Check Point Certified Security Expert (CCSE) R81 — Question 156

In terms of “Order of Rule Enforcement”. When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom. Which Statement is correct?

Answer options

• A. If the rule does not match in the Network policy it will continue to other enabled polices.
• B. If the Action of the matching rule is Drop, the gateway continues to check rules in the next Policy Layer down.
• C. If the Action of the matching rule is Accept, the gateway will drop the packet.
• D. If the Action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet.

Correct answer: D

Explanation

The correct answer is D because when a rule's action is set to Drop, it signifies that the packet should be discarded, and the gateway will not evaluate any further rules. Option A is incorrect as it implies continuation to other policies, which does not happen upon a Drop action. Option B incorrectly states that the gateway continues checking further layers after a Drop action, and Option C mistakenly claims that an Accept action leads to dropping the packet, which contradicts the purpose of an Accept action.