CCSE Flashcards

Question

Which command collects diagnostic data for analyzing customer setup remotely?

Answer 1

Set the cluster global ID using the command "cphaconf cluster_id set "

Answer 2

Primary-backup

Answer 3

For short connections like http service - delay sync for 2 seconds

Answer 4

Used for full text search and enables powerful matching capabilities

Answer 5

Threat Prevention policy

Answer 6

source port

Answer 7

When an Interface fail, Effective Priority = Priority - Priority Delta

Answer 8

The Correlation unit role is to evaluate logs from the log server component to identify patterns/threats and convert them to events.

Answer 9

All upgrades The Central Deployment Tool (CDT)

Answer 10

The Firewall can run the same policy on all cores

Answer 11

Asymmetric routing

Answer 12

SmartEvent Unit

Answer 13

api status

Answer 14

fw cti multik set_mode 9

Answer 15

dbedit scripts are being replaced by mgmt._cli in R80.10

Answer 16

This statement is true because SecureXL does improve this traffic

Answer 17

Capsule Workspace, Capsule Docs, Capsule Cloud

Answer 18

mgmt_ cli add host name "Server_ 1" ip-address "10.15.123.10" - format json

Answer 19

Create new dashboards to manage 3rd party task

Answer 20

It will not block malicious traffic

Answer 21

cphaprob -d STOP unregister

Answer 22

TCP port 256

Answer 23

fw ctl multik stat

Answer 24

Synchronized

Answer 25

SmartView Tracker

Answer 26

Detects and blocks malware by correlating multiple detection engines before users are affected.

Answer 27

fw ctl debug 0

Answer 28

cpconfig; reboot required

Answer 29

Full layer3 VPN -IPSec VPN that gives users network access to all mobile applications

Answer 30

Erases all CRL's from the gateway cache

Answer 31

224.0.0.18

Answer 32

TCP port 256

Answer 33

Check Point Upgrade Service Engine.

Answer 34

VPN node add (vpnad)

Answer 35

fwaccel stat

Answer 36

/opt/CPsuite-R80/fw1/log

Answer 37

It generates indexes of data written to the database

Answer 38

IP range based

Answer 39

save configuration

Answer 40

Execute command cpconfig

Answer 41

VolP & VPN Encrypted Traffic

Answer 42

The gateway only has one processor

Answer 43

set inactivity-timeout

Answer 44

Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection to a Command & Control Center

Answer 45

Matching a log against local exclusions

Answer 46

show commands

Answer 47

Load Sharing - Multicast

Answer 48

SmartEvent

Answer 49

Traffic issues

Answer 50

Create a separate Security Policy package for each remote Security Gateway.

Answer 51

Two machines

Answer 52

upgrade_import

Answer 53

A management plug-in interacts with a Security Management Server to provide new features and support for new products.

Answer 54

Suspicious Activity Monitoring

Answer 55

Making packets appear as if they come from an authorized IP address.

Answer 56

The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.

Answer 57

30 minutes at least

Answer 58

fwaccel commands can be used in clish

Answer 59

fwaccel stat

Answer 60

$FWDIR/conf/fwauthd.conf

Answer 61

ips pmstats reset

Answer 62

Security Gateway with GAiA does NOT have access to Internet.

Answer 63

events generated by a query. Query Statistics List Preview

Answer 64

The Magic MAC number must be unique per cluster node.

Answer 65

Aaron should check API Server status from expert CLI by "api status" and if it's stopped he should start using command "api start" on Security Management Server.

Answer 66

SmartDashboard

Answer 67

CPUSE offline upgrade

Answer 68

Management High Availability (HA) sync

Answer 69

web_services, dle_server and object_Store

Answer 70

mgmt. add host name emailserver1 ip-address 10.50.23.90

Answer 71

In the Logs & Monitor view, select "Open Audit Log View"

Answer 72

SmartConsole GUI Console, mgmt_cli Tool, Gaia CLI, Web Services

Answer 73

cphaprob all show stat

Answer 74

Go to Manage&Settings>Blades>HTTPS Inspection>Policy

Answer 75

blade: "application control" AND action:block

Answer 76

Go to clish-Run cpconfig | Configure CoreXL to make use of the additional Cores | Exit cpconfig |Reboot Security Gateway

Answer 77

Open REST API

Answer 78

Mobile Access

Answer 79

Acceleration technologies, such as SecureXL and CoreXL are disabled when activating SDF

Answer 80

Identity Translation (IT)

Answer 81

By default, the API server is active on management servers with 4 GB of RAM (or more) and on stand-alone servers with 8 GB of RAM (more)

Answer 82

2 (OS) images

Answer 83

Use both SCCM and GPO for the deployment agent and End Point Management to push the Agent.

Answer 84

IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction

Answer 85

Temporarily set all protections to track (log) in SmartView Tracker

Answer 86

Any active contents of a document, such as JavaScripts, macros and links will be removed from the document and forwarded to the intended recipient, which makes this solution very fast.

Answer 87

cphaprob -a if

Answer 88

Rename the hostname of the Standby member to match exactly the hostname of the Active member.

Answer 89

Host having a Critical event found by Threat Emulation

Answer 90

Security Gateway failover is an automatic procedure but Security Management Server failover is a manual procedure.

Answer 91

pre_upgrade_verifier

Answer 92

upgrade_import

Answer 93

$RTDIR/smartview/conf

Answer 94

Manual/Pre-Automatic NAT

Answer 95

cphaprob stat

Answer 96

Cloud, Appliance and Hybrid

Answer 97

show sysenv all

Answer 98

Gateway API

Answer 99

3, 1, 2, 4

Answer 100

Firewall, NAT, Routing

Answer 101

Advanced Approach

Answer 102

You cannot have a standalone deployment

Answer 103

When an interface fails the priority delta is subtracted from the priority

Answer 104

almost instantaneous

Answer 105

Open SmartDashboard, select and open the Cluster Object Jonas, Select Topology - Advanced Options and review the High Availability recovery options.

Answer 106

Load sharing of emulation between an on premise appliance and the cloud

Answer 107

Deny template

Answer 108

A log entry becomes an event when it matches any rule defined in Event Policy

Answer 109

Open SmartEvent, go to the Policy Tab, select General Settings from the left column > User Identities and check the box Show Identities

Answer 110

cpinfo -y all

Answer 111

TCP Port 18190

Answer 112

in R80, IPS is managed by the Threat Prevention Policy

Answer 113

It is not supported with either the Performance pack or a hardware based accelerator card

Answer 114

Application Awareness

Answer 115

migrate import

Answer 116

set interface eth2 mac-addr 11:11:11:11:11:11; CLISH

Answer 117

api status

Answer 118

Proxy-Authorization

Answer 119

Erases all CRL's from the gateway cache

Answer 120

Verification & Compilation, Transfer and Installation

Answer 121

Manually, Scheduled, Automatic

Answer 122

Threat Extraction always delivers a file and takes less than a second to complete

Answer 123

Policy Layers and Sub-Policies enable flexible control over the security policy.

Answer 124

Source Port Ranges/Encrypted Connections

Answer 125

Automation relates to codifying tasks, whereas orchestration relates to codifying processes.

Answer 126

Add the proxy ARP configuration in a file called $FWDIR/conf/local.arp

Answer 127

cpwd_admin list

Answer 128

The average number of Regulatory Requirements that are monitored

Answer 129

Basic, Optimized, Strict

Answer 130

add host name ip-address

Answer 131

Multicast Mode Load Sharing

Answer 132

Check Point Anti-Virus / Threat Emulation

Answer 133

CCP and 8116

Answer 134

ICMP unreachable

Answer 135

The Database revisions will not be synchronized between the management servers.

Answer 136

mgmt. login

Answer 137

Log Consolidator

Answer 138

fw ctl get int fwha_vmac_global_param_enabled; result of command should return value 1

Answer 139

Sending API commands over an http connection using web-services

Answer 140

Go to clash-Run cpconfig|Configure CoreXL to make use of the additional Cores|Exit cpconfig|Reboot Security Gateway

Answer 141

Inbound chain

Answer 142

Verification & Compilation, Transfer and Installation

Answer 143

. Expert@Red# ./migrate import Red-old.tgz

Answer 144

Cloud, Appliance and Hybrid

Answer 145

A log entry becomes an event when it matches any rule defined in Event Policy

Answer 146

Web Browsers and user devices

Answer 147

When an interface fails the priority delta is subtracted from the priority

Answer 148

Host having a Critical event found by Anti-Bot

Answer 149

Firewall Path; Accelerated Path; Medium Path

Answer 150

Joey is an administrator of Distributed Security Management with at least 4GB of RAM.

Answer 151

The traffic is originating from the gateway itself.

Answer 152

SmartDashboard - IPS tab - Profiles - select profile + right click and select "export profile"

Answer 153

Mail Transfer Agent

Answer 154

Check Point Protect

Answer 155

cvpnrestart

Answer 156

R77.X with direct upgrade

Answer 157

Postgres SQL

Answer 158

SND is used to distribute packets among Firewall instances

Answer 159

Using CLISH

Answer 160

Firewall logs

Answer 161

cpstat cpsead

Answer 162

Versions R75.20 and higher

Answer 163

The CoreXL FW instances assignment mechanism is based on the utilization of CPU cores.

Answer 164

Expert@Green# fw monitor -e "accept src=192.168.4.5 or dst=10.1.1.25;" -o monitor.out

Answer 165

19009, 443

Answer 166

Expert -> cphaconf cluster_id get

Answer 167

GUI Client, Security Management, Security Gateway

Answer 168

Temporarily set all protections to track (log) in SmartView Tracker

Answer 169

At least 20 GB

Answer 170

He can use the fwaccel stat command on the gateway

Answer 171

https://management IP address/smartview/

Answer 172

Force override

Answer 173

You can utilize only Check Point Cloud Services for this scenario

Answer 174

Network Interface Card and the Acceleration Device

Answer 175

fw tab -t connections -f

Answer 176

Custom application multicast traffic

Answer 177

tecli advanced attributes set prohibited_file_types exe,bat

Answer 178

cpm via cpd

Answer 179

4. Incoming; Outgoing; Internal; Other

Answer 180

SSH to Red Security Gateway, run cpconfig> select Configure Check Point CoreXL > enable CoreXL > exit cpconfig> reboot the Security Gateway

Answer 181

MAC address of Active Member

Answer 182

migrate export

Answer 183

inline/prevent or detect

Answer 184

Correlation Unit

Answer 185

fw ctl affinity -l -a -r -v

Answer 186

set static-route default nexthop gateway address 192.168.255.1 priority 1 on

Answer 187

fw monitor -e "accept dst=224.0.0.18;"

Answer 188

run fw ctl multik set_mode 9 in Expert mode and then reboot

Answer 189

5 interfaces

Answer 190

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings

Answer 191

Using UDP Multicast or Broadcast on port 8161

Answer 192

Analyzes this log entry as it arrives at the log server according to the Event Policy. When a threat pattern is identified, an event is forwarded to the SmartEvent Server.

Answer 193

Policy Installation Date, view install changes and install specific version

Answer 194

Threat Simulation

Answer 195

$FWDIR/conf/fwauthd.conf

Answer 196

ping, whois, nslookup, and Telnet

Answer 197

Performs database tasks such as creating, deleting, and modifying objects and compiling policy.

Answer 198

within seconds cleaned file will be provided

Answer 199

fw ctl multik set_mode 9

Answer 200

fw ctl set int fwha_vmac_global_param_enabled 1

Answer 201

migrate.conf

Answer 202

Runs Advance Upgrade with migration.

Answer 203

Analyzes compatibility of the currently installed configuration with the upgrade version. It gives a report on the actions to take before and after the upgrade.

Answer 204

* Updates released to correct an issue or provide enhancements and improvements. * HFA is a collection of stability and quality fixes. * The name of an hotfix identifies the version it is compatible with.

Answer 205

̶ Manually ̶ Scheduled ̶ Automatic

Answer 206

Automatically install CPUSE offline packages on multiple gateways and clusters members at same time

Answer 207

(Clish) and provide commands for easy configuration and routine administration

Answer 208

advanced Check Point system and underlying Linux functions

Answer 209

set clienv

Answer 210

save client

Answer 211

lock database override

Answer 212

add user "username" set "username"

Answer 213

set message banner on msgvalue “This system is private and confidential”

Answer 214

set snmp agent on

Answer 215

set core-dump [enable|disable]

Answer 216

add dhcp server netmask include-ip-pool start end exclude-ip-pool start end

Answer 217

Management process TCP 19009

Answer 218

on all management products It provides GUI client communication, database manipulation, policy compilation, and Management High Availability synchronization

Answer 219

allows other processes, including the kernel, to forward logs

Answer 220

child process of fwd | • which provide a higher level of protocol enforcement.

Answer 221

Check Point Daemon (cpd) is a core process on every Check Point product. It allows Secure Internal Communication (SIC) functionality

Answer 222

cpwd_admin utility shows the status of processes and configures cpwd

Answer 223

Data Link layer | Every packet that goes through the Firewall is inspected

Answer 224

Firewall to function more efficiently in the Application layer.

Answer 225

allow user and kernel processes to communicate

Answer 226

packet processing handlers, decide which modules will inspect the packet and, based on the inspection, may then modify, pass, or drop the packets, Inbound and outbound packets are inspected in both directions by chain modules

Answer 227

``` Initiation Database Dump Verification Conversion Fwm rexec Code Generation and Compilation ```

Answer 228

Verification & Compilation Transfer (CPTA) Commit

Answer 229

• The cpd process on the gateway will execute the following command to load the policy which was just transferred to the gateway: fw fetchlocal -d $FWDIR/state/_tmp/FW1 • The policy will then be loaded into the kernel. • If successful, the new policy will be copied to the $FWDIR/state/FW1 folder on the gateway. • If the fetchlocal process fails, cpd will get a notification regarding the failed process and will inform the fwm process that loading the policy has failed.

Answer 230

1. Manual/Pre-Automatic NAT 2. Automatic Static NAT 3. Automatic Hide NAT 4. Post-Automatic/Manual NAT rules

Answer 231

CPsuite-R80 — Manages Firewall modules CPshrd-R80 — Stores cpd database, licenses CPEdgecmp-R80 — Manages Edge devices

Answer 232

store definition files Ex. $FWDIR/conf/fwauth.NDB = user definitions Ex. $FWDIR/conf/fwauthd.conf= Security server configuration

Answer 233

command line version of the Check Point Configuration tool and configure or reconfigure a Security Gateway/Management installation

Answer 234

details of Check Point licenses

Answer 235

* i — Before the virtual machine, in the Inbound direction (pre-Inbound) * I — After the virtual machine, in the Inbound direction (post-Inbound) * o — Before the virtual machine, in the Outbound direction (pre-Outbound) * O — After the virtual machine, in the Outbound direction (post-Outbound)

Answer 236

``` Streaming based applications, such as Web security Sequence verification and translation Hide NAT Logging, accounting, and monitoring Client and server identification Data connections ```

Answer 237

GET, PUT, POST, and DELETE

Answer 238

TCP=RST | USP=ICMP Unreachable

Answer 239

1. Firewall — Inspection on the Original Packet. 2. NAT — Translate the IP and/or port number as required. 3. Routing — Forward on the resulting packet.

Answer 240

allows all cluster members to use the same Virtual MAC address and minimizes possible traffic outages during a failover

Answer 241

Full Synchronization | Delta Synchronization

Answer 242

monitor synchronization

Answer 243

same platform same software version number of cores

Answer 244

synchronizes existing connections to maintain connectivity and eliminate downtime during cluster upgrades.

Answer 245

1. Run cpconfig 2. Change the IP address of the new cluster member to reflect the correct topology. Ensure that all Check Point products are installed on the new cluster member. All Check Point software components must be identical on each member of the cluster. In the Cluster Members page of the cluster object, create a new cluster member ensure that SIC is initialized and the topology is correctly defined. Ensure that the proper interfaces on the new cluster member are configured as cluster interfaces if the cluster mode is Load Sharing or New High Availability. Install the Security Policy on the cluster. The new member is now part of the cluster.

Answer 246

avoids Asymmetric Routing, but disables acceleration technologies.

Answer 247

This transition from Standby to Active must be initiated manually.

Answer 248

Automatic or Manual For Management HA to function properly, the following data is backed up and synchronized: Network Security Management Databases (such as the Network Objects, policy settings, and the Security Policy itself) Configuration and Internal Certificate Authority (ICA) data (such as Objects and Users databases, certificate information, and the CRL, which is available to be fetched by the Check Point Security Gateways) Endpoint Security databases, if applicable

Answer 249

Never been synchronized Synchronized Lagging Advanced

Answer 250

Decide which cluster member will deal with each connection. Perform health checks Perform failover

Answer 251

VRRP is a network management protocol that is used to increase the availability of default gateway servicing hosts on the same subnet.

Answer 252

Simple Monitored Circuit VRRP | Advanced VRRP

Answer 253

set vrrp interface VALUE | show vrrp interface VALUE

Answer 254

Check Point security acceleration technology that accelerates multiple, intensive security operations, including operations carried out by Check Point’s

Answer 255

Firewall Path (Slow) — Packets and connections that are inspected by the Firewall. These packets and connections are not processed by SecureXL. This path is also referred to as the Slow Path. Accelerated Path — Packets and connections that are offloaded from the Firewall to SecureXL. These packets and connections are quickly processed. Medium Path — Packets that cannot use the accelerated path because they require deeper inspection. Although it is not necessary for the Firewall to inspect these packets, they can be offloaded by another feature. For example, packets that are examined by IPS cannot use the accelerated path and can be offloaded to the IPS Passive Streaming Library (PSL), which provides stream reassembly for TCP connections. As a result, SecureXL processes these packets quicker than packets on the slow path.

Answer 256

``` Source address Destination address Source port Destination port Protocol ```

Answer 257

To accelerate the rate of new connections, connections that do not match a specified 5-attributes are still processed by SecureXL by leveraging templates

Answer 258

Accept Templates Drop Templates NAT Templates

Answer 259

allows multiple external interfaces to be configured for tunneling the VPN packets.

Answer 260

allow the VPN domain to be determined dynamically instead of configuring a static VPN domain.

Answer 261

allows trusted traffic to pass through without Stateful Inspection.

Answer 262

The default number of kernel instances is derived from the total number of cores in the system.

Answer 263

Processing incoming traffic from the network interfaces. Accelerating authorized packets (if SecureXL is running). Distributing non accelerated packets among kernel instances

Answer 264

Helps to improve load distribution and mitigates connectivity issues during traffic peaks

Answer 265

distribution of connections across all CoreXL Firewall instances

Answer 266

Prioritizes traffic when the CPU cores are 100% utilized and packets need to be dropped. Priorities packets based on the connection type

Answer 267

CoreXL acts as a load balancer and improves Security Gateway performance in situations where much of the traffic cannot be accelerated by SecureXL or when the gateway has many IPS features enabled, which disables SecureXL functionality

Answer 268

1. The CPU load for SND is high (idle is < 20%). 2. The CPU load for CoreXL Firewall instances is low (idle is > 50%). 3. There are no CPU cores left to be assigned to the SND by changing interface affinity.

Answer 269

SmartConsole — installed as an external application SmartEvent GUI — requires client installation SmartView Web application

Answer 270

standalone=on the managment server | distributed=Seperate boxes

Answer 271

Matching a log against global exclusions Matching a log against each event definition Creating an event candidate Updating an event

Answer 272

contains a filter which is comprised of multiple criteria that must be found in any matching log

Answer 273

- Event Candidate allow SmartEvent to track logs until an event threshold is crossed and an event is generated. - Each event definition may have multiple event candidates.

Answer 274

Correlation Unit forwards the event to the Event Database.

Answer 275

A view is an interactive dashboard made up of widgets

Answer 276

``` Threshold Severity Automatic reactions Exceptions Working hours ```

Answer 277

1. Client-based — In this solution, the client application is installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer or device. The client supplies access to most types of corporate resources according to the access privileges of the user. 2. Clientless — In this solution, users connect through a web browser and use HTTPS connections instead of connecting through a managed device. Clientless solutions usually supply access to web-based corporate resources. 3. On Demand Client — This remote access solution blends the first two options. A user connects with a web browser and installs a client when necessary. The client supplies access privileges to most types of corporate resources according to the access privileges of the user.

Answer 278

In a Layer 3 VPN solution, a resident VPN client is needed, which creates the Layer 3 virtual interface that any application can use. Better for managed devices

Answer 279

only require a browser on the client side and allow mobile devices with a dedicated application to access corporate resources without establishing a VPN tunnel. Better for unmanaged devices

Answer 280

clientless SSL VPN solution,requires a Mobile Access Software Blade license on the Security Gateway. used for web-based corporate resources

Answer 281

thin SSL VPN on-demand client a browser plug-in has 2 modes: 1.Network — Users can access all native IP-based and web-based applications in the internal network. Admin needs to define apps 2. Application — Users can access most native IP-based and web-based application types in the internal network. Admin needs to define apps

Answer 282

Check Point Mobile for Windows: IPSec, requires IPSec and mobile access software blade license Check Point Mobile for iPhone and iPad: SSL required mobile access blade license Check Point Mobile for Android: SSL required mobile access blade license

Answer 283

Check Point Capsule Workspace: Provides access separate applications SecuRemote: limited fucntion IPSec VPN, requires IPSec blade license

Answer 284

Secure container with IAM control; helps control company data on personal devices Capsule Workspace Capsule Docs Capsule Cloud

Answer 285

Provide access to any application and uses IPSec vs SSL for capsule, but no data isolation

Answer 286

Capsule Connect Classify — Define a set of permissions, which may include markings such as headers, footers, and watermarks. Share — Decide with whom to share the document. Encrypt — Apply encryption (AES256 + RSA2048) to the document so that it is protected and accessed only by the authorized users and groups. Offers cloud deployment

Answer 287

Capsule Cloud utilizes Check Point Software Blade solutions as a cloud-based service. Capsule Cloud enforces the organization’s in-network Security Policy to both on- and off-premise devices. It helps the enterprise to protect employees using laptops and mobile device when they are outside the secured office environment.

Answer 288

Set up policies for URL Filtering, Threat Prevention, and HTTPS Inspection View user traffic and audit logs Manage users and offices Download Capsule Cloud applications and utilities Change client and device settings Access Capsule Cloud utilities Determine location of roaming clients (via the Location Awareness feature)

Answer 289

allows mobile and remote workers to easily and securely connect to the corporate network from any location. data is decrypted, filtered, and inspected in real-time by Check Point’s gateway security services. Can enforce security posture of the device

Answer 290

``` Certificate (Internal or External Certificate Authority) RADIUS server SecurID Username and password (internal, LDAP) Dynamic ID One-Time Password (OTP) ```

Answer 291

Server Side Security: Mobile Access uses IPS Web Intelligence to protect the network from web-related threats and attacks Client Side: can scan endpoint devices to verify their security compliance and make sure that their protections are up-to-date.

Answer 292

The Mobile Access Policy defines how remote users can securely access internal company applications and resources using mobile devices. Mobile Access Policy rules are defined and unified in the Access Control policy. This includes all rules related to the Mobile Access Portal, Capsule Workspace, and on-demand clients.

Answer 293

1. The Mobile Access Software Blade must be enabled. 2. Security Gateways with Mobile Access enabled, are automatically added to the Remote Access VPN Community. 3. Mobile Access applications must be defined. Other application objects cannot be used for Mobile Access. 4. Create access roles to give access to resources through specified remote access clients.

Answer 294

1. Place Mobile Access rules that authorize applications above rules that contain a related service. 2. Create an inline layer for Mobile Access rules. When creating rules, do not use a Security Gateway as the destination.

Answer 295

1. In the SSL VPN solution, users can connect securely to business web-based applications through a web portal, which can be accessed using a web browser. This solution does not require users to install a VPN agent or client and can be configured to enforce two-factor authentication. 2. IPSec, Layer 3 VPN requires remote workers to install a VPN client before gaining access to corporate resources. Once a user installs the client, the Layer 3 VPN provides a secured connection to both web-based and native business applications.

Answer 296

As business documents are edited and viewed on personal devices using Capsule Workspace, Capsule Docs protects business data and documents no matter where it is transmitted.

Answer 297

Protects users from malware on legitimate websites, controls network usage of selected applications, and more.

Answer 298

Threat Prevention policy

Answer 299

ips_export_import

Answer 300

1. Enforces or monitors traffic based on the source or destination country. 2. A valid IPS contract and an IPS Software Blade license is required. 3. The IP-To-Country database is downloaded to the gateway from a Check Point data center. Geo-Protection logs are aggregated by default.

Answer 301

1. Protects the network from malware attacks/ worms virus, backdoors 2. Uses threat intelligence from ThreatCloud. Scans incoming files for malicious signatures. 3. Updates ThreatCloud with any newly detected malware. 4. Blocks access to websites with known connection to malware.

Answer 302

Check Point’s Anti-Bot Software Blade identifies bot-infected machines using the ThreatSpect engine to analyze network traffic. The engine: Performs a reputation check. Reviews network signatures. Searches for suspicious activity.

Answer 303

1. Used to catch zero-day attacks and APTs. | 2. Files are hosted and executed in a secured environment and then observed for suspicious routines.

Answer 304

OS-Level | CPU-Level

Answer 305

Emulates a standard operating system in an isolated environment to execute and screen files.

Answer 306

Delaying launch of a payload. Searching for virtual machine indicators. Checking for human interaction activities that are difficult to replicate virtually. OS fingerprinting.

Answer 307

Addresses the limitations of traditional sandboxing. | by Monitoring exploits executed in CPU instruction codes.

Answer 308

1. Finding Vulnerability 2. Using an Exploit Method 3. Running a Shellcode 4. Running the Malware

Answer 309

Check Point’s solution for zero-day attacks

Answer 310

Threat Emulation Threat Extraction Threat Cloud Mail Transfer Agent

Answer 311

Performs both CPU-Level and OS-Level inspection of files.

Answer 312

Threat Extraction provides users with a sanitized, reconstructed document using only safe elements. Threat Extraction is typically used for incoming emails only; however, it can be used for outgoing emails as well. It supports widely used document file types, such as PDF and MS Word documents.

Answer 313

1.Consolidates information from sources, such as: Signature and reputation data from different Check Point systems. 2. External intelligence sources. 3. Data and research from Check Point’s Vulnerability Research and Incident Response teams. (Keeps sandblast up to date)

Answer 314

Ensures that full emulation occurs without disruption. Prevents email server timeout during emulation. Manages the emulation of SMTP traffic.

Answer 315

Inline or Prevent | Detect Only

Answer 316

Detect Mode-In Detect mode, incoming emails go straight to the inbox without interference Prevent Mode- In Prevent mode, incoming emails are directed to a temporary quarantine folder within Office 365 Hybrid Deployment- on-premise Exchange server and Cloud Office 365 can use the following options for a hybrid deployment:

Answer 317

Extends SandBlast Protection to end-users.

Answer 318

To prevent these threats, Threat Emulation performs CPU-level inspection of incoming files to look for signs of exploit methods. It runs the inspection in a sandbox environment, away from the organization’s network. If files exhibit malicious routines, Threat Emulation deletes them promptly. While Threat Emulation performs the inspection, Threat Extraction provides a clean, sanitized version of the file. This is to avoid any disruption to the company's daily operations.

Answer 319

While Firewall blocks network traffic based on source, destination, and port information, IPS analyzes its contents. This is to prevent threats such as drive by download, which are known to hide malicious codes behind hijacked, legitimate websites.