Checkpoint Updated 156-315.81 Exam Questions and Answers by zohaan

When Identity Awareness is enabled, AD Query and Browser-based Authentication are used as identity sources for Application Control. AD Query allows the Security Gateway to query Active Directory servers for identity information based on IP addresses. Browser-based Authentication allows the Security Gateway to redirect unidentified users to a captive portal where they can authenticate with their credentials. These identity sources provide accurate and up-to-date identity information for Application Control, which can enforce granular policies based on user, group, machine, and domain objects. References: R81 Identity Awareness Administration Guide, page 9.

 A pre-shared secret is a secret key that is shared between the two VPN peers before establishing a secure connection. It is used to authenticate the VPN peers and encrypt the VPN traffic. A pre-shared secret is required for a site-to-site VPN tunnel that does not use certificates, because certificates are another way of authenticating the VPN peers using public key cryptography. Without certificates, the VPN peers need to have a common secret key that only they know. References: Check Point R81 VPN Administration Guide, page 13

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on Security Gateways that acquire identities from various sources, such as AD Query, Identity Agent, Captive Portal, etc. PEP is a daemon that runs on Security Gateways that enforce the security policy based on identities received from PDPs. Identity sharing is a feature that allows PDPs to share identities with other PDPs or PEPs in different gateways or domains. References: [Check Point R81 Identity Awareness Administration Guide]

The "Network Access VPN Domain" feature allows remote-access VPN users to access resources across a site-to-site VPN tunnel. This feature allows remote users to securely access internal network resources as if they were physically connected to the network. This is achieved by adding the remote-access VPN users to a "VPN Domain" that has access to the internal network resources via a site-to-site VPN tunnel. This VPN Domain is also referred to as a "Network Access VPN Domain".