This PDF contains a set of carefully selected practice questions for the 156-215.81.20 exam. These questions are designed to reflect the structure, difficulty, and topics covered in the actual exam, helping you reinforce your understanding and identify areas for improvement.

Important Note: This material is for personal study purposes only. Please do not redistribute or use for commercial purposes without permission.

1. True or False: In R80, more than one administrator can login to the Security Management Server with write permission at the same time.
A. False, this feature has to be enabled in the Global Properties.
B. True, every administrator works in a session that is independent of the other administrators.
C. True, every administrator works on a different database that is independent of the other administrators.
D. False, only one administrator can login with write permission.
Answer: B
Explanation: The answer is B because in R80 and above, more than one administrator can login to the Security Management Server with write permission at the same time. Every administrator works in a session that is independent of the other administrators.
This is called concurrent administration and it allows multiple administrators to work on the same policy package simultaneously [3][4].
Reference: Check Point R80.10 Concurrent Administration, Check Point R80.40 Security Management Administration Guide

2. You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. How can you enable them?
A. fw ctl multik dynamic_dispatching on
B. fw ctl multik dynamic_dispatching set_mode 9
C. fw ctl multik set_mode 9
D. fw ctl miltik pq enable
Answer: C
Explanation: To optimize drops, you can use Priority Queues and fully enable Dynamic Dispatcher on the Security Gateway [2][3]. Priority Queues are a mechanism that prioritizes part of the traffic when the Security Gateway is stressed and needs to drop packets. Dynamic Dispatcher is a feature that dynamically assigns new connections to a CoreXL FW instance based on the utilization of CPU cores. To enable both features, you need to run the command fw ctl multik set_mode 9 on the Security Gateway [4]. Therefore, the correct answer is C. fw ctl multik set_mode 9.
Reference: CoreXL Dynamic Dispatcher - Check Point Software, Firewall Priority Queues in R80.x / R81.x - Check Point Software, Separate Config for Dynamic Dispatcher and Priority Queues

3. Fill in the blank: In order to install a license, it must first be added to the ____________.
A. User Center
B. Package repository
C. Download Center Web site
D. License and Contract repository
Answer: D
Explanation: In order to install a license, it must first be added to the License and Contract repository. The License and Contract repository is a centralized database that stores all the licenses and contracts for Check Point products. It allows you to manage, activate, and attach licenses to your Check Point products.
Reference: Check Point Security Management Administration Guide R81, p. 19-20

4. URL Filtering employs a technology, which educates users on web usage policy in real time. What is the name of that technology?
A. WebCheck
B. UserCheck
C. Harmony Endpoint
D. URL categorization
Answer: B
Explanation: URL Filtering employs a technology called UserCheck, which educates users on web usage policy in real time. UserCheck is a feature that allows the firewall to interact with the users and inform them about the web usage policy and its violations. UserCheck can also allow users to request access to blocked websites or report false positives. UserCheck helps users understand and comply with the web usage policy and reduces the workload of the administrators.

5. Due to high CPU workload on the Security Gateway, the security administrator decided to purchase a new multicore CPU to replace the existing single core CPU. After installation, is the administrator required to perform any additional tasks?
A. Go to clish-Run cpstop | Run cpstart
B. Go to clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway
C. Administrator does not need to perform any task. Check Point will make use of the newly installed CPU and Cores
D. Go to clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig | Reboot Security Gateway | Install Security Policy
Answer: B
Explanation: The correct answer is B because after installing a new multicore CPU, the administrator needs to configure CoreXL to make use of the additional cores and reboot the Security Gateway. Installing the Security Policy is not necessary because it does not affect the CoreXL configuration [1].
Reference: Check Point R81 Security Management Administration Guide

6. What are valid authentication methods for mutually authenticating the VPN gateways?
A. Pre-shared Secret and PKI Certificates
B. PKI Certificates and Kerberos Tickets
C. Pre-Shared Secrets and Kerberos Ticket
D. PKI Certificates and DynamicID OTP
Answer: A
Explanation: This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate [1]. A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic [2]. A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date [3]. The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway [3].
The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication. PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA [4]. Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms [4]. PKI certificates and DynamicID OTP are not valid methods for mutual authentication, because DynamicID OTP is a one-time password that is used for user authentication, not for gateway authentication [5].
Reference: What is mutual authentication? | Two-way authentication; Mutual authentication - AWS Client VPN; VPN authentication options - Windows Security; Mutual Authentication | Top 3 Methods of Mutual Authentication; Authentication methods and features - Microsoft Entra

7. Which information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option?
A. file attributes
B. application information
C. destination port
D. data type information
Answer: B
Explanation: Application information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option [4]. The “Extended Log” option provides additional information about the application, such as name, category, risk, and technology [4].
Reference: LOGGING AND MONITORING R80

8. In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. Which of the following options can you add to each Log, Detailed Log and Extended Log?
A. Accounting
B. Suppression
C. Accounting/Suppression
D. Accounting/Extended
Answer: C
Explanation: In Logging and Monitoring, the tracking options are Log, Detailed Log and Extended Log. You can add Accounting and/or Suppression to each of these options [1]. Accounting enables you to track the amount of data that is sent or received by a specific rule. Suppression enables you to reduce the number of logs that are generated by a specific rule. Therefore, the correct answer is C. Accounting/Suppression.
Reference: Logging and Monitoring Administration Guide R80 - Check Point Software

9. Which of the following is NOT an advantage to using multiple LDAP servers?
A. You achieve a faster access time by placing LDAP servers containing the database at remote sites
B. You achieve compartmentalization by allowing a large number of users to be distributed across several servers
C. Information on a user is hidden, yet distributed across several servers.
D. You gain High Availability by replicating the same information on several servers
Answer: C
Explanation: The statement that information on a user is hidden, yet distributed across several servers is not an advantage to using multiple LDAP servers. LDAP (Lightweight Directory Access Protocol) is a protocol that allows access to a centralized directory service that stores information about users, groups, devices, etc.
Using multiple LDAP servers can provide advantages such as faster access time, compartmentalization, and high availability, but not hiding information. Information on a user is not hidden by using multiple LDAP servers, but rather replicated or partitioned across them. Replication means that the same information is copied to all LDAP servers, while partitioning means that different information is stored on different LDAP servers. Both methods aim to improve performance and reliability, not security or privacy.
Reference: [LDAP Integration], [LDAP]

10. Which type of Check Point license ties the package license to the IP address of the Security Management Server?
A. Central
B. Corporate
C. Local
D. Formal
Answer: A
Explanation: The type of Check Point license that ties the package license to the IP address of the Security Management Server is Central license. A Central license is a license that is installed on the Security Management Server and applies to all the Security Gateways that are managed by it. The Central license is based on the IP address of the Security Management Server and cannot be transferred to another Security Management Server with a different IP address.
Reference: [Check Point R81 Licensing Guide], [Managing and Installing license via SmartUpdate]

11. Fill in the blank: When tunnel test packets no longer invoke a response, SmartView Monitor displays _____________ for the given VPN tunnel.
A. Down
B. No Response
C. Inactive
D. Failed
Answer: A
Explanation: When tunnel test packets no longer invoke a response, SmartView Monitor displays Down for the given VPN tunnel [1]. This means that the VPN tunnel is not operational and there is no IKE or IPsec traffic passing through it. No Response, Inactive, and Failed are not valid statuses for VPN tunnels in SmartView Monitor.
Reference: Smart View Monitor displays status for all S2S VPN tunnels - Phase1 UP

12. What kind of NAT enables Source Port Address Translation by default?
A. Automatic Static NAT
B. Manual Hide NAT
C. Automatic Hide NAT
D. Manual Static NAT
Answer: C
Explanation: Automatic Hide NAT enables Source Port Address Translation by default [1]. This means that the source IP address and port number are translated to a different IP address and port number. This allows multiple hosts to share a single IP address for outbound connections.
Reference: Check Point R81 Firewall Administration Guide

13. Check Point licenses come in two forms. What are those forms?
A. Central and Local.
B. Access Control and Threat Prevention.
C. On-premise and Public Cloud.
D. Security Gateway and Security Management.
Answer: A
Explanation: Check Point licenses come in two forms: central and local. Central licenses are attached to the Security Management Server and are distributed to managed Security Gateways. Local licenses are attached directly to a specific Security Gateway.

14. A SAM rule is implemented to provide what function or benefit?
A. Allow security audits.
B. Handle traffic as defined in the policy.
C. Monitor sequence activity.
D. Block suspicious activity.
Answer: D
Explanation: A SAM (Suspicious Activity Monitoring) rule is implemented to provide the function or benefit of blocking suspicious activity. A SAM rule is a rule that defines an action to be taken by the firewall when it detects a suspicious activity, such as an attack, a scan, or a policy violation. The action can be blocking, dropping, rejecting, or logging the traffic that triggered the suspicious activity. A SAM rule can be created manually or automatically by other security features, such as IPS, Anti-Bot, or SmartEvent.
Reference: [SAM Rules], [Suspicious Activity Rules]

15. Fill in the blank: Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or __________.
A. On all satellite gateway to satellite gateway tunnels
B. On specific tunnels for specific gateways
C. On specific tunnels in the community
D. On specific satellite gateway to central gateway tunnels
Answer: C
Explanation: Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. This option allows the administrator to select which tunnels should be permanent and which should be established on demand. The other options are not valid, as they do not match the available choices in the VPN community settings.
Reference: [VPN Administration Guide], [Check Point R81.10]

16. When using Monitored circuit VRRP, what is a priority delta?
A. When an interface fails the priority changes to the priority delta
B. When an interface fails the delta claims the priority
C. When an interface fails the priority delta is subtracted from the priority
D. When an interface fails the priority delta decides if the other interfaces takes over
Answer: C
Explanation: When using Monitored circuit VRRP, the priority delta is the value that is subtracted from the priority of a cluster member when one of its monitored interfaces fails [2]. For example, if the priority of a cluster member is 100 and the priority delta is 10, then when one of its monitored interfaces fails, its priority becomes 90.
Reference: Check Point R81 ClusterXL Administration Guide

17. What is NOT an advantage of Stateful Inspection?
A. High Performance
B. Good Security
C. No Screening above Network layer
D. Transparency
Answer: C
Explanation: The option that is NOT an advantage of Stateful Inspection is No Screening above Network layer. Stateful Inspection is a firewall technology that inspects packets at all layers of the OSI model, from layer 3 (Network) to layer 7 (Application). Stateful Inspection provides screening above Network layer, such as checking TCP flags, sequence numbers, ports, and application protocols. The other options are advantages of Stateful Inspection, as it provides high performance, good security, and transparency for legitimate traffic.
Reference: Stateful Inspection Technology, Firewall Administration Guide

18. Can multiple administrators connect to a Security Management Server at the same time?
A. No, only one can be connected
B. Yes, all administrators can modify a network object at the same time
C. Yes, every administrator has their own username, and works in a session that is independent of other administrators
D. Yes, but only one has the right to write
Answer: C
Explanation: Multiple administrators can connect to a Security Management Server at the same time, and each administrator has their own username and works in a session that is independent of other administrators [1]. This allows concurrent administration and prevents conflicts between different administrators. The other options are incorrect. Only one administrator can be connected is false. All administrators can modify a network object at the same time is false, as only one administrator can lock and edit an object at a time. Only one has the right to write is false, as all administrators have write permissions unless they are restricted by roles or permissions.
Reference: Security Management Server - Check Point Software

19. Fill in the blank: ____________ is the Gaia command that turns the server off.
A. sysdown
B. exit
C. halt
D. shut-down
Answer: C
Explanation: halt is the Gaia command that turns the server off. This command shuts down the operating system and powers off the machine. Other commands that can be used to shut down the server are shutdown and poweroff.
Reference: [Gaia Administration Guide R80.40]

20. Which type of attack can a firewall NOT prevent?
A. Network Bandwidth Saturation
B. Buffer Overflow
C. SYN Flood
D. SQL Injection
Answer: A
Explanation: A firewall can NOT prevent a network bandwidth saturation attack, which is a type of denial-of-service (DoS) attack that aims to consume all the available bandwidth of a target network or device [1, p. 9].
A firewall can prevent other types of attacks, such as buffer overflow, SYN flood, and SQL injection, by inspecting packets and applying security rules [2, p. 11-12].
Reference: Check Point CCSA - R81: Practice Test & Explanation, 156-315.81 Checkpoint Exam Info and Free Practice Test

21. Which of the following licenses are considered temporary?
A. Plug-and-play (Trial) and Evaluation
B. Perpetual and Trial
C. Evaluation and Subscription
D. Subscription and Perpetual
Answer: A
Explanation: Plug-and-play (Trial) and Evaluation licenses are considered temporary because they expire after a certain period of time [3]. Plug-and-play licenses are valid for 15 days, while Evaluation licenses are valid for 30 days.
Reference: Check Point Licensing and Contract Operations User Guide

22. When dealing with rule base layers, what two layer types can be utilized?
A. Ordered Layers and Inline Layers
B. Inbound Layers and Outbound Layers
C. R81.10 does not support Layers
D. Structured Layers and Overlap Layers
Answer: A
Explanation: When dealing with rule base layers, two layer types can be utilized: Ordered Layers and Inline Layers [5]. Ordered Layers are executed sequentially according to their order in the policy. Inline Layers are embedded in a parent layer and are executed only if the parent rule matches.
Reference: Check Point R81 Firewall Administration Guide, [Check Point R81 Security Management Administration Guide]

23. Both major kinds of NAT support Hide and Static NAT. However, one offers more flexibility. Which statement is true?
A. Manual NAT can offer more flexibility than Automatic NAT.
B. Dynamic Network Address Translation (NAT) Overloading can offer more flexibility than Port Address Translation.
C. Dynamic NAT with Port Address Translation can offer more flexibility than Network Address Translation (NAT) Overloading.
D. Automatic NAT can offer more flexibility than Manual NAT.
Answer: A
Explanation: Manual NAT can offer more flexibility than Automatic NAT because it allows the administrator to define the NAT rules in any order and position [1]. Automatic NAT creates the NAT rules automatically and places them at the top or bottom of the NAT Rule Base [2].
Reference: Check Point R81 Firewall Administration Guide, Check Point R81 Security Management Administration Guide

24. Which is NOT an encryption algorithm that can be used in an IPSEC Security Association (Phase 2)?
A. AES-GCM-256
B. AES-CBC-256
C. AES-GCM-128
Answer: B
Explanation: The answer is B because AES-CBC-256 is not a supported encryption algorithm for IPsec Security Associations (Phase 2) in R81. The supported encryption algorithms are AES-GCM-128, AES-GCM-256, AES-CBC-128, 3DES, and NULL [3].
Reference: Check Point R81 VPN Administration Guide

25. What are the types of Software Containers?
A. Smart Console, Security Management, and Security Gateway
B. Security Management, Security Gateway, and Endpoint Security
C. Security Management, Log & Monitoring, and Security Policy
D. Security Management, Standalone, and Security Gateway
Answer: B
Explanation: The types of Software Containers are Security Management, Security Gateway, and Endpoint Security. Software Containers are virtual environments that run on top of Gaia OS and allow multiple instances of Check Point products to coexist on the same physical machine. The other options are not valid types of Software Containers.

26. Which of the following is NOT a role of the SmartCenter:
A. Status monitoring
B. Policy configuration
C. Certificate authority
D. Address translation
Answer: D
Explanation: Address translation is not a role of the SmartCenter, as it is performed by the Security Gateway based on the NAT policy configured in the SmartConsole [5]. The other options are roles of the SmartCenter, as it is responsible for status monitoring, policy configuration, and certificate authority for the Security Gateways [5].
Reference: Gaia R81.10 Administration Guide, QUANTUM SECURITY MANAGEMENT R81, Remote Access VPN R81 Administration Guide

27. Which one of the following is a way that the objects can be manipulated using the new API integration in R80 Management?
A. Microsoft Publisher
B. JSON
C. Microsoft Word
D. RC4 Encryption
Answer: B
Explanation: The way that the objects can be manipulated using the new API integration in R80 Management is JSON. JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans and machines to read and write. The R80 Management API uses JSON as the primary data format for requests and responses. Therefore, the correct answer is B. JSON.

28. John is the administrator of a R80 Security Management server managing a R77.30 Check Point Security Gateway. John is currently updating the network objects and amending the rules using SmartConsole. To make John’s changes available to other administrators, and to save the database before installing a policy, what must John do?
A. Logout of the session
B. File > Save
C. Install database
D. Publish the session
Answer: D
Explanation: To make John’s changes available to other administrators, and to save the database before installing a policy, John must publish the session. Publishing the session saves the changes to the database and makes them visible to other administrators [1]. The other options do not achieve this goal.
Reference: Publishing a Session

29. Fill in the blanks: In _____ NAT, Only the ________ is translated.
A. Static; source
B. Simple; source
C. Hide; destination
D. Hide; source
Answer: D
Explanation: In Hide NAT, only the source IP address is translated to a different IP address [4]. This is used to hide a group of hosts behind a single IP address, usually the external interface of the Security Gateway.
Reference: Check Point R81 Firewall Administration Guide

30. Which of the completed statements is NOT true?
The WebUI can be used to manage Operating System user accounts and
A. add users to your Gaia system.
B. assign privileges to users.
C. assign user rights to their home directory in the Security Management Server.
D. edit the home directory of the user.
Answer: C
Explanation: The WebUI can be used to manage Operating System user accounts and add users to your Gaia system, assign privileges to users, and edit the home directory of the user. However, it cannot assign user rights to their home directory in the Security Management Server. This is done by the SmartConsole [1].
Reference: 1: Check Point R81 Security Management Administration Guide, page 11.

31. You have enabled "Extended Log" as a tracking option to a security rule. However, you are still not seeing any data type information. What is the MOST likely reason?
A. Identity Awareness is not enabled.
B. Log Trimming is enabled.
C. Logging has disk space issues
D. Content Awareness is not enabled.
Answer: D
Explanation: Extended Log is a tracking option that enables administrators to see additional information about the traffic that matches a security rule, such as data type, file name, file size, etc. However, to see any data type information, Content Awareness must be enabled on the Security Gateway. Content Awareness is a blade that inspects files based on their type, size, name, and data. Content Awareness is required for Extended Log to work properly [3].
Reference: Check Point R81 Content Awareness Administration Guide

32. In which deployment is the security management server and Security Gateway installed on the same appliance?
A. Standalone
B. Remote
C. Distributed
D. Bridge Mode
Answer: A
Explanation: A standalone deployment is when the security management server and Security Gateway are installed on the same appliance. This is suitable for small or branch office environments [1].

33. You can see the following graphic: What is presented on it?
A. Properties of personal .p12 certificate file issued for user John.
B. Shared secret properties of John’s password.
C. VPN certificate properties of the John’s gateway.
D. Expired .p12 certificate properties for user John.
Answer: A
Explanation: The answer is A because the graphic shows the properties of a personal .p12 certificate file issued for user John. A .p12 file is a file format that contains a user’s private key and public key certificate. The graphic shows that the certificate file is valid and has an expiration date of 07-Apr-2018. The graphic also shows that the certificate file is issued by an internal CA, which is a Check Point component that manages certificates for users and gateways.
Reference: Check Point R81 Certificate Management, Check Point R81 Internal CA

34. Using AD Query, the security gateway connects to the Active Directory Domain Controllers using what protocol?
A. Windows Management Instrumentation (WMI)
B. Hypertext Transfer Protocol Secure (HTTPS)
C. Lightweight Directory Access Protocol (LDAP)
D. Remote Desktop Protocol (RDP)
Answer: C
Explanation: Using AD Query, the security gateway connects to the Active Directory Domain Controllers using LDAP (Lightweight Directory Access Protocol). The other protocols are not used for this purpose.
Reference: [Check Point R81 Identity Awareness Administration Guide], page 14.

35. Which tool allows you to monitor the top bandwidth on smart console?
A. Logs & Monitoring
B. Smart Event
C. Gateways & Servers Tab
D. SmartView Monitor
Answer: D
Explanation: SmartView Monitor is the tool that allows you to monitor the top bandwidth on SmartConsole. SmartView Monitor is a graphical tool that displays real-time network and security performance data, such as traffic, throughput, connections, CPU usage, memory usage, etc. You can use SmartView Monitor to identify the top bandwidth consumers and optimize your network performance.
Reference: [SmartView Monitor], [Monitoring Network Traffic]

36. Fill in the blank: An identity server uses a ___________ for user authentication.
A. Shared secret
B. Certificate
C. One-time password
D. Token
Answer: A
Explanation: The answer is A because an identity server uses a shared secret for user authentication. A shared secret is a passphrase that is known by both the identity server and the user. The identity server sends a challenge to the user, who encrypts it with the shared secret and sends it back. The identity server then verifies the response and authenticates the user [1][2].
Reference: Check Point R81 Identity Awareness Administration Guide, Check Point R81 Identity Server

37. Fill in the blank: In Office mode, a Security Gateway assigns a remote client to an IP address once ___________.
A. the user connects and authenticates
B. office mode is initiated
C. the user requests a connection
D. the user connects
Answer: A
Explanation: In Office mode, a Security Gateway assigns a remote client to an IP address once the user connects and authenticates. Office mode allows a remote client to get an IP address from the internal network of the organization. The IP address is assigned during the IKE negotiation, after the user has successfully authenticated with the Security Gateway [3]. The other options are not correct timings for assigning an IP address in Office mode.
Reference: Office Mode

38. What is the purpose of the Stealth Rule?
A. To prevent users from directly connecting to a Security Gateway.
B. To reduce the number of rules in the database.
C. To reduce the amount of logs for performance issues.
D. To hide the gateway from the Internet.
Answer: A
Explanation: The Stealth Rule is used to prevent users from directly connecting to a Security Gateway. It is usually placed at the top of the rule base, before any other rule that allows traffic to the Security Gateway [1, p. 32].
Reference: Check Point CCSA - R81: Practice Test & Explanation

39. After a new Log Server is added to the environment and the SIC trust has been established with the SMS what will the gateways do?
A. The gateways can only send logs to an SMS and cannot send logs to a Log Server. Log Servers are proprietary log archive servers.
B. Gateways will send new firewall logs to the new Log Server as soon as the SIC trust is set up between the SMS and the new Log Server.
C. The firewalls will detect the new Log Server after the next policy install and redirect the new logs to the new Log Server.
D. Logs are not automatically forwarded to a new Log Server. SmartConsole must be used to manually configure each gateway to send its logs to the server.
Answer: D
Explanation: Logs are not automatically forwarded to a new Log Server. SmartConsole must be used to manually configure each gateway to send its logs to the server. After adding a new Log Server and establishing the SIC trust with the SMS, the administrator must use SmartConsole to assign the Log Server to each gateway in the Logs and Masters section of the gateway properties [2]. The other options are not correct, as gateways can send logs to both SMS and Log Server, Log Servers are not proprietary log archive servers, and gateways will not detect the new Log Server after the next policy install.

40. What are the three main components of Check Point security management architecture?
A. SmartConsole, Security Management, and Security Gateway
B. Smart Console, Standalone, and Security Management
C. SmartConsole, Security policy, and Logs & Monitoring
D. GUI-Client, Security Management, and Security Gateway
Answer: A
Explanation: The three main components of Check Point security management architecture are SmartConsole, Security Management, and Security Gateway [5]. SmartConsole is the graphical user interface that allows administrators to manage and monitor Check Point products. Security Management is the server that stores the security policy and configuration data. Security Gateway is the device that enforces the security policy on the network traffic.
Reference: Check Point R81 Security Management Administration Guide

41. You want to verify if there are unsaved changes in GAiA that will be lost with a reboot. What command can be used?
A. show unsaved
B. show save-state
C. show configuration diff
D. show config-state
Answer: D
Explanation: The command show config-state can be used to verify if there are unsaved changes in GAiA that will be lost with a reboot. The other commands are not valid in GAiA.
Reference: [Check Point GAiA Administration Guide], [Check Point CCSA - R81: Practice Test & Explanation]

42. Which statement is TRUE of anti-spoofing?
A. Anti-spoofing is not needed when IPS software blade is enabled
B. It is more secure to create anti-spoofing groups manually
C. It is BEST Practice to have anti-spoofing groups in sync with the routing table
D. With dynamic routing enabled, anti-spoofing groups are updated automatically whenever there is a routing change
Answer: C
Explanation: The statement that is TRUE of anti-spoofing is that it is BEST Practice to have anti-spoofing groups in sync with the routing table. Anti-spoofing prevents attackers from sending packets with a false source IP address. Anti-spoofing groups define which IP addresses are expected on each interface of the Security Gateway. If the routing table changes, the anti-spoofing groups should be updated accordingly [3][4].
Reference: Check Point R81 ClusterXL Administration Guide, Network Defined by Routes: Anti-Spoofing

43. Under which file is the proxy arp configuration stored?
A. $FWDIR/state/proxy_arp.conf on the management server
B. $FWDIR/conf/local.arp on the management server
C. $FWDIR/state/_tmp/proxy.arp on the security gateway
D. $FWDIR/conf/local.arp on the gateway
Answer: D
Explanation: The file that stores the proxy arp configuration is $FWDIR/conf/local.arp on the gateway [3]. The other files are not related to proxy arp configuration.
Reference: How to configure Proxy ARP for Manual NAT on Security Gateway, [Check Point CCSA - R81: Practice Test & Explanation]

44. Which of the following situations would not require a new license to be generated and installed?
A. The Security Gateway is upgraded.
B. The existing license expires.
C. The license is upgraded.
D. The IP address of the Security Management or Security Gateway has changed.
Answer: A
Explanation: Upgrading the Security Gateway does not require a new license to be generated and installed. The license is tied to the IP address or hostname of the Security Gateway, not the software version. However, if the IP address or hostname changes, the existing license expires, or the license is upgraded, a new license must be generated and installed.
Reference: Check Point R81, Managing and Installing license via SmartUpdate

45. What is required for a certificate-based VPN tunnel between two gateways with separate management systems?
A. Shared Secret Passwords
B. Unique Passwords
C. Shared User Certificates
D. Mutually Trusted Certificate Authorities
Answer: D
Explanation: This answer is correct because for a certificate-based VPN tunnel, both gateways need to have a certificate issued by a certificate authority (CA) that they trust. A CA is a trusted entity that verifies the identity of the gateways and signs their certificates. The gateways can either use the same CA or different CAs, as long as they trust each other’s CA. This way, the gateways can authenticate each other using their certificates and establish a secure VPN tunnel.
The other answers are not correct because they are either irrelevant or incompatible with certificate-based VPN tunnel. Shared secret passwords and unique passwords are used for pre-shared key (PSK) authentication, which is a different method than certificate authentication. PSK authentication is less secure and more vulnerable to brute force attacks than certificate authentication.
Shared user certificates are not used for gateway authentication, but for user authentication, which is a different level of authentication than gateway authentication. User authentication is optional and can be used in addition to gateway authentication to provide more granular access control.
Reference: Configure server settings for P2S VPN Gateway connections - certificate authentication, VPN certificates and how they work, Create Certificate Based Site to Site VPN between 2 Check Point Gateways, HowTo Set Up Certificate Based VPNs with Check Point Appliances

46. Traffic from source 192.168.1.1 is going to www.google.com. The Application Control Blade on the gateway is inspecting the traffic. Assuming acceleration is enabled, which path is handling the traffic?
A. Slow Path
B. Medium Path
C. Fast Path
D. Accelerated Path
Answer: A
Explanation: The correct answer is A because the traffic from source 192.168.1.1 to www.google.com is handled by the Slow Path if the Application Control Blade on the gateway is inspecting the traffic. The Slow Path is used when traffic requires inspection by one or more Software Blades. The other paths are used for different scenarios.
Reference: Check Point R81 Performance Tuning Administration Guide

47. Name the pre-defined Roles included in Gaia OS.
A. AdminRole, and MonitorRole
B. ReadWriteRole, and ReadyOnly Role
C. AdminRole, cloningAdminRole, and Monitor Role
D. AdminRole
Answer: A
Explanation: The pre-defined Roles included in Gaia OS are AdminRole and MonitorRole. AdminRole is the role that has full access to all Gaia features and commands. MonitorRole is the role that has read-only access to Gaia features and commands. The other options are not valid pre-defined Roles in Gaia OS.

48. What is the main objective when using Application Control?
A. To filter out specific content.
B. To assist the firewall blade with handling traffic.
C. To see what users are doing.
D. Ensure security and privacy of information.
Answer: D
Explanation: The main objective when using Application Control is to ensure security and privacy of information. Application Control enables administrators to control access to web applications and web sites based on risk level, user identity, and other criteria. It also provides visibility into web usage and application activity.
Reference: Check Point R81 Application Control Administration Guide

49. A network administrator has informed you that they have identified a malicious host on the network, and instructed you to block it. Corporate policy dictates that firewall policy changes cannot be made at this time. What tool can you use to block this traffic?
A. Anti-Bot protection
B. Anti-Malware protection
C. Policy-based routing
D. Suspicious Activity Monitoring (SAM) rules
Answer: D
Explanation: If a network administrator has identified a malicious host on the network and instructed you to block it, but you cannot make any firewall policy changes at this time, you can use Suspicious Activity Monitoring (SAM) rules to block this traffic. SAM rules are temporary rules that allow you to block or limit traffic from specific sources or destinations without modifying the security policy. SAM rules are created and managed by SmartView Monitor and are enforced by the security gateway for a specified duration. Anti-Bot protection, Anti-Malware protection, and Policy-based routing are not tools that can be used to block traffic without changing the firewall policy.
Reference: [Check Point R81 SmartView Monitor Administration Guide]

50. Which of the following is an identity acquisition method that allows a Security Gateway to identify Active Directory users and computers?
A. Active Directory Query
B. User Directory Query
C. Account Unit Query
D. UserCheck
Answer: A
Explanation: Active Directory Query is an identity acquisition method that allows a Security Gateway to identify Active Directory users and computers.
Active Directory Query enables the Security Gateway to query the Active Directory Domain Controllers for user and computer information, such as IP addresses, group memberships, and login events.
Reference: Check Point R81 Identity Awareness Administration Guide, page 14.

51. Which of the following is a valid deployment option?
A. CloudSec deployment
B. Disliked deployment
C. Router only deployment
D. Standalone deployment
Answer: D
Explanation: This answer is correct because a standalone deployment is a valid option for installing a Check Point Security Gateway and a Security Management Server on the same machine. This option is suitable for small or medium-sized networks that do not require high availability or load balancing.
The other answers are not correct because they are either invalid or irrelevant options for deployment. CloudSec deployment is not a valid option, but it might be confused with CloudGuard, which is a Check Point solution for securing cloud environments. Disliked deployment is not a valid option, but it might be a typo for Distributed deployment, which is a valid option for installing a Check Point Security Gateway and a Security Management Server on separate machines. Router only deployment is not a valid option, but it might be confused with Router mode, which is a configuration option f