Check Point Certified Security Expert (CCSE) R81 — Question 180
You want to set up a VPN tunnel to an external gateway. You have to make sure that the IKE P2 SA will only be established between two subnets and not all subnets defined in the default VPN domain of your gateway.
Answer options
- A. In the SmartConsole create a dedicated VPN Community for both Gateways. On the Gateway add the following line to the $FWDIR/conf/user.def.FW1 file -> subnet_for_range_and_peer = {};
- B. In the SmartConsole create a dedicated VPN Community for both Gateways. Go to Security Policies /Access Control and create an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA. Put the name of the Community in the VPN column.
- C. In the SmartConsole create a dedicated VPN Community for both Gateways. Selecting the local gateway in the Community you can set the VPN Domain to 'User defined' and put in the local network.
- D. In the SmartConsole create a dedicated VPN Community for both Gateways. On the Management add the following line to the $FWDIR/conf/user.def.FW1 file -> subnet_for_range_and_peer = {};
Correct answer: C
Explanation
The correct answer is C because it lets you define the VPN Domain for this Community to include only the local network, so the IKE P2 SA is established only between the defined subnets. Options A and D are incorrect because they do not change the VPN Domain settings, and option B concerns access control rules rather than defining the VPN Domain.