Checkpoint 156-315.81 Exam With Confidence Using Practice Dumps

 In the Network policy layer, the default action for the Implied last rule is drop all traffic. However, in the Application Control policy layer, the default action is accept all traffic. The Implied last rule is a rule that is automatically added at the end of each policy layer and defines what to do with traffic that does not match any of the user-defined rules. The default actions for each policy layer can be changed in the Global Properties or in the layer properties. References: R81 Security Management Administration Guide, page 30.

 Sub Policies are a new R81 Gateway feature that had not been available in R77.X and older. Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule. This allows for more granular and modular control over the policy. The other features were already available in previous versions . References: Check Point R81 Security Management Administration Guide, Check Point R77 Security Management Administration Guide, Check Point R77 Gaia Administration Guide, Check Point R77 Security Gateway Technical Administration Guide

After trust has been established between the Check Point components, the Security Gateway IP address cannot be changed without re-establishing the trust. This is because the trust is based on the Secure Internal Communication (SIC) mechanism, which uses certificates to authenticate and encrypt the communication. The certificates are issued by the Internal Certificate Authority (ICA) of the Security Management Server / Domain Management Server, and contain the name and IP address of the component. Therefore, if the IP address of a component is changed, the certificate will become invalid and the trust will be lost. To restore the trust, the certificate must be renewed or reissued by the ICA12.

However, there are some exceptions to this rule. The Security Gateway name can be changed in command line without re-establishing trust, as long as the IP address remains the same. This is because the SIC mechanism does not rely on the hostname, but on the IP address and the SIC name (which is usually derived from the hostname, but can be manually changed). The Security Management Server name can be changed in SmartConsole without re-establishing trust, as long as the IP address remains the same. This is because SmartConsole uses a different mechanism to connect to the Security Management Server, which does not depend on the SIC certificate. The Security Management Server IP address can be changed without re-establishing trust, as long as some steps are followed to update the Check Point Registry file on the managed Security Gateways / Cluster Members / VSX Virtual Devices. This is because the Registry file contains the IP address of the ICA, which is used for certificate renewal. If the Registry file is not updated, then the certificate renewal will fail and the trust will be lost3.

References: 1: Check Point R81 Security Administration Guide - Check Point Software, page 162 2: Check Point R81 Security Engineering Guide - Check Point Software, page 162 3: How to renew SIC after changing IP Address of Security Management Server - Check Point Software, Solution ID: sk103356