CheckPoint 156-315-81 Exam Questions

Questions for the 156-315-81 were updated on: Dec 01, 2025

Page 1 out of 42. Viewing questions 1-15 out of 628

Question 1

Fill in the blanks: Default port numbers for an LDAP server is ________________ for standard
connections and ________________ SSL connections.

  • A. 443; 389
  • B. 636; 8080
  • C. 290; 3389
  • D. 389; 636
Answer:

D

Explanation:
LDAP (Lightweight Directory Access Protocol) operates over different ports, with each serving a
specific purpose. Port 389 is the default port for unsecured LDAP connections or LDAP with StartTLS,
which upgrades the connection to use TLS (Transport Layer Security) for encryption. On the other
hand, port 636 is used for LDAP over SSL/TLS, often referred to as LDAPS (LDAP Secure), where
communication is encrypted from the start of the connection [1].
Reference:
LDAP Ports Explained: Configuring Standard, StartTLS, and LDAPS Connections
Red Hat Directory Server documentation on changing LDAP and LDAPS port numbers
Oracle documentation on Directory Server and Directory Proxy Server LDAP and LDAPS Port Numbers
ServerFault discussion on LDAP server authentication ports

Question 2

Fill in the blank: An identity server uses a _________________ to trust a Terminal Server Identity
Agent.

  • A. Shared secret
  • B. One-time password
  • C. Certificate
  • D. Token
Answer:

A

Explanation:
When configuring Terminal Servers with Identity Awareness, you must configure the same password
as a shared secret in both the Terminal Servers Identity Agent on the application server that hosts the
Terminal/Citrix services and on the Identity Awareness Gateway. This shared secret enables secure
communication and allows the Security Gateway to trust the application server with the Terminal
Servers functionality [1].
Reference:
Check Point Software - Configuring Terminal Servers
Check Point Identity Awareness Clients Admin Guide
Check Point Troubleshooting Expert - R81 (CCTE) Reference Materials
Check Point Certified Troubleshooting Expert R81.20 - CCTE
Check Point CCTE Certification Sample Questions and Practice Exam

Question 3

Identity Awareness allows easy configuration for network access and auditing based on what three
items?

  • A. Client machine IP address.
  • B. Network location, the identity of a user and the identity of a machine
  • C. Log server IP address.
  • D. Gateway proxy IP address.
Answer:

B

Explanation:
Identity Awareness maps users and computer identities, enabling enforcement of Access Control
policy rules and auditing data based on identity. It is an easy-to-deploy and scalable solution that
works for both Active Directory and non-Active Directory based networks, including employees and
guest users [1]. By considering network location, user identity, and machine identity, organizations can
control access between different segments in the network using an identity-based policy [2].
Reference:
Check Point Troubleshooting Expert - R81 (CCTE) Reference Materials
Check Point Certified Troubleshooting Expert R81.20 - CCTE
Check Point CCTE Certification Sample Questions and Practice Exam

Question 4

Which of the following is NOT a method used by Identity Awareness for acquiring identity?

  • A. Remote Access
  • B. Active Directory Query
  • C. Cloud IdP (Identity Provider)
  • D. RADIUS
Answer:

A

Explanation:
Identity Awareness uses various methods to acquire identity information. These methods include:

  • Active Directory Query: Identity Awareness queries Active Directory servers to retrieve user and group information.
  • Cloud IdP (Identity Provider): Identity Awareness integrates with cloud identity providers such as Microsoft Azure AD, Okta, and Google Workspace.
  • RADIUS: Identity Awareness can use RADIUS servers to authenticate users.

However, Remote Access is not a method used by Identity Awareness for acquiring identity. Remote
Access typically refers to VPN connections, and while Identity Awareness can be used in conjunction
with VPNs, it does not directly acquire identity information from remote access connections.
Reference:
Check Point Troubleshooting Expert - R81 (CCTE) Reference Materials guides and documents.
Check Point Certified Troubleshooting Expert R81.20 - CCTE
Check Point CCTE Certification Sample Questions and Practice Exam

Question 5

The back-end database for Check Point Management uses:

  • A. PostgreSQL
  • B. MongoDB
  • C. MySQL
  • D. DBMS
Answer:

B

Explanation:
Check Point Management uses MongoDB as its back-end database. MongoDB is a NoSQL database
that offers high performance, high availability, and easy scalability, which are essential for managing
the complex and dynamic nature of network security configurations and logs.

Question 6

Fill in the blank: RADIUS protocol uses _____ to communicate with the gateway.

  • A. TDP
  • B. CCP
  • C. HTTP
  • D. UDP
Answer:

D

Question 7

Identity Awareness allows easy configuration for network access and auditing based on what three
items?

  • A. Client machine IP address
  • B. Network location, the identity of a user and the identity of a machine
  • C. Log server IP address
  • D. Gateway proxy IP address
Answer:

B

Question 8

Which of the following is NOT a method used by Identity Awareness for acquiring identity?

  • A. Remote Access
  • B. Active Directory Query
  • C. Cloud IdP (Identity Provider)
  • D. RADIUS
Answer:

C

Question 9

Which Identity Source(s) should be selected in Identity Awareness when there is a requirement
for a higher level of security for sensitive servers?

  • A. Endpoint Identity Agent and Browser Based Authentication
  • B. AD Query
  • C. Terminal Servers Endpoint Identity Agent
  • D. RADIUS and Account Logon
Answer:

A

Question 10

To enable Dynamic Dispatch on Security Gateway without the Firewall Priority Queues, run the
following command in Expert mode and reboot:

  • A. fw ctl multik set_mode 1
  • B. fw ctl multik prioq 2
  • C. fw ctl Dyn_Dispatch on
  • D. fw ctl Dyn_Dispatch enable
Answer:

D

Explanation:
According to the Check Point R81.20 documentation, the fw ctl Dyn_Dispatch enable command
enables the CoreXL Dynamic Dispatcher on Security Gateway, which improves the performance of
multi-core systems by dynamically balancing the traffic among the available cores [1].
Reference:
1. CoreXL Dynamic Dispatcher - Check Point Software, section “Enabling the CoreXL Dynamic
Dispatcher on Security

Question 11

After upgrading the primary security management server from R80.40 to R81.10, Bob wants to use
the central deployment in SmartConsole R81.10 for the first time. How many such installations (e.g.
Jumbo Hotfix, Hotfixes or Upgrade Packages) can run at the same time?

  • A. Up to 5 gateways
  • B. only 1 gateway
  • C. Up to 10 gateways
  • D. Up to 3 gateways
Answer:

C

Explanation:
According to the Check Point R81.20 documentation, the central deployment feature allows you to
install up to 10 packages simultaneously on multiple gateways [1].
Reference:
1. Check Point R81.20 Administration Guide, page 35.

Question 12

What ports are used for SmartConsole to connect to the Security Management Server?

  • A. CPMI (18190)
  • B. ICA_Pull (18210), CPMI (18190), https (443)
  • C. CPM (19009), CPMI (18190), https (443)
  • D. CPM (19009), CPMI (18190), CPD (18191)
Answer:

C

Explanation:
The correct answer is C) CPM (19009), CPMI (18190), https (443).
SmartConsole is a client application that connects to the Security Management Server to manage
and configure the security policy and objects. SmartConsole uses three ports to communicate with
the Security Management Server [1]:

  • CPM (19009): This port is used for the communication between the SmartConsole client and the Check Point Management (CPM) process on the Security Management Server. The CPM process handles the database operations and the policy installation.
  • CPMI (18190): This port is used for the communication between the SmartConsole client and the Check Point Management Interface (CPMI) process on the Security Management Server. The CPMI process handles the authentication and encryption of the SmartConsole sessions.
  • https (443): This port is used for the communication between the SmartConsole client and the web server on the Security Management Server. The web server provides the SmartConsole GUI and the SmartConsole extensions.

The other options are incorrect because they either include ports that are not used by SmartConsole
or omit ports that are used by SmartConsole.
Reference:
1. SmartConsole R81.20 - Check Point Software

Question 13

Which of the following is true regarding the Proxy ARP feature for Manual NAT?

  • A. The local.arp file must always be configured
  • B. Automatic proxy ARP configuration can be enabled
  • C. fw ctl proxy should be configured
  • D. Translate Destination on Client Side should be configured
Answer:

B

Explanation:
The verified answer is B) Automatic proxy ARP configuration can be enabled.
Proxy ARP is a feature that allows a gateway to respond to ARP requests on behalf of another IP
address that is not on the same network segment. Proxy ARP is required for manual NAT rules when
the NATed IP addresses are not routed to the gateway [1].
By default, proxy ARP for manual NAT rules has to be configured manually by editing the local.arp file
or using the CLISH commands on the gateway [2]. However, since R80.10, there is an option to enable
automatic proxy ARP configuration for manual NAT rules by modifying the files
$CPDIR/tmp/.CPprofile.sh and $CPDIR/tmp/.CPprofile.csh on the gateway [3].
fw ctl proxy is a command that displays the proxy ARP table on the gateway, but it does not configure
proxy ARP [4].
Translate Destination on Client Side is a NAT option that determines whether the destination IP
address is translated before or after the routing decision. It does not affect proxy ARP.
Reference:
1. Configuring Proxy ARP for Manual NAT - Check Point Software
2. R80.10: Automatic Proxy ARP with Manual NAT rules - checkpoint<dot>engineer
3. Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10
4. fw ctl proxy - Check Point Software
5. NAT Properties - Check Point Software

Question 14

What destination versions are supported for a Multi-Version Cluster Upgrade?

  • A. R77.30 and later
  • B. R80.10 and Later
  • C. R70 and Later
  • D. R76 and later
Answer:

B

Explanation:
The correct answer is B) R80.10 and later.
According to the Check Point documentation [1], the Multi-Version Cluster Upgrade (MVC) is a new
feature in R80.40 and higher that replaces the Connectivity Upgrade (CU) method. MVC allows you
to upgrade a cluster to a newer version without a loss in connectivity and test the new version on
some of the cluster members before you decide to upgrade the rest of the cluster members. The
MVC feature supports the following destination versions [2]:

  • R80.10
  • R80.20
  • R80.30
  • R80.40
  • R81
  • R81.20

The other options are incorrect because they are either not supported by MVC or they are older than
the source version (R80.40).
Reference:
1. Multi-Version Cluster (MVC) replaces Connectivity Upgrade (CU) in R80.40
2. ClusterXL upgrade methods and paths

Question 15

Alice was asked by Bob to implement the Check Point Mobile Access VPN blade, which requires some
basic configuration steps. Which statement about the configuration steps is true?

  • A. 1. Add a rule in the Access Control Policy and install policy 2. Configure Mobile Access parameters in Security Gateway object 3. Enable Mobile Access blade on the Security Gateway object and complete the wizard 4. Connect to the Mobile Access Portal
  • B. 1. Connect to the Mobile Access Portal 2. Enable Mobile Access blade on the Security Gateway object and complete the wizard 3. Configure Mobile Access parameters in Security Gateway object 4. Add a rule in the Access Control Policy and install policy
  • C. 1. Configure Mobile Access parameters in Security Gateway object 2. Enable Mobile Access blade on the Security Gateway object and complete the wizard 3. Add a rule in the Access Control Policy and install policy 4. Connect to the Mobile Access Portal
  • D. 1. Enable Mobile Access blade on the Security Gateway object and complete the wizard 2. Configure Mobile Access parameters in Security Gateway object 3. Add a rule in the Access Control Policy and install policy 4. Connect to the Mobile Access Portal
Answer:

D

Explanation:
The verified answer is D) 1. Enable Mobile Access blade on the Security Gateway object and
complete the wizard 2. Configure Mobile Access parameters in Security Gateway object 3. Add a rule
in the Access Control Policy and install policy 4. Connect to the Mobile Access Portal.
The basic configuration steps for the Check Point Mobile Access VPN blade are as follows [1]:

  1. Enable Mobile Access blade on the Security Gateway object and complete the wizard: This step activates the Mobile Access blade on the selected gateway and guides you through the initial configuration, such as defining the portal name, the certificate, and the authentication methods.
  2. Configure Mobile Access parameters in Security Gateway object: This step allows you to customize the Mobile Access settings, such as defining the supported applications, the access roles, the client settings, and the advanced options.
  3. Add a rule in the Access Control Policy and install policy: This step creates a rule that allows the traffic from the Mobile Access portal to the protected resources and installs the policy on the gateway.
  4. Connect to the Mobile Access Portal: This step verifies that the Mobile Access portal is accessible and functional from a web browser or a mobile device.

The other options are incorrect because they do not follow the correct order or include the necessary
steps.
Reference:
1. Mobile Access Administration Guide R81 - Check Point Software
