Check Point Certified Security Administrator (CCSA) R81.20 — Question 71
Which of the following statements about Domain-based Site-to-Site VPN is NOT true?
Answer options
- A. Route-based: The Security Gateways will have a Virtual Tunnel Interface (VTI) for each VPN Tunnel with a peer VPN Gateway. The Routing Table can have routes to forward traffic to these VTIs. Any traffic routed through a VTI is automatically identified as VPN Traffic and is passed through the VPN Tunnel associated with the VTI.
- B. Domain-based: VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.
- C. Domain-based: VPN domains are pre-defined for all VPN Gateways. A VPN domain is a host or network that can send or receive VPN traffic through a VPN Gateway.
- D. Domain-based: VPN domains are pre-defined for all VPN Gateways. When the Security Gateway encounters traffic originating from one VPN Domain with the destination to a VPN Domain of another VPN Gateway, that traffic is identified as VPN traffic and is sent through the VPN Tunnel between the two Gateways.
Correct answer: B
Explanation
Option B is the untrue statement: a VPN domain is defined as a host or network, not a service or user. Options A, C, and D are valid statements. Option A describes Route-based VPN, where traffic routed through a VTI is treated as VPN traffic, while options C and D describe how Domain-based VPN works with Security Gateways.