The POP3 rule is disabled.

POP3 is accepted in Global Properties.

The POP3 rule is hidden.

POP3 is one of 3 services (POP3, IMAP, and SMTP) accepted by the default mail object in R77.

Acquires identities from unidentified users.

Is only used for guest user authentication.

Allows access to users already identified.

Is deployed from the Identity Awareness page in the Global Properties settings.

XlateDst

XlateSPort

XlateDPort

XlateSrc

Do nothing. Old logs are deleted, until free space is restored.

Use the command fwm logexport to export the old log files to another location.

Configure a script to run fw logswitch and SCP the output file to a separate file server.

Do nothing. The Security Management Server automatically copies old logs to a backup server before purging.

Yes, but you need SPLAT operating system to enable the feature Hits Count in the SmartDashboard client.

Yes, since R75 40 you can use the feature Hits Count in the SmartDashboard client.

Yes, but you need Gala operating system to enable the feature Hits Count in the SmartDashboard client.

No, due to an architecture limitation it is not possible to track the number of connections each rule matches.

Intrusion Detection System (IDS) Policy install

Change the Rule Base and install the Policy to all Security Gateways

SAM - Block Intruder feature of SmartView Tracker

SAM - Suspicious Activity Rules feature of SmartView Monitor

She needs to edit /etc/SSHd/SSHd_config and add the Standard Mode account.

She needs to run sysconfig and restart the SSH process.

She needs to edit /etc/scpusers and add the Standard Mode account.

She needs to run cpconfig to enable the ability to SCP files.

The Stealth rule should not be logged

The Stealth rule is required for proper firewall protection

The Stealth rule should be located just before the Cleanup rule

The Stealth rule must be the first rule in a policy

Eventia Analyzer

SmartView Tracker

SmartView Monitor

This information can only be viewed with the command fw ctl pstat from the CLI.

SMTP Security Server

HTTP Security Server

FTP Security Server

HTTPS Security Server

Mismatch in VPN Domains.

Mismatch in preshared secrets.

Mismatch in Diffie-Hellman group.

Mismatch in encryption schemes.

Scalability to accommodate user groups

Centralized management

Strong authentication

Strong data encryption

Traffic not explicitly permitted is dropped.

Traffic is filtered using controlled port scanning.

All traffic is expressly permitted via explicit rules.

IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

2, 3, 4, 1, 5

2, 1, 3, 4, 5

1, 3, 2, 4, 5

2, 3, 4, 5, 1

Peers agree on encryption method.

Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key.

Peers agree on integrity method.

Each side generates a session key from its private key and the peer’s public key.

Session and Transport

Physical and Data

Presentation and Application

Datalink and Network

Asymmetric encryption

Dynamic encryption

Certificate-based encryption

Symmetric encryption

There is no possibility to expand the three pre-defined options Ping, Whois, and Nslookup.

Go to the menu Tools > Custom Commands and configure the Windows command tracert.exe to the list.

Use the program GUIdbedit to add the command traceroute to the Security Management Server properties.

Go to the menu, Tools > Custom Commands and configure the Linux command traceroute to the list.

A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On.

When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target.

In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.

A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install on Target.

Two, one for outbound, one for inbound

Only one, outbound

Two, both outbound, one for the real IP connection and one for the NAT IP connection

Only one, inbound

SmartView Tracker

SmartPortal

SmartUpdate

SmartDashboard

Since the Security Management Server is not available, the remote Gateway cannot fetch the Security Policy. Therefore, all traffic is allowed through the Gateway.

Since the Security Management Server is not available, the remote Gateway cannot fetch the Security Policy. Therefore, no traffic is allowed through the Gateway.

The remote Gateway fetches the last installed Security Policy locally and passes traffic normally. The Gateway will log locally, since the Security Management Server is not available.

Since the Security Management Server is not available, the remote Gateway uses the local Security Policy, but does not log traffic.

upgrade_import

cpinfo -recover

cpconfig

fwm dbimport -p

Log, Active, and Audit

Log, Active, and Management

Network and Endpoint, Active, and Management

Log, Track, and Management

2, 4, and 5

1, 2, 3, 4, and 5

1, 2, and 3

1, 3, and 4

Rules 1, 2, 3 will appear in the new package.

Only rule 1 will appear in the new package.

NAT rules will be empty in the new package.

Rules 4 and 5 will appear in the new package.

fw show policy

fw stat -l

fw ctl pstat -policy

fw ver -p

2, 4, 7, 10, 11

3, 4, 5, 6, 9, 12, 13

5, 6, 9, 12, 13

1, 2, 8, 10, 11

Create network objects for 192.168.10.0/24 and 192.168.20.0/24. Enable Hide NAT on both network objects, using 200.200.200.5 as hiding IP address. Add an ARP entry for 200.200.200.3 for the MAC address of 200.200.200.5.

Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address 200.200.200.5. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.

Create a network object 192.168.0.0/16. Enable Hide NAT on the NAT page. Enter 200.200.200.5 as the hiding IP address. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.

Create two network objects: 192.168.10.0/24 and 192.168.20.0/24. Add the two network objects to a group object. Create a manual NAT rule like the following: Original source - group object; Destination - any; Service - any; Translated source - 200.200.200.5; Destination - original; Service - original.

This is not a SmartView Tracker feature.

Display Capture Action

Network and Endpoint Tab

Display Payload View

You can unlock Peter’s account by using the command fwm lock_admin -u Peter on the Security Management Server.

You can unlock Peter’s account by using the command fwm unlock_admin -u Peter on the Security Management Server

It is not possible to unlock Peter’s account. You have to install the firewall once again or abstain from Peter’s help.

You can unlock Peter’s account by using the command fwm unlock_admin -u Peter on the Security Gateway.

Security Management Server

Check Point Gateway

SmartConsole

SmartUpdate upgrading/patching

fw unload policy

fw unloadlocal

fw delete all.all@localhost

fwm unloadlocal

Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.

Run separate SmartConsole instances to login and configure each Security Gateway directly.

Create network objects that restrict all applicable rules to only certain networks.

Create a separate Security Policy package for each remote Security Gateway.

259

900

256

257

Remove the service HTTP from the column Service in Rule 4.

Modify the column VPN in Rule 2 to limit access to specific traffic.

Nothing at all

Modify the columns Source or Destination in Rule 4.

Reinstall the base operating system (i.e., GAiA). Configure the Gateway interface so that the Gateway can communicate with the TFTP server. Revert to the stored snapshot image, and install the Security Policy.

Run the command revert to restore the snapshot, establish SIC, and install the Policy.

Run the command revert to restore the snapshot. Reinstall any necessary Check Point products. Establish SIC and install the Policy.

Reinstall the base operating system (i.e., GAia). Configure the Gateway interface so that the Gateway can communicate with the TFTP server. Reinstall any necessary Check Point products and previously applied hotfixes. Revert to the stored snapshot image, and install the Policy.

snapshot creates a full OS-level backup, including network-interface data, Check Point product information, and configuration settings during an upgrade of a GAiA Security Gateway.

snapshot creates a Security Management Server full system-level backup on any OS.

snapshot stores only the system-configuration settings on the Gateway.

A Gateway snapshot includes configuration settings and Check Point product information from the remote Security Management Server.

Manual copies of the directory $FWDIR/conf

GAiA back up utilities

upgrade_export and upgrade_import commands

Database Revision Control

SmartConsole

SmartUpdate

Security Management Server

SmartDashboard

Ask your reseller to get a ticket for Check Point SmartUse and deliver him the Security Management Server cpinfo file.

In SmartDashboard, right-click in the column field Service > Query Column. Then, put the services HTTP and SSH in the list. Do the same in the field Action and select Accept here.

In SmartDashboard menu, select Search > Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. “HTTP_SSH”?) and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND.

This cannot be configured since two selections (Service, Action) are not possible.

-u

-i

-S

newpkg CANNOT be used to uninstall a package

fw cpinfo

cpinfo -o date.cpinfo.txt

diag

cpstat - date.cpstat.txt

3 only

1, 2, 3, 4, and 5

2, 3 only

3, 4, and 5 only

You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on both the Security Gateway and the Management Server.

You first need to run the command fw unloadlocal on the new Security Gateway.

You first need to initialize SIC in SmartUpdate.

You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on the Security Management Server.

259

900

256

80

Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties.

Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user re-authenticate for each service.

Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect.

Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address.

show interface (interface) - chain

tcpdump

tcpdump/ snoop

fw monitor

user is prompted for authentication by the Security Gateway again.

FTP data connection is dropped after the user is authenticated successfully.

user is prompted to authenticate from that FTP site only, and does not need to enter his username and password for Client Authentication.

FTP connection is dropped by Rule 2.

HTTP: // [IPADDRESS]

HTTPS:// [IPADDRESS] : 8080

HTTPS:// [IPADDRESS] : 4434

HTTPS:// [IPADDRESS]

SmartUpdate only allows you to update Check Point and OPSEC certified products.

SmartUpdate only allows you to manage product licenses.

SmartUpdate allows you to update Check Point and OPSEC certified products and to manage product licenses.

SmartUpdate is not a Check Point product.

514

257

256

258

SmartView Tracker, SmartDashboard, CPINFO, SmartUpdate, SmartView Status

SmartView Tracker, SmartDashboard, SmartLSM, SmartView Monitor

SmartView Tracker, CPINFO, SmartUpdate

Security Policy Editor, Log Viewer, Real Time Monitor GUI