: C

The User Directory is used to obtain identification and security information about network users. It can be integrated with external user databases such as LDAP, RADIUS, or TACACS+.Reference:Certified Security Administrator (CCSA) R81.20 Course Overview, page 9.

Question No. 5

Which Security Blade needs to be enabled in order to sanitize and remove potentially malicious content from files, before those files enter the network?

AThreat Emulation

BAnti-Malware

CAnti-Virus

DThreat Extraction

Show Answer

Correct Answer: D

Threat Extraction is the Security Blade that needs to be enabled in order to sanitize and remove potentially malicious content from files, before those files enter the network. It can strip out active content, embedded objects, and other risky elements from documents and deliver a safe version of the file to the user.Reference:Remote Access VPN R81.20 Administration Guide, page 18.

CheckPoint 156-215.81 Exam Actual Questions

The questions for 156-215.81 were last updated on Oct 1, 2024.

Unlock All Questions for CheckPoint 156-215.81 Exam