156-215.80 · Question #215
Study the Rule base and Client Authentication Action properties screen. After being authenticated by the Security Gateways, a user starts a HTTP connection to a Web site. What happens when the user tr
The correct answer is C. user is prompted to authenticate from that FTP site only, and does not need to enter his. With Check Point Client Authentication, each new service connection can trigger a separate authentication challenge, so a user authenticated for HTTP is prompted again specifically for a new FTP command-line session without disturbing the existing HTTP session.
Question
Study the Rule base and Client Authentication Action properties screen. After being authenticated by the Security Gateways, a user starts a HTTP connection to a Web site. What happens when the user tries to FTP to another site using the command line? The:
Exhibits
Options
- Auser is prompted for authentication by the Security Gateways again.
- BFTP data connection is dropped after the user is authenticated successfully.
- Cuser is prompted to authenticate from that FTP site only, and does not need to enter his
- DFTP connection is dropped by Rule 2.
How the community answered
(33 responses)- A3% (1)
- B12% (4)
- C70% (23)
- D15% (5)
Why each option
With Check Point Client Authentication, each new service connection can trigger a separate authentication challenge, so a user authenticated for HTTP is prompted again specifically for a new FTP command-line session without disturbing the existing HTTP session.
The user is not prompted to authenticate to the Security Gateway generically again; the prompt is scoped specifically to the new FTP service connection, not a full gateway-level re-authentication.
The FTP data connection is not dropped after authentication; the purpose of Client Authentication is to permit the connection to proceed once credentials are successfully verified.
Client Authentication in Check Point operates on a per-connection, per-service basis, meaning each distinct service session can require its own credential verification. When the already-authenticated HTTP user initiates an FTP connection from the command line, Client Authentication prompts them specifically for that FTP session only - the user authenticates for FTP independently and does not need to re-authenticate for the previously established HTTP connection, since each service is tracked separately.
Rule 2 dropping the FTP connection is incorrect because the Client Authentication action is configured to challenge and then allow the FTP session upon successful authentication, not to drop it outright.
Concept tested: Check Point Client Authentication per-service session behavior
Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_FirewallAdminGuide/Topics-FWG/Client-Auth.htm
Topics
Community Discussion
No community discussion yet for this question.

