Check Point Certified Security Administrator (CCSA) R81.20 — Question 137
You want to set up a VPN tunnel to an external gateway. You have to make sure that the IKE Phase 2 (P2) SA will only be established between two subnets and not between all subnets defined in the default VPN domain of your gateway.
Answer options
- A. In the SmartConsole create a dedicated VPN Community for both Gateways. On the Management add the following line to the $FWDIR/conf/user.def.FW1 file -> subnet_for_range_and_peer = {};
- B. In the SmartConsole create a dedicated VPN Community for both Gateways. Selecting the local gateway in the Community you can set the VPN Domain to ‘User defined’ and put in the local network.
- C. In the SmartConsole create a dedicated VPN Community for both Gateways. On the Gateway add the following line to the $FWDIR/conf/user.def.FW1 file -> subnet_for_range_and_peer = {};
- D. In the SmartConsole create a dedicated VPN Community for both Gateways. Go to Security Policies / Access Control and create an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA. Put the name of the Community in the VPN column.
Correct answer: B
Explanation
Option B is correct because setting the local gateway's VPN Domain to 'User defined' within the dedicated community restricts the IKE P2 SA to the specified local network rather than the gateway's full default VPN domain. Options A and C incorrectly suggest modifying the user.def.FW1 file, which does not directly address the VPN Domain configuration. Option D focuses on creating access control rules, which control which traffic is allowed through the tunnel but is not the correct method for limiting the VPN Domain.