Check Point Certified Security Administrator (CCSA) 156-215.80 Exam Questions and Answers – Page 1

The latest Check Point Certified Security Administrator (CCSA) 156-215.80 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Check Point Certified Security Administrator (CCSA) 156-215.80 exam and earn Check Point Certified Security Administrator (CCSA) 156-215.80 certification.

Exam Question 51

Web Control Layer has been set up using the settings in the following dialogue:
Web Control Layer has been set up using the settings in the following dialogue:
Consider the following policy and select the BEST answer.
Consider the following policy and select the BEST answer.

A. Traffic that does not match any rule in the subpolicy is dropped.
B. All employees can access only Youtube and Vimeo.
C. Access to Youtube and Vimeo is allowed only once a day.
D. Anyone from internal network can access the internet, expect the traffic defined in drop rules 5.2, 5.5 and 5.6.
Correct Answer:
D. Anyone from internal network can access the internet, expect the traffic defined in drop rules 5.2, 5.5 and 5.6.
Answer Description:
Policy Layers and Sub-Policies: R80 introduces the concept of layers and sub-policies, allowing you to segment your policy according to your network segments or business units/functions. In addition, you can also assign granular privileges by layer or sub-policy to distribute workload and tasks to the most qualified administrators.

  • With layers, the rule base is organized into a set of security rules. These set of rules or layers, are inspected in the order in which they are defined, allowing control over the rule base flow and the security functionalities that take precedence. If an “accept” action is performed across a layer, the inspection will continue to the next layer. For example, a compliance layer can be created to overlay across a crosssection of rules.
  • Sub-policies are sets of rules that are created for a specific network segment, branch office or business unit, so if a rule is matched, inspection will continue through this subset of rules before it moves on to the next rule.
  • Sub-policies and layers can be managed by specific administrators, according to their permissions profiles. This facilitates task delegation and workload distribution.

Exam Question 52

When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom, and enforces the first rule that matches a packet. Which of the following statements about the order of rule enforcement is true?

A. If the Action is Accept, the gateway allows the packet to pass through the gateway.
B. If the Action is Drop, the gateway continues to check rules in the next Policy Layer down.
C. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.
D. If the Action is Drop, the gateway applies the Implicit Clean-up Rule for that Policy Layer.
Correct Answer:
C. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.

Exam Question 53

Jack works for a Managed Service Provider and he has been tasked to create 17 new policies for several new customers. He does not have much time. What is the BEST way to do this with R80 security management?

A. Create a text-file with mgmt_cli script that creates all objects and policies. Open the file in SmartConsole Command Line to run it.
B. Create a text-file with Gaia CLI -commands in order to create all objects and policies. Run the file in CLISH with command load configuration.
C. Create a text-file with DBEDIT script that creates all objects and policies. Run the file in the command line of the management server using command dbedit -f.
D. Use Object Explorer in SmartConsole to create the objects and Manage Policies from the menu to create the policies.
Correct Answer:
A. Create a text-file with mgmt_cli script that creates all objects and policies. Open the file in SmartConsole Command Line to run it.
Answer Description:
Did you know: mgmt_cli can accept csv files as inputs using the –batch option.
The first row should contain the argument names and the rows below it should hold the values for these parameters. So an equivalent solution to the powershell script could look like this:
data.csv:

NameIP v4 addressColor
host1192.168.35.1Black
host2192.168.35.2Red
host3192.168.35.3Blue

mgmt_cli add host --batch data.csv -u <username> -p <password> -m <management server>
This can work with any type of command not just “add host” : simply replace the column names with the ones relevant to the command you need.

Exam Question 54

When Identity Awareness is enabled, which identity source(s) is(are) used for Application Control?

A. RADIUS
B. Remote Access and RADIUS
C. AD Query
D. AD Query and Browser-based Authentication
Correct Answer:
D. AD Query and Browser-based Authentication
Answer Description:
Identity Awareness gets identities from these acquisition sources:

  • AD Query
  • Browser-Based Authentication
  • Endpoint Identity Agent
  • Terminal Servers Identity Agent
  • Remote Access

Exam Question 55

Which of the following is NOT a back up method?

A. Save backup
B. System backup
C. snapshot
D. Migrate
Correct Answer:
A. Save backup
Answer Description:
The built-in Gaia backup procedures:

  • Snapshot Management
  • System Backup (and System Restore)
  • Save/Show Configuration (and Load Configuration)

Check Point provides three different procedures for backing up (and restoring) the operating system and networking parameters on your appliances.

  • Snapshot (Revert)
  • Backup (Restore)
  • upgrade_export (Migrate)

Exam Question 56

Which Check Point software blade prevents malicious files from entering a network using virus signatures and anomaly-based protections from ThreatCloud?

A. Firewall
B. Application Control
C. Anti-spam and Email Security
D. Antivirus
Correct Answer:
D. Antivirus
Answer Description:
The enhanced Check Point Antivirus Software Blade uses real-time virus signatures and anomaly-based protections from ThreatCloud™, the first collaborative network to fight cybercrime, to detect and block malware at the gateway before users are affected.

Exam Question 57

What is the default method for destination NAT?

A. Destination side
B. Source side
C. Server side
D. Client side
Correct Answer:
D. Client side
Answer Description:
Client Side NAT: destination is NAT`d by the inbound kernel.

Exam Question 58

Which of the following is NOT a VPN routing option available in a star community?

A. To satellites through center only
B. To center, or through the center to other satellites, to Internet and other VPN targets
C. To center and to other satellites through center
D. To center only
Correct Answer:
A. To satellites through center only
D. To center only
Answer Description:
SmartConsole: For simple hubs and spokes (or if there is only one Hub), the easiest way is to configure a VPN star community in R80 SmartConsole:

  1. On the Star Community window, in the:
    • Center Gateways section, select the Security Gateway that functions as the “Hub”.
    • Satellite Gateways section, select Security Gateways as the “spokes”, or satellites.
  2. On the VPN Routing page, Enable VPN routing for satellites section, select one of these options:
    • To center and to other Satellites through center: This allows connectivity between the Security Gateways, for example if the spoke Security Gateways are DAIP Security Gateways, and the Hub is a Security Gateway with a static IP address.
    • To center, or through the center to other satellites, to internet and other VPN targets: This allows connectivity between the Security Gateways as well as the ability to inspect all communication passing through the Hub to the Internet.
  3. Create an appropriate Access Control Policy rule.
  4. NAT the satellite Security Gateways on the Hub if the Hub is used to route connections from Satellites to the Internet.

The two Dynamic Objects (DAIP Security Gateways) can securely route communication through the Security Gateway with the static IP address.

Exam Question 59

What is the default shell of Gaia CLI?

A. Monitor
B. CLI.sh
C. Read-only
D. Bash
Correct Answer:
B. CLI.sh
Answer Description:
This chapter gives an introduction to the Gaia command line interface (CLI).
The default shell of the CLI is called clish.

Exam Question 60

Which of the following licenses are considered temporary?

A. Perpetual and Trial
B. Plug-and-play (Trial) and Evaluation
C. Subscription and Perpetual
D. Evaluation and Subscription
Correct Answer:
B. Plug-and-play (Trial) and Evaluation
Answer Description:
Should be Trial or Evaluation, even Plug-and-play (all are synonyms ). Answer B is the best choice.