ccse r71 study
-
8/16/2019 Ccse r71 Study
1/88
Check Point Security Expert R70 / R71
Study Guide
Check Point Certified Security Administrator
Exam: #156-315.71
Copyright © Check Point Software Technologies Ltd. All rights reserved.
Printed by Check Point Press
A Division of Check Point Software Technologies Ltd.
First Printing December 2010
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.
© 2003-2010 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.
TRADEMARKS
©2003-2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.
DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties,
either express or implied by or with respect to anything in this document, and shall
not be liable for any implied warranties of merchantability or fitness for a particular
purpose or for any indirect special or consequential damages.
International Headquarters: 5 Ha’Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555
U.S. Headquarters: 800 Bridge Parkway
Redwood City, CA 94065
Tel: 650-628-2000
Fax: 650-654-4233
Technical Support, Education & Professional Services:
8333 Ridgepoint Drive, Suite 150
Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913
E-mail any comments or questions about our
courseware to [email protected].
For questions or comments about other Check
Point documentation, e-mail
Document #: CCSA R70 Study Guide
Revision: R71001
Content: Mark Hoefle
Graphics: Jeffery Holder
Chapter 1 The Check Point Certified Security Expert Exam
    Frequently Asked Questions
Chapter 2 Management Portal
    Check Point Management Portal Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 3 Smart Workflow
    Check Point SmartWorkflow Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 4 SmartProvisioning
    Check Point SmartProvisioning Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 5 SSL Portal-Based VPN
    Check Point SSL Portal-Based VPN Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 6 Acceleration
    Check Point Acceleration Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 7 High Availability
    Check Point High Availability Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 8 Clustering
    Check Point Clustering Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 9 Advanced Networking - Routing
    Check Point Advanced Networking — Routing Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 10 Advanced Networking — Load Balancing
    Check Point Advanced Networking — Load Balancing Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 11 Advanced Networking - QoS
    Check Point Advanced Networking — QoS Topics
    Sample CCSE R71 Exam Question
    Answer
Chapter 12 Check Point IPS
    Introduction to the Check Point IPS Topics
    Sample CCSA R71 Exam Question
    Answer
Chapter 13 Data Loss Prevention
    Introduction to the Check Point Data Loss Prevention Topics
    Sample CCSA R71 Exam Question
    Answer
Preface: The Check Point Certified Security Expert Exam

The Check Point Security Expert R70 / R71 course is intended to provide an understanding of upgrading and advanced configuration of Check Point software blades, installing and managing VPNs (on both internal and external networks), gaining the maximum security from Security Gateways, and resolving Gateway performance issues. The Check Point Security Expert R70 / R71 Study Guide supplements knowledge you have gained from the Check Point Security Expert R70 / R71 course, and is not a sole means of study.

The Check Point Certified Security Expert R71 (CCSE) exam covers the following topics:

- Define how the Management Portal aids in managing and troubleshooting security configurations.
- Describe how to extend access to network policy settings to outside auditors.
- Identify the advantages of SmartWorkflow in tracking, approving, and auditing security policy changes.
- Assess the benefits of policy life-cycle management and change management.
- Determine typical SmartWorkflow administrative and use processes.
- Identify the advantages of SmartProvisioning as a centralized management tool.
- Determine typical SmartProvisioning deployment scenarios.
- Describe profile based management as it applies to SmartProvisioning.
- Describe the security features of SSL VPN.
- Identify the role of the SSL VPN in common deployment scenarios.
- Identify the advantages of SecureXL security acceleration with intense security processing requirements.
- Assess the benefits of multi-core CPU combined with SecureXL security acceleration.
- Identify the features and limitations of Management High Availability.
- Determine typical multiple security gateway cluster configurations using ClusterXL.
- Identify the advantages of Advanced Routing protocols for scalability, fault-tolerance, security.
- Determine typical Load Balancing configurations using Advanced Networking.
- Define the purpose for Reporting.
- Given logged data, produce reports that provide an audit of network traffic.
- Define the need for intrusion event analysis.
- Monitor and analyze alerts to track and identify network intrusions.
Frequently Asked Questions

The table below provides answers to commonly asked questions about the CCSE NGX R71 exam:

Question: What are the Check Point recommendations and prerequisites?
Answer: You must pass the CCSA R71 exam, before taking the CCSE R71 exam. Check Point recommends you have at least 6 months to 1 year of experience with the products, before attempting to take the CCSE R70 exam. In addition, you should also have basic networking knowledge, knowledge of Windows Server and/or UNIX, and experience with TCP/IP and the Internet.
Check Point also recommends you take the Check Point Security Administrator R70 / R71 class from a Check Point Authorized Training Center (ATC). We recommend you take this class before taking the CCSE R71 exam. To locate an ATC, see:
www.checkpoint.com/services/education/certification/ngx_atc.html

Question: How do I register?
Answer: Check Point exams are offered through Pearson VUE, a third-party testing vendor with more than 3,500 testing centers worldwide.
Pearson VUE offers a variety of registration options. Register via the Web or visit a specific test center. Registrations at a testing center may be made in advance or on the day you wish to test, subject to availability. For same-day testing, contact the testing center directly.
Locate a testing center from the VUE Pearson Web site:
www.pearsonvue.com

Question: What is the exam structure?
Answer: The exams are composed of multiple-choice and scenario questions. There is no partial credit for incorrectly marked questions.

Question: How long is the exam? Do I get extra time, if I am not a native English speaker?
Answer: The following countries are given 120 minutes to complete the exam. All other regions get 150 minutes:
Australia
Bermuda
Canada
Japan
New Zealand
Ireland
South Africa
UK
US

For more exam and course information, see:
http://www.checkpoint.com/services/education/
Chapter 1: Management Portal

The Check Point Management Portal Software Blade allows the extension of browser-based management access to outside groups, such as technical support staff or auditors, while still maintaining centralized administrative control of policy enforcement. Management Portal users can view security policies, check on the status of all Check Point products, and administrator activity, manage firewall logs, and edit, create and modify internal users.

Objectives:
- Configure Administrative access to the Security Management server from an offsite machine to facilitate remote management of corporate Security Gateways.
Check Point Management Portal Topics

The following table outlines the topics covered in the “Management Portal” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element | Page Number
Web Based Administration | p. 03
Deploying the Management Portal - Dedicated Server | p. 03
Deploying the Management Portal - Security Management Server | p. 04
Management Portal Commands and Configurations | p. 04
Client Side Requirements | p. 05
Lab 1: Environment Setup | L-p. 1
Build the Management Server | L-p. 2
Build Gateways | L-p. 7
Install and Configure NTP | L-p. 11
Establishing SIC | L-p. 12
Lab 2: Management Portal | L-p. 15
Configure Management Portal on Corporate Site | L-p. 16
Test Management Portal Access | L-p. 18
Configure Management Portal Access on Partner Site | L-p. 22
Test Management Portal with Read Only Access | L-p. 27

Table 1-1: Management Portal Topics
Sample CCSE R71 Exam Question

The Management Portal allows all of the following EXCEPT:
1. View administrator activity.
2. Schedule policy installation.
3. View the status of Check Point products.
4. Manage firewall logs.
Answer

The Management Portal allows all of the following EXCEPT:
1. View administrator activity.
2. Schedule policy installation.
3. View the status of Check Point products.
4. Manage firewall logs.
Chapter 2: Smart Workflow

The SmartWorkflow Blade is a security policy change-management solution that tracks all proposed changes to the Check Point network security environment, and provides a management review and approval process, before a new policy implementation.

Objectives:
- Process a change request based on an organization’s existing management infrastructure.
Check Point SmartWorkflow Topics

The following table outlines the topics covered in the “SmartWorkflow” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element | Page Number
Change Management | p. 11
The SmartWorkflow Environment | p. 12
Task Flow | p. 12
SmartWorkflow Toolbar | p. 15
The SmartWorkflow Session Management Window | p. 17
SmartWorkflow Session Information | p. 20
Working with SmartWorkflow | p. 21
Assigning Permissions | p. 21
Enabling SmartWorkflow | p. 21
Configuring SmartWorkflow | p. 22
Working with Sessions | p. 23
Comparing Policies | p. 26
Approving Sessions | p. 27
Auditing Changes | p. 28
Lab 3: SmartWorkflow | L-p. 29
Create New Administrators | L-p. 30
Configure SmartWorkflow | L-p. 33
Open and Submit a Session for Approval | L-p. 36
Disapprove the Session and Request a Modification | L-p. 42
Repair Session 1 | L-p. 45
Approve the Session and Install Policy | L-p. 50
Disable SmartWorkflow | L-p. 51

Table 2-2: SmartWorkflow Topics
Sample CCSE R71 Exam Question

Which of the following can NOT approve a change in a SmartWorkflow Session?
1. Customer Superusers.
2. Provider-1 Superusers.
3. FireWall Administrators
4. FireWall Managers.
Answer

Which of the following can NOT approve a change in a SmartWorkflow Session?
1. Customer Superusers.
2. Provider-1 Superusers.
3. FireWall Administrators
4. FireWall Managers.
Chapter 3: SmartProvisioning

The Check Point SmartProvisioning software blade enables you to manage and maintain thousands of gateways from a single Security Management server or Provider-1 CMA, with features to define, manage, and provision large-scale deployments of Check Point gateways.

Objectives:
- Determine and implement the appropriate Provisioning deployment scenario based on corporate requirements.
- Modify different properties on remote Gateways (i.e., DNS, Networking) per corporate requirements.
Check Point SmartProvisioning Topics

The following table outlines the topics covered in the “SmartProvisioning” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element | Page Number
SmartProvisioning Overview | p. 33
SmartProvisioning Management | p. 33
Enabling SmartProvisioning | p. 34
SmartProvisioning Console | p. 36
Tree Pane | p. 36
Workspace Pane | p. 36
Status View | p. 37
SmartProvisioning Wizard | p. 39
SmartProvisioning Profiles | p. 40
UTM-1 Edge-Only SmartProvisioning | p. 41
Gateway Management | p. 44
Adding Gateways to SmartProvisioning | p. 44
Gateway Edit Windows | p. 45
Real-Time Gateway Actions | p. 45
Remotely Controlled Gateways | p. 45
Editing Gateway Properties | p. 47
Executing Commands | p. 47
Managing SmartLSM Security Gateways | p. 48
Applying Dynamic Object Values | p. 48
Getting Updated Security Policy | p. 49
Changing Assigned SmartLSM Security Profile | p. 50
Tracking | p. 51
Log Servers | p. 52
Configuring SmartLSM Gateway Topology | p. 53
Managing Security Gateways | p. 55
Scheduling Backups | p. 55
Configuring Hosts | p. 56
Configuring the Domain | p. 57
Configuring Host Name | p. 57
Configuring Routing | p. 58
Managing Software | p. 58
The package Repository | p. 59
Distributing Packages | p. 59
Security Gateway Actions | p. 60
Applying Changes | p. 62
Maintenance Mode | p. 63
UTM-1 Edge Portal | p. 64
UTM-1 Edge Ports | p. 64
Provisional Settings | p. 65
Understanding Dynamic Objects | p. 68
Benefits of Dynamic Objects | p. 68
Dynamic Object Types | p. 68
Dynamic Object Values | p. 69
Command Line | p. 70
Lab 4: SmartProvisioning | L-p. 53
Enable SmartProvisioning | L-p. 54
Create New Profile | L-p. 63
Assign Profile to Gateways | L-p. 66
Push Policy to Gateways | L-p. 68
Verify Profile Changes | L-p. 69

Table 3-3: SmartProvisioning Topics
Sample CCSE R71 Exam Question

Which version is the minimum requirement for SmartProvisioning?
1. R70.2
2. R65-HFA 40
3. R70
4. R71
Answer

Which version is the minimum requirement for SmartProvisioning?
1. R70.2
2. R65-HFA 40
3. R70
4. R71
Chapter 4: SSL Portal-Based VPN

Check Point SSL VPN Software Blade is a comprehensive remote access solution that allows mobile and remote workers to connect easily and securely from any location, with any Internet device to critical resources. This software blade option integrates easily into your existing Check Point gateway, enabling more secure and operationally efficient remote access for your endpoint users. The data transmitted by remote access is decrypted and then filtered and inspected in real-time by Check Point’s gateway security services such as anti-virus, intrusion prevention and Web security. The SSL VPN Software Blade also includes secure methods for authentication, and the ability to check the security posture of the remote device.

Objectives:
- Configure applications for SSL VPN remote access based on corporate and user requirements.
Check Point SSL Portal-Based VPN Topics

The following table outlines the topics covered in the “SSL Portal-Based VPN” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element | Page Number
SSL VPN Software Blade Overview | p. 75
Key Features | p. 76
Simple Deployment - SSL VPN | p. 77
Deploying SSL VPN - DMZ | p. 78
Cluster Deployment | p. 79
SSL VPN Management | p. 79
SSL Network Extender | p. 80
SSL VPN Security Features | p. 81
Configuration Workflows | p. 83
The SSL VPN Wizard | p. 84
Setting up the SSL VPN Portal | p. 84
User Workflow | p. 84
Managing Access to Applications | p. 84
Protection Levels | p. 86
Introduction to Applications | p. 87
Web Applications | p. 87
File Shares | p. 87
Citrix Services | p. 88
Web Mail Services | p. 88
Native Applications | p. 89
Lab 5: SSL VPN | L-p. 71
Install SSL VPN | L-p. 72
Mandatory Hotfix for R71 SSL VPN Software Blade | L-p. 73
Enable SSL VPN in SmartDashboard | L-p. 73
Create a File-Share Application in SSL VPN Tab | L-p. 73
Create an Internal User | L-p. 78
Assign File-Share Access to User Group | L-p. 81
Verify File-Share Access Through the User Portal | L-p. 85
Configure Embedded RDP | L-p. 88
Permit Access to Applications | L-p. 93
Configure Global Properties | L-p. 96
Configure Server and Client | L-p. 98
Test RDP Session | L-p. 98

Table 4-4: SmartWorkflow Topics
Sample CCSE R71 Exam Question

Where is the ideal place to deploy your SSL VPN:
1. SSL VPN enabled on the gateway
2. Anywhere
3. Deployed in DMZ
4. In front of the external interface on the gateway
Answer

Where is the ideal place to deploy your SSL VPN:
1. SSL VPN enabled on the gateway
2. Anywhere
3. Deployed in DMZ
4. In front of the external interface on the gateway
Chapter 5: Acceleration

The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments.

Objectives:
- Configure and verify that traffic throughput is enhanced using SecureXL on a SecurePlatform Pro Security Gateway.
Check Point Acceleration Topics

The following table outlines the topics covered in the “Acceleration” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element | Page Number
Check Point Acceleration and Clustering | p. 95
SecureXL Security Acceleration | p. 95
What SecureXL Does | p. 96
Throughput Acceleration | p. 96
Connection Rate Acceleration | p. 96
Masking the Source Port | p. 97
Application Layer Protocol | p. 98
HTTP 1.1 | p. 99
Other Application Layer Protocols | p. 100
UDP Pseudo-Connections | p. 100
Packet Flow | p. 101
SecureXL API | p. 102
VPN Capabilities | p. 103
CoreXL: Multicore Acceleration | p. 105
Supported Platforms and Features | p. 106
Performance Tuning | p. 107
Processing Core Allocation | p. 107
Packet Flows | p. 108
Adding Processing Cores to the Hardware | p. 108
Allocating an Additional Core to the SND | p. 109
Allocating a Core for Heavy Logging | p. 109
Lab 6: SecureXL | L-p. 101
Enable and Configure SecureXL on the Gateway | L-p. 102
Open Connections and Verify Acceleration | L-p. 104

Table 5-5: SecureXL
Sample CCSE R71 Exam Question

What is the maximum number of cores supported by CoreXL?
1. 6
2. 18
3. 04
4. 012
Answer

What is the maximum number of cores supported by CoreXL?
1. 6
2. 8
3. 4
4. 12
Chapter 6: High Availability

Check Point High Availability limits any disruption to network uptime should a security gateway face unforeseen performance issues. High Availability transparently redistributes workloads to surviving cluster gateways without impacting communication throughout the cluster.

Objectives:
- Deploy New Mode HA on a new cluster member.
Check Point High Availability Topics

The following table outlines the topics covered in the “High Availability” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

Topic / Key Element | Page Number
Management High Availability | p. 115
The Management High Availability Environment | p. 116
What Data is Backed Up by the Standby Security Servers? | p. 117
Synchronization Modes | p. 117
Synchronization Status | p. 117
Lab 7: Deploying New Mode HA | L-p. 107
Create and Configure a Secondary Cluster Member | L-p. 109
Cluster and Member IP Addresses | L-p. 110
Reconfigure Routing | L-p. 113
Configure Gateway-Cluster Objects | L-p. 114
Configure ClusterXL Properties | L-p. 123
Modify the Rule Base | L-p. 125
Pass Traffic Through Cluster | L-p. 125
Observe Cluster Status in SmartView Monitor | L-p. 126
Test Failover | L-p. 128
Method 1 | L-p. 128
Method 2 | L-p. 129
Method 3 | L-p. 129

Table 6-6: High Availability
Sample CCSE R71 Exam Question

What could be a reason why synchronization between primary and secondary Security Management Servers does not occur?
1. You have installed both Security Management Servers on different server systems (e.g. one machine on HP hardware and the other one on Dell).
2. You did not activate synchronization within the Global Properties.
3. You are using different time zones.
4. If the set of installed products differ from each other, the Security Management Servers do not synchronize the database to each other.
Answer
What could be a reason why synchronization between primary and secondary Security Management Servers does not occur?
1. You have installed both Security Management Servers on different server systems (e.g. one machine on HP hardware and the other one on Dell).
2. You did not activate synchronization within the Global Properties.
3. You are using different time zones.
4. If the set of installed products differ from each other, the Security Management Servers do not synchronize the database to each other.
Chapter 7: Clustering
The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments.
Objectives:
Learn the standard configurations for ClusterXL
Learn how packets travel through a cluster
Learn the basics of how VRRP works on the IP appliance
Check Point Clustering Topics
The following table outlines the topics covered in the “Clustering” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.
Topic Key Element Page Number
ClusterXL: Smart Load Balancing p. 125
Installing ClusterXL p. 126
Clustering terms p. 126
Unicast Load Sharing p. 128
How Pivot Mode Works p. 129
How Packets Travel Through a Cluster p. 130
Cluster Control Protocol p. 131
Cluster Synchronization p. 131
Check Point State Synchronization p. 131
Sticky Connections p. 133
The Sticky Decision Function p. 133
ClusterXL Configuration Issues p. 134
Modes of ClusterXL Supporting SecureXL p. 134
Crossover-Cable Support p. 134
VRRP Overview p. 135
How VRRP Works p. 136
VRRP with Internal and External VRIDs p. 137
VRRP with Simultaneous Backup p. 138
Lab 8: Load Sharing Unicast (Pivot) and Multicast Modes L-p. 131
Configure Load Sharing Unicast Mode L-p. 132
Test Load Sharing Unicast Mode L-p. 133
Configure Load Sharing Multicast Mode L-p. 137
Test Load Sharing Multicast Mode L-p. 139
Lab 9: VPN with Sticky Decision Function L-p. 141
Configure VPN in a Cluster L-p. 142
Define the VPN Domain L-p. 142
Create the VPN Community L-p. 145
Create the VPN Rule and Modify the Rule Base L-p. 147
Test VPN Connection L-p. 148
View a Packet Capture of FT Connections without Sticky Decision Function L-p. 149
View a Packet Capture of FT Connections with Sticky Decision Function L-p. 152
Table 7-7: Clustering
Sample CCSE R71 Exam Question
By default, a standby Security Management Server is automatically synchronized by an active Security Management Server, when:
1. The Security Policy is saved.
2. The Security Policy is installed.
3. The user database is installed.
4. The standby Security Management Server starts for the first time.
Answer
By default, a standby Security Management Server is automatically synchronized by an active Security Management Server, when:
1. The Security Policy is saved.
2. The Security Policy is installed.
3. The user database is installed.
4. The standby Security Management Server starts for the first time.
Chapter 8: Advanced Networking - Routing
The Check Point Advanced Networking Software Blade makes it easier for administrators to deploy security within complex and highly utilized network environments making this ideal for high-end enterprise and datacenter environments where performance and availability are critical.
Objectives:
Configure VPN in a clustered environment, and demonstrate VPN failover.
Configure and test VPN Tunnel Interfaces (VTIs) for a clustered environment.
Check Point Advanced Networking - Routing Topics
The following table outlines the topics covered in the “Advanced Networking - Routing” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.
Topic Key Element Page Number
Advanced Networking Blade p. 143
Check Point Dynamic Routing p. 145
The Command Line Interface p. 147
User Execution Mode p. 147
Privileged Execution Mode p. 147
Global Configuration Mode p. 147
Router Configuration Mode p. 148
Interfaces p. 149
Kernel Interfaces p. 149
Martian Addresses p. 150
Border Gateway Protocol (BGP) p. 151
BGP Decision Process p. 152
Dynamic Capabilities p. 153
Internet Control Message Protocol (ICMP) p. 154
Open Shortest Path First Protocol p. 155
Router Discovery Protocol p. 157
SNMP Multiplexing (SMUX) p. 159
Distance Vector Multicast Routing Protocol (DVMRP) p. 160
Internet Group Management Protocol (IGMP) p. 161
Protocol Independent Multicast p. 160
Access Lists p. 163
AS Paths and AS Path Lists p. 163
BGP Communities and Community Lists p. 165
Prefix Lists and Prefix Trees p. 165
Route Aggregation and Generation p. 166
Route Flap Damping p. 167
Route Maps p. 167
Multicast Access Control p. 168
Multicast Routing Protocols p. 169
Dynamic Registration Using IGMP p. 169
IP Multicast Group Addressing p. 169
Reserved Local Addresses p. 169
Per-Interface Multicast Restrictions p. 171
VPN Connections p. 171
Table 8-8: Advanced Networking - Routing
Sample CCSE R71 Exam Question
Which statement is TRUE for route-based VPNs?
1. Route-based VPNs replace domain-based VPNs.
2. IP Pool NAT must be configured on each gateway.
3. Route-based VPNs are a form of partial overlap VPN Domain.
4. Dynamic-routing protocols are not required.
Answer
Which statement is TRUE for route-based VPNs?
1. Route-based VPNs replace domain-based VPNs.
2. IP Pool NAT must be configured on each gateway.
3. Route-based VPNs are a form of partial overlap VPN Domain.
4. Dynamic-routing protocols are not required.
Chapter 9: Advanced Networking - Load Balancing
The Check Point Advanced Networking Software Blade provides for flexible server load balancing. Each connection request is directed to a specific server based on one of the Advanced Networking Software Blade’s pre-defined load balancing algorithms.
Objectives:
Configure Load Sharing Unicast (Pivot) and Multicast Mode on a cluster member.
Check Point Advanced Networking - Load Balancing Topics
The following table outlines the topics covered in the “Advanced Networking - Load Balancing” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.
Topic Key Element Page Number
Why Load Balancing? p. 175
ConnectControl p. 175
Methods of Load-Balancing p. 176
ConnectControl Packet Flow p. 177
Logical Server Types p. 177
Packet Flow in an HTTP Logical Server p. 178
Packet Flow in Other Logical Server Types p. 179
Persistent Server Mode p. 181
Server Availability p. 182
Load Measuring p. 183
Table 9-9: Advanced Networking - Load Balancing
Sample CCSE R71 Exam Question
In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?
1. Hot Standby Load Sharing
2. CCP Load Sharing
3. Unicast Load Sharing
4. Multicast Load Sharing
Answer
In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?
1. Hot Standby Load Sharing
2. CCP Load Sharing
3. Unicast Load Sharing
4. Multicast Load Sharing
Chapter 10: Advanced Networking - QoS
The Advanced Networking blade lets you prioritize business-critical traffic such as ERP, database, and Web services traffic over less time-critical traffic. It also allows you to guarantee bandwidth and control latency for streaming applications such as Voice over Internet Protocol (VoIP) and video conferencing. In addition, with highly granular controls, the Advanced Networking blade enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.
Objectives:
Set up and verify the best QoS configuration, using the Advanced Networking Software Blade, for your corporate environment, and test and confirm a bandwidth control Policy.
Check Point Advanced Networking - QoS Topics
The following table outlines the topics covered in the “Advanced Networking - QoS” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.
Topic Key Element Page Number
Quality of Service p. 189
QoS Technology - Stateful Inspection p. 190
QoS Architecture p. 192
QoS Gateway p. 193
QoS Security Management Server p. 193
QoS SmartConsole p. 194
QoS Configuration p. 195
Client/Server Interaction p. 196
QoS Policy Management p. 197
Bandwidth Allocation and Rules p. 199
Default Rule p. 200
QoS Action Type p. 200
Example of a Rule Matching VPN Traffic p. 201
Bandwidth Allocation and Sub-Rules p. 202
Implementing the Rule Base p. 203
Deploying QoS p. 204
Sample Bandwidth Allocations p. 205
Lab 10: Configuring Check Point QoS Policy L-p. 155
Enable and Configure Check Point QoS L-p. 156
Enable Check Point QoS on Security Gateway L-p. 156
Configure Check Point QoS Global Properties L-p. 157
Configure QoS on the Gateway L-p. 157
Create Check Point QoS Rules and Adjust rule Weights L-p. 159
Add Outbound Rule L-p. 159
Add Inbound Rule L-p. 161
Verify and Install Policy L-p. 163
Test QoS Policy L-p. 164
Inbound Transfer Rate L-p. 164
Outbound Transfer Rate L-p. 165
Table 10-10: Advanced Networking - QoS
Sample CCSE R71 Exam Question
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?
1. Guarantees
2. Weighted Fair Queuing
3. Low Latency Queuing
4. Differentiated Services
Answer
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?
1. Guarantees
2. Weighted Fair Queuing
3. Low Latency Queuing
4. Differentiated Services
Chapter 11: Check Point IPS
This chapter presents basic information on Check Point’s Intrusion Prevention Software Blade, how intrusion prevention systems work, and how they prevent the network attacks that the intrusion prevention system can detect.
Objectives:
Implement default or customized profiles to designated Gateways in the corporate network.
Manage profiles by tracking changes to the network, including performance degradation, and troubleshoot issues with the network related to specific IPS policy rules.
Introduction to the Check Point IPS Topics
The following table outlines the topics covered in the “Check Point IPS” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.
Topic Key Element Page Number
IPS Overview p. 211
New IPS Engine/Architecture p. 213
Flexible IPS Policy Management p. 215
IPS Event Manager p. 216
Configuring and Managing IPS p. 217
IPS Protection p. 219
IPS Profiles p. 220
Assigning Profiles p. 220
Protection Browser p. 221
Exporting the Protections List p. 223
Protection Parameters p. 223
Activating Protections p. 226
Automatically Activating Protections p. 226
Manually Activating Protections p. 228
Monitoring Traffic p. 229
Network Exceptions p. 231
Viewing Packet Information p. 232
Optimizing IPS p. 233
Performance Management p. 234
Bypass Under Load p. 235
Troubleshooting p. 236
Tuning Protections p. 237
IPS Policy Settings p. 237
Enhancing System Performance p. 238
Updating Protections - IPS Subscription p. 239
Managing IPS Protections p. 240
Updating IPS Protections p. 240
IPS Software Blade Contracts (R71) p. 242
Lab 11: Implementing IPS L-p. 167
Modify the Gateway Properties L-p. 168
Modify DMZ Server Object L-p. 169
Configure IPS for Preliminary Detection L-p. 172
Create a New IPS Profile L-p. 173
Assign to Gateway L-p. 179
Generate an Attack L-p. 181
Analyze the Attack L-p. 184
Reconfigure IPS to Block Attacks L-p. 187
Review Logs L-p. 190
Table 11-11: Check Point IPS Topics
Sample CCSA R71 Exam Question
You just upgraded to R71 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low. How can you achieve this?
1. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.
2. This can't be achieved; activating any IPS system always causes a high rate of false positives.
3. As in SmartDefense, this can be achieved by activating all the critical checks manually.
4. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.
Answer
You just upgraded to R71 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low. How can you achieve this?
1. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.
2. This can't be achieved; activating any IPS system always causes a high rate of false positives.
3. As in SmartDefense, this can be achieved by activating all the critical checks manually.
4. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.
Chapter 12: Data Loss Prevention
The need to secure our data goes beyond access to network resources. It isn’t enough to permit or deny access into and out of internal networks where confidential company data is located. Research has shown that one of the greatest threats to data loss is unintentional and from the inside. The Check Point Data Loss Prevention (DLP) Appliances and Software Blade address the need to protect sensitive data from leaving secure corporate sites.
Objectives:
Configure DLP Data Types in a rule.
Monitor and adjust DLP Policies.
Introduction to the Check Point Data Loss Prevention Topics
The following table outlines the topics covered in the “Data Loss Prevention” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.
Topic Key Element Page Number
The Need for Data Loss Prevention p. 249
DLP Gateway in a Network p. 251
What Happens on Rule Match p. 252
Deployment Options p. 253
DLP Platforms and Performance p. 253
DLP User Check p. 254
Installing, Connecting, Verifying Clients p. 255
Data Loss Prevention Portal p. 255
Data Loss Prevention Views p. 257
My Organization p. 259
DLP Policies p. 260
The Default Policy p. 260
DLP Policy vs. Security Policy p. 261
Data Loss Prevention Actions p. 263
Data Types p. 264
Protecting Data by Keyword p. 265
Dictionary Data Types p. 266
Protecting Documents by Template p. 266
Protecting Files p. 267
Protecting Data by Pattern p. 267
Protecting Data by CPcode p. 267
Defining Compound Data Types p. 268
Data Type Groups p. 269
Lab 12: Data Loss Prevention L-p. 191
Topology Setup L-p. 192
Configure the DLP Gateway L-p. 196
Configure the DLP Object in SmartDashboard L-p. 202
Modify the Rule Base L-p. 209
Test the Default Policy L-p. 210
Employee Name L-p. 212
Keyword Search L-p. 218
Template Exercise L-p. 231
Table 12-12: Check Point IPS Topics
Sample CCSA R71 Exam Question
Mark the configuration options that are available for Data Loss Prevention in R71.
1. A Dedicated DLP Gateway running only the DLP Software Blade.
2. The DLP Gateway running only the Firewall Software Blade.
3. The DLP Gateway running only the Management Server on the same machine.
4. The DLP as an integrated software blade, which can be enabled on a Check Point Security Gateway running other software blades such as Firewall, IPS and Management.
Answer
Mark the configuration options that are available for Data Loss Prevention in R71.
1. A Dedicated DLP Gateway running only the DLP Software Blade.
2. The DLP Gateway running only the Firewall Software Blade.
3. The DLP Gateway running only the Management Server on the same machine.
4. The DLP as an integrated software blade, which can be enabled on a Check Point Security Gateway running other software blades such as Firewall, IPS and Management.