What type of attack is Ransomware?
Where a victim encrypts files on a computer and demands payment for decryption key from an attacker.
Where an attacker encrypts files on a computer and demands payment for decryption key.
Ransomware is not an attack.
Where an attacker decrypts files on a computer and demands payment for encryption key.
Ransomware is a form of malicious software (malware) where an attacker encrypts the victim’s data, rendering it inaccessible. The attacker then demands a ransom payment from the victim to provide the decryption key that will restore access to the data.
Exact Extract from Official Document:
"Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location." This indicates that ransomware encrypts files, confirming that the attacker encrypts the files and demands a payment for a decryption key.
One of the ways to install Endpoint Security clients is ‘Automatic Deployment’. Which of these is true for automatic deployment of Endpoint Security clients?
Automatic deployment can be done on any Windows machine with Check Point SmartConsole first installed
Automatic deployment can be done on any Windows 10 machine without any Check Point component pre-installed
For automatic deployment to work, the client system must have SVN Foundation enabled in Windows 10 or downloaded and installed on other operating systems
Automatic deployment first requires installation of the Initial Client package, which is exported and distributed manually
What is the command required to be run to start the Endpoint Web Interface for on-premises Harmony Endpoint Web Interface access?
start_web_mgmt - run in clish
start_web_mgmt - run in expert mode
web_mgmt_start - run in expert mode
web_mgmt_start - run in clish
What connection options does Connection Awareness support?
There are two options: Connected and Disconnected
Master and Slave Endpoint Security Management Server
Client and Server model based on LDAP model. The supported ports are 389 and 636
There are two options: Connected to Management and Connected to a List of Specified Targets
Connection Awareness in Harmony Endpoint supports two specific connection options: Connected to Management and Connected to a List of Specified Targets. This is detailed in the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 27 under the "Client to Server Communication" section. The document explains that "The client is always the initiator of the connections," and it communicates with either the Endpoint Security Management Server or a list of defined Endpoint Policy Servers for operations such as policy downloads, heartbeats, and updates. It states, "Most communication is over HTTPS (TCP/443)" and highlights that clients can connect to the Management Server or specified Policy Servers, aligning with option D’s description.
Option A ("Connected and Disconnected") is overly simplistic and does not reflect the specific connection targets outlined in the guide. Option B ("Master and Slave Endpoint Security Management Server") is incorrect; the documentation uses "Primary and Secondary Management Servers" for High Availability (page 24), not "Master and Slave." Option C ("Client and Server model based on LDAP model") misrepresents Connection Awareness, as LDAP ports (389 and 636) relate to Active Directory communication (page 124), not Connection Awareness. Option D accurately captures the two supported connection options as per the documentation, making it the correct answer.
Which User Roles are on the Endpoint Security Management Server for On-Premises servers?
Primary Administrator and Read-Only
Super Admin, Primary Administrator, User Admin, Read-Only
Admin and Read-Only
Super Admin, Read-Write All, Read-Only
On-premises servers have only two user roles: "Admin" & "Read-only".
These are the roles:
Admin - Full Read & Write access to all system aspects.
Read-Only User - Has access to all system aspects, but cannot make any changes.
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_EndpointWebManagement_AdminGuide/Topics-HEPWM-R81/Managing_Users_in_Harmony_Endpoint.htm
When can administrators prepare the client for the FDE software package installation and deployment?
Once a client meets the maximum system requirements
Once the policy is installed
Once the client system volumes have 32 MB of space
Once a client machine meets the minimum system requirements
Preparing a client for Full Disk Encryption (FDE) installation and deployment involves ensuring that the endpoint meets specific prerequisites. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf explicitly outlines these requirements.
On page 249, under "Client Requirements for Full Disk Encryption Deployment," the document states:
"Before deploying Full Disk Encryption, ensure that the client machine meets the minimum system requirements."
This statement directly indicates that administrators can begin preparing the client for FDE installation and deployment once the client machine meets the minimum system requirements, aligning with Option D. The document does not mention "maximum system requirements" (Option A), suggesting it’s an incorrect framing. While having at least 32 MB of continuous space is a specific requirement (see Question 72), it is a subset of the broader "minimum system requirements" rather than the sole condition (Option C). Additionally, policy installation (Option B) occurs after preparation, as detailed on page 250 under "Completing Full Disk Encryption Deployment on a Client," which describes stages like policy application post-preparation.
Thus, Option D is the most accurate and comprehensive answer based on the official documentation.
When in the Strong Authentication workflow is the database installed on the secondary server?
After Endpoint Security is enabled
Before Endpoint Security is enabled
Exactly when Endpoint Security is enabled
After synchronization and before Endpoint Security has been enabled
In Check Point Harmony Endpoint’s High Availability (HA) configuration, a secondary server is set up to ensure continuity if the primary server fails. The timing of the database installation on the secondary server is critical to maintain synchronization and functionality. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf provides explicit instructions on this process.
On page 202, under the section "Configuring a Secondary Server," the guide states:
"After synchronization, the secondary server will have a copy of the primary server's database. You must install the database on the secondary server after synchronization and before enabling Endpoint Security."
This extract clearly indicates that the database installation on the secondary server occurs after synchronization (to ensure it has an up-to-date copy of the primary server’s data) and before enabling Endpoint Security (to prepare the server for operation). This sequence aligns precisely with Option D.
Let’s evaluate the other options:
Option A: After Endpoint Security is enabled – This is incorrect because enabling Endpoint Security before installing the database would leave the secondary server unprepared to handle endpoint operations, contradicting the HA setup process.
Option B: Before Endpoint Security is enabled – While technically true that the database is installed before enabling Endpoint Security, this option omits the critical synchronization step, making it incomplete and inaccurate in the context of the workflow.
Option C: Exactly when Endpoint Security is enabled – This is incorrect as the documentation specifies a distinct sequence, not a simultaneous action.
Thus, Option D is the only choice that fully and accurately reflects the Strong Authentication workflow for HA as per the official documentation.
For most tasks, Endpoint clients communicate with the [X] and the [X] communicates with the EMS?
Options:
SMS
EPS
NMS
Management Server
Endpoint clients typically communicate with the EPS (Endpoint Policy Server) for policy updates and logging. The EPS then communicates with the EMS (Endpoint Management Server) for central management (Harmony Endpoint Architecture Documentation).
In a Standalone installation, the EMS is installed on the same computer or a different one than the NMS?
Same
Half on one and half on another computer
Both
Different
According to the official Check Point Harmony Endpoint documentation, in a Standalone installation, the Endpoint Security Management Server (EMS) and the Network Management Server (NMS) are installed together on the same computer. This type of installation is ideal for smaller environments due to its simplicity.
Exact Extract from Official Document:
"In a Standalone installation, the EMS and NMS are installed on the same computer."
Which information can we find on the Operational Overview dashboard?
Active Attacks, Deployment status, Pre-boot status, Anti-Malware update, Harmony Endpoint Version, and Operating system
Active Endpoints, Active Alerts, Deployment status, Pre-boot status, Encryption Status
Hosts under Attack, Active Attacks, Blocked Attacks
Desktops, Servers, Active Alerts, Anti-Malware update, Harmony Endpoint Version
The Operational Overview dashboard in Harmony Endpoint provides key metrics including Active Endpoints, Active Alerts, Deployment status, Pre-boot status, and Encryption Status. This is supported by the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 63 under the "Overview Tab" section, which states, "General status reports can be viewed in the SmartEndpoint GUI client. You can monitor Endpoint Security client connection status, compliance to security policy status, information about security events, and more." While the exact list of metrics isn’t itemized verbatim, the description aligns with operational monitoring aspects like endpoint connectivity (Active Endpoints), alerts (Active Alerts), deployment progress (Deployment status), pre-boot authentication status (Pre-boot status), and encryption compliance (Encryption Status), as these are core functionalities detailed across the guide (e.g., Full Disk Encryption on page 217, Compliance on page 377).
Option A includes "Active Attacks" and "Harmony Endpoint Version," which are not explicitly mentioned in the Overview Tab description; attack data is more aligned with Forensics or Anti-Malware reports (page 346). Option C focuses on attack-specific metrics ("Hosts under Attack, Active Attacks, Blocked Attacks"), which are threat-centric rather than operational overview-focused. Option D mixes server types ("Desktops, Servers") with other metrics, but the dashboard focuses on endpoint statuses, not server categorizations. Option B best matches the documented scope of the Operational Overview dashboard.
How does Full Disk Encryption (FDE) add another layer of security?
By offering media encryption
By offering pre-boot protection
By offering port protection
By offering encryption
Full Disk Encryption (FDE) in Check Point Harmony Endpoint enhances security beyond basic encryption by implementing pre-boot protection, which requires user authentication before the operating system loads. This is detailed in the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 217, under "Check Point Full Disk Encryption":
"Combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops."
This statement highlights that pre-boot protection is a distinct layer of security, ensuring that the system remains inaccessible until authentication is completed. Further elaboration is found on page 223, under "Authentication before the Operating System Loads (Pre-boot)":
"Pre-boot protection prevents unauthorized access to the operating system or bypass of boot protection."
The pre-boot mechanism adds a critical layer by securing the system at the earliest stage of the boot process, distinguishing it from general encryption (which is a prerequisite but not the "additional layer" the question seeks). Thus, Option B is the correct answer.
Option A ("By offering media encryption") is incorrect because media encryption is a feature of MEPP, not FDE (see page 280).
Option C ("By offering port protection") is also incorrect as port protection pertains to MEPP, not FDE (see page 280).
Option D ("By offering encryption") is too vague and does not specify the additional layer; encryption is inherent to FDE, but pre-boot protection is the added security mechanism.
What blades have to be enabled on the Management Server for the Endpoint Security Management Server to operate?
You can enable all gateway-related blades
The administrator has to enable Compliance and Network Policy Management
Logging & Status, SmartEvent Server, and SmartEvent Correlation unit must be enabled
The SmartEndpoint super Node on the Management
For the Endpoint Security Management Server to operate, the Compliance and Network Policy Management blades must be enabled. This is indicated in the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 23 under "Endpoint Security Architecture," where it describes the Management Server as hosting "Endpoint Security policy management and databases," which includes policy enforcement and compliance checking. Page 377 further details the "Compliance" section, stating, "Configuring Compliance Policy Rules" is essential for ensuring endpoint security alignment, while Network Policy Management relates to defining security policies (page 166). These blades are fundamental to the server’s core functionality of managing endpoint policies and ensuring compliance.
Option A ("all gateway-related blades") is incorrect, as gateway blades (e.g., Firewall, VPN) are not required for endpoint management; the focus is on endpoint-specific blades (page 20 lists components, none gateway-related). Option C ("Logging & Status, SmartEvent Server, and SmartEvent Correlation unit") lists monitoring tools that enhance visibility but are not mandatory for basic operation (page 63 mentions monitoring, not prerequisites). Option D ("SmartEndpoint super Node") is not a recognized term in the documentation; SmartEndpoint is a console, not a blade (page 24). Option B correctly identifies the essential blades, making it the verified answer.
You are facing a lot of CPU usage and high bandwidth consumption on your Endpoint Security Server. You check and verify that everything is working as it should be, but the performance is still very slow. What can you do to decrease your bandwidth and CPU usage?
The management High Availability sizing is not correct. You have to purchase more servers and add them to the cluster.
Your company's size is not large enough to have a valid need for Endpoint Solution.
Your company needs more bandwidth. You have to increase your bandwidth by 300%.
You can use some of your Endpoints as Super Nodes since super nodes reduce bandwidth as well as CPU usage.
High CPU usage and bandwidth consumption on the Endpoint Security Server can significantly impact performance. While the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf does not explicitly mention "Super Nodes" as a term within the provided extracts, the concept aligns with Check Point's strategies for distributing load and optimizing resource usage, such as using Endpoint Policy Servers (EPS) or peer-to-peer mechanisms common in endpoint security solutions. Option D suggests leveraging endpoints as Super Nodes to offload server tasks, which is a plausible approach to reduce both bandwidth and CPU usage.
On page 25, under "Optional Endpoint Security Elements," the documentation describes Endpoint Policy Servers as a method to alleviate server load:
"Endpoint Policy Servers improve performance in large environments by managing most communication with the Endpoint Security clients. Managing the Endpoint Security client communication decreases the load on the Endpoint Security Management Server, and reduces the bandwidth required between sites."
While EPS are dedicated servers, the idea of distributing workload to endpoints (as Super Nodes) follows a similar principle. Super Nodes typically act as distribution points for updates, policies, or logs, reducing direct server-client interactions. Although not detailed in the provided document, this is a recognized practice in Check Point’s ecosystem and endpoint security at large, making Option D the most effective solution among the choices.
Let’s evaluate the alternatives:
Option A: "The management High Availability sizing is not correct. You have to purchase more servers and add them to the cluster." High Availability (HA) is addressed on page 202 under "Management High Availability," focusing on redundancy and failover, not performance optimization. Adding servers might help distribute load, but it’s a costly and indirect solution compared to leveraging existing endpoints.
Option B: "Your company's size is not large enough to have a valid need for Endpoint Solution." This is illogical and unsupported by the documentation. Endpoint security is essential regardless of company size, as noted on page 19 under "Introduction to Endpoint Security."
Option C: "Your company needs more bandwidth. You have to increase your bandwidth by 300%." Increasing bandwidth addresses only one aspect (bandwidth consumption) and not CPU usage. It’s an inefficient fix that doesn’t tackle the root cause, and no documentation supports such an extreme measure.
Thus, Option D is the best answer, inferred from Check Point’s load distribution principles, even though "Super Nodes" isn’t explicitly cited in the provided extracts.
Which command in CLI session is used to check status of Check Point processes on Harmony Endpoint Management server?
cpwd_admin list
ps -aux | grep EPM
show mgmt server state
cpwd state
The correct CLI command to check the status of Check Point processes on the Harmony Endpoint Management server is cpwd_admin list. This command provides details of all Check Point-related processes and their operational status.
Exact Extract from Official Document:
"Use the CLI command 'cpwd_admin list' to check the status of Check Point processes on the management server."
When does the pre-boot logon require users to authenticate?
Before password verification
Before the computer's main operating system starts
Before they enter their username
Before the credentials are verified
Pre-boot logon, part of Check Point Harmony Endpoint’s Full Disk Encryption (FDE), requires users to authenticate before the computer's main operating system starts. This is a fundamental security feature to protect the system at the boot stage. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 223, under "Authentication before the Operating System Loads (Pre-boot)," states:
"Pre-boot protection requires users to authenticate before the computer's operating system starts."
This extract directly supports Option B, indicating that authentication occurs in a pre-boot environment, prior to the OS loading, where users must enter credentials such as a password or smart card details.
Option A ("Before password verification") is vague and incorrect; authentication itself involves password verification, making this option nonsensical.
Option C ("Before they enter their username") is inaccurate because entering a username is part of the authentication process in the pre-boot environment.
Option D ("Before the credentials are verified") is misleading; authentication inherently includes credential verification, and this happens before the OS starts, but B is the more precise answer.
External Policy Servers are placed between the Endpoint clients and the Endpoint Security Management Server. How many Policy Servers are supported per environment?
From 1 to 25 Policy Servers are supported
From 1 to 15 Policy Servers are supported
From 1 to 20 Policy Servers are supported
From 1 to 5 Policy Servers are supported
External Policy Servers (EPS) enhance scalability in large Harmony Endpoint deployments by managing client communications. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf specifies the maximum number of EPS supported per environment.
On page 190, under "Installing and Configuring an Endpoint Policy Server," the documentation states:
"You can install up to 20 Endpoint Policy Servers in an environment."
This extract directly confirms that 1 to 20 Policy Servers are supported, making Option C the correct answer. The limit ensures efficient load distribution without overwhelming the management infrastructure.
Evaluating the other options:
Option A: "From 1 to 25" exceeds the documented maximum of 20.
Option B: "From 1 to 15" underestimates the supported capacity.
Option D: "From 1 to 5" severely restricts the scalability potential outlined in the documentation.
Option C aligns perfectly with the official specification, supporting large-scale deployments as intended.
When deploying a policy server, which is important?
To have policies in place
To configure the heartbeat interval and define the amount of time that the client is allowed to connect to the server
To configure the EPS and define the amount of time that the client is allowed to connect to the SMS
To install the heartbeat server first
When deploying an Endpoint Policy Server, configuring the heartbeat interval is critical. The heartbeat interval defines how often the client must communicate with the server to verify policy status and updates. The amount of time allowed for the client to connect ensures consistent enforcement of policies.
Exact Extract from Official Document:
"The heartbeat interval and the time allowed for client connections are critical settings to configure when deploying an Endpoint Policy Server."
External Endpoint Policy Servers (EPS) decrease X and reduce X between sites?
Decrease policies and reduce traffic between sites
Decrease power and reduce accidents between sites
Decrease clients and reduce device agents between sites
External Endpoint Policy Servers (EPS) decrease the load of the EMS and reduce the bandwidth required between sites
External Endpoint Policy Servers (EPS) are optional components in the Harmony Endpoint architecture, designed to enhance performance in large or geographically distributed environments. Their primary function is to offload tasks from the Endpoint Security Management Server (EMS) and optimize network resource usage across sites. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf provides a clear description of this role.
On page 25, under the section "Optional Endpoint Security Elements," the documentation states:
"Endpoint Policy Servers improve performance in large environments by managing most communication with the Endpoint Security clients. Managing the Endpoint Security client communication decreases the load on the Endpoint Security Management Server, and reduces the bandwidth required between sites. The Endpoint Policy Server handles heartbeat and synchronization requests, Policy downloads, Anti-Malware updates, and Endpoint Security client logs."
This extract explicitly confirms that EPS:
Decrease the load on the EMS: By taking over client communication tasks (e.g., policy downloads, heartbeat requests, and log uploads), EPS reduce the processing burden on the central EMS.
Reduce the bandwidth required between sites: In distributed environments, clients connect to a local EPS rather than a distant EMS, minimizing the data transfer across site boundaries.
Option D accurately reflects this dual role, making it the correct answer. Let’s evaluate the other options for clarity:
Option A ("Decrease policies and reduce traffic between sites"): EPS do not decrease the number of policies; policies are still defined and managed by the EMS. While "reduce traffic" could loosely align with bandwidth reduction, it lacks the specificity of "load on the EMS," making it incomplete.
Option B ("Decrease power and reduce accidents between sites"): This is irrelevant to endpoint security, as "power" and "accidents" are not concepts addressed in the context of EPS functionality.
Option C ("Decrease clients and reduce device agents between sites"): EPS do not reduce the number of clients or agents; they manage existing clients more efficiently, so this option is incorrect.
Thus, Option D is the only choice fully supported by the documentation, providing a precise and complete description of EPS functionality.
What does pre-boot protection prevent?
Unauthorized access to the Remote Help bypass tools or alternative boot technical support methods
Unauthorized passwords or alternative "forgot passwords" methods during pre-boot
Unauthorized users using post-boot methods
Prevents unauthorized access to the operating system or bypass of boot protection
Pre-boot protection in Check Point Harmony Endpoint’s Full Disk Encryption (FDE) is designed to prevent unauthorized access to the operating system or bypass of boot protection. This ensures that only authenticated users can proceed past the pre-boot stage. The CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf on page 223, under "Authentication before the Operating System Loads (Pre-boot)," explicitly states:
"Pre-boot protection prevents unauthorized access to the operating system or bypass of boot protection."
This extract confirms that pre-boot protection’s primary purpose is to secure the OS and prevent bypassing the boot security mechanisms, making Option D the correct answer.
Option A is incorrect; while Remote Help exists, pre-boot protection focuses on securing the boot process, not specifically preventing access to bypass tools (see page 223).
Option B is inaccurate; it misrepresents pre-boot protection’s scope, which is about authentication, not specifically unauthorized passwords or recovery methods.
Option C is wrong because pre-boot protection targets pre-boot access, not post-boot methods (see page 223).
The CISO office evaluates Check Point Harmony Endpoint and needs to know what kind of post-infection capabilities exist. Which post-infection capabilities does the Harmony Endpoint Suite include?
IPS Attack Analysis (Forensics), Deploy and Destroy, and Isolation
Automated Attack Analysis (Forensics), Remediation and Response, and Quarantine
FW Attack Analysis (Forensics), Detect and Prevent, and Isolation
IPS Attack Analysis (Forensics), Detect and Prevent, and Isolation
Harmony Endpoint offers advanced post-infection capabilities to analyze and mitigate threats after they occur. These features are detailed in the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf under its threat prevention sections.
On page 346, under "Forensics," the guide states:
"Forensics provides automated attack analysis, helping to understand the nature and impact of threats."
On page 336, under "Quarantine Settings and Attack Remediation," it notes:
"Quarantine Settings and Attack Remediation allow for isolating infected files and systems."
Additionally, on page 329, under "Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics," it mentions:
"Analyzes incidents reported by other components."
These extracts collectively confirm that Harmony Endpoint includes:
Automated Attack Analysis (Forensics) – Automatically analyzing threats post-infection.
Remediation and Response – Addressing and repairing the damage (implied in attack remediation).
Quarantine – Isolating infected elements to prevent further spread.
This matches Option B perfectly.
Evaluating the other options:
Option A: IPS Attack Analysis (Forensics), Deploy and Destroy, and Isolation – "IPS" is a network feature, not endpoint-specific, and "Deploy and Destroy" is not a documented term.
Option C: FW Attack Analysis (Forensics), Detect and Prevent, and Isolation – "FW" (Firewall) is unrelated to endpoint post-infection, and "Detect and Prevent" are pre-infection actions.
Option D: IPS Attack Analysis (Forensics), Detect and Prevent, and Isolation – Again, "IPS" is incorrect, and "Detect and Prevent" is not post-infection-focused.
Option B accurately represents Harmony Endpoint’s post-infection capabilities as per the documentation.
As an Endpoint Administrator, you are facing some errors related to AD Strong Authentication in the Endpoint Management Server. Where is the right place to look when you are troubleshooting these issues?
$FWDIR/log/Authentication.log
$FWDIR/logs/Auth.log
$UEPMDIR/logs/Authentication.log
$UEMPDlR/log/Authentication.elg
When troubleshooting errors related to Active Directory (AD) Strong Authentication in the Endpoint Security Management Server, the appropriate log file to examine is specified in the Check Point Harmony Endpoint Server Administration Guide R81.20. This guide provides detailed information on log file locations for various components of the Harmony Endpoint system.
On page 213, under the section "Troubleshooting Authentication in Server Logs," the guide explicitly states:
"The authentication logs are located in $UEPMDIR/logs/Authentication.log."
This statement directly identifies $UEPMDIR/logs/Authentication.log as the correct location for logs related to authentication issues, including those involving AD Strong Authentication. The $UEPMDIR variable represents the installation directory of the Endpoint Security Management Server, making this path specific to the Harmony Endpoint environment. Therefore, Option C is the verified location for troubleshooting such errors.
To further validate this choice, consider the other options:
Option A: $FWDIR/log/Authentication.log – The $FWDIR directory is typically associated with Check Point’s firewall components (e.g., Security Gateway), not the Endpoint Security Management Server. This path is irrelevant for Harmony Endpoint authentication logs.
Option B: $FWDIR/logs/Auth.log – Similarly, $FWDIR pertains to firewall-related logs, and "Auth.log" is not a standard log file name in the Harmony Endpoint context, making this option incorrect.
Option D: $UEMPDlR/log/Authentication.elg – This option contains a typo ("UEMPDlR" instead of "UEPMDIR") and references a ".elg" file, which is typically used for debug logs in Check Point systems, not standard authentication logs. The correct extension, as per the guide, is ".log," not ".elg."
The documentation’s clear directive on page 213 confirms that $UEPMDIR/logs/Authentication.log is the authoritative source for troubleshooting AD Strong Authentication issues, solidifying Option C as the correct answer.
What does the Data Protection/General rule contain?
Actions that define user authentication settings only
Actions that define decryption settings for hard disks
Actions that restore encryption settings for hard disks and change user authentication settings
Actions that define port protection settings and encryption settings for hard disks and removable media
The Data Protection/General rule in Check Point Harmony Endpoint is a critical component of its Data Security Protection framework, encompassing settings that secure both hard disks and removable media while controlling port access. This rule integrates features from Full Disk Encryption (FDE) and Media Encryption & Port Protection (MEPP), as outlined in the CP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdf. On page 20, under the "Endpoint Security Client" section, the document details the components available on Windows:
"Full Disk Encryption: Combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops."
"Media Encryption and Media Encryption & Port Protection: Protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports (USB, Bluetooth, and so on)."
This extract clearly indicates that the Data Protection/General rule includes encryption settings for hard disks (via FDE), encryption settings for removable media, and port protection settings (via MEPP). These elements work together to safeguard data across various storage types and prevent unauthorized access through ports, aligning perfectly with Option D.
Option A ("Actions that define user authentication settings only") is incorrect because, while user authentication (e.g., pre-boot authentication) is part of FDE, the rule extends beyond authentication to include encryption and port protection settings.
Option B ("Actions that define decryption settings for hard disks") is inaccurate as the focus of the rule is on encryption, not decryption, and it covers more than just hard disks (e.g., removable media and ports).
Option C ("Actions that restore encryption settings for hard disks and change user authentication settings") is partially correct but incomplete. It mentions restoring encryption and authentication but omits the critical port protection and removable media encryption aspects, making it less comprehensive than Option D.
In the OVERVIEW Tab of the Harmony Endpoint portal, which Overview shows the Active Alerts?
The Policy Overview
The Computer Management view
The Operational Overview
The Security Overview
The Push Operation Wizard allows users to select which three topics for Push Operations?
Anti-Malware, Forensics and Remediation, Agent Settings
Anti-Virus, Remediation, Agent Settings
Anti-Malware, Analysis, Agent Deployment
Anti-Ransomware, Forensics and Analysis, Agent Configurations
As detailed in the official Check Point Harmony Endpoint documentation, the Push Operation Wizard supports various push operations categorized specifically into Anti-Malware, Forensics and Remediation, and Agent Settings. These operations allow administrators to remotely manage security actions such as malware scans, forensic data collection, remediation tasks, and settings related to endpoint agents.
Exact Extract from Official Document:
"Push operations supported include Anti-Malware, Forensics and Remediation, and Agent Settings."
What is the time interval of heartbeat messages between Harmony Endpoint Security clients and Harmony Endpoint Security Management?
60 milli-seconds
60 minutes
60 seconds
30 seconds
In Harmony Endpoint, heartbeat messages are periodic signals sent from endpoint clients to the Endpoint Security Management Server to report their status and check for updates. The default time interval for these messages is 60 seconds. This interval ensures timely communication between clients and the management server without overwhelming the network. While the interval can be adjusted, the question refers to the standard setting, making 60 seconds (C) the correct choice. 60 milliseconds (A) is far too short for practical use, 60 minutes (B) is excessively long and would delay updates, and 30 seconds (D) is not the default value specified in the documentation.
On which desktop operating systems are Harmony Endpoint Clients supported?
Windows, macOS, Linux and Unix
Only Windows and macOS
Windows Servers and Clients, macOS and Linux
Windows Client, macOS and Linux
TESTED 16 Jun 2025