HTML
   HTML5
   CSS
   CSS3
   JavaScript
   jQuery
   AngularJS
   Articles
   Tech Articles
   Blog
Google News
logo
CCSA Interview Questions
1 .
What is CCSA?
Checkpoint Certified Security Administrator (CCSA) is the perfect certification program for entry-level network engineers to optimize their basic networking knowledge. CheckPoint CCSA certification equips candidates with an understanding of fundamental concepts and skills required to configure Check Point Security Gateway and Management Software Blades.

The CCSA certification is also a requirement for the Check Point Certified Security Expert R80 (CCSE R80), who can also execute highly available solutions and proactively analyze faults.
2 .
Why is the CCSA Certification most In-Demand?
According to the U.S. Bureau of Labor Statistics (BLS), employment opportunities are expected to augment by 12% from 2012-2022 for systems administrators and networking technicians.
 
Checkpoint Certified Security Administrator(CCSA) certification is a broadly recognized IT certification program that unites value and helps networking professionals to boost their careers.
3 .
What is Checkpoint Firewall?
CheckPoint Firewall is a leading provider of Cyber Security solutions worldwide to companies and governments. It provides the best protection against cyberattacks, including ransomware, malware, and other types of threats. The device enables multiple networks to communicate with one another in accordance with defined security policies. It is a barrier that sits between private internal networks and the public Internet. Checkpoint offers an architecture that secures all networks and clouds against any targeted attack. 
4 .
What is Next Generation Firewalls (NGFW)?
Check Point gateways provide superior security beyond any Next Generation Firewall (NGFW). Best designed for SandBlast’s Zero Day protection, these gateways are the best at preventing the fifth generation of cyber attacks with more than 60 innovative security services. Based on the Infinity Architecture, the new Quantum Security Gateway™ line up of 15 models can deliver up to 1.5 Tbps of threat prevention performance and can scale on demand.
5 .
Explain some Next-Generation Firewall (NGF) functionalities.
* Mobile device and VPN (Virtual Private Network) connectivity
* Identification and computer awareness
* Providing internet access and filtering
* Monitoring and controlling an application
* Security threats and intrusion prevention
* Security measures to prevent data loss
6 .
Explain CheckPoint Firewall Architecture.
CheckPoint has designed a Unified Security Architecture, which we implement across all its security products. Unified Security Architecture allows us to manage and monitor the CheckPoint products from one administrative console and offers a consistent level of security.

The CheckPoint Architecture has four components :
 
Core Technologies : CheckPoint utilizes a general group of core technologies like INSPECT for security inspection.

Central Management : We can manage and monitor all the CheckPoint products from a single administrative console.

Open Architecture : The security architecture of CheckPoint is open and compatible in a diverse environment. For instance, CheckPoint products are compatible with other networks and security equipment from third-party sellers to allow the collaborative implementation of security policies.

Universal-Update Ability : CheckPoint has multiple collaborative updates and security-alert functions to facilitapage.te the update procedures and helps administrators assure that security is always updated.
7 .
What is the Check Point Next Generation Security Gateway Solution?
Check Point Next Generation Security Gateway Solution

Item Description
1 SmartConsoleClosed
2 Security Management Server
3 Internet and external networks
4 Security Gateway (Security Group)
5 Internal network

These are the primary components of a Check Point Firewall solution :
 
SmartConsole : A Check Point GUI application that manages security policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment.

Security Management Server : The application that manages, stores, and distributes the security policy to Security Gateways (Security Groups).

Security Gateway (Security Group) : The engine that enforces the organization's security policy, is an entry point to the LAN, and is managed by the Security Management Server.
8 .
What are different types of Checkpoints?
The following are some types of Checkpoints :
 
Standard Checkpoint : This verifies a property value of an object in an application under test. All add-in environments support it.

Bitmap Checkpoint : It can be used to check a bitmap of an image or the entire web page. Actual and expected images are compared pixel by pixel.

Text Checkpoint : This is used to check expected text in web pages and applications. It could be a small portion of text displayed or a specific area/region of the application.

Table Checkpoint : This allows you to dynamically check the contents of cells within a table (grid) that is displayed in your environment. Various table properties, such as row height and cell width, can also be checked. 

Image Checkpoint : It is used to check the properties of a web image such as the source file location. Image Checkpoint does not check pixels as Bitmap Checkpoint does.
9 .
What is the difference between Stand-alone Deployment and Distributed Deployment?
Stand-alone deployment : As part of a stand-alone deployment, both Security Management Server and Security Gateway are installed on the same platform. In this scenario, Smart Console will be installed or deployed on a separate platform with access to the Security Management Server for creating policies and pushing them to the Security Gateway. Check Point does not recommend this deployment, except for small businesses, because it defeats the whole purpose of their three-tiered architecture.
 
Distributed deployment : Distributed deployments are most commonly known as Three-Tier architectures, where each component is installed on a separate platform, and such deployments are highly recommended by Check Point. ​The Smart Console is generally installed on Windows so that it can be used easily. Depending on the requirements, Security Management Server can be installed on Windows, Linux, or FreeBSD. 
10 .
What is the difference between Standalone and Network Deployment configuration?
 
Standalone cell
Network Deployment cell
Configuration: Set up each standalone server node through the Profile Management Tool or the zpmt command. Set up additional servers within the node through the administrative console or scripting. Set up each deployment manager node through the Profile Management Tool or the zpmt command. Add application server nodes to the Network Deployment cell through the Profile Management Tool or the zpmt command.
Address spaces: Minimum: four (location service daemon, controller, servant, control region adjunct) Minimum: seven (location service daemon, application server controller, application server servant, application server control region adjunct, deployment manager controller, deployment manager servant, node agent)
  Maximum: Limited only by resources. Maximum: Limited only by resources.
Administrative isolation: Each standalone server node is a separate administrative domain. All nodes in the cell are in the same administrative domain.
Operational isolation: You can start and stop servers independently. Each server has an independent, unshared JNDI namespace. You can start and stop servers independently. The JNDI namespace is shared among all servers in the cell.
Application servers allowed to have multiple servants? Yes Yes
Clustering available? No Yes
11 .
Define Anti-spoofing?
Anti-spoofing is an essential feature of the CheckPoint Firewall, which protects the users from the attackers who create IP packets with spoof or fake source addresses. It determines whether the traffic is legal or not.
12 .
Explain Asymmetric Encryption?
In Asymmetric encryption, we have two different keys for encrypting and decrypting the message or packet. We use one key for encrypting the message and another key for decrypting the message.
13 .
What are the Checkpoint SecureXL, ClusterXL and CoreXL?
SecureXL (Secure acceleration)  : With SecureXL, you can maximize the performance of the Firewall without compromising security. Using SecureXL on a Security Gateway, several CPU-intensive operations can be processed or handled by virtualized software rather than the firewall kernel. In this manner, the Firewall can better inspect and process connections more efficiently, as well as accelerate the throughput and connection rate.

ClusterXL (Smart load balancing) : ClusterXL involves a set (cluster) of identical Check Point Security Gateways which can be connected in a way that if one (Security Gateway) fails, another replaces it immediately. ClusterXL maintains business continuity through high availability and load sharing. ​Whenever the gateway or network goes down, the connection is seamlessly redirected to the backups, which ensures business continuity. ClusterXL distributes traffic among clusters of redundant gateways, thereby combining the processing power of multiple machines to increase overall performance or throughput.

CoreXL (Multicore acceleration) : When CoreXL is enabled on a Security Gateway, the Firewall kernel is replicated multiple times and each replica (instance) runs on a single processor core. All instances are complete firewall kernels that handle and inspect traffic concurrently, thereby enhancing security gateway performance. Each Firewall instance processes traffic through the same interfaces and applies the same gateway security policies. High security and high performance are achieved simultaneously with CoreXL.
14 .
Explain AH and ESP IPSec Protocol?
IPSec uses two distinct protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), which are defined by the IETF.

The AH protocol provides a mechanism for authentication only. AH provides data integrity, data origin authentication, and an optional replay protection service. Data integrity is ensured by using a message digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest. Replay protection is provided by using a sequence number field with the AH header. AH authenticates IP headers and their payloads, with the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live (TTL) field.
 
The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication. When ESP provides authentication functions, it uses the same algorithms as AH, but the coverage is different. AH-style authentication authenticates the entire IP packet, including the outer IP header, while the ESP authentication mechanism authenticates only the IP datagram portion of the IP packet.
15 .
What Is The Packet Flow Of Checkpoint Firewall?
Basic Packet Flow :
 
The basic overall flow of packet thought the Checkpoint firewall. Below Diagram can explain the Basic flow of Checkpoint firewall.
 
* Packet received on Ingress Interface
* Stateless Inspection
* SecureXL
* Firewall Rule Base
* NAT
* Content Inspection
* Route Lookup
* Egress Interface
Basic Packet Flow
16 .
Explain SIC?
The SIC stands for Secure Internal Communication. It is a feature of the CheckPoint firewall, which we use for making the secure connection between the CheckPoint firewall components. We use SIC when the security gateway and security management server are available in the distributed deployment. 
17 .
Differentiate between bitmap checkpoint and image checkpoint.
Bitmap checkpoint Image checkpoint
Bitmap checkpoint can be defined as the process of checking only a part of a particular image. Image checkpoint can be defined as the process of checking the whole image at a time.
Image checkpoint checks the properties of application or image as a bitmap It is used to check the properties of a Web image.
The bitmap can only be used in a defined area. Image checkpoint can only be used on the whole image and not on any definite part.
18 .
What is a standard checkpoint?
Standard checkpoints capture the state, data, and hardware configuration of a running virtual machine and are intended for use in development and test scenarios. Standard checkpoints can be useful if you need to recreate a specific state or condition of a running virtual machine so that you can troubleshoot a problem.
19 .
Explain the usage of SmartLog and SmartEvent Software Blade.
 
SmartLog : Security systems typically track or monitor all activity within a network and then generate log records that can be analyzed in real-time or viewed in bulk later. ​However, traditional log management systems can take hours to run queries and search millions of log records. SmartLog is basically a log management tool that provides organizations with the ability to centrally track all log records and security activities across all Software Blades on Security Gateways and Security Management servers, thereby providing instant visibility into billions of log records. SmartLog provides the following monitoring features:

* Find logs quickly by using simple search strings.
* Select from a variety of default search queries to find the relevant logs.
* Real-time monitoring of logs.
 
SmartEvent : SmartEvent: A unified security event management and analysis tool, SmartEvent Software Blade provides real-time graphical threat management information. Using SmartEvent, you can consolidate and display all security events generated by the following Software Blades:

* Firewall
* IPS
* Application Control
* Anti-Bot and Anti-Virus

It is possible for administrators to quickly identify critical security events and take the necessary measures to prevent future attacks
20 .
What is the difference between SPLAT and GAIA?
Due to the influx of new incoming threats and requirements for protection, companies must consolidate security to ensure an optimised security operation and maximum efficiency. Check Point GAIA is a powerful, unified operating system that delivers higher security and superior efficiency over its predecessors;  SPLAT operating system and IPSO operating system. GAIA Operating Systems support the full suite of CheckPoint Gateways, Software Blades, and Security Management products. Here are some advantages of GAIA over SPLAT/IPSO.
 
* Web-Based user interface with Search Navigation
* Support for Software Blades
* Easy and simple upgrade (full compatibility with IPSO and SecurePlatform)
* Easy to use CLI (Command Line Interface)
* High connection capacity (64-bit)
* Native IPv4 and IPv6 Support (completely integrated into the operating system)
* High availability (ClusterXL or VRRP Clusters), etc.
21 .
How do we prevent IP Spoofing?
Attackers use IP Spoofing to make the IP address of a packet seem to be from an authentication source.  IP Spoofing can evade the firewall for introducing malicious actions and content to our network.
 
Anti-Spoofing identifies whether a packet with an IP address is based on the topology or not. For Instance, if the packet from an external network contains an internal IP address, then Anti-spoofing blocks that packet.
22 .
How do we define security zones?
Networks utilize various security zones for protecting essential resources and defending against malware. Create rules which enable the relevant traffic out and in a security zone. We must ensure that we have different rules in the Firewall rule base that specify the traffic to and from the security zone.
23 .
What are different kinds of Firewalls?
Following are the different kinds of firewalls:
 
Packet Filtering Firewall : Packet Filtering Firewall identifies packets and blocks useless packets, and creates network traffic release.
 
Router-Based Firewalls : A software-based firewall exists in the Router that offers only light filtering.
 
* Computer-based Firewall : It is a firewall that we store in the server with available operating systems like Linux and windows.
* Proxy Server : Proxy Server enables all the clients to use the internet with various access limits. Through its own firewall, the proxy server filters all packets from the webserver.
* Hardware-based Firewall : It is a device that allows strong security from the public network. It is suitable for Big networks.
24 .
Differentiate Router ACLs and Firewall ACLs
Routers route the traffic, not to stop it. Firewalls are useful for accepting or rejecting traffic. But both Router ACL and Firewall ACL do the same job. According to our requirement, we configure the ACLs.
25 .
What are the types of installations for remote access solutions?
Client-based : The client application is installed on endpoint computers and devices. The client is installed on managed devices, like a company-owned computer. 
 
Clientless : Users connect through web browsers and use HTTPS connections. Clientless solutions give access to web-based corporate resources. 
 
On-demand client : Users connect through a web browser. The client is installed when required.
26 .
Functions of Granular Routing Control feature.
The granular routing control feature enables the security gateway to: 
 
* Find the best possible route for VPN traffic. 
 
* Configure IP address used for VPN traffic 
 
* Use route probing to choose available VPN tunnels 
 
* Use load sharing for link selection to equally distribute VPN traffic to VPN tunnels. 
27 .
What are the different SIC management ports?
The different checkpoint SIC management ports are : 

PORT TYPE SERVICE DESCRIPTION

18209

tcp 

NGX Gateways <> ICAs (status, issue, or revoke)

18210

tcp 

Pulls Certificates from ICA.

18211

Tcp

Used by cpd daemon (on the gateway) to receive certificates.
28 .
How do you manage the Firewall Rule Base?
With SmartDashboard, it's easy to create and configure Firewall rules that ensure a strong security policy. Listed below are some fields used to manage rules for Firewall security policy : 

Field Description
No. 'No.' Refers to the rule number and indicates how important it is. A rule with a higher criticality is assigned a higher place in the Rule Base.
Hits The number of connections for each rule match.
Source Network object that initiates the communication.
Destination Network object which completes the communication.
Action Firewall action is taken when traffic matches a rule.
29 .
Explain the Stealth rule and Cleanup rule in Checkpoint firewall.
There are a few standard rules CheckPoint recommends you include in your rule base for both security and management reasons. They are as follows :
 
Stealth Rule : Stealth is the first recommended rule to include in your rule base. Using this rule, we can prevent direct access to the Security Gateway, thereby providing protection against attacks. Normally, the stealth rule should be placed near the top of the rule base, with only rules that allow or require access to the firewall above it.

Cleanup Rule : Cleanup rules are placed at the end of the security Rulebase. Furthermore, Check Point suggests adding a cleanup rule, which drops and logs every packet that isn't matched by other rules. Logging dropped packets is extremely useful for security and troubleshooting.
30 .
What kind of connections are allowed by a firewall on the perimeter?
These are some of the connections that are usually allowed by a Firewall on the perimeter :
 
1. Outgoing connections to the Internet
 
2. Connections to the DNS server
 
3. Specified external connections
 
4. Connections to servers in the DMZ
 
5. Connections from the internal network to the internal network
 
6. VPN connections
31 .
What are the features of DLP?
The features of the Data Loss Prevention software blade are : 
 
* UserCheck 
 
* MultiSpect 
 
* Out of the Box Security 
 
* Data Owner Auditing and 
 
* CPcode 
32 .
Explain Checkpoint DLP (Data Loss Prevention).
Data loss prevention (DLP) is a cybersecurity methodology that combines technology and best practices in order to help prevent sensitive data from being divulged (disclosed) outside of an organization. In particular, the data may include regulated information such as PII (Personally Identifiable Information) or compliance data such as HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), SOX (Sarbanes-Oxley Act), etc.
 
Your business is protected against unintentional loss of sensitive and valuable information by Check Point DLP. With DLP, businesses can monitor data movement and empower employees to work confidently while staying compliant with industry regulations.
33 .
In what way are Cpstop/cpstart and Fwstop/fwstart different?
Cpstart : Starts all CheckPoint applications and processes running on a machine.

Cpstop : Stops all CheckPoint applications and processes manually.

Fwstart : Start VPN-1/FireWall-1.

Fwstop : Stop VPN-1/FireWall-1.
34 .
Explain Stateful Inception?
Stateful Inception is also called Dynamic Packet Filtering. It is a firewall technology that controls the condition of the active connection. Stateful inception has replaced static packet filtering. In the static packet filtering, we only check the packet headers indicating that an attacker can get the information through the firewall by indicating “replay” in the header.
 
On the other hand, stateful inception analyzes the packets down to the application layer. Recording the session information like IP addresses, port numbers, a dynamic packet filter implements a security posture that a static packet filter can.
35 .
Explain Circuit Level Gateway?
A circuit-level gateway firewall helps in providing the security between UDP and TCP using the connection. It also acts as a handshaking device between trusted clients or servers to untrusted hosts and vice versa.

Circuit Level Gateway

Generally, these circuit-level gateways work at the session layer of the OSI model. To determine whether the session request is confirmed or not by the circuit-level gateway is with the help of handshaking between packets.
 
The information that passes to a remote computer with the help of a circuit-level gateway appears as it is initiated from the gateway. This is everything because of information hiding in protected networks. Circuit Level gateways are not expensive.
 
For defining a valid session in Circuit Level Gateway the component used are :
 
* The Destination addresses, Source addresses, and Ports.
* The time of delay.
* The protocol is being utilized.
* The user and the password.
36 .
What are the Circuit Level Gateway Features?
* It consists of security functions that determine which connections have to be allowed.
* It works at the session layer of the OSI model or in between the application and transport layer of TCP/IP.
* It hides the information about the private network they protect.
* It is a stand-alone system.
* An example of Circuit level gateway is SOCKS packages
37 .
Explain some Advantage and Disadvantage of Circuit-Level Proxy Firewall.
Advantage :
* A circuit-level gateway acts as a proxy for hiding the internal host from the serving host.
* It avoids the filtering of individual packets.
* These gateways are inexpensive.
* Address schemes can easily develop.
* Simple to implement.
* Every application does not require a separate proxy server.

Circuit-Level Proxy Firewall

Disadvantage :
* Circuit-level Gateway does not filter the individual packets
* Frequent updates are required
* Within the firewall, it does not offer protection against data leakage from devices.
* For using Circuit level gateways the TCP/IP stacks are mandatory to be modified by the vendor.
38 .
Explain the Demilitarized zone concept?
The demilitarized zone concept was lent from the military terminology. A demilitarized zone is an area that runs between two territories that are aggressive to one another or two contrary forces battle lines. A demilitarized zone provides the buffer zone, which separates the internal network from the hostile territory of the internet. Sometimes it is known as the “Perimeter network.”
39 .
Differentiate Automatic NAT and Manual NAT?
Automatic NAT Manual NAT
1. Firewalls automatically create the Automatic NAT. 1. Network Security Administrator manually creates the Manual NAT. 
2. We cannot modify the Automatic NAT. 2. We can modify the Manual NAT.
3. We cannot create Dual NAT. 3. We can create Dual NAT.
4. In Automatic NAT, port forwarding is not possible. 4. In Manual NAT, we can do part forwarding.
40 .
What do you mean by Source NAT, Hide NAT, and Destination NAT?
Security Gateways can use the following types of NAT (Network Address Translation) to translate IP addresses :
 
Source NAT : It initiates traffic from an internal network to an external network. When a source NAT is used, only the source IP address is translated into the public address.

Hide NAT : It is used to translate multiple private IP addresses into a single public IP address. In other words, many to one translations. This can only be used for source NAT translation, not destination NAT.

Destination NAT : When connecting from a public IP address to a private IP address, Destination NAT is used to translate the IP address of the destination. In this, only static NAT is used.
41 .
Explain the functions of CPD, FWM, and FWD processes.
FWM (Firewall Management) : It runs only on the SMS (Security Management Server) and is responsible for handling SmartConsole GUI connections, policy verification, and Management High Availability (HA) synchronization.

FWD (Firewall Daemon) : It runs on both SMS and Security Gateway devices. Mostly, it is responsible for routing logs from Security Gateways to SMS, but it also acts as a parent process (on security gateways) for many security server processes that are performing advanced inspections outside of the kernel.

CPD (Check Point Daemon) : It runs on both SMS and Security Gateway devices. It is responsible for handling generic functions like SmartView Monitor, SIC/certificates, licensing, and fetching/pushing policy between the SMS and Security Gateway.
42 .
Explain Some Security Zones
With Security Zones, you can create a powerful Access Control Policy that controls the flow of traffic between different parts of a network. Different security zones are used by networks to protect resources and to combat malware on networks. Set up rules so that only appropriate traffic can enter and leave a security zone. Listed below are the predefined Security Zones, along with their intended purpose:
 
WirelessZone : The network that is accessible via wireless connections by users and applications.

ExternalZone : Unsecured networks, such as the Internet and external networks.

DMZZone : Demilitarized zones (DMZ) are sometimes called perimeter networks. It contains servers accessible from insecure sources, such as the Internet or external sources.

InternalZone : Company networks containing sensitive data that needs to be protected and accessed only by authenticated users.
43 .
Explain IKE and IPSec.
For managing encryption keys and sending encrypted packets, CheckPoint VPNs (Virtual Private Networks) utilize two secure VPN protocols as follows :
 
IKE (Internet Key Exchange) : It is a standard key management protocol that establishes a secure, authenticated communication channel between two devices. Using IKE, a secure VPN communication channel between VPN peers is established over the Internet. 

IPSec : As part of "IPsec," "IP" stands for "Internet Protocol" and "sec" stands for "secure". ​IPsec provides secure encrypted communication between two computers over an IP network by authenticating and encrypting data packets. It is commonly used in virtual private networks (VPNs).
44 .
Explain Bastion Host?
A bastion host is a dedicated system that we intentionally expose on a public network. From a secured network point-of-view, it is the only node that we expose to the outside world, and thus, it is very vulnerable to attack. We place it outside the firewall in one firewall system, or if the system has two firewalls, we place it between two firewalls.
 
Bastion Host filters and processes the incoming traffic and averts the vicious traffic from entering the network, serving as a gateway. General examples for bastion host are domain name system, mail.
45 .
What is Application Level Gateway?
Application-level gateway is a feature of ScreenOS gateways that allows the gateway for parsing the application-layer payloads. Even though we have other ScreenOS features like deep inspection, in which gateway checks traffic at the application layer.
 
We use application-level gateways for supporting the applications, which use the application layer payload for interacting with the dynamic Transmission Control Protocol(TCP) or the User Datagram Protocol(UDP) on which applications open data connections. The dynamic UDP, TCP, or the other ports which we open through the ScreenOS gateway for allowing the secondary or data channels. 
46 .
How Virtual Corporations manage confidentiality?
By using encryption, virtual corporations manage confidentiality.
47 .
Which environments are supported by the Test CheckPoint?
Test Checkpoint supports all the add-in environments.
48 .
Will IPSEC make firewalls Updated
IPSEC(IP Security) applies to a group of standards that the Internet Engineering Task Force(IETF) develops. We have various documents that mutually specify what is “IPSEC.” IPSEC resolves two problems that plague the IP protocol group for a long time.
49 .
Explain SIC working and different ports of SIC?
Secure Internal Communication(SIC) enables CheckPoint platforms and products to validate with each other. The SIC process produces a trusted status between management servers, gateways, and CheckPoint components. SIC installs the policies on the gateways for sending the logs between management servers and gateways. 
 
The security measures of SIC assure the safety of :
* Authentication Certificates
* Triple DES for Encryption
* Standards-based SSL for secure channel creation.

ICA(Internal Certificate Authority) : We create the ICA(Internal Certificate Authority) during the Security Management Server Installation process. ICA issues the certificates for Authentication. For instance, ICA issues certificates like SIC certificates for authentication reasons to VPN certificates and administrators to gateways and users.
 
Starting the Trust Establishment Process : Communication initialization creates trust between the checkpoint gateways and the security management server. This trust allows CheckPoint components to interact securely. We can establish trust when the servers and gateways have SIC certificates.
50 .
Explain Least Privilege?
Designing functional elements of the system will work with the least volume of system privilege. This decreases the authentication degree at which we perform different actions and reduces the probability that a user or a process with maximum privileges may perform unauthorized actions that lead to security breaches.

Sources : Cisco, and more..