156-215.81 Checkpoint Exam Lab Questions

This answer is correct because this is the recommended way to configure a VPN tunnel between two subnets and not all subnets defined in the default VPN domain of your gateway1. By creating a dedicated VPN Community, you can specify the VPN peers and the encryption settings for the VPN tunnel2. By selecting the local gateway in the Community, you can set the VPN Domain to ‘User defined’ and put in the local network that you want to include in the VPN tunnel1. This way, you can limit the VPN traffic to the subnets that you want and avoid unnecessary encryption and decryption of other traffic.

The other answers are not correct because they are either outdated or incorrect ways to configure a VPN tunnel between two subnets. Answer A and C are outdated methods that involve editing the user.def file, which is not recommended and can cause problems with the VPN configuration3. Answer D is incorrect because creating an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA will not affect the VPN tunnel establishment, but only the access control policy4. The VPN column in the rule is used to specify the VPN direction, not the VPN Community name4.

• How to configure a Site-to-Site VPN with a universal tunnel
• Site to Site VPN R81 Administration Guide - Check Point Software
• How to configure a Site-to-Site VPN with a 3rd-party remote gateway
• Access Control Policy R81 Administration Guide - Check Point Software

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate1. A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2. A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3. The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication. PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4. Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4. PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

• What is mutual authentication? | Two-way authentication
• Mutual authentication - AWS Client VPN
• VPN authentication options - Windows Security
• Mutual Authentication | Top 3 Methods of Mutual Authentication
• Authentication methods and features - Microsoft Entra

If the NAT property ‘Translate destination on client side’ is not enabled in Global properties, nothing needs to be configured on the client side, because the Gateway takes care of all details necessary. The Gateway translates the destination IP address before sending the packet to the client, so the client does not need to know about the NAT rule or add any host route or ARP entry.

References: Check Point Security Engineering Study Guide, p. 136-137

The statement that is not true about Delta synchronization is that it uses UDP Multicast or Broadcast on port 8161. The correct port number for Delta synchronization is 811612. The other statements are true about Delta synchronization. References: ClusterXL Administration Guide R81, Check Point CCSA - R81: Practice Test & Explanation