ccse r71 study


Post on 05-Jul-2018


  • 8/16/2019 Ccse r71 Study

    1/88

    Check Point Security Expert R70 / R71

    Study Guide

    Check Point Certified Security Administrator 

    Exam: #156-315.71


    Copyright © Check Point Software Technologies Ltd. All rights reserved.

    Printed by Check Point Press

    A Division of Check Point Software Technologies Ltd.

    First Printing December 2010

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    © 2003-2010 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    TRADEMARKS

    ©2003-2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    DISCLAIMER OF WARRANTY

    Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.


    International Headquarters: 5 Ha’Solelim Street

    Tel Aviv 67897, Israel

    Tel: +972-3-753 4555

    U.S. Headquarters: 800 Bridge Parkway

    Redwood City, CA 94065

    Tel: 650-628-2000

    Fax: 650-654-4233

    Technical Support, Education & Professional Services:

    8333 Ridgepoint Drive, Suite 150

    Irving, TX 75063

    Tel: 972-444-6612

    Fax: 972-506-7913

    E-mail any comments or questions about our courseware to [email protected].

    For questions or comments about other Check Point documentation, e-mail [email protected].

    Document #: CCSA R70 Study Guide

    Revision: R71001

    Content: Mark Hoefle

    Graphics: Jeffery Holder 


    Chapter 1 The Check Point Certified Security Expert Exam
        Frequently Asked Questions

    Chapter 2 Management Portal
        Check Point Management Portal Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 3 Smart Workflow
        Check Point SmartWorkflow Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 4 SmartProvisioning
        Check Point SmartProvisioning Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 5 SSL Portal-Based VPN
        Check Point SSL Portal-Based VPN Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 6 Acceleration
        Check Point Acceleration Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 7 High Availability
        Check Point High Availability Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 8 Clustering
        Check Point Clustering Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 9 Advanced Networking - Routing
        Check Point Advanced Networking — Routing Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 10 Advanced Networking — Load Balancing
        Check Point Advanced Networking — Load Balancing Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 11 Advanced Networking - QoS
        Check Point Advanced Networking — QoS Topics
        Sample CCSE R71 Exam Question
        Answer

    Chapter 12 Check Point IPS
        Introduction to the Check Point IPS Topics
        Sample CCSA R71 Exam Question
        Answer

    Chapter 13 Data Loss Prevention
        Introduction to the Check Point Data Loss Prevention Topics
        Sample CCSA R71 Exam Question
        Answer

    Preface

    The Check Point Certified Security Expert Exam

    The Check Point Security Expert R70 / R71 course is intended to provide an understanding of upgrading and advanced configuration of Check Point software blades, installing and managing VPNs (on both internal and external networks), gaining the maximum security from Security Gateways, and resolving Gateway performance issues. The Check Point Security Expert R70 / R71 Study Guide supplements knowledge you have gained from the Check Point Security Expert R70 / R71 course, and is not a sole means of study.

    The Check Point Certified Security Expert R71 (CCSE) exam covers the following topics:

    • Define how the Management Portal aids in managing and troubleshooting security configurations.
    • Describe how to extend access to network policy settings to outside auditors.
    • Identify the advantages of SmartWorkflow in tracking, approving, and auditing security policy changes.
    • Assess the benefits of policy life-cycle management and change management.
    • Determine typical SmartWorkflow administrative and use processes.
    • Identify the advantages of SmartProvisioning as a centralized management tool.
    • Determine typical SmartProvisioning deployment scenarios.
    • Describe profile based management as it applies to SmartProvisioning.
    • Describe the security features of SSL VPN.
    • Identify the role of the SSL VPN in common deployment scenarios.
    • Identify the advantages of SecureXL security acceleration with intense security processing requirements.
    • Assess the benefits of multi-core CPU combined with SecureXL security acceleration.
    • Identify the features and limitations of Management High Availability.
    • Determine typical multiple security gateway cluster configurations using ClusterXL.
    • Identify the advantages of Advanced Routing protocols for scalability, fault-tolerance, security.
    • Determine typical Load Balancing configurations using Advanced Networking.
    • Define the purpose for Reporting.
    • Given logged data, produce reports that provide an audit of network traffic.
    • Define the need for intrusion event analysis.
    • Monitor and analyze alerts to track and identify network intrusions.

    Frequently Asked Questions

    The table below provides answers to commonly asked questions about the CCSE NGX R71 exam:

    Question: What are the Check Point recommendations and prerequisites?

    Answer: You must pass the CCSA R71 exam, before taking the CCSE R71 exam. Check Point recommends you have at least 6 months to 1 year of experience with the products, before attempting to take the CCSE R70 exam. In addition, you should also have basic networking knowledge, knowledge of Windows Server and/or UNIX, and experience with TCP/IP and the Internet.

    Check Point also recommends you take the Check Point Security Administrator R70 / R71 class from a Check Point Authorized Training Center (ATC). We recommend you take this class before taking the CCSE R71 exam. To locate an ATC, see:

    www.checkpoint.com/services/education/certification/ngx_atc.html

    Question: How do I register?

    Answer: Check Point exams are offered through Pearson VUE, a third-party testing vendor with more than 3,500 testing centers worldwide.

    Pearson VUE offers a variety of registration options. Register via the Web or visit a specific test center. Registrations at a testing center may be made in advance or on the day you wish to test, subject to availability. For same-day testing, contact the testing center directly.

    Locate a testing center from the VUE Pearson Website:

    www.pearsonvue.com

    Question: What is the exam structure?

    Answer: The exams are composed of multiple-choice and scenario questions. There is no partial credit for incorrectly marked questions.

    Question: How long is the exam? Do I get extra time, if I am not a native English speaker?

    Answer: The following countries are given 120 minutes to complete the exam. All other regions get 150 minutes:

    • Australia
    • Bermuda
    • Canada
    • Japan
    • New Zealand
    • Ireland
    • South Africa
    • UK
    • US

    For more exam and course information, see:

    http://www.checkpoint.com/services/education/

    Chapter 1: Management Portal

    The Check Point Management Portal Software Blade allows the extension of browser-based management access to outside groups, such as technical support staff or auditors, while still maintaining centralized administrative control of policy enforcement. Management Portal users can view security policies, check on the status of all Check Point products, and administrator activity, manage firewall logs, and edit, create and modify internal users.

    Objectives:

    • Configure Administrative access to the Security Management server from an offsite machine to facilitate remote management of corporate Security Gateways.

    Check Point Management Portal Topics

    The following table outlines the topics covered in the “Management Portal” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    | Topic | Key Element | Page Number |
    |---|---|---|
    | Web Based Administration | | p. 03 |
    | | Deploying the Management Portal - Dedicated Server | p. 03 |
    | | Deploying the Management Portal - Security Management Server | p. 04 |
    | | Management Portal Commands and Configurations | p. 04 |
    | | Client Side Requirements | p. 05 |
    | Lab 1: Environment Setup | | L-p. 1 |
    | | Build the Management Server | L-p. 2 |
    | | Build Gateways | L-p. 7 |
    | | Install and Configure NTP | L-p. 11 |
    | | Establishing SIC | L-p. 12 |
    | Lab 2: Management Portal | | L-p. 15 |
    | | Configure Management Portal on Corporate Site | L-p. 16 |
    | | Test Management Portal Access | L-p. 18 |
    | | Configure Management Portal Access on Partner Site | L-p. 22 |
    | | Test Management Portal with Read Only Access | L-p. 27 |

    Table 1-1: Management Portal Topics

    Sample CCSE R71 Exam Question

    The Management Portal allows all of the following EXCEPT:

    1. View administrator activity.
    2. Schedule policy installation.
    3. View the status of Check Point products.
    4. Manage firewall logs.

    Answer

    The Management Portal allows all of the following EXCEPT:

    1. View administrator activity.
    2. Schedule policy installation.
    3. View the status of Check Point products.
    4. Manage firewall logs.

    Chapter 2: Smart Workflow

    The SmartWorkflow Blade is a security policy change-management solution that tracks all proposed changes to the Check Point network security environment, and provides a management review and approval process, before a new policy implementation.

    Objectives:

    • Process a change request based on an organization’s existing management infrastructure.

    Check Point SmartWorkflow Topics

    The following table outlines the topics covered in the “SmartWorkflow” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    | Topic | Key Element | Page Number |
    |---|---|---|
    | Change Management | | p. 11 |
    | | The SmartWorkflow Environment | p. 12 |
    | | Task Flow | p. 12 |
    | | SmartWorkflow Toolbar | p. 15 |
    | | The SmartWorkflow Session Management Window | p. 17 |
    | | SmartWorkflow Session Information | p. 20 |
    | Working with SmartWorkflow | | p. 21 |
    | | Assigning Permissions | p. 21 |
    | | Enabling SmartWorkflow | p. 21 |
    | | Configuring SmartWorkflow | p. 22 |
    | | Working with Sessions | p. 23 |
    | | Comparing Policies | p. 26 |
    | | Approving Sessions | p. 27 |
    | | Auditing Changes | p. 28 |
    | Lab 3: SmartWorkflow | | L-p. 29 |
    | | Create New Administrators | L-p. 30 |
    | | Configure SmartWorkflow | L-p. 33 |
    | | Open and Submit a Session for Approval | L-p. 36 |
    | | Disapprove the Session and Request a Modification | L-p. 42 |
    | | Repair Session 1 | L-p. 45 |
    | | Approve the Session and Install Policy | L-p. 50 |
    | | Disable SmartWorkflow | L-p. 51 |

    Table 2-2: SmartWorkflow Topics

    Sample CCSE R71 Exam Question

    Which of the following can NOT approve a change in a SmartWorkflow Session?

    1. Customer Superusers.
    2. Provider-1 Superusers.
    3. FireWall Administrators
    4. FireWall Managers.

    Answer

    Which of the following can NOT approve a change in a SmartWorkflow Session?

    1. Customer Superusers.
    2. Provider-1 Superusers.
    3. FireWall Administrators
    4. FireWall Managers.

    Chapter 3: SmartProvisioning

    The Check Point SmartProvisioning software blade enables you to manage and maintain thousands of gateways from a single Security Management server or Provider-1 CMA, with features to define, manage, and provision large-scale deployments of Check Point gateways.

    Objectives:

    • Determine and implement the appropriate Provisioning deployment scenario based on corporate requirements.
    • Modify different properties on remote Gateways (i.e., DNS, Networking) per corporate requirements.

    Check Point SmartProvisioning Topics

    The following table outlines the topics covered in the “SmartProvisioning” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    | Topic | Key Element | Page Number |
    |---|---|---|
    | SmartProvisioning Overview | | p. 33 |
    | | SmartProvisioning Management | p. 33 |
    | | Enabling SmartProvisioning | p. 34 |
    | SmartProvisioning Console | | p. 36 |
    | | Tree Pane | p. 36 |
    | | Workspace Pane | p. 36 |
    | | Status View | p. 37 |
    | SmartProvisioning Wizard | | p. 39 |
    | SmartProvisioning Profiles | | p. 40 |
    | | UTM-1 Edge-Only SmartProvisioning | p. 41 |
    | Gateway Management | | p. 44 |
    | | Adding Gateways to SmartProvisioning | p. 44 |
    | | Gateway Edit Windows | p. 45 |
    | Real-Time Gateway Actions | | p. 45 |
    | | Remotely Controlled Gateways | p. 45 |
    | Editing Gateway Properties | | p. 47 |
    | | Executing Commands | p. 47 |
    | Managing SmartLSM Security Gateways | | p. 48 |
    | | Applying Dynamic Object Values | p. 48 |
    | | Getting Updated Security Policy | p. 49 |
    | | Changing Assigned SmartLSM Security Profile | p. 50 |
    | | Tracking | p. 51 |
    | | Log Servers | p. 52 |
    | | Configuring SmartLSM Gateway Topology | p. 53 |
    | Managing Security Gateways | | p. 55 |
    | | Scheduling Backups | p. 55 |
    | | Configuring Hosts | p. 56 |
    | | Configuring the Domain | p. 57 |
    | | Configuring Host Name | p. 57 |
    | | Configuring Routing | p. 58 |
    | | Managing Software | p. 58 |
    | | The package Repository | p. 59 |
    | | Distributing Packages | p. 59 |
    | | Security Gateway Actions | p. 60 |
    | | Applying Changes | p. 62 |
    | | Maintenance Mode | p. 63 |
    | UTM-1 Edge Portal | | p. 64 |
    | | UTM-1 Edge Ports | p. 64 |
    | | Provisional Settings | p. 65 |
    | Understanding Dynamic Objects | | p. 68 |
    | | Benefits of Dynamic Objects | p. 68 |
    | | Dynamic Object Types | p. 68 |
    | | Dynamic Object Values | p. 69 |
    | | Command Line | p. 70 |
    | Lab 4: SmartProvisioning | | L-p. 53 |
    | | Enable SmartProvisioning | L-p. 54 |
    | | Create New Profile | L-p. 63 |
    | | Assign Profile to Gateways | L-p. 66 |
    | | Push Policy to Gateways | L-p. 68 |
    | | Verify Profile Changes | L-p. 69 |

    Table 3-3: SmartProvisioning Topics

    Sample CCSE R71 Exam Question

    Which version is the minimum requirement for SmartProvisioning?

    1. R70.2
    2. R65-HFA 40
    3. R70
    4. R71

    Answer

    Which version is the minimum requirement for SmartProvisioning?

    1. R70.2
    2. R65-HFA 40
    3. R70
    4. R71

    Chapter 4: SSL Portal-Based VPN

    Check Point SSL VPN Software Blade is a comprehensive remote access solution that allows mobile and remote workers to connect easily and securely from any location, with any Internet device to critical resources. This software blade option integrates easily into your existing Check Point gateway, enabling more secure and operationally efficient remote access for your endpoint users. The data transmitted by remote access is decrypted and then filtered and inspected in real-time by Check Point’s gateway security services such as anti-virus, intrusion prevention and Web security. The SSL VPN Software Blade also includes secure methods for authentication, and the ability to check the security posture of the remote device.

    Objectives:

    • Configure applications for SSL VPN remote access based on corporate and user requirements.

    Check Point SSL Portal-Based VPN Topics

    The following table outlines the topics covered in the “SSL Portal-Based VPN” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    | Topic | Key Element | Page Number |
    |---|---|---|
    | SSL VPN Software Blade Overview | | p. 75 |
    | | Key Features | p. 76 |
    | | Simple Deployment - SSL VPN | p. 77 |
    | | Deploying SSL VPN - DMZ | p. 78 |
    | | Cluster Deployment | p. 79 |
    | | SSL VPN Management | p. 79 |
    | | SSL Network Extender | p. 80 |
    | | SSL VPN Security Features | p. 81 |
    | Configuration Workflows | | p. 83 |
    | | The SSL VPN Wizard | p. 84 |
    | | Setting up the SSL VPN Portal | p. 84 |
    | | User Workflow | p. 84 |
    | | Managing Access to Applications | p. 84 |
    | | Protection Levels | p. 86 |
    | Introduction to Applications | | p. 87 |
    | | Web Applications | p. 87 |
    | | File Shares | p. 87 |
    | | Citrix Services | p. 88 |
    | | Web Mail Services | p. 88 |
    | | Native Applications | p. 89 |
    | Lab 5: SSL VPN | | L-p. 71 |
    | | Install SSL VPN | L-p. 72 |
    | | Mandatory Hotfix for R71 SSL VPN Software Blade | L-p. 73 |
    | | Enable SSL VPN in SmartDashboard | L-p. 73 |
    | | Create a File-Share Application in SSL VPN Tab | L-p. 73 |
    | | Create an Internal User | L-p. 78 |
    | | Assign File-Share Access to User Group | L-p. 81 |
    | | Verify File-Share Access Through the User Portal | L-p. 85 |
    | | Configure Embedded RDP | L-p. 88 |
    | | Permit Access to Applications | L-p. 93 |
    | | Configure Global Properties | L-p. 96 |
    | | Configure Server and Client | L-p. 98 |
    | | Test RDP Session | L-p. 98 |

    Table 4-4: SmartWorkflow Topics

    Sample CCSE R71 Exam Question

    Where is the ideal place to deploy your SSL VPN:

    1. SSL VPN enabled on the gateway
    2. Anywhere
    3. Deployed in DMZ
    4. In front of the external interface on the gateway

    Answer

    Where is the ideal place to deploy your SSL VPN:

    1. SSL VPN enabled on the gateway
    2. Anywhere
    3. Deployed in DMZ
    4. In front of the external interface on the gateway

    Chapter 5: Acceleration

    The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments.

    Objectives:

    • Configure and verify that traffic throughput is enhanced using SecureXL on a SecurePlatform Pro Security Gateway.

    Check Point Acceleration Topics

    The following table outlines the topics covered in the “Acceleration” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    | Topic | Key Element | Page Number |
    |---|---|---|
    | Check Point Acceleration and Clustering | | p. 95 |
    | | SecureXL Security Acceleration | p. 95 |
    | | What SecureXL Does | p. 96 |
    | | Throughput Acceleration | p. 96 |
    | | Connection Rate Acceleration | p. 96 |
    | | Masking the Source Port | p. 97 |
    | | Application Layer Protocol | p. 98 |
    | | HTTP 1.1 | p. 99 |
    | | Other Application Layer Protocols | p. 100 |
    | | UDP Pseudo-Connections | p. 100 |
    | | Packet Flow | p. 101 |
    | | SecureXL API | p. 102 |
    | | VPN Capabilities | p. 103 |
    | CoreXL: Multicore Acceleration | | p. 105 |
    | | Supported Platforms and Features | p. 106 |
    | | Performance Tuning | p. 107 |
    | | Processing Core Allocation | p. 107 |
    | | Packet Flows | p. 108 |
    | | Adding Processing Cores to the Hardware | p. 108 |
    | | Allocating an Additional Core to the SND | p. 109 |
    | | Allocating a Core for Heavy Logging | p. 109 |
    | Lab 6: SecureXL | | L-p. 101 |
    | | Enable and Configure SecureXL on the Gateway | L-p. 102 |
    | | Open Connections and Verify Acceleration | L-p. 104 |

    Table 5-5: SecureXL

    Sample CCSE R71 Exam Question

    What is the maximum number of cores supported by CoreXL?

    1. 6

    2. 8

    3. 4

    4. 12

    Answer

    What is the maximum number of cores supported by CoreXL?

    1. 6

    2. 8

    3. 4

    4. 12

    Chapter 6: High Availability

    Check Point High Availability limits any disruption to network uptime should a security gateway face unforeseen performance issues. High Availability transparently redistributes workloads to surviving cluster gateways without impacting communication throughout the cluster.

    Objectives:

      Deploy New Mode HA on a new cluster member.

    Check Point High Availability Topics

    The following table outlines the topics covered in the “High Availability” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    Management High Availability p. 115
    The Management High Availability Environment p. 116
    What Data is Backed Up by the Standby Security Servers? p. 117
    Synchronization Modes p. 117
    Synchronization Status p. 117
    Lab 7: Deploying New Mode HA L-p. 107
    Create and Configure a Secondary Cluster Member L-p. 109
    Cluster and Member IP Addresses L-p. 110
    Reconfigure Routing L-p. 113
    Configure Gateway-Cluster Objects L-p. 114
    Configure ClusterXL Properties L-p. 123
    Modify the Rule Base L-p. 125
    Pass Traffic Through Cluster L-p. 125
    Observe Cluster Status in SmartView Monitor L-p. 126
    Test Failover L-p. 128
    Method 1 L-p. 128
    Method 2 L-p. 129
    Method 3 L-p. 129

    Table 6-6: High Availability

    Sample CCSE R71 Exam Question

    What could be a reason why synchronization between primary and secondary Security Management Servers does not occur?

    1. You have installed both Security Management Servers on different server systems (e.g. one machine on HP hardware and the other one on Dell).

    2. You did not activate synchronization within the Global Properties.

    3. You are using different time zones.

    4. If the set of installed products differ from each other, the Security Management Servers do not synchronize the database to each other.

    Answer

    What could be a reason why synchronization between primary and secondary Security Management Servers does not occur?

    1. You have installed both Security Management Servers on different server systems (e.g. one machine on HP hardware and the other one on Dell).

    2. You did not activate synchronization within the Global Properties.

    3. You are using different time zones.

    4. If the set of installed products differ from each other, the Security Management Servers do not synchronize the database to each other.

    Chapter 7: Clustering

    The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments.

    Objectives:

      Learn the standard configurations for ClusterXL

      Learn how packets travel through a cluster

      Learn the basics of how VRRP works on the IP appliance

    Check Point Clustering Topics

    The following table outlines the topics covered in the “Clustering” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    ClusterXL: Smart Load Balancing p. 125
    Installing ClusterXL p. 126
    Clustering terms p. 126
    Unicast Load Sharing p. 128
    How Pivot Mode Works p. 129
    How Packets Travel Through a Cluster p. 130
    Cluster Control Protocol p. 131
    Cluster Synchronization p. 131
    Check Point State Synchronization p. 131
    Sticky Connections p. 133
    The Sticky Decision Function p. 133
    ClusterXL Configuration Issues p. 134
    Modes of ClusterXL Supporting SecureXL p. 134
    Crossover-Cable Support p. 134
    VRRP Overview p. 135
    How VRRP Works p. 136
    VRRP with Internal and External VRIDs p. 137
    VRRP with Simultaneous Backup p. 138
    Lab 8: Load Sharing Unicast (Pivot) and Multicast Modes L-p. 131
    Configure Load Sharing Unicast Mode L-p. 132
    Test Load Sharing Unicast Mode L-p. 133
    Configure Load Sharing Multicast Mode L-p. 137
    Test Load Sharing Multicast Mode L-p. 139
    Lab 9: VPN with Sticky Decision Function L-p. 141
    Configure VPN in a Cluster L-p. 142
    Define the VPN Domain L-p. 142
    Create the VPN Community L-p. 145
    Create the VPN Rule and Modify the Rule Base L-p. 147
    Test VPN Connection L-p. 148
    View a Packet Capture of FT Connections without Sticky Decision Function L-p. 149
    View a Packet Capture of FT Connections with Sticky Decision Function L-p. 152

    Table 7-7: Clustering

    Sample CCSE R71 Exam Question

    By default, a standby Security Management Server is automatically synchronized by an active Security Management Server, when:

    1.  The Security Policy is saved.

    2.  The Security Policy is installed.

    3.  The user database is installed.

    4.  The standby Security Management Server starts for the first time.

    Answer

    By default, a standby Security Management Server is automatically synchronized by an active Security Management Server, when:

    1.  The Security Policy is saved.

    2. The Security Policy is installed.

    3.  The user database is installed.

    4.  The standby Security Management Server starts for the first time.

    Chapter 8: Advanced Networking - Routing

    The Check Point Advanced Networking Software Blade makes it easier for administrators to deploy security within complex and highly utilized network environments, making this ideal for high-end enterprise and datacenter environments where performance and availability are critical.

    Objectives:

      Configure VPN in a clustered environment, and demonstrate VPN failover.

      Configure and test VPN Tunnel Interfaces (VTIs) for a clustered environment.

    Check Point Advanced Networking — Routing Topics

    The following table outlines the topics covered in the “Advanced Networking - Routing” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    Advanced Networking Blade p. 143
    Check Point Dynamic Routing p. 145
    The Command Line Interface p. 147
    User Execution Mode p. 147
    Privileged Execution Mode p. 147
    Global Configuration Mode p. 147
    Router Configuration Mode p. 148
    Interfaces p. 149
    Kernel Interfaces p. 149
    Martian Addresses p. 150
    Border Gateway Protocol (BGP) p. 151
    BGP Decision Process p. 152
    Dynamic Capabilities p. 153
    Internet Control Message Protocol (ICMP) p. 154
    Open Shortest Path First Protocol p. 155
    Router Discovery Protocol p. 157
    SNMP Multiplexing (SMUX) p. 159
    Distance Vector Multicast Routing Protocol (DVMRP) p. 160
    Internet Group Management Protocol (IGMP) p. 161
    Protocol Independent Multicast p. 160
    Access Lists p. 163
    AS Paths and AS Path Lists p. 163
    BGP Communities and Community Lists p. 165
    Prefix Lists and Prefix Trees p. 165
    Route Aggregation and Generation p. 166
    Route Flap Damping p. 167
    Route Maps p. 167
    Multicast Access Control p. 168
    Multicast Routing Protocols p. 169
    Dynamic Registration Using IGMP p. 169
    IP Multicast Group Addressing p. 169
    Reserved Local Addresses p. 169
    Per-Interface Multicast Restrictions p. 171
    VPN Connections p. 171

    Table 8-8: Advanced Networking - Routing

    Sample CCSE R71 Exam Question

    Which statement is TRUE for route-based VPNs?

    1. Route-based VPNs replace domain-based VPNs.

    2. IP Pool NAT must be configured on each gateway.

    3. Route-based VPNs are a form of partial overlap VPN Domain.

    4. Dynamic-routing protocols are not required.

    Answer

    Which statement is TRUE for route-based VPNs?

    1. Route-based VPNs replace domain-based VPNs.

    2. IP Pool NAT must be configured on each gateway.

    3. Route-based VPNs are a form of partial overlap VPN Domain.

    4. Dynamic-routing protocols are not required.

    Chapter 9: Advanced Networking — Load Balancing

    The Check Point Advanced Networking Software Blade provides for flexible server load balancing. Each connection request is directed to a specific server based on one of the Advanced Networking Software Blade’s pre-defined load balancing algorithms.

    Objectives:

      Configure Load Sharing Unicast (Pivot) and Multicast Mode on a cluster member.

    Check Point Advanced Networking — Load Balancing Topics

    The following table outlines the topics covered in the “Advanced Networking - Load Balancing” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    Why Load Balancing? p. 175
    ConnectControl p. 175
    Methods of Load-Balancing p. 176
    ConnectControl Packet Flow p. 177
    Logical Server Types p. 177
    Packet Flow in an HTTP Logical Server p. 178
    Packet Flow in Other Logical Server Types p. 179
    Persistent Server Mode p. 181
    Server Availability p. 182
    Load Measuring p. 183

    Table 9-9: Advanced Networking - Load Balancing

    Sample CCSE R71 Exam Question

    In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?

    1. Hot Standby Load Sharing 

    2. CCP Load Sharing 

    3. Unicast Load Sharing 

    4. Multicast Load Sharing 

    Answer

    In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?

    1. Hot Standby Load Sharing 

    2. CCP Load Sharing 

    3. Unicast Load Sharing

    4. Multicast Load Sharing 

    Chapter 10: Advanced Networking - QoS

    The Advanced Networking blade lets you prioritize business-critical traffic such as ERP, database, and Web services traffic over less time-critical traffic. It also allows you to guarantee bandwidth and control latency for streaming applications such as Voice over Internet Protocol (VoIP) and video conferencing. In addition, with highly granular controls, the Advanced Networking blade enables guaranteed or priority access to specific employees—even if they are remotely accessing network resources through a VPN tunnel.

    Objectives:

      Set up and verify the best QoS configuration, using the Advanced Networking Software Blade, for your corporate environment, and test and confirm a bandwidth control Policy.

    Check Point Advanced Networking — QoS Topics

    The following table outlines the topics covered in the “Advanced Networking - QoS” chapter of the Check Point Security Expert R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Expert R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    Quality of Service p. 189
    QoS Technology - Stateful Inspection p. 190
    QoS Architecture p. 192
    QoS Gateway p. 193
    QoS Security Management Server p. 193
    QoS SmartConsole p. 194
    QoS Configuration p. 195
    Client/Server Interaction p. 196
    QoS Policy Management p. 197
    Bandwidth Allocation and Rules p. 199
    Default Rule p. 200
    QoS Action Type p. 200
    Example of a Rule Matching VPN Traffic p. 201
    Bandwidth Allocation and Sub-Rules p. 202
    Implementing the Rule Base p. 203
    Deploying QoS p. 204
    Sample Bandwidth Allocations p. 205
    Lab 10: Configuring Check Point QoS Policy L-p. 155
    Enable and Configure Check Point QoS L-p. 156
    Enable Check Point QoS on Security Gateway L-p. 156
    Configure Check Point QoS Global Properties L-p. 157
    Configure QoS on the Gateway L-p. 157
    Create Check Point QoS Rules and Adjust rule Weights L-p. 159
    Add Outbound Rule L-p. 159
    Add Inbound Rule L-p. 161
    Verify and Install Policy L-p. 163
    Test QoS Policy L-p. 164
    Inbound Transfer Rate L-p. 164
    Outbound Transfer Rate L-p. 165

    Table 10-10: Advanced Networking - QoS

    Sample CCSE R71 Exam Question

    Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?

    1. Guarantees

    2. Weighted Fair Queuing

    3. Low Latency Queuing 

    4. Differentiated Services

    Answer

    Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?

    1. Guarantees

    2. Weighted Fair Queuing

    3. Low Latency Queuing 

    4. Differentiated Services

    Chapter 11: Check Point IPS

    This chapter presents basic information on Check Point’s Intrusion Prevention Software Blade, how intrusion prevention systems work, and how they prevent the network attacks that the intrusion prevention system can detect.

    Objectives:

      Implement default or customized profiles to designated Gateways in the corporate network.

      Manage profiles by tracking changes to the network, including performance degradation, and troubleshoot issues with the network related to specific IPS policy rules.

    Introduction to the Check Point IPS Topics

    The following table outlines the topics covered in the “Check Point IPS” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    IPS Overview p. 211
    New IPS Engine/Architecture p. 213
    Flexible IPS Policy Management p. 215
    IPS Event Manager p. 216
    Configuring and Managing IPS p. 217
    IPS Protection p. 219
    IPS Profiles p. 220
    Assigning Profiles p. 220
    Protection Browser p. 221
    Exporting the Protections List p. 223
    Protection Parameters p. 223
    Activating Protections p. 226
    Automatically Activating Protections p. 226
    Manually Activating Protections p. 228
    Monitoring Traffic p. 229
    Network Exceptions p. 231
    Viewing Packet Information p. 232
    Optimizing IPS p. 233
    Performance Management p. 234
    Bypass Under Load p. 235
    Troubleshooting p. 236
    Tuning Protections p. 237
    IPS Policy Settings p. 237
    Enhancing System Performance p. 238
    Updating Protections - IPS Subscription p. 239
    Managing IPS Protections p. 240
    Updating IPS Protections p. 240
    IPS Software Blade Contracts (R71) p. 242
    Lab 11: Implementing IPS L-p. 167
    Modify the Gateway Properties L-p. 168
    Modify DMZ Server Object L-p. 169
    Configure IPS for Preliminary Detection L-p. 172
    Create a New IPS Profile L-p. 173
    Assign to Gateway L-p. 179
    Generate an Attack L-p. 181
    Analyze the Attack L-p. 184
    Reconfigure IPS to Block Attacks L-p. 187
    Review Logs L-p. 190

    Table 11-11: Check Point IPS Topics

    Sample CCSA R71 Exam Question

    You just upgraded to R71 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low. How can you achieve this?

    1. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.

    2. This can't be achieved; activating any IPS system always causes a high rate of false positives.

    3. As in SmartDefense, this can be achieved by activating all the critical checks manually.

    4. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.

    Answer

    You just upgraded to R71 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low. How can you achieve this?

    1. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.

    2. This can't be achieved; activating any IPS system always causes a high rate of false positives.

    3. As in SmartDefense, this can be achieved by activating all the critical checks manually.

    4. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.

    Chapter 12: Data Loss Prevention

    The need to secure our data goes beyond access to network resources. It isn’t enough to permit or deny access into and out of internal networks where confidential company data is located. Research has shown that one of the greatest data loss threats is unintentional and comes from the inside. The Check Point Data Loss Prevention (DLP) Appliances and Software Blade address the need to protect sensitive data from leaving secure corporate sites.

    Objectives:

      Configure DLP Data Types in a rule.

      Monitor and adjust DLP Policies.

    Introduction to the Check Point Data Loss Prevention Topics

    The following table outlines the topics covered in the “Data Loss Prevention” chapter of the Check Point Security Administrator R70 / R71 Course. This table is intended as a supplement to knowledge you have gained from the Security Administrator R70 / R71 Courseware handbook, and is not meant to be a sole means of study.

    Topic / Key Element    Page Number

    The Need for Data Loss Prevention p. 249
    DLP Gateway in a Network p. 251
    What Happens on Rule Match p. 252
    Deployment Options p. 253
    DLP Platforms and Performance p. 253
    DLP User Check p. 254
    Installing, Connecting, Verifying Clients p. 255
    Data Loss Prevention Portal p. 255
    Data Loss Prevention Views p. 257
    My Organization p. 259
    DLP Policies p. 260
    The Default Policy p. 260
    DLP Policy vs. Security Policy p. 261
    Data Loss Prevention Actions p. 263
    Data Types p. 264
    Protecting Data by Keyword p. 265
    Dictionary Data Types p. 266
    Protecting Documents by Template p. 266
    Protecting Files p. 267
    Protecting Data by Pattern p. 267
    Protecting Data by CPcode p. 267
    Defining Compound Data Types p. 268
    Data Type Groups p. 269
    Lab 12: Data Loss Prevention L-p. 191
    Topology Setup L-p. 192
    Configure the DLP Gateway L-p. 196
    Configure the DLP Object in SmartDashboard L-p. 202
    Modify the Rule Base L-p. 209
    Test the Default Policy L-p. 210
    Employee Name L-p. 212
    Keyword Search L-p. 218
    Template Exercise L-p. 231

    Table 12-12: Check Point IPS Topics

    Sample CCSA R71 Exam Question

    Mark the configuration options that are available for Data Loss Prevention in R71.

    1. A Dedicated DLP Gateway running only the DLP Software Blade.

    2. The DLP Gateway running only the Firewall Software Blade.

    3. The DLP Gateway running only the Management Server on the same machine.

    4. The DLP as an integrated software blade, which can be enabled on a Check Point Security Gateway running other software blades such as Firewall, IPS and Management.

    Answer

    Mark the configuration options that are available for Data Loss Prevention in R71.

    1. A Dedicated DLP Gateway running only the DLP Software Blade.

    2. The DLP Gateway running only the Firewall Software Blade.

    3. The DLP Gateway running only the Management Server on the same machine.

    4. The DLP as an integrated software blade, which can be enabled on a Check Point Security Gateway running other software blades such as Firewall, IPS and Management.
