nerdexam
Check_Point

156-215.80 · Question #215

Study the Rule base and Client Authentication Action properties screen. After being authenticated by the Security Gateways, a user starts a HTTP connection to a Web site. What happens when the user tr

The correct answer is C. user is prompted to authenticate from that FTP site only, and does not need to enter his. With Check Point Client Authentication, each new service connection can trigger a separate authentication challenge, so a user authenticated for HTTP is prompted again specifically for a new FTP command-line session without disturbing the existing HTTP session.

User Management and Authentication

Question

Study the Rule base and Client Authentication Action properties screen. After being authenticated by the Security Gateways, a user starts a HTTP connection to a Web site. What happens when the user tries to FTP to another site using the command line? The:

Exhibits

156-215.80 question #215 exhibit 1
156-215.80 question #215 exhibit 2

Options

  • Auser is prompted for authentication by the Security Gateways again.
  • BFTP data connection is dropped after the user is authenticated successfully.
  • Cuser is prompted to authenticate from that FTP site only, and does not need to enter his
  • DFTP connection is dropped by Rule 2.

How the community answered

(33 responses)
  • A
    3% (1)
  • B
    12% (4)
  • C
    70% (23)
  • D
    15% (5)

Why each option

With Check Point Client Authentication, each new service connection can trigger a separate authentication challenge, so a user authenticated for HTTP is prompted again specifically for a new FTP command-line session without disturbing the existing HTTP session.

Auser is prompted for authentication by the Security Gateways again.

The user is not prompted to authenticate to the Security Gateway generically again; the prompt is scoped specifically to the new FTP service connection, not a full gateway-level re-authentication.

BFTP data connection is dropped after the user is authenticated successfully.

The FTP data connection is not dropped after authentication; the purpose of Client Authentication is to permit the connection to proceed once credentials are successfully verified.

Cuser is prompted to authenticate from that FTP site only, and does not need to enter hisCorrect

Client Authentication in Check Point operates on a per-connection, per-service basis, meaning each distinct service session can require its own credential verification. When the already-authenticated HTTP user initiates an FTP connection from the command line, Client Authentication prompts them specifically for that FTP session only - the user authenticates for FTP independently and does not need to re-authenticate for the previously established HTTP connection, since each service is tracked separately.

DFTP connection is dropped by Rule 2.

Rule 2 dropping the FTP connection is incorrect because the Client Authentication action is configured to challenge and then allow the FTP session upon successful authentication, not to drop it outright.

Concept tested: Check Point Client Authentication per-service session behavior

Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_FirewallAdminGuide/Topics-FWG/Client-Auth.htm

Topics

#Client Authentication#HTTP#FTP#authentication rules

Community Discussion

No community discussion yet for this question.

Full 156-215.80 Practice