Three ways to control network traffic - ANSWER: Packet filtering, stateful inspection,
application firewall
Packet filtering - ANSWER: source & destination IP, port, protocol
Stateful Inspection - ANSWER: same as packet filtering but now looking at packet
content
Application FW - ANSWER: Granular level filtering; inspects traffic through lower levels
of TCP/IP module and up to the application layer
SIC - ANSWER: Secure internal communications - how gateways and mgmt servers
authenticate one another to communicate
Three authentication methods for SIC - ANSWER: Certificates, TLS for encrypted
channels, 3DES (for R71-) or AES128 (for R71+)
ICA - ANSWER: Internal certificate authority
Responsible for issuing certs for SIC, VPN communities, Users
SIC statuses - ANSWER: Communicating - mgmt server and gateway are talking
Unknown - gateway and mgmt server no connection
Not communicating - mgmt server can contact gateway but can't establish SIC
Three components of CP Sec Architecture - ANSWER: Smart console --> mgmt server
--> sec gateway
Smart console = GUI
mgmt server = where policies are stored
sec gateway = enforces policies
Smart Console tabs - ANSWER: 1. Gateways and servers
2. security policy
3. Logs & Monitors
4. manage & settings
Smart Console apps - ANSWER: Smart Event - correlates logs and detects sec threats
Smart View - displays complete pic of network and sec performance
Smart Update - manage licenses and packages
Smart Dashboard - used for legacy applications
Checkpoint deployment platforms - ANSWER: Small business and branch office,
enterprise, DC, Chassis, Rugged appliance, open servers
Deployment options - ANSWER: Standalone - mgmt server and gw are on same
appliance
distributed - mgmt server and gw on different appliances
bridge mode - using switches
CPUSE - ANSWER: updates for CP products, auto update CP products for GAIA,
hotfixes
Two hardware options for deploying CP tech - ANSWER: CP appliances or open
servers (non CP)
Object types for rules - ANSWER: used to represent physical and virtual network
components
network object - ANSWER: gw, host, networks, address ranges, etc
service object - ANSWER: protocols
custom app/site object - ANSWER: applications, user categories, URL categorizations
VPN community object - ANSWER: site to site or remote access VPN
user object - ANSWER: user groups, users, user templates
server object - ANSWER: trusted CAs, RADIUS, TACACS, OPSEC servers
time object - ANSWER: time, time group, bw limit on upload and download rates
Security zone - ANSWER: group of one or more network interfaces from a centrally
managed gw bound together and used directly in the rule base
Anti-Spoofing - ANSWER: spoofing - where an intruder gains access by changing IP
verifies packets are going from and going to the correct interfaces
Cleanup rule - ANSWER: how to handle traffic not matched by the above rule base -
placed at the bottom
Stealth rule - ANSWER: rule added so that a user cannot connect directly to the gw - gw
is invisible to users over the network
Explicit Rule - ANSWER: created in the rule base by the admin