Number: 156-315.77
Passing Score: 800
Time Limit: 120 min
File Version: 13.2
156-315.77
Check Point Certified Security Expert
Thanks for uploading this, Passed 156-315.77 today and is still valid!!!
Guys!!! By studying this, it is very easy to pass the exam and get certification. You must get it :)
You can find Excellent Achievement by using this.
Now many Questions differ from the previously posted vce exam, it's most reliable and authentic.
Enjoy the real success with nicely written Questions with many corrections inside.
Ensure these dumps bring the highest score in exams. It's an up-to-date version.
Sections
1. Volume A
2. Volume B
3. Volume C
Exam A
QUESTION 1
Which process should you debug if SmartDashboard login fails?
A. sdm
B. cpd
C. fwd
D. fwm
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 2
Paul has just joined the MegaCorp security administration team. Natalie, the administrator, creates a new
administrator account for Paul in SmartDashboard and installs the policy. When Paul tries to login it fails. How
can Natalie verify whether Paul's IP address is predefined on the security management server?
A. Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul's IP address is listed.
B. Type cpconfig on the Management Server and select the option "GUI client List" to see if Paul's IP address
is listed.
C. Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether
Paul's IP address is listed.
D. Access the WEBUI on the Security Gateway, and verify whether Paul's IP address is listed as a GUI client.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 3
MultiCorp has bought company OmniCorp and now has two active AD domains. How would you deploy Identity
Awareness in this environment?
A.
B.
C.
D.
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 4
Which of the following is the preferred method for adding static routes in GAiA?
A. In the CLI with the command "route add"
vpn crladmin
cpstop/cpstart
vpn crl_zap
vpn flush
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 6
Which of the following is NOT an advantage of SmartLog?
A. SmartLog has a "Top Results" pane showing things like top sources, rules, and users.
B. SmartLog displays query results across multiple log files, reducing the need to open previous files to view
results.
C. SmartLog requires less disk space by consolidating log entries into fewer records.
D. SmartLog creates an index of log entries, increasing query speed.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 7
How could you compare the Fingerprint shown to the Fingerprint on the server? Run cpconfig and select:
Exhibit:
A.
B.
C.
D.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 8
Control connections between the Security Management Server and the Gateway are not encrypted by the VPN
Community. How are these connections secured?
A.
B.
C.
D.
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 9
If Bob wanted to create a Management High Availability configuration, what is the minimum number of Security
Management servers required in order to achieve his goal?
A. Two
B. One
C. Four
D. Three
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 10
David wants to manage hundreds of gateways using a central management tool. What tool would David use to
accomplish his goal?
A. SmartDashboard
B. SmartBlade
C. SmartLSM
D. SmartProvisioning
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 11
Exhibit:
From the following output of cphaprob state, which ClusterXL mode is this?
A. Unicast mode
B. Multicast mode
C. New mode
D. Legacy mode
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 12
Which of the following is NOT a feature of ClusterXL?
A. Transparent upgrades
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 14
You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of 40, and the Default
Rule with a weight of 10. If the only traffic passing through your QoS Module is HTTP traffic, what percent of
bandwidth will be allocated to the HTTP traffic?
A. 80%
B. 50%
C. 40%
D. 100%
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 15
You have pushed a policy to your firewall and you are not able to access the firewall. What command will allow
you to remove the current policy from the machine?
A. fw purge active
B. fw purge policy
C. fw fetch policy
D. fw unloadlocal
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 16
How do you verify the Check Point kernel running on a firewall?
A. fw ver -k
B. fw ctl pstat
C. fw ctl get kernel
D. fw kernel
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 17
What process is responsible for transferring the policy file from SmartCenter to the Gateway?
A. CPD
B. FWM
C. CPRID
D. FWD
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 18
What firewall kernel table stores information about port allocations for Hide NAT connections?
A. NAT_dst_any_list
B. NAT_alloc
C. NAT_src_any_list
D. fwx_alloc
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
Answer is modified
QUESTION 19
Where do you define NAT properties so that NAT is performed either client side or server side? In
SmartDashboard under:
A. Gateway Setting
B. NAT Rules
CPD
FWSYNC
CPLMD
FWM
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 21
_________ is the process that starts when opening the SmartView Tracker application.
A. FWM
B. CPLMD
C. logtrackerd
D. fwlogd
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 22
Anytime a client initiates a connection to a server, the firewall kernel signals the FWD process using a trap.
FWD spawns the ________ child service, which runs the security server.
A. FWSD
B. FWD
C. In.httpd
D. FWSSD
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 23
Security server configuration settings are stored in _______________ .
A. $FWDIR/conf/fwauthd.conf
B. $FWDIR/conf/AMT.conf
C. $FWDIR/conf/fwopsec.conf
D. $FWDIR/conf/Fwauth.c
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 24
You need to back up the routing, interface, and DNS configuration information from your R77 GAiA Security
Gateway. Which backup-and-restore solution do you use?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 25
Which of the following methods will provide the most complete backup of an R77 configuration?
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 26
When restoring R77 using the command upgrade_import, which of the following items are NOT restored?
A. Route tables
B. Gateway topology
C. Licenses
D. User db
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 27
When upgrading a cluster in Full Connectivity Mode, the first thing you must do is see if all cluster members
have the same products installed. Which command should you run?
A. fw fcu
B. cpconfig
C. cphaprob fcustat
D. fw ctl conn a
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 28
A Minimal Effort Upgrade of a cluster:
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 29
A Zero Downtime Upgrade of a cluster:
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 30
A Full Connectivity Upgrade of a cluster:
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 31
How does Check Point recommend that you secure the sync interface between gateways?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 32
How would you set the debug buffer size to 1024?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 33
Steve is troubleshooting a connection problem with an internal application. If he knows the source IP address is
192.168.4.125, how could he filter this traffic?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 34
Check Point support has asked Tony for a firewall capture of accepted packets. What would be the correct
syntax to create a capture file to a filename called monitor.out?
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 35
What is NOT a valid LDAP use in Check Point SmartDirectory?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 36
There are several SmartDirectory (LDAP) features that can be applied to further enhance SmartDirectory
(LDAP) functionality, which of the following is NOT one of those features?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 37
Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.
A. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
B. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit,
UserAuthority server
RADIUS server
Account Management Client server
LDAP server
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 39
Your users are defined in a Windows 2008 Active Directory server. You must add LDAP users to a Client
Authentication rule. Which kind of user group do you need in the Client Authentication rule in R77?
A. LDAP group
B. All Users
C. External-user group
D. A group with a generic user
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 40
Which of the following commands do you run on the AD server to identify the DN name before configuring
LDAP integration with the Security Gateway?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 41
In SmartDirectory, what is each LDAP server called?
A. Account Server
B. LDAP Unit
C. Account Unit
D. LDAP Server
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 42
When defining SmartDirectory for High Availability (HA), which of the following should you do?
A. Configure Secure Internal Communications with each server and fetch branches from each.
B. Replicate the same information on multiple Active Directory servers.
C. Configure a SmartDirectory Cluster object.
D. Configure the SmartDirectory as a single object using the LDAP cluster IP. Actual HA functionality is
configured on the servers.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 43
The set of rules that governs the types of objects in the directory and their associated attributes is called the:
A. Schema
B. SmartDatabase
C. Access Control List
D. LDAP Policy
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 44
When using SmartDashboard to manage existing users in SmartDirectory, when are the changes applied?
A. At database synchronization
B. Instantaneously
C. Never, you cannot manage users through SmartDashboard
D. At policy installation
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 45
Where multiple SmartDirectory servers exist in an organization, a query from one of the clients for user
information is made to the servers based on a priority. By what category can this priority be defined?
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 46
Each entry in SmartDirectory has a unique _______________ ?
A. Container
B. Distinguished Name
C. Organizational Unit
D. Schema
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 47
With the User Directory Software Blade, you can create R77 user definitions on a(n) _________ Server.
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 48
Which describes the function of the account unit?
A. An Account Unit is the Check Point account that SmartDirectory uses to access an (LDAP) server
B. An Account Unit is a system account on the Check Point gateway that SmartDirectory uses to access an
(LDAP) server
C. An Account Unit is the administration account on the LDAP server that SmartDirectory uses to access to
(LDAP) server
D. An Account Unit is the interface which allows interaction between the Security Management server and
Security Gateways, and the SmartDirectory (LDAP) server.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 49
Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO). Which of
the following is NOT a recommended use for this method?
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
100% Valid answer.
QUESTION 50
Which of the following access options would you NOT use when configuring Captive Portal?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 51
Where do you verify that SmartDirectory is enabled?
A. Global properties > Authentication> Use SmartDirectory(LDAP) for Security Gateways is checked
B. Gateway properties > Smart Directory (LDAP) > Use SmartDirectory(LDAP) for Security Gateways is
checked
C. Gateway properties > Authentication> Use SmartDirectory(LDAP) for Security Gateways is checked
D. Global properties > Smart Directory (LDAP) > Use SmartDirectory(LDAP) for Security Gateways is checked
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 52
Remote clients are using IPSec VPN to authenticate via LDAP server to connect to the organization. Which
gateway process is responsible for the authentication?
A. fwm
B. fwd
C. vpnd
D. cvpnd
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 53
Remote clients are using SSL VPN to authenticate via LDAP server to connect to the organization. Which
gateway process is responsible for the authentication?
A. vpnd
B. cvpnd
C. fwm
D. fwd
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 54
Which of the following is NOT a LDAP server option in SmartDirectory?
A. Standard_DS
B. Novell_DS
C. Netscape_DS
D. OPSEC_DS
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 55
An Account Unit is the interface between the __________ and the __________.
A. System, Database
B. Clients, Server
C. Users, Domain
D. Gateway, Resources
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 56
Which of the following is a valid Active Directory designation for user John Doe in the Sales department of
AcmeCorp.com?
A. Cn=john_doe,ca=Sales,ou=acmecorp,dc=com
B. Cn=john_doe,ou=Sales,ou=acmecorp,dc=com
C. Cn=john_doe,ou=Sales,dc=acmecorp,dc=com
D. Cn=john_doe,ca=Sales,dc=acmecorp,dc=com
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 57
Which of the following is a valid Active Directory designation for user Jane Doe in the MIS department of
AcmeCorp.com?
A. Cn=jane_doe,ou=MIS,dc=acmecorp,dc=com
B. Cn= jane_doe,ou=MIS,cn=acmecorp,dc=com
C. Cn= jane_doe,ca=MIS,dc=acmecorp,dc=com
D. Cn= jane_doe,ca=MIS,cn=acmecorp,dc=com
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 58
You can NOT use SmartDashboard's SmartDirectory features to connect to the LDAP server.
What should you investigate?
1. Verify you have read-only permissions as administrator for the operating system.
2. Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP
server.
3. Check that the login Distinguished Name configured has at least write permission in the access control
configuration of the LDAP server.
A. 2 and 3
B. 1, 2, and 3
C. 1 and 2
D. 1 and 3
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 59
If you are experiencing LDAP issues, which of the following should you check?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 60
How are cached usernames and passwords cleared from the memory of a Security Gateway?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Super valid.
QUESTION 61
When an Endpoint user is able to authenticate but receives a message from the client that it is unable to
enforce the desktop policy, what is the most likely scenario?
A. The gateway could not locate the user in SmartDirectory and is allowing the connection with limitations
based on a generic profile.
B. The user's rights prevent access to the protected network.
C. A Desktop Policy is not configured.
D. The user is attempting to connect with the wrong Endpoint client.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 62
When using a template to define a user in SmartDirectory, the user's password should be defined in the
______________ object.
A. VPN Community
B. LDAP
C. Template
D. User
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Reliable answer.
QUESTION 63
When configuring an LDAP Group object, select the option ____________ if you want the gateway to reference
all groups defined on the LDAP server for authentication purposes.
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 64
When configuring an LDAP Group object, select option _______________ if you want the gateway to reference
a specific group defined on the LDAP server for authentication purposes.
A. Group Agnostic
B. All Account-Unit's Users
C. Only Sub Tree
D. Only Group in Branch
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 65
fwm
vpnd
cpd
cvpnd
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 66
The process __________ is responsible for the authentication for Remote Access clients.
A. fwm
B. vpnd
C. cvpnd
D. cpd
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 67
__________ is a proprietary Check Point protocol. It is the basis for Check Point ClusterXL inter-module
communication.
A. CPP
B. CPHA
C. CKPP
D. CCP
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 68
In ClusterXL, _______ is defined by default as a critical device.
A. fw.d
B. vpnd
C. Filter
D. cpd
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 69
When synchronizing clusters, which of the following statements is NOT true?
A. Client Authentication or Session Authentication connections through a cluster member will be lost if the
cluster member fails.
B. In the case of a failover, accounting information on the failed member may be lost despite properly working
synchronization.
C. Only cluster members running on the same OS platform can be synchronized.
D. The state of connections using resources is maintained by a Security Server, so these connections cannot
be synchronized.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 70
When synchronizing clusters, which of the following statements is NOT true?
A. In the case of a failover, accounting information on the failed member may be lost despite a properly
working synchronization.
B. An SMTP resource connection using CVP will be maintained by the cluster.
C. User Authentication connections will be lost by the cluster.
D. Only cluster members running on the same OS platform can be synchronized.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 71
When a failed cluster member recovers, which of the following actions is NOT taken by the recovering
member?
A. It will not check for any updated policy and load the last installed policy with a warning message indicating
that the Security Policy needs to be installed from the Security Management Server.
B. It will try to take the policy from one of the other cluster members.
C. It compares its local policy to the one on the Security Management Server.
D. If the Security Management Server has a newer policy, it will be retrieved, else the local policy will be
loaded.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 72
Organizations are sometimes faced with the need to locate cluster members in different geographic locations
that are distant from each other. A typical example is replicated data centers whose location is widely separated
for disaster recovery purposes. What are the restrictions of this solution?
A. There are two restrictions: 1. The synchronization network must guarantee no more than 100ms latency and
no more than 5% packet loss. 2. The synchronization network may only include switches and hubs.
B. There is one restriction: The synchronization network must guarantee no more than 150 ms latency (ITU
Standard G.114).
C. There is one restriction: The synchronization network must guarantee no more than 100 ms latency.
D. There are no restrictions.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 73
You are the MegaCorp Security Administrator. This company uses a firewall cluster, consisting of two cluster
members. The cluster generally works well but one day you find that the cluster is behaving strangely. You
assume that there is a connectivity problem with the cluster synchronization link (cross-over cable). Which of
the following commands is the BEST for testing the connectivity of the crossover cable?
A. ifconfig -a
B. arping <IP address of the synchronization interface on the other cluster member>
C. telnet <IP address of the synchronization interface on the other cluster member>
D. ping <IP address of the synchronization interface on the other cluster member>
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 74
You have a High Availability ClusterXL configuration. Machines are not synchronized. What happens to
connections on failover?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 75
When using ClusterXL in Load Sharing, what is the default sharing method based on?
A. IPs
B. IPs, SPIs
C. IPs, Ports
D. IPs, Ports, SPIs
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 76
If ClusterXL Load Sharing is enabled with state synchronization enabled, what will happen if one member goes
down?
A. The processing of all connections handled by the faulty machine is immediately taken over by the other
member(s).
B. The processing of all connections handled by the faulty machine is dropped, so all connections need to be
re-established through the other machine(s).
C. There is no state synchronization on Load Sharing, only on High Availability.
D. The connections are dropped as Load Sharing does not support High Availability.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 77
What is a Sticky Connection?
A. A Sticky Connection is one in which a reply packet returns through the same gateway as the original packet.
B. A Sticky Connection is a connection that remains the same.
C. A Sticky Connection is a VPN connection that remains up until you manually bring it down.
D. A Sticky Connection is a connection that always chooses the same gateway to set up the initial connection.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 78
Review the R77 configuration. Is it correct for Management High Availability? Exhibit:
A. No, the Security Management Servers must reside on the same network.
B. No, the Security Management Servers do not have the same number of NICs.
C. No, the Security Management Servers must be installed on the same operating system.
D. No, a R77 Security Management Server cannot run on Red Hat Linux 9.0.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 79
Check Point New Mode HA is a(n) _________ solution.
A. primary-domain
B. hot-standby
C. acceleration
D. load-balancing
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 80
What is the behavior of ClusterXL in a High Availability environment?
A. The active member responds to the virtual address and is the only member that passes traffic.
B. Both members respond to the virtual address and both members pass traffic.
C. Both members respond to the virtual address but only the active member is able to pass traffic.
D. The active member responds to the virtual address and, using sync network forwarding, both members
pass traffic.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 81
Review the cphaprob state command output from one New Mode High Availability ClusterXL member.
Which member will be active after member 192.168.1.2 fails over and is rebooted?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 82
Review the cphaprob state command output from a New Mode High Availability cluster member.
Which machine has the highest priority?
Exhibit:
A. This output does not indicate which machine has the highest priority.
B. 192.168.1.1, because it is <local>
C. 192.168.1.2, because its state is active
0.5 second.
1 second.
5 seconds.
0.1 second.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 84
You have just upgraded your Load Sharing gateway cluster (both members) from NGX R65 to R77. cphaprob
stat shows:
Cluster Mode: New High Availability (Active Up)
Member Unique Address Assigned Load State
1 (local) 172.16.185.21 100% Active
2 172.16.185.22 0% Ready
Which of the following is NOT a possible cause of this?
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 85
In Management High Availability, what is an Active SMS?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 86
For Management High Availability, if an Active SMS goes down, does the Standby SMS automatically take
over?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 87
For Management High Availability synchronization, what does the Advance status mean?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 88
Which of the following would be a result of having more than one active Security Management Server in a
Management High Availability (HA) configuration?
A. An error notification will popup during SmartDashboard login if the two machines can communicate
indicating Collision status.
B. The need to manually synchronize the secondary Security Management Server with the Primary Security
Management Server is eliminated.
C. Allows for faster seamless failover: from active-to-active instead of standby-to-active.
D. Creates a High Availability implementation between the Gateways installed on the Security Management
Servers.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 89
When Load Sharing Multicast mode is defined in a ClusterXL cluster object, how are packets being handled by
cluster members?
A. Only one member at a time is active. The active cluster member processes all packets.
B. All members receive all packets. All members run an algorithm which determines which member processes
packets further and which members delete the packet from memory.
C. The pivot machine will handle it.
D. All cluster members process all packets and members synchronize with each other.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 90
Which of the following does NOT happen when using Pivot Mode in ClusterXL?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 91
When distributing IPSec packets to gateways in a Load Sharing Multicast mode cluster, which valid Load
Sharing method will consider VPN information?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 92
By default, the Cluster Control Protocol (CCP) uses this to send delta sync messages to other cluster
members.
A. Multicast
B. Unicast
C. Anycast
D. Broadcast
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 93
Exhibit:
HA (New mode).
3rd party cluster
Load Sharing (multicast mode)
Load Sharing Unicast (Pivot) mode
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 94
Exhibit:
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 95
Which load-balancing method below is NOT valid?
A. Domain
B. They are all valid
C. Round Trip
D. Random
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 96
Which method of load balancing describes "Round Robin"?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 97
State Synchronization is enabled on both members in a cluster, and the Security Policy is successfully installed.
No protocols or services have been unselected for selective sync.
Review the fw tab -t connections -s output from both members. Is State Synchronization working properly
between the two members?
A. Members A and B are synchronized, because ID for both members is identical in the connections table.
B. Members A and B are not synchronized, because #VALS in the connections table are not close.
C. Members A and B are synchronized, because #SLINKS are identical in the connections table.
D. Members A and B are not synchronized, because #PEAK for both members is not close in the connections
table.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 98
You want to upgrade a cluster with two members to R77. The Security Management Server and both members
are version NGX R65, with the latest Hotfix Accumulator. What is the correct upgrade procedure?
1. Change the version in the General Properties of the Gateway-cluster object.
2. Upgrade the Security Management Server, and reboot.
3. Run cpstop on one member, while leaving the other member running. Upgrade one member at a time and
reboot after upgrade.
4. Install the Security Policy.
A. 3, 2, 1, 4
B. 2, 4, 3, 1
C. 2, 3, 1, 4
D. 1, 3, 2, 4
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 99
Included in the client's network are some switches, which rely on IGMP snooping. You must find a solution to
work with these switches. Which of the following answers does NOT lead to a successful solution?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
Accurate Answer.
QUESTION 100
The customer wishes to install a cluster. In his network, there is a switch which is incapable of forwarding
multicast. Is it possible to install a cluster in this situation?
A. No, the customer needs to replace the switch with a new switch, which supports multicast forwarding.
B. Yes, you can toggle on ClusterXL between broadcast and multicast using the command cphaconf set_ccp
broadcast/multicast.
C. Yes, the ClusterXL changes automatically to the broadcast mode if the multicast is not forwarded.
D. Yes, you can toggle on ClusterXL between broadcast and multicast by setting the multicast mode using the
command cphaconf set_ccp multicast onoff. The default setting is broadcast.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Still valid.
QUESTION 101
What could be a reason why synchronization between primary and secondary Security Management Servers
does not occur?
A. If the set of installed products differ from each other, the Security Management Servers do not synchronize
the database to each other.
B. You have installed both Security Management Servers on different server systems (e. g. one machine on
HP hardware and the other one on DELL).
C. You are using different time zones.
D. You did not activate synchronization within Global Properties.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 102
What is the proper command for importing users into the R77 User Database?
A. fwm importusrs
B. fwm dbimport
C. fwm import
D. fwm importdb
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 103
You are establishing a ClusterXL environment, with the following topology:
VIP internal cluster IP = 172.16.10.3; VIP external cluster IP = 192.168.10.3
Cluster Member 1: 4 NICs, 3 enabled: hme0: 192.168.10.1/24, hme1: 10.10.10.1/24, qfe2: 172.16.10.1/24
Cluster Member 2: 5 NICs, 3 enabled; hme3: 192.168.10.2/24, hme1: 10.10.10.2/24, hme2: 172.16.10.2/24
External interfaces 192.168.10.1 and 192.168.10.2 connect to a VLAN switch. The upstream router connects to
the same VLAN switch. Internal interfaces 172.16.10.1 and 172.16.10.2 connect to a hub. 10.10.10.0 is the
synchronization network. The Security Management Server is located on the internal network with IP
172.16.10.3. What is the problem with this configuration?
A. The Cluster interface names must be identical across all cluster members.
B. Cluster members cannot use the VLAN switch. They must use hubs.
C. The Security Management Server must be in the dedicated synchronization network, not the internal
network.
D. There is an IP address conflict.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 104
What is the reason for the following error?
Exhibit:
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 105
In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 106
What configuration change must you make to change an existing ClusterXL cluster object from Multicast to
Unicast mode?
A. Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.
B. Change the cluster mode to Unicast on each of the cluster-member objects.
C. Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot mode in cpconfig.
D. Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 107
In a R77 ClusterXL Load Sharing configuration, which type of ARP related problem can force the use of Unicast
Mode (Pivot) configuration due to incompatibility on some adjacent routers and switches?
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 108
How do new connections get established through a Security Gateway with SecureXL enabled?
A. New connections are always inspected by the firewall and if they are accepted, the subsequent packets of
the same connection will be passed through SecureXL
B. New connection packets never reach the SecureXL module.
C. The new connection will be first inspected by SecureXL and if it does not match the drop table of SecureXL,
then it will be passed to the firewall module for a rule match.
D. If the connection matches a connection or drop template in SecureXL, it will either be established or
dropped without performing a rule match, else it will be passed to the firewall module for a rule match.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 109
Your customer asks you about the Performance Pack. You explain to him that a Performance Pack is a
software acceleration product which improves the performance of the Security Gateway. You may enable or
disable this acceleration by either:
1) the command: cpconfig
To test if connection templates are enabled, use the command fwacel templates.
D. To enhance connection-establishment acceleration, a mechanism attempts to "group together" all
connections that match a particular service and whose sole discriminating element is the destination port.
To test if connection templates are enabled, use the command fw ctl templates.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 111
The CoreXL SND (Secure Network Distributor) is responsible for:
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 112
Which of the following services will cause SecureXL templates to be disabled?
A. HTTPS
B. LDAP
C. FTP
D. TELNET
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 113
How do you enable SecureXL (command line) on GAiA?
A. fwaccel on
B. fw securexl on
C. fw accel on
D. fwsecurexl on
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 114
The following graphic illustrates which command being issued on GAiA? Exhibit:
A. fwsecurexl stats
B. fwaccel stats
C. fw securexl stats
D. fw accel stats
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 115
Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 116
Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?
A. VTIs can use an already existing physical-interface IP address
1, 2, and 4
2 and 3
1, 2, 3 and 4
1, 3, and 4
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 118
How do you verify a VPN Tunnel Interface (VTI) is configured properly?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 119
What is used to validate a digital certificate?
A. IPsec
B. CRL
C. PKCS
D. S/MIME
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 120
Which statement defines Public Key Infrastructure? Security is provided:
A. by authentication.
B. via both private and public keys, without the use of digital Certificates.
C. by Certificate Authorities, digital certificates, and public key encryption.
D. by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 121
You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner.
Which of the following activities should you do first?
A. Exchange exported CA keys and use them to create a new server object to represent your partner's
Certificate Authority (CA).
B. Create a new logical-server object to represent your partner's CA.
C. Manually import your partner's Access Control List.
D. Manually import your partner's Certificate Revocation List.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 122
You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security
Gateway bound for all site-to-site VPN Communities, including Remote Access Communities. How should you
configure the VPN match rule?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 123
Review the following list of actions that Security Gateway R75 can take when it controls packets. The Policy
Package has been configured for Simplified Mode VPN. Select the response below that includes the available
actions:
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 124
Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism
Security Gateway R77 uses to guarantee the authenticity and integrity of messages. Which technology should
you explain to the executives?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 125
There are times when you want to use Link Selection to manage high-traffic VPN connections.
With Link Selection you can:
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 126
There are times when you want to use Link Selection to manage high-traffic VPN connections.
With Link Selection you can:
A. Assign links to use Dynamic DNS.
B. Use Load Sharing to distribute VPN traffic.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 128
There are times when you want to use Link Selection to manage high-traffic VPN connections.
With Link Selection you can:
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 129
What type of object may be explicitly defined as a MEP VPN?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 130
MEP VPNs use the Proprietary Probing Protocol to send special UDP RDP packets to port ____ to discover if
an IP is accessible.
A. 259
B. 256
C. 264
D. 201
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 131
Which of the following statements is TRUE concerning MEP VPNs?
A. The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first
connection fail.
B. MEP VPNs are not restricted to the location of the gateways.
C. MEP Security Gateways cannot be managed by separate Management Servers.
D. State synchronization between Security Gateways is required.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 132
Which of the following statements is TRUE concerning MEP VPNs?
A. MEP Security Gateways can be managed by separate Management Servers.
B. The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first
connection fail.
C. State synchronization between Security Gateways is required.
D. MEP VPNs are restricted to the location of the gateways.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 133
Which of the following statements is TRUE concerning MEP VPNs?
A. State synchronization between Security Gateways is NOT required.
B. The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first
connection fail.
The VPN Client selects which Security Gateway takes over, should the first connection fail.
MEP VPNs are restricted to the location of the gateways.
State synchronization between Security Gateways is required.
MEP Security Gateways cannot be managed by separate Management Servers.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 135
At what router prompt would you save your OSPF configuration?
A. localhost.localdomain(config-router-ospf)#
B. localhost.localdomain(config-if)#
C. localhost.localdomain(config)#
D. localhost.localdomain#
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 136
What is the command to show OSPF adjacencies?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 137
A VPN Tunnel Interface (VTI) is defined on GAiA as:
vpn shell interface add numbered 10.10.0.1 10.10.0.2 madrid.cp
What do you know about this VTI?
A. 10.10.0.1 is the local Gateway's internal interface, and 10.10.0.2 is the internal interface of the remote
Gateway.
B. The peer Security Gateway's name is madrid.cp.
C. The VTI name is madrid.cp.
D. The local Gateway's object name is madrid.cp.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 138
Which type of VPN routing relies on a VPN Tunnel Interface (VTI) to route traffic?
A. Host-based VPN
B. Route-based VPN
C. Domain-based VPN
D. Subnet-based VPN
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 139
You have three Gateways in a mesh community. Each gateway's VPN Domain is its internal network as
defined on the Topology tab setting All IP Addresses behind Gateway based on Topology information.
You want to test the route-based VPN, so you created VTIs among the Gateways and created static route
entries for the VTIs. However, when you test the VPN, you find out the VPN still goes through the regular domain
IPsec tunnels instead of the routed VTI tunnels. What is the problem and how do you make the VPN use the
VTI tunnels?
A. Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, remove the
Gateways out of the mesh community and replace with a star community
B. Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty
group object as each Gateway's VPN Domain
C. Route-based VTI takes precedence over the Domain VPN. To make the VPN go through VTI, use a dynamic
routing protocol like OSPF or BGP to route the VTI address to the peer instead of static routes
D. Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route entries to ensure
that they are correctly pointing to the VTI gateway IP.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 140
When configuring a Permanent Tunnel between two gateways in a Meshed VPN community, in what object is
the tunnel managed?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 141
Which of the following log files contains information about the negotiation process for encryption?
A. iked.elg
B. ike.elg
C. vpn.elg
D. vpnd.elg
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 142
Which of the following log files contains verbose information regarding the negotiation process and other
encryption failures?
A. ike.elg
B. vpn.elg
C. iked.elg
D. vpnd.elg
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 143
What is the most common cause for a Quick mode packet 1 failing with the error "No Proposal Chosen"?
A. The encryption strength and hash settings of one peer do not match the other.
B. The previously established Permanent Tunnel has failed.
C. There is a network connectivity issue.
D. The OS and patch level of one gateway do not match the other.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 144
Which component receives events and assigns severity levels to the events; invokes any defined automatic
reactions, and adds the events to the Events Data Base?
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 145
The ______________ contains the Events Data Base.
A. SmartEvent Server
B. SmartEvent DataServer
C. SmartEvent Client
D. SmartEvent Correlation Unit
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 146
The SmartEvent Correlation Unit:
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 147
The SmartEvent Server:
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 148
The SmartEvent Client:
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 149
The SmartEvent Correlation Unit:
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 150
The SmartEvent Correlation Unit:
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 151
The SmartEvent Server:
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 152
What are the 3 main components of the SmartEvent Software Blade?
1) Correlation Unit
2) Correlation Client
3) Correlation Server
4) Analyzer Server
5) Analyzer Client
6) Analyzer Unit
A. 1, 3, 4
B. 1, 4, 5
C. 1, 2, 3
D. 4, 5, 6
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 153
How many Events can be shown at one time in the Event preview pane?
A. 5,000
B. 15,000
C. 30,000
D. 1,000
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 154
You are reviewing computer information collected in ClientInfo. You can NOT:
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 155
Which of the following is NOT a SmartEvent Permission Profile type?
A. No Access
B. Events Database
C. View
D. Read/Write
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 156
What is the SmartEvent Correlation Unit's function?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 157
What access level cannot be assigned to an Administrator in SmartEvent?
A. Read only
B. Write only
C. No Access
D. Events Database
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 158
_______________ manages Standard Reports and allows the administrator to specify automatic uploads of
reports to a central FTP server.
A. SmartReporter Database
B. SmartReporter
C. SmartDashboard Log Consolidator
D. Security Management Server
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 159
_____________ generates a SmartEvent Report from its SQL database.
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 160
Which SmartReporter report type is generated from the SmartView Monitor history file?
A. Standard
B. Traditional
C. Express
D. Custom
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 161
Which Check Point product is used to create and save changes to a Log Consolidation Policy?
A. SmartEvent Server
B. SmartDashboard Log Consolidator
C. SmartReporter Client
D. Security Management Server
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 162
Which Check Point product implements a Consolidation Policy?
A. SmartLSM
B. SmartView Tracker
C. SmartView Monitor
D. SmartReporter
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 163
You have selected the event Port Scan from Internal Network in SmartEvent, to detect an event when 30 port
scans have occurred within 60 seconds. You also want to detect two port scans from a host within 10 seconds
of each other. How would you accomplish this?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 164
When do modifications to the Event Policy take effect?
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 165
To back up all events stored in the SmartEvent Server, you should back up the contents of which folder(s)?
A. $FWDIR/distrib
B. $FWDIR/distrib_db and $FWDIR/events
C. $RTDIR/distrib and $RTDIR/events_db
D. $RTDIR/events_db
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 166
To clean the system of all events, you should delete the files in which folder(s)?
A. $RTDIR/events_db
B. $FWDIR/distrib_db and $FWDIR/events
C. $RTDIR/distrib and $RTDIR/events_db
D. $FWDIR/distrib
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 167
What SmartConsole application allows you to change the SmartReporter Policy?
A. SmartDashboard
B. SmartReporter
C. SmartEvent Server
D. SmartUpdate
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 168
Where is it necessary to configure historical records in SmartView Monitor to generate Express reports in
SmartReporter?
A. In SmartDashboard, the SmartView Monitor page in the R77 Security Gateway object
B. In SmartReporter, under Express > Network Activity
C. In SmartReporter, under Standard > Custom
D. In SmartView Monitor, under Global Properties > Log and Masters
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 169
In a UNIX environment, SmartReporter Data Base settings could be modified in:
A. $CPDIR/Database/conf/conf.C
B. $RTDIR/Database/conf/my.cnf
C. $ERDIR/conf/my.cnf
D. $FWDIR/Eventia/conf/ini.C
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 170
In a Windows environment, SmartReporter Data Base settings could be modified in:
A. $FWDIR/Eventia/conf/ini.C
B. $ERDIR/conf/my.cnf
C. %RTDIR%\Database\conf\my.ini
D. $CPDIR/Database/conf/conf.C
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 171
Which specific R77 GUI would you use to view the length of time a TCP connection was open?
A. SmartReporter
B. SmartView Status
C. SmartView Monitor
D. SmartView Tracker
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 172
SmartReporter reports can be used to analyze data from a penetration-testing regimen in all of the following
examples, EXCEPT:
A. Analyzing traffic patterns against public resources.
SmartReporter-Standard Reports
SmartView Tracker
SmartView Monitor
SmartReporter-Express Reports
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 174
If Jack was concerned about the number of log entries he would receive in the SmartReporter system, which
policy would he need to modify?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 175
Your company has the requirement that SmartEvent reports should show a detailed and accurate view of
network activity but also performance should be guaranteed. Which actions should be taken to achieve that?
1) Use same hard drive for database directory, log files, and temporary directory.
2) Use Consolidation Rules.
3) Limit logging to blocked traffic only.
4) Use Multiple Database Tables.
A. 2, 4
B. 1, 3, 4
C. 1, 2, 4
D. 1, 2
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 176
To help organize events, SmartReporter uses filtered queries. Which of the following is NOT a SmartEvent
event property you can query?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 177
Your expanding network currently includes ClusterXL running Multicast mode on two members, as shown in
this topology:
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 179
MegaCorp's disaster recovery plan is past due for an update to the backup and restore section to enjoy the
benefits of the new distributed R77 installation. You must propose a plan that meets the following required and
desired objectives:
Required: Security Policy repository must be backed up no less frequently than every 24 hours.
Desired: Back up R77 components enforcing the Security Policies at least once a week.
Desired: Back up R77 logs at least once a week.
You develop a disaster recovery plan proposing the following:
* Use the utility cron to run the command upgrade_export each night on the Security Management Servers.
* Configure the organization's routine backup software to back up files created by the command
upgrade_export.
* Configure GAiA back up utility to back up Security Gateways every Saturday night.
* Use the utility cron to run the command upgrade_export each Saturday night on the log servers.
* Configure an automatic, nightly logswitch.
* Configure the organization's routine back up software to back up the switched logs every night.
The corporate IT change review committee decides your plan:
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 180
Match the VPN-related terms with their definitions. Each correct term is only used once.
Exhibit:
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 181
You can set Acceleration to ON or OFF using command syntax ___________ .
Explanation/Reference:
QUESTION 187
What is the correct command and syntax used to view a connection table summary on a Check Point Firewall?
Correct Answer: fw tab -t connections -s
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 188
Write the full fw command and syntax that you would use to troubleshoot ClusterXL sync issues.
Correct Answer: fw tab -s -t connections
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 189
Type the full cphaprob command and syntax that will show full synchronization status.
Correct Answer: cphaprob -i list
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 190
Type the full fw command and syntax that will show full synchronization status.
Correct Answer: fw ctl pstat
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 191
Type the full fw command and syntax that allows you to disable only sync on a cluster firewall member.
Correct Answer: fw ctl setsync off
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 192
Type the command and syntax you would use to verify that your Check Point cluster is functioning correctly.
Correct Answer: cphaprob state
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 193
Type the command and syntax that you would use to view the virtual cluster interfaces of a ClusterXL
environment.
Correct Answer: cphaprob -a if
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 194
Type the command and syntax to view critical devices on a cluster member in a ClusterXL environment.
Correct Answer: cphaprob -ia list
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 195
Type the command and syntax to configure the Cluster Control Protocol (CCP) to use Broadcast.
Correct Answer: cphaconf set_ccp broadcast
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 196
In New Mode HA, the internal cluster IP VIP address is 10.4.8.3. The internal interfaces on two members are
10.4.8.1 and 10.4.8.2 Internal host 10.4.8.108 pings 10.4.8.3, and receives replies.
Review the ARP table from the internal Windows host 10.4.8.108. According to the output, which member is the
standby machine?
Correct Answer: 10.4.8.1
Section: Volume A
Explanation
Explanation/Reference:
Absolutely correct answer.
QUESTION 197
In New Mode HA, the internal cluster IP VIP address is 10.4.8.3. An internal host 10.4.8.108 successfully pings
its Cluster and receives replies.
Review the ARP table from the internal Windows host 10.4.8.108. Based on this information, what is the active
cluster member's IP address?
Correct Answer: 10.4.8.2
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 198
In Load Sharing Unicast mode, the internal cluster IP address is 10.4.8.3. The internal interfaces on two
members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 Pings 10.4.8.3, and receives replies. The following
is the ARP table from the internal Windows host 10.4.8.108.
Review the exhibit and type the IP address of the member serving as the pivot machine in the space below.
Correct Answer: 10.4.8.2
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 199
To stop acceleration on a GAiA Security Gateway, enter command:
Correct Answer: fwaccel off
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 200
To verify SecureXL statistics, you would use the command ________ .
Correct Answer: fwaccel stats
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 201
To verify the SecureXL status, you would enter command _____________ .
Correct Answer: fwaccel stat
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 202
To enter the router shell, use command __________ .
Correct Answer: cligated
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 203
In a zero downtime scenario, which command do you run manually after all cluster members are upgraded?
Correct Answer: cphaconf set_ccp multicast
Section: Volume C
Explanation
Explanation/Reference:
Answer is updated.
QUESTION 204
Complete this statement. To save interface information before upgrading a Windows Gateway, use command
Correct Answer: ipconfig -a > [filename].txt
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 205
In the following cluster configuration; if you reboot sglondon_1 which device will be active when sglondon_1 is
back up and running? Why?
A. sglondon_1 because it is the first configured object with the lowest IP.
B. sglondon_2 because sglondon_1 has highest IP.
C. sglondon_1, because it is up again, sglondon_2 took over during reboot.
D. sglondon_2 because it has highest priority.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 206
How many pre-defined exclusions are included by default in SmartEvent R77 as part of the product installation?
A. 5
B. 0
C. 10
D. 3
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 207
What is the purpose of the pre-defined exclusions included with SmartEvent R77?
A. To allow SmartEvent R77 to function properly with all other R71 devices.
B. To avoid incorrect event generation by the default IPS event definition; a scenario that may occur in
deployments that include Security Gateways of versions prior to R71.
C. As a base for starting and building exclusions.
D. To give samples of how to write your own exclusion.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 208
MegaCorp is using SmartCenter Server with several gateways. Their requirements result in a heavy log load.
Would it be feasible to add the SmartEvent Correlation Unit and SmartEvent Server to their SmartCenter
Server?
A. No. SmartCenter SIC will interfere with the function of SmartEvent.
B. No. If SmartCenter is already under stress, the use of a separate server for SmartEvent is recommended.
C. No, SmartEvent and Smartcenter cannot be installed on the same machine at the same time.
D. Yes. SmartEvent must be installed on your SmartCenter Server.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 209
Which Check Point tool allows you to open a debug file and see the VPN packet exchange details?
A. PacketDebug.exe
B. VPNDebugger.exe
C. IkeView.exe
D. IPSECDebug.exe
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 210
When a packet is flowing through the security gateway, which one of the following is a valid inspection path?
A. Acceleration Path
B. Small Path
C. Firewall Path
D. Medium Path
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 211
To run GAiA in 64-bit mode, which of the following is true?
1) Run set edition default 64-bit.
2) Install more than 4 GB RAM.
3) Install more than 4 TB of Hard Disk.
A. 1 and 3
B. 1 and 2
C. 2 and 3
D. 1, 2, and 3
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 212
Fill in the blank with a numeric value. The default port number for standard TCP connections with the LDAP
server is
Correct Answer: 389
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 213
Fill in the blank with a numeric value. The default port number for Secure Sockets Layer (SSL) connections with
the LDAP Server is
Correct Answer: 636
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 214
The command useful for debugging by capturing packet information, including verifying LDAP authentication on
all Check Point platforms is
Correct Answer: fw monitor
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 215
What is the primary benefit of using upgrade_export over either backup or snapshot?
A. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and
snapshot will not.
B. upgrade_export is operating system independent and can be used when backup or snapshot is not
available.
C. upgrade_export has an option to backup the system and SmartView Tracker logs while backup and
snapshot will not.
D. The commands backup and snapshot can take a long time to run whereas upgrade_export will take a much
shorter amount of time.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 216
Your primary Security Management Server runs on GAiA. What is the fastest way to back up your Security
Gateway R77 configuration, including routing and network configuration files?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 217
When migrating the SmartEvent data base from one server to another, the first step is to back up the files on
the original server. Which of the following commands should you run to back up the SmartEvent data base?
A. migrate export
B. eva_db_backup
C. snapshot
D. backup
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 218
When migrating the SmartEvent data base from one server to another, the last step is to save the files on the
new server. Which of the following commands should you run to save the SmartEvent data base files on the
new server?
A. cp
B. restore
C. migrate import
D. eva_db_restore
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 219
Which file defines the fields for each object used in the file objects.C (color, num/string, default value...)?
A. $FWDIR/conf/classes.C
B. $FWDIR/conf/scheam.C
C. $FWDIR/conf/fields.C
D. $FWDIR/conf/table.C
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 220
Match the ClusterXL modes with their configurations.
Exhibit:
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 221
You are troubleshooting a HTTP connection problem. You've started fw monitor -o http.pcap. When you open
http.pcap with Wireshark there is only one line. What is the most likely reason?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 222
Which two processes are responsible for handling Identity Awareness?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 223
Which three of the following are ClusterXL member requirements?
1) same operating systems
2) same Check Point version
3) same appliance model
4) same policy
A. 1, 3, and 4
B. 1, 2, and 4
C. 2, 3, and 4
D. 1, 2, and 3
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 224
You run cphaprob -a if. When you review the output, you find the word DOWN. What does DOWN mean?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 225
fwd
fw gen
cpd
fwm
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 226
Which of the following is NOT part of the policy installation process?
A. Initiation
B. Validation
C. Code compilation
D. Code generation
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 227
When, during policy installation, does the atomic load task run?
A.
B.
C.
D.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 228
To save your OSPF configuration in GAiA, enter the command ___________ .
Correct Answer: save config
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 229
Which is NOT a method through which Identity Awareness receives its identities?
A. AD Query
B. Group Policy
C. Identity Agent
D. Captive Portal
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 230
If using AD Query for seamless identity data reception from Microsoft Active Directory (AD), which of the
following methods is NOT Check Point recommended?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 231
When using Captive Portal to send unidentified users to a Web portal for authentication, which of the following
is NOT a recommended use for this method?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 232
A SmartProvisioning Gateway could be a member of which VPN communities?
1) Center in Star Topology
2) Satellite in Star Topology
3) Center in Remote Access Community
4) Meshed Community
A. 2 only
B. 2 and 3
C. 1, 2 and 3
D. All
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 233
What process manages the dynamic routing protocols (OSPF, RIP, etc.) on GAiA?
A. gated
B. There's no separate process, but the Linux default router can take care of that.
C. routerd
D. arouted
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 234
Which statement is TRUE for route-based VPNs?
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 235
VPN routing can also be configured by editing which file?
A. $FWDIR/VPN/route_conf.c
B. $FWDIR/conf/vpn_route.conf
C. $FWDIR/bin/vpn_route.conf
D. $FWDIR/conf/vpn_route.c
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 236
The challenges to IT involve deployment, security, management, and what else?
A. Assessments
B. Maintenance
C. Transparency
D. Compliance
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 237
If your firewall is performing a lot of IPS inspection and the CPUs assigned to fw_worker_thread are at or near
100%, which of the following could you do to improve performance?
A.
B.
C.
D.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 238
Which of the following CLISH commands would you use to set the admin user's shell to bash?
A.
B.
C.
D.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 239
What is Check Point's CoreXL?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 240
Does Check Point recommend generating an upgrade_export on standby SmartCenters?
A.
B.
C.
D.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
Corrected.
QUESTION 241
To bind a NIC to a single processor when using CoreXL on GAiA, you would use the command
Correct Answer: sim affinity
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 242
User definitions are stored in ________________ .
A. $FWDIR/conf/users.NDB
B. $FWDIR/conf/fwmuser.conf
C. $FWDIR/conf/fwusers.conf
D. $FWDIR/conf/fwauth.NDB
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 243
MegaCorp is running Smartcenter R70, some Gateways at R65 and some other Gateways with R60.
Management wants to upgrade to the most comprehensive IPv6 support. What should the administrator do
first?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 244
If you need strong protection for the encryption of user data, what option would be the BEST choice?
A. Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode
and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
B. When you need strong encryption, IPsec is not the best choice. SSL VPNs are a better choice.
C. Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.
D. Disable Diffie-Hellman by using stronger certificate based key-derivation. Use AES-256 bit on all encrypted
channels and add PFS to QuickMode. Use double encryption by implementing AH and ESP as protocols.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 245
Your R7x-series Enterprise Security Management Server is running abnormally on Windows Server 2008 R2.
You decide to try reinstalling the Security Management Server, but you want to try keeping the critical Security
Management Server configuration settings intact (i.e., all Security Policies, databases, SIC, licensing etc.) What
is the BEST method to reinstall the Server and keep its critical configuration?
A. 1. Insert the R77 CD-ROM and select the option to export the configuration using the latest upgrade utilities.
2. Follow steps suggested by upgrade_verification and re-export the configuration if needed.
3. Save the exported file *.tgz to a local directory c:/temp.
4. Uninstall all packages using Add/Remove Programs and reboot.
5. Install again using the R77 CD-ROM as a primary Security Management Server and reboot.
6. Run upgrade_import to import the configuration.
B. 1. Create a data base revision control back up using SmartDashboard.
2. Create a compressed archive of the directories %FWDIR%/conf and %FWDIR%/lib and copy them to
another networked machine.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Install again as a primary Security Management Server using the R77 CD-ROM.
5. Reboot and restore the two archived directories over the top of the new installation, choosing to overwrite
existing files.
C. 1. Download the latest utility upgrade_export and run from a local directory c:/temp to export the
configuration into a *.tgz file.
2. Skip any upgrade_verification warnings since you are not upgrading.
3. Transfer the file *.tgz to another networked machine.
4. Download and run the utility cpclean and reboot.
5. Use the R77 CD-ROM to select option upgrade_import to import the configuration.
D. 1. Download the latest utility upgrade_export and run from directory c:/temp to export the configuration into
a *.tgz file.
2. Follow steps suggested by upgrade_verification.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Use SmartUpdate to reinstall the Security Management Server and reboot.
5. Transfer file *.tgz back to local directory /temp.
6. Run upgrade_import to import the configuration.
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
Answer is Valid.
QUESTION 246
Can you implement a complete IPv6 deployment without IPv4 addresses?
A.
B.
C.
D.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 247
MicroCorp experienced a security appliance failure. (LEDs of all NICs are off.) The age of the unit required that
the RMA-unit be a different model. Will a revert to an existing snapshot bring the new unit up and running?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
Updated.
QUESTION 248
The process ___________ is responsible for all other security server processes run on the Gateway.
A. CPD
B. FWM
C. FWD
D. FWSSD
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 249
The process ________ is responsible for GUIClient communication with the SmartCenter.
A. CPGUI
B. CPD
C. FWD
D. FWM
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 250
The process ________ is responsible for Policy compilation.
A. FWM
B. CPD
C. FWCMP
D. CPLMD
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 251
MultiCorp is running Smartcenter R71 on an IPSO platform and wants to upgrade to a new Appliance with R77.
Which migration tool is recommended?
A. Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.
B. Use already installed Migration Tool.
C. Use Migration Tool from CD/ISO
D. Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 252
What happens in relation to the CRL cache after a cpstop;cpstart has been initiated?
A. The gateway continues to use the old CRL even if it is not valid, until a new CRL is cached
B. The gateway continues to use the old CRL, as long as it is valid.
C. The gateway issues a crl_zap on startup, which empties the cache and forces Certificate retrieval.
D. The gateway retrieves a new CRL on startup, then discards the old CRL as invalid.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 253
Exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
Which of the following would be a valid conclusion?
A. Changing the setting Perform IPsec data encryption with from AES-128 to 3DES will increase the encryption
overhead.
B. The VPN community will perform IKE phase 1 key-exchange encryption, using the longest key VPN-1 NGX
R65 supports.
C. Changing the setting Perform key exchange encryption with from 3DES to DES will enhance the VPN
Community's security, and reduce encryption overhead.
D. Change the data-integrity settings for this VPN Community because MD5 is incompatible with AES.
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 254
Public-key cryptography is considered which of the following?
A. two-key/symmetric
B. one-key/asymmetric
C. two-key/asymmetric
D. one-key/symmetric
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 255
What is the greatest benefit derived from VPNs compared to frame relay, leased lines, or any other types of
dedicated networks?
A. lower cost
B. stronger authentication
C. Less failure/downtime
D. Greater performance
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 256
What is the bit size of DES?
A. 56
B. 112
C. 168
D. 128
E. 32
F. 64
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 257
You set up a mesh VPN Community, so your internal networks can access your partner's network, and vice
versa. What is the best method to configure your Security Policy to encrypt only FTP and HTTP traffic through a
VPN tunnel but all other traffic among your internal and partner networks is sent in clear text?
A. Disable accept all encrypted traffic, and put FTP and HTTP in the Excluded services in the Community
object. Add a rule in the Security Policy for services FTP and HTTP, with the Community object in the VPN
field.
B. Put all services except for FTP and HTTP in the Excluded Services of the Community object. Then add a
rule in the Security Policy to allow ANY as the service with the Community object in the VPN field.
C. Put ftp and http in the Excluded Services of the Community object. Then add a rule in the Security Policy to
allow ANY as the service with the Community object in the VPN field.
D. Disable accept all encrypted traffic in the Community. Then add FTP and HTTP services to a Security Policy
rule with the Community object in the VPN field. Add a second rule below the first that accept all non-HTTP
and non-FTP services without the Community object in the VPN field.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 258
In cryptography, the Rivest, Shamir, Adleman (RSA) scheme has which of the following? Select all that apply.
A. A symmetric-cipher system
B. A secret-key encryption-algorithm system
C. A public-key encryption-algorithm system
D. An asymmetric-cipher system
Correct Answer: CD
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 259
Which of the following are supported with the office mode? Select all that apply.
A. SecureClient
B. L2TP
C. Transparent Mode
D. Gopher
E. SSL Network Extender
QUESTION 261
Which network port does PPTP use for communication?
A. 1723/tcp
B. 1723/udp
C. 25/udp
D. 25/tcp
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 262
VPN access control would fall under which VPN component?
A. QoS
B. Performance
C. Management
D. Security
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 263
In ClusterXL, which of the following processes are defined by default as critical devices?
A. fwm
B. cphad
C. fw.d
D. fwd.proc
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 264
If a digital signature is used to achieve both data-integrity checking and verification of sender, digital signatures
are only used when implementing:
A. A symmetric-encryption algorithm
B. CBL-DES
C. Triple DES
D. An asymmetric-encryption algorithm
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 265
Which of the following is supported with Office Mode?
A. SecuRemote
B. SecureClient
C. SSL Network Extender
D. Connect Mode
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 266
Exhibit:
You study the exhibit carefully. You are preparing computers for a new ClusterXL deployment. For your cluster,
you plan to use three machines with the configurations in the exhibit.
Are these machines correctly configured for a ClusterXL deployment?
A.
B.
C.
D.
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 267
When synchronizing clusters, which of the following statements are true?
Select all that apply.
A. Only cluster members running on the same OS platform can be synchronized.
B. Client Auth or Session Auth connections through a cluster member will be lost if the cluster member fails.
C. The state of connections using resources is maintained by a Security Server, so these connections cannot
be synchronized.
D. In the case of a failover, accounting information on the failed member may be lost despite a properly
Correct Answer: ABC
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 268
Your primary SmartCenter Server is installed on a SecurePlatform Pro Machine, which is also a VPN-1 Power
Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure
as the secondary SmartCenter server. How do you configure the new machine to be the standby SmartCenter
Server?
A. Use cpprod_util to reconfigure the primary SmartCenter to become the secondary on the VPN-1 Power
Gateway. Install a new primary SmartCenter on the spare machine and set to standby. Synchronize the
active secondary to the standby primary in order to migrate the configuration.
B. You cannot configure Management HA, when either the primary or secondary SmartCenter is running on a
VPN-1 Pro Gateway.
C. Install the secondary Server on the spare machine. Add the new machine to any network routable to the
primary Server. Synchronize the machines.
D. Install the secondary Server on the spare machine. Add the new machine to the same network as the
primary server. Synchronize the machines.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 269
VPN traffic control would fall under which VPN component?
A. Performance
B. Management
C. Security
D. QoS
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 270
Which of the following is an example of the hash function?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 271
You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways
at five geographically separated locations.
What is the best method to implement this HFA?
A. Send a CDROM with the HFA to each location and have local personnel install it.
B. Send a Certified Security Engineer to each site to perform the update.
C. Use SmartUpdate to install the packages to each of the Security Gateways remotely.
D. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate the remote
installation command and monitor the installation progress with SmartView Monitor.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 272
When configuring site-to-site VPN High Availability (HA) with MEP, which of the following is correct?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 273
Consider the following actions that VPN-1 NGX can take when it controls packets. The Policy Package has been
configured for Traditional Mode VPN. Identify the options that include the available actions. Select four.
A. Allow
B. Reject
C. Client auth
D. Decrypt
E. Accept
F. Drop
G. Encrypt
H. Hold
I. Proxy
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 276
Which of the following does IPSec use during IPSec key negotiation?
A. IPSec SA
B. RSA Exchange
C. ISAKMP SA
D. Diffie-Hellman exchange
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 277
You are using SmartUpdate to fetch data and perform a remote upgrade of an NGX Security Gateway.
Which of the following statements are true? Select all that apply.
A. SmartUpdate can query license information running locally on the VPN-1 Gateway
B. If SmartDashboard is open during package upload and upgrade, the upgrade will fail.
C. SmartUpdate can query the SmartCenter Server and VPN-1 Gateway for product information
D. A remote installation can be performed without the SVN Foundation package installed on a remote NG with
Application Intelligence Security Gateway
C. If an interface is not configured, it is not recognized. Assign an IP and subnet mask using the Web UI,
D. Your NIC driver is installed but was not recognized. Apply the latest SecurePlatform R65 Hotfix Accumulator
(HFA).
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 280
Which of the following provides a unique user ID for a digital Certificate?
A. Username
B. User-message digest
C. User e-mail
D. User organization
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 281
For object-based VPN routing to succeed, what must be configured?
A. A single rule in the Rule Base must cover traffic in both directions, inbound and outbound on the central
(HUB) Security Gateway.
B. No rules need to be created, implied rules that cover inbound and outbound traffic on the central (HUB)
Gateway are already in place from Policy > Properties > Accept VPN-1 Control Connections.
C. At least two rules in the Rule Base must be created, one to cover traffic inbound and the other to cover traffic
outbound on the central (HUB) Security Gateway.
D. VPN routing is not configured in the Rule Base or Community objects. Only the native-routing mechanism
on each Gateway can direct the traffic via its VTI configured interfaces.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 282
What proprietary Check Point protocol is the basis of the functionality of Check Point ClusterXL inter-module
communication?
A. RDP
B. IPSec
C. CCP
D. HA OPCODE
E. CKPP
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 283
Which of the following is part of the PKI? Select all that apply.
A. User certificate
B. Attribute Certificate
C. Certificate Revocation Lists
D. Public-key certificate
mesh architecture
Bridge architecture
Gateway architecture
Hierarchical architecture
You see a more logical way to organize your rules and objects
You want to keep your Check Point configuration.
Your Security Policy includes rules and objects whose purpose you do not know.
Objects and rules' naming conventions have changed over time.
A.
B.
C.
D.
nonrepudiation
Data integrity
Availability
Authentication
dynamic encryption
Certificate-based encryption
static encryption
Symmetric encryption
Asymmetric encryption
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 289
Which of the following can be said about numbered VPN Tunnel Interfaces (VTIs)?
A.
B.
C.
D.
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 290
What is the command to upgrade an NG with Application Intelligence R55 SmartCenter running on
SecurePlatform to VPN-1 NGX R65?
A. fw install_mgmt
B. upgrade_mgmt
C. patch add cd
D. fwm upgrade_tool
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 291
What can be said about RSA algorithms? Select all that apply.
A.
B.
C.
D.
1 second
2 seconds
5 seconds
0.1 seconds
0.5 seconds
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 293
What is the most typical type of configuration for VPNs with several externally managed Gateways?
A. star community
B. mesh community
C. domain community
D. Hybrid community
E. SAT community
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 294
Exhibit:
You study the Advanced Properties exhibit carefully. What settings can you change to reduce the encryption
overhead and improve performance for your mesh VPN Community?
A. Change the Renegotiate IPsec security associations every 3600 seconds to 7200
B. Check the box Use aggressive mode
C. Change the box Use Perfect Forward Secrecy
D. Change the setting Use Diffie-Hellman group: to Group 5 (1536 bit)
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 295
A VPN Tunnel Interface (VTI) is defined on SecurePlatform Pro as:
vpn shell interface add numbered 10.10.0.1 10.10.0.2 Helsinki.cp
What do you know about this VTI?
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Topic 2, More (144 Questions)
QUESTION 296
You work as a network administrator for TestKing.com. You configure a Check Point QoS Rule Base with two
rules: an H.323 rule with a weight of 10, and the Default Rule with a weight of 10. The H.323 rule includes a
per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee
is for four connections, and no additional connections are allowed in the Action properties. If traffic passing
through the QoS Module matches both rules, which of the following is true?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 297
TestKing.com has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to
access TestKing.com resources. For security reasons, TestKing.com's Secure policy requires all Internet traffic
initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security
Gateway.
How do you configure VPN routing in this star VPN Community?
A. To the Internet and other targets only
B. To the center and other satellites, through the center
C. To the center only
D. To the center, or through the center to other satellites, then to the Internet and other VPN targets
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
This configuration option can be found in the properties window under Advanced Settings > VPN Routing for a
Star Community VPN Object (see screenshot)
From the help file on this properties page:
Three options are available:
To center only. No VPN routing actually occurs. Only connections between the Satellite Gateways and Central
Gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center. Use VPN routing for connection between satellites. Every
packet passing from a Satellite Gateway to another Satellite Gateway is routed through the Central Gateway.
Connection between Satellite Gateways and Gateways that do not belong to the community are routed in the
normal way.
To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every
connection a Satellite Gateway handles. Packets sent by a Satellite Gateway pass through the VPN tunnel to
the Central Gateway before being routed to the destination address.
QUESTION 298
You are preparing to configure your VoIP Domain Gatekeeper object. Which two other objects should you have
created first?
A. An object to represent the IP phone network, AND an object to represent the host on which the proxy is
installed.
B. An object to represent the PSTN phone network, AND an object to represent the IP phone network
C. An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper
is installed.
D. An object to represent the Q.931 service origination host, AND an object to represent the H.245 termination
host
E. An object to represent the call manager, AND an object to represent the host on which the transmission
router is installed.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 299
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?
A. Guarantees
B. Differentiated Services
C. Limits
D. Weighted Fair Queuing
E. Low Latency Queuing
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Bandwidth Allocation and Rules
A rule can specify three factors to be applied to bandwidth allocation for classified connections:
Weight
Weight is the relative portion of the available bandwidth that is allocated to a rule. To calculate what portion of
the bandwidth the connections matched to a rule receive, use the following formula:
this rule's portion = this rule's weight / total weight of all rules with open connections
For example, if this rule's weight is 12 and the total weight of all the rules under which connections are
currently open is 120, then all the connections open under this rule are allocated 12/120 (or 10%) of the
available bandwidth.
In practice, a rule may get more than the bandwidth allocated by this formula, if other rules are not using their
maximum allocated bandwidth.
Unless a per connection limit or guarantee is defined for a rule, all connections under a rule receive equal
weight.
Allocating bandwidth according to weights ensures full utilization of the line even if a specific class is not using
all of its bandwidth. In such a case, the left over bandwidth is divided among the remaining classes in
accordance with their relative weights. Units are configurable, see Defining QoS Global Properties on page 94.
Guarantees
A guarantee allocates a minimum bandwidth to the connections matched with a rule.
Guarantees can be defined for:
the sum of all connections within a rule
A total rule guarantee reserves a minimum bandwidth for all the connections under a rule combined. The actual
bandwidth allocated to each connection depends on the number of open connections that match the rule. The
total bandwidth allocated to the rule can be no less than the guarantee, but the more connections that are open,
the less bandwidth each one receives.
individual connections within a rule
A per connection guarantee means that each connection that matches the particular rule is guaranteed a
minimum bandwidth.
Although weights do in fact guarantee the bandwidth share for specific connections, only a guarantee allows
you to specify an absolute bandwidth value.
Limits
A limit specifies the maximum bandwidth that is assigned to all the connections together. A limit defines a point
beyond which connections under a rule are not allocated bandwidth, even if there is unused bandwidth
available.
Limits can also be defined for the sum of all connections within a rule or for individual connections within a rule.
QUESTION 300
Exhibit:
Tess King tries to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have
the option to see the Directional Match. Tess King sees the screen displayed in the exhibit.
What is the problem?
A.
B.
C.
D.
E.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Reference: VPN.pdf page 145
QUESTION 301
Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS
bandwidth?
A. Global Properties
B. QoS Class objects
C. Check Point gateway object properties
D. $CPDIR/conf/qos_props.pf
E. Advanced Action options in each QoS rule.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
Reference: Surf to that location in Smart Dashboard
QUESTION 303
You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security
Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities.
How should you configure the VPN match rule?
A. internal_clear>All-GwToGw
B. Communities>Communities
C. Internal_clear>External_Clear
D. Internal_clear>Communities
E. Internal_clear>All_communities
Correct Answer: E
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
The ability to configure the directional match suggested in this question firstly depends on VPN Directional
Match being enabled in the Global Properties VPN Advanced screen. When this is enabled you have the
Directional Match Condition available on the VPN column of the rule base (see screenshot).
'A' is not correct because you want traffic for all communities, not just the Gateway-to-Gateway traffic.
'B' is not a valid option.
'C' is not correct because you don't want a directional match for traffic outside the community.
'D' is not a valid option
'E' is a directional match for traffic between local domains within the community and all communities
QUESTION 304
You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts.
How do you block the connection in real time and verify the connection is successfully blocked?
A. Highlight the suspicious connection in SmartView Tracker>Active mode. Block the connection using
Tools>Block Intruder menu. Use the active mode to confirm that the suspicious connection does not
reappear.
B. Highlight the suspicious connection in SmartView Tracker>Log mode. Block the connection using
Tools>Block Intruder menu. Use the Log mode to confirm that the suspicious connection does not
reappear.
C. Highlight the suspicious connection in SmartView Tracker>Active mode. Block the connection using
Tools>Block Intruder menu. Use the active mode to confirm that the suspicious connection is dropped.
D. Highlight the suspicious connection in SmartView Tracker>Log mode. Block the connection using
Tools>Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Block Intruder
SmartView Tracker allows you to terminate an active connection and block further connections from and to
specific IP addresses. Proceed as follows:
1 Select the connection you wish to block by clicking it in the Active mode's Records pane.
2 From the Tools menu, select Block Intruder. The Block Intruder window is displayed.
3 In Blocking Scope, select the connections that you would like to block:
* Block all connections with the same source, destination and service - block the selected connection or any
other connection with the same service, source or destination.
* Block access from this source - block access from this source. Block all connections that are coming from the
machine specified in the Source field.
* Block access to this destination - block access to this destination. Block all connections that are headed to the
machine specified in the Destination field.
4 In Blocking Timeout, select one of the following:
* Indefinite - blocks all further access
* For... minutes - blocks all further access attempts for the specified number of minutes
5 In Force this blocking, select one of the following:
* Only on... - blocks access attempts through the indicated VPN-1 Pro module.
* On any VPN-1 & FireWall-1 Module - blocks access attempts through all VPN-1 Pro modules defined as
gateways or hosts on the Log Server.
6 Click OK.
QUESTION 305
Exhibit:
Tess King is using a mesh VPN Community to create a site-to-site VPN. The VPN properties in this mesh
Community is displayed in the exhibit.
Which of the following statements are true?
A. If Tess changes the settings, Perform key exchange encryption with from 3DES to DES, she will enhance
the VPN Community's security and reduce encryption overhead.
B. Mrs. King must change the data-integrity settings for this VPN Community. MD5 is incompatible with AES.
C. If Tess King changes the setting Perform IPSec data encryption with from AES-128 to 3DES, Tess will
increase the encryption overhead.
D. Her VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX
supports.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 306
Exhibit:
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three
machines with the configurations displayed in the exhibit.
Are these machines correctly configured for a ClusterXL deployment?
A.
B.
C.
D.
E.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Extract from Check Point Security Administration NGX II 1.1 Student Handbook page 436:
The following restrictions apply to Cluster XL configurations:
1. Only NGX Gateways running on the same operating system can be synchronized.
2. NGX Gateways must be on the same version and feature pack.
3. The Gateways must have the same Policy installed.
4. The SmartCenter Server of a ClusterXL Gateway cannot be running on the same host as a gateway cluster
object (made up of a group of Gateways with many properties in common). A distributed environment is
required.
QUESTION 307
You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly
between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?
A. Direct
B. Direct and Call Setup
C. Call Setup
D. Call Setup and Call Control
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
From the help section:
QUESTION 308
Tess King is concerned that a denial-of-service (DoS) attack may affect her VPN Communities. She decides to
implement IKE DoS protection. Tess needs to minimize the performance impact of implementing this new
protection.
Which of the following configurations is MOST appropriate for Mrs. King?
A. Set Support IKE DoS protection from identified source to Puzzles, and Support IKE DoS protection from
unidentified source to Stateless
B. Set Support IKE DoS protection from identified source, and Support IKE DoS protection from unidentified
source to Puzzles
C. Set Support IKE DoS protection from identified source to Stateless, and Support IKE DoS protection from
unidentified source to Puzzles.
D. Set Support IKE DoS protection from identified source, and Support IKE DoS protection from unidentified
source to Stateless.
E. Set Support IKE DoS protection from identified source to Stateless, and Support IKE DoS protection from
unidentified source to None.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
From the online HELP for NGX R60, (see screen capture below)
The options for DOS on IKE for both identified and unidentified connections are...
Puzzles - best protection, but performance intensive
Stateless - less protection, but not as performance intensive
None - no protection for DOS on IKE
Therefore, answer C will have impact on unidentified IKE connections. To provide protection with less
performance hit, use Stateless, so answer D is correct, not C.
QUESTION 309
You have a production implementation of Management High Availability, at Version VPN-1 NG with Application
Intelligence R55.
You must upgrade two SmartCenter Servers to VPN-1.
What is the correct procedure?
A. 1. Synchronize the two SmartCenter Servers
2. Upgrade the secondary SmartCenter Server.
3. Upgrade the primary SmartCenter Server.
4. Configure both SmartCenter Server host objects version to VPN-1 NGX
5. Synchronize the Servers again.
B. 1. Synchronize the two SmartCenter Servers
2. Perform an advanced upgrade of the primary SmartCenter Server.
3. Upgrade the secondary SmartCenter Server.
4. Configure both SmartCenter Server host objects to version VPN-1 NGX.
Correct Answer: E
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 311
Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following
options will end the intruder's access, after the next Phase 2 exchange occurs?
A. Phase 3 Key Revocation
B. Perfect Forward Secrecy
C. MD5 Hash Completion
Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.
Restart Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
Run cpstop and cpstart, to re-enable High Availability on both projects. Select Pivot mode in cpconfig.
Change the cluster mode to Unicast on the cluster-member object.
Switch the internal network's default Security Gateway to the pivot machine's IP address.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 314
Tess King is notified by blacklist.org that her site has been reported as a spam relay, due to her SMTP server
being unprotected. Mrs. King decides to implement an SMTP Security Server, to prevent the server from being
a spam relay.
Which of the following is the most efficient configuration method?
A. Configure the SMTP Security Server to perform MX resolving.
B. Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.
C. Configure the SMTP Security Server to work with an OPSEC based product, for content checking.
D. Configure the SMTP Security Server to apply a generic from address to all outgoing mail.
E. Configure the SMTP Security Server to allow only mail to or from names, within Tess's corporate domain.
Correct Answer: E
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
The following screen shot is from the Check Point Secure knowledge base.
It states that
To correct the open SMTP relay issue, you must create a SMTP resource and use the Match option. You must
then create a rule that uses the SMTP service with this resource.
Under recipient type your e-mail domain with a leading and ending '*' (ie. *@4bilu.com*), and click OK.
Once this has been completed the firewall should no longer act as an open relay.
Therefore, you are using a match resource on the corporate domain, not filtering which makes the correct
answer E.
QUESTION 315
You have an internal FTP server, and you allow downloading, but not uploading. Assume Network Address
Translation is set up correctly, and you want to add an inbound rule with:
Source: Any
Destination: FTP Server
Service: an FTP resource object.
How do you configure the FTP resource object and the action column in the rule to achieve this goal?
A. Enable only the Get method in the FTP Resource Properties, and use this method in the rule, with action
accept.
B. Enable only the Get method in the FTP Resource Properties, and use it in the rule, with action drop.
C. Enable both Put and Get methods in the FTP Resource Properties and use them in the rule, with action
drop.
D. Disable Get and Put methods in the FTP Resource Properties and use it in the rule, with action accept.
E. Enable only the Put method in the FTP Resource Properties and use it in the rule, with action accept.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 316
If you check the box "Use Aggressive Mode", in the IKE properties dialog box:
A.
B.
C.
D.
E.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 317
Which of the following commands shows full synchronization status?
A. cphaprob -i list
B. chpastop
C. fw ctl pstat
D. cphaprob -a if
E. fw hastat
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Monitoring Synchronization (fw ctl pstat)
To monitor the synchronization mechanism on ClusterXL or third-party OPSEC
certified clustering products, run the following command on a cluster member:
fw ctl pstat
The output of this command is a long list of statistics for the VPN-1 Pro Gateway. At the end of the list there is a
section called Synchronization that applies per Gateway Cluster member. Many of the statistics are counters
that can only increase. A typical output is as follows:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 3976, retransmitted : 0, retrans reqs : 58, acks : 97
Sync packets received:
total : 4290, were queued : 58, dropped by net : 47
retrans reqs : 0, received 0 acks
retrans reqs for illegal seq : 0
Callback statistics: handled 3 cb, average delay : 1, max delay : 2
Delta Sync memory usage: currently using XX KB mem
Callback statistics: handled 322 cb, average delay : 2, max delay : 8
Number of Pending packets currently held: 1
Packets released due to timeout: 18
The meaning of each line in this printout is explained below.
Version: new
This line must appear if synchronization is configured. It indicates that new sync is working (as opposed to old
sync from version 4.1).
Status: Able to Send/Receive sync packets
If sync is unable to either send or receive packets, there is a problem. Sync may be temporarily unable to send
or receive packets during boot, but this should not happen during normal operation. When performing full sync,
sync packet reception may be interrupted.
Sync packets sent:
total : 3976, retransmitted : 0, retrans reqs : 58, acks : 97
The total number of sync packets sent is shown. Note that the total number of sync packets is non-zero and
increasing.
The cluster member sends a retransmission request when a sync packet is received out of order. This number
may increase when under load.
Acks are the acknowledgements sent for received sync packets, when an
acknowledgement was requested by another cluster member.
Sync packets received:
total : 4290, were queued : 58, dropped by net : 47
The total number of sync packets received is shown. The queued packets figure increases when a sync packet
is received that complies with one of the following conditions:
1 The sync packet is received with a sequence number that does not follow the previously processed sync
packet.
2 The sync packet is fragmented. This is done to solve MTU restrictions.
This figure never decreases. A non-zero value does not indicate a problem.
The dropped by net number may indicate network congestion. This number may
increase slowly under load. If this number increases too fast, a networking error may interfere with the sync
protocol. In that case, check the network.
retrans reqs : 0, received 0 acks
This message refers to the number of received retransmission requests, in contrast to the transmitted
retransmission requests in the section above. When this number grows very fast, it may indicate that the load
on the machine is becoming too high for sync to handle.
Acks refer to the number of acknowledgements received for the cb request sync packets, which are sync
packets with requests for acknowledgments.
retrans reqs for illegal seq : 0
Retrans reqs for illegal seq displays the number of retransmission requests for packets which are no longer in
this member's possession. This may indicate a sync problem.
Callback statistics relate to received packets that involve Flush and Ack. This statistic only appears for a nonzero value.
star
mesh
Remote access
Map
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 319
The following rule contains an FTP resource object in the Service field:
Source: local_net
Destination: Any
Service: FTP-resource object
Action: Accept
How do you define the FTP Resource Properties>Match tab to prevent internal users from sending corporate
files to external FTP servers, while allowing users to retrieve files?
A. Enable the Get method on the match tab.
B. Disable Get and Put methods on the Match tab.
C. Enable the Put and Get methods.
Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged.
VoIP protocol-specific log fields are not included in SmartView Tracker entries.
The log field setting in rules for VoIP protocols are ignored.
IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.
The SmartCenter Server stops importing logs from VoIP servers.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Help file:
QUESTION 321
Exhibit:
The exhibit is a cphaprob state command output from a ClusterXL New mode High Availability member.
When member 192.168.1.2 fails over and restarts, which member will become active?
A. 192.168.1.2
B. 192.168.1.1
C. Both members' state will be standby.
D. Both members' state will be active.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 322
Which of the following actions is most likely to improve the performance of Check Point QoS?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
The complete section 'Optimizing Check Point QOS' on page 402 of the NGX II 1.1 book states:
Check Point QoS performance can be improved by following the suggestions below:
* Upgrade to the newest Check Point QoS version available
* Install Check Point QoS only on the external interfaces of the QoS Module. Unless you are using limits for
inbound traffic, installing Check Point QoS only in the outbound direction will provide you the most functionality
and improvements.
* Put more frequent rules at the top of your Rule Base. You can use SmartView Monitor to analyze how much a
rule is used.
* Turn per-connection limits into per-rule limits.
* Turn per-connection guarantees into per-rule guarantees.
QUESTION 323
How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B,
through an NGX Security Gateway?
A. Net_A/Net_B/sip/accept
B. Net_A/Net_B/sip and sip_any/accept
C. Net_A/Net_B/VoIP_any/accept
D. Net_A/Net_B/VoIP /accept
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
SIP Based Communications without a Proxy
If the SIP environment does not include proxies, only one rule is required. To configure a Policy that will enable
traffic from one SIP environment without a proxy to another, you must create a rule that allows the services sip
or sip_any traffic from one network object (or IP address range) to the other. The following Rule Base is an example
of the configuration for this scenario:
Be aware that if the question mentioned a single proxy on one side of the transmission the rule would define a
VoIP domain SIP object, for example:
If the question mentioned dual proxies, one on each side of the transmission the rule would look like this:
3, 2, 1, 4
2, 4, 3, 1
1, 3, 2, 4
2, 3, 1, 4
1, 2, 3, 4
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 325
How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?
A. Run the command vpn tu on the Security Gateway, and choose the option Delete all IPSec+IKE SAs for
ALL peers and users.
B. Run the command vpn tu on the SmartCenter Server, and choose the option Delete all IPSec+IKE SAs for
ALL peers and users.
C. Run the command vpn tu on the Security Gateway, and choose the option Delete all IPSec+IKE SAs for a
given peer (GW).
D. Run the command vpn tu on the Security Gateway, and choose the option Delete all IPSec SAs for a given
user (Client).
E. Run the command vpn tu on the Security Gateway, and choose the option Delete all IPSec SAs for ALL
peers and users.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Not A: The question is how to tear down a specific VPN tunnel.
Reference. See Checkpoint PDF file named Checkpoint_NGX_CLI_Guide.pdf on page 129.
QUESTION 326
You are preparing to deploy a VPN-1 Pro Gateway for VPN-1 NGX. You have five systems to choose from for
the new Gateway, and you must conform to the following requirements:
* Operating-System vendor's license agreements
* Check Point's license agreement
* Minimum operating-system hardware specification
* Minimum Gateway hardware specification
* Gateway installed on a supported operating system (OS)
Which machine meets ALL of the requirements?
A. Processor 1.1 GHz
RAM: 512 MB
Hard disk: 10 GB
OS: Windows 2000 Workstation
B. Processor 2.0 GHz
RAM: 512 MB
Hard disk: 10 GB
OS: Windows ME
C. Processor 1.5 GHz
RAM: 256 MB
Hard disk: 20 GB
OS: Red Hat Linux 8.0
D. Processor 1.67 GHz
RAM: 128 MB
Hard disk: 5 GB
OS: FreeBSD
E. Processor 2.2 GHz
RAM: 256 MB
Hard disk: 20 GB
OS: Windows 2000 Server
Correct Answer: E
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 327
You are configuring the VoIP Domain object for an H.323 environment, protected by VPN-1 NGX.
Which VoIP Domain object type can you use?
A. Transmission Router
B. Gatekeeper
C. Call Manager
D. Proxy
E. Call Agent
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 328
Tess King has configured a Common Internet File System (CIFS) resource to allow access to the public
partition of TestKing.com's file server, on \\testking13\logigame\files\public. Mrs. King receives reports that
users are unable to access the shared partition, unless they use the file server's IP address.
Which of the following is a possible cause?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 329
Tess King is creating rules and objects to control VoIP traffic in her organization (TestKing.com), through a
VPN-1 NGX Security Gateway. Mrs. King creates VoIP Domain SIP objects to represent each of
TestKing.com's three SIP gateways. Tess then creates a simple group to contain the VoIP Domain SIP objects.
When Tess attempts to add the VoIP Domain SIP objects to the group, they are not listed.
What is the problem?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 330
You have two Nokia Appliances: one IP530 and one IP380. Both appliances have IPSO 3.9 and VPN-1 Pro NGX
installed in a distributed deployment.
Can they be members of a gateway cluster?
A. No, because the Gateway versions must be the same on both security gateways.
B. Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
C. No, because members of a security gateway cluster must be installed as stand-alone deployments.
D. Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not.
E. No, because the appliances must be of the same model (Both should be IP530 or IP380).
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 331
Exhibit:
You work as a network administrator at TestKing.com. Your network includes ClusterXL running Multicast
mode on two members, as shown in this topology exhibit.
Your network is expanding, and you need to add new interfaces: 10.10.10.1/24 on Member A, and
10.10.10.2/24 on Member B. The virtual IP address for interface 10.10.10.0/24 is 10.10.10.3.
Load Sharing based on IP addresses, ports, and serial peripheral interfaces (SPI)
Load Sharing based on SPIs only.
Load Sharing based on IP addresses only
Load Sharing based on SPIs and ports only
Load Sharing based on IP addresses and ports
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
From the Help file:
Tell me about the fields...
Use sharing method based on
-IPs, Ports, SPIs (default) provides the best sharing distribution, and is recommended for use. It is the least
"sticky" sharing configuration.
-IPs, Ports should be used only if problems arise when distributing IPSec packets to a few machines although
they have the same source and destination IP addresses.
-IPs should be used only if problems arise when distributing IPSec packets or different port packets to a few
machines although they have the same source and destination IP addresses. It is the most "sticky" sharing
configuration, in other words, it increases the probability that a certain connection will pass through a single
cluster member on both inbound and outbound directions.
Getting here - Gateway Cluster Properties > ClusterXL > Advanced
QUESTION 333
Exhibit:
State synchronization is enabled on both members in a cluster, and the Security Policy is successfully installed.
No protocols or services have been unselected for "selective sync". The exhibit is the fw tab -t connections -s
output from both members.
Is State synchronization working properly between the two members?
A. Members TestKing1 and TestKing2 are synchronized, because ID for both members are identical in the
connection table
B. The connections-table output is incomplete. You must run the cphaprob state command, to determine if
members TestKing1 and TestKing2 are synchronized.
C. Members TestKing1 and TestKing2 are not synchronized, because #PEAK for both members is not close in
the connections table.
D. Members TestKing1 and TestKing2 are synchronized, because #SLINKS are identical in the connections
table.
E. Members TestKing1 and TestKing2 are not synchronized, because #VALS in the connection table are not
close.
Correct Answer: E
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Debugging State Synchronization
To monitor the synchronization mechanism on ClusterXL or third-party OPSEC certified clustering products, run
the following commands on a cluster member.
FW TAB -T CONNECTIONS - S
One quick test to verify if State Synchronization is working properly is by running the fw tab -t connections -s
command from cluster members. If the #VALS numbers are very close between cluster members, cluster
members are synchronizing properly.
Here is a sample output of fw tab -t connections -s:
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 4 22 4
If the #VALS numbers are very close between cluster members, it is safe to say State Synchronization is
working properly.
The key line is "If the #VALS numbers are very close between cluster members, it is safe to say State
Synchronization is working properly."
Reference. http://www.checkpoint.com/services/education/training/samples/ClusterXL_Sample_Chapter.pdf
QUESTION 334
Exhibit:
The exhibit illustrates how a VPN-1 SecureClient user tries to establish a VPN host in the external_net and
internal_net from the Internet. How is the Security Gateway VPN Domain created?
A. Internal Gateway VPN domain = internal_net,
External VPN Domain = external net + external gateway object + internal_net.
B. Internal Gateway VPN domain = internal_net,
External Gateway VPN Domain = external net + internal gateway object
C. Internal Gateway VPN domain = internal_net,
External Gateway VPN Domain = internal_net + external net
D. Internal Gateway VPN domain = internal_net,
External Gateway VPN Domain = internal VPN domain + internal gateway object + external net
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
For the remote-access client to make it through to the internal-net, he must first connect to the corporate_gw.
From there, he must route and have access to talk with the internal_gw or he will never get into the internal net.
Answer A does not include the internal_gw in the external vpn domain, so the connection would never make it
in!
Just like the internal gateway VPN domain does NOT include the gateway protecting it, the external gateway VPN
domain does not need the corporate_gw either.
QUESTION 335
Regarding QoS guarantees and limits, which of the following statements is FALSE?
A. The guarantee of a sub-rule cannot be greater than the guarantee defined for the rule above it.
B. If the guarantee is defined in a sub-rule, a guarantee must be defined for the rule above it.
C. A rule guarantee must not be less than the sum defined in the guarantees' sub-rules.
D. If both a rule and per-connection limit are defined for a rule, the per-connection limit must not be greater
than the rule limit.
E. If both a limit and guarantee per rule are defined in a QoS rule, the limit must be smaller than the guarantee.
Correct Answer: E
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 336
You plan to install a VPN-1 Pro Gateway for VPN-1 NGX at TestKing.com's headquarters. You have a single
Sun SPARC Solaris 9 machines for VPN-1 Pro enterprise implementation. You need this machine to inspect
traffic and keep configuration files.
Which Check Point software package do you install?
A.
B.
C.
D.
E.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 337
By default, a standby SmartCenter Server is automatically synchronized by an active SmartCenter Server,
when:
A.
B.
C.
D.
E.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 338
Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro
Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure
as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter
Server, without making any changes to the existing primary SmartCenter Server? Changes can include
The Security Server Rule is after the general HTTP Accept Rule.
The Security Server is not communicating with the CVP server.
The Security Server is not configured correctly.
The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
Explanation: Since the rules are defined in the correct order (otherwise the policy could not be installed) and the
packet did pass (according to the question), the CVP server is passing the traffic.
Not A: putting a general HTTP accept rule will result in a hidden rule error, since it will hide the HTTP resource rule,
and the policy will not be able to be installed.
Not B: if the CVP server is down, the matched traffic will not pass.
Not C: too general an answer.
QUESTION 340
You must set up SIP with proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and
proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to
network Net_B on the Internet, you have defined the following objects:
* Network object: SIP-net 172.16.100.0/24
* SIP-gateway: 172.16.100.100
* VoIP Domain Object: VoIP_domain_A
SIP-Gateway/Net_B/sip_any/accept
VoIP_domain/Net_B/sip/accept
SIP-Gateway/Net_B/sip/accept
VoIP_domain_A/Net_B/sip_any; and sip/accept
VoIP_Gateway_A/Net_B/sip_any/accept
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
Not E: "VoIP_Gateway_A" is not actually referenced in the question.
QUESTION 341
How does a standby SmartCenter Server receive logs from all Security Gateways, when an active SmartCenter
Server fails over?
A. The remote Gateways must set up SIC with the secondary SmartCenter Server, for logging.
B. Establish Secure Internal Communications (SIC) between the primary and secondary Servers. The
secondary Server can then receive logs from the Gateways, when the active Server fails over.
C. On the Log Server screen (from the Logs and Master tree on the gateway object's General Properties
screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security
Policy.
D. Create a Check Point host object to represent the standby SmartCenter Server. Then select Secondary
SmartCenter Server and Log Server, from the list of Check Point Products on the General properties
screen.
E. The secondary Server's host name and IP address must be added to the Masters file, on the remote
Gateways.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 342
Exhibit:
You are preparing a lab for a ClusterXL environment, with the topology shown in the exhibit.
* Vip internal cluster IP = 172.16.10.1; Vip external cluster IP = 192.168.10.3
* Cluster Member 1: four NICs, three enabled: qfe0: 192.168.10.1/24, qfe1: 10.10.10.1/24, qfe2:
172.16.10.1/24
* Cluster Member 2: five NICs, three enabled: hme0: 192.168.10.2/24, eth1: 10.10.10.2/24, eth2:
172.16.10.2/24
* Member Network tab on internal-cluster interfaces: is 10.10.10.0, 255.255.255.0
* SmartCenter Pro Server: 172.16.10.3
External interfaces 192.168.10.1 and 192.168.10.2 connect to a Virtual Local Area Network (VLAN) switch. The
upstream router connects to the same VLAN switch. Internal interfaces 10.10.10.1 and 10.10.10.2 connect to a
hub. There is no other machine in the 10.10.01.0 network. 172.19.10.0 is the synchronization network.
What is the problem with this configuration?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 343
Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as
a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the
correct order of steps?
QUESTION 344
How does ClusterXL Unicast mode handle new traffic?
A. The pivot machine receives and inspects all new packets, and synchronizes the connections with other
members.
B. Only the pivot machine receives all packets. It runs an algorithm to determine which member should
process the packets.
C. All members receive packets. The SmartCenter Server decides which member will process the packets.
Other members simply drop the packets.
D. All cluster members process all packets, and members synchronize with each other.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 345
You are configuring the VoIP Domain object for a SIP environment, protected by VPN-1 NGX.
Which VoIP Domain object type can you use?
A. Call Manager
B. Gateway
C. Call Agent
D. Gatekeeper
E. Proxy
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 346
VPN-1 NGX supports VoIP traffic in all of the following environments, EXCEPT which environment?
A. H.323
B. SIP
C. MEGACO
D. SCCP
E. MGCP
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 347
You plan to incorporate OPSEC servers, such as Websense and Trend Micro, to do content filtering. Which
segments is the BEST location for these OPSEC servers, when you consider Security Server performance and
data security?
A.
B.
C.
D.
E.
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Deploying OPSEC Servers
OPSEC solutions, such as CVP and UFP servers are deployed on dedicated servers. These servers are
typically either placed in the DMZ, or on a private network segment. This allows fast, secure connections
between the CVP servers and the VPN-1 Pro Gateway.
Performing scanning at the network perimeter is both safer and more efficient than performing the scanning at
the desktop or the application servers.
FTP, HTTP & SMTP servers are typically placed in the DMZ - Check Point help depicts a dedicated subnet for
CVP & UFP servers.
QUESTION 348
You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule.
What causes the Connection Rejection?
A. No QoS rule exists to match the rejected traffic.
B. The number of guaranteed connections is exceeded. The rule's properties are not set to accept additional
connections.
C. The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal
Delay is set below requirements.
D. Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.
E. The guarantee of one of the rule's sub-rules exceeds the guarantee in the rule itself.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
QoS rules with the track field set to Log can generate the following types of log events:
Connection Rejection
QoS rejects a connection when the number of guaranteed connections is exceeded, and/or when the rule's
action properties are not set to accept additional connections.
359, accel_ccse_ngx
QUESTION 349
Which of the following QoS rule-action properties is an Advanced action type, only available in Traditional
mode?
A. Guarantee Allocation
B. Rule weight
C. Apply rule only to encrypted traffic
D. Rule limit
E. Rule guarantee
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Create a new policy package and compare.
QOS Action Properties for QOS Express
QUESTION 350
Which Check Point QoS feature marks the Type of Service (ToS) byte in the IP header?
A. Guarantees
B. Low Latency Queuing
C. Differentiated Services
D. Weighted Fair Queuing
E. Limits
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 351
Which of the following TCP port numbers is used to connect the VPN-1 Gateway to the Content Vector Protocol
(CVP) server?
A. 18182
B. 18180
C. 18181
D. 17242
E. 1456
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 352
VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS).
However, this service only provides a limited level of actions for CIFS security.
Which of the following services is NOT provided by a CIFS resource?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Create a new CIFS resource.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
In Check Point's PDF CheckPoint_R61_QoS_UserGuide.pdf, on page 95, paragraph 4, it says "FloodGate-1 Low
Latency Queuing makes it possible to define special Classes of Service for "delay sensitive" applications like
voice and video."
This we believe indicates that Low Latency Classes is the best option.
QUESTION 354
Tess King is a Security Administrator preparing to implement a VPN solution for her multi-site organization
TestKing.com. To comply with industry regulations, Mrs. King's VPN solution must meet the following
requirements:
* Portability: standard
* Key management: Automatic, external PKI
* Session keys: Changed at configured times during a connection's lifetime
* Key length: No less than 128-bit
* Data integrity: Secure against inversion and brute-force attacks
What is the most appropriate setting Tess should choose?
A. IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash
B. IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
C. IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
D. IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash
E. IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 355
Your current VPN-1 NG Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter
Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the
existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You
need to migrate the NG with AI R55 SmartCenter Server configuration, including such items as Internal
Certificate Authority files, databases, and Security Policies.
How do you request a new license for this VPN-1 NGX upgrade?
A. Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new
local license for the NGX VPN-1 Pro Gateway.
B. Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new
central license for the NGX VPN-1 Pro Gateway.
C. Request a new VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP
address. Request a new central license for the NGX VPN-1 Pro Gateway.
D. Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address.
Request a new central license for the NGX VPN-1 Pro Gateway, licenses for the existing SmartCenter
Server IP address.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 356
Tess King is a Security Administrator for TestKing.com. TestKing.com has two sites using pre-shared secrets in
its VPN. The two sites are Boston and New York. Tess has just been informed that a new office is opening in
Houston, and she must enable all three sites to connect via the VPN to each other. Three Security Gateways
are managed by the same SmartCenter Server, behind the New York Security Gateway. Mrs. King decides to
switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating
the Houston gateway object with the proper VPN domain, what are Tess King's remaining steps?
1. Disable "Pre-shared Secret" on the Boston and New York gateway objects.
2. Add the Houston gateway object into the New York and Boston's mesh VPN Community.
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Houston gateway object's VPN screen.
5. Reinstall the Security Policy on all three Security Gateways
A. 1, 2, 5
B. 1, 3, 4, 5
C. 1, 2, 3, 5
D. 1, 2, 4, 5
E. 1, 2, 3, 4
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
Explanation: VPN routing is done through simple vpns not traditional, therefore the answer is C.
QUESTION 357
Which component functions as the Internal Certificate Authority for VPN-1 NGX R65?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 358
Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?
A. FTP
B. SMTP
C. Telnet
D. HTTP
E. rlogin
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Reference: Page 105 of the Check Point Security Administration NGX II 1.1
QUESTION 359
TestKing.com has two headquarters, one in Los Angeles and one in Mumbai. Each headquarters includes
several branch offices. The branch offices only need to communicate with the headquarters in their country, not
with each other, and only the headquarters need to communicate directly.
What is the BEST configuration for VPN communities among the branch offices and their headquarters, and
between the two headquarters?
VPN communities comprised of:
A. Two star and one mesh Community; each star Community is set up for each site, with headquarters as the
center of the Community, and branches as satellites. The mesh Communities are between Mumbai and Los
Angeles headquarters.
B. Three mesh Communities: one for Los Angeles and its branches, one for Mumbai headquarters and its
branches, and one for Los Angeles and Mumbai headquarters.
C. Two mesh Communities, one for each headquarters; and one star Community, in which Los Angeles is the
center of the Community and Mumbai is the satellite.
D. Two mesh Communities, one for each headquarters; and one star Community, in which Mumbai is the
center of the Community and Los Angeles is the satellite.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 360
Tess King wants to protect internal users from malicious Java code, but Tess does not want to strip Java
scripts.
Which is the best configuration option?
A.
B.
C.
D.
E.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 361
Exhibit:
You want to block corporate-internal-net and localnet from accessing Web sites containing inappropriate
content. You are using WebTrends for URL filtering. You have disabled VPN-1 Control connections in the
Global properties. Review the diagram and the Security Policies for TestKing1 and TestKing2 in the exhibit
provided.
Corporate users and localnet users receive message "Web cannot be displayed". In SmartView Tracker, you
see the connections are dropped with the message "content security is not reachable".
What is the problem, and how do you fix it?
A. The connection from TestKing2 to the internal WebTrends server is not allowed in the Policy.
Fix: Add a rule in TestKing1's Policy to allow source WebTrendsServer, destination TestKing2, service TCP
port 18182, and action accept.
B. The connection from TestKing2 to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in TestKing2's Policy with Source TestKing2, destination WebTrends server, service TCP
port 18182, and action accept.
C. The connection from TestKing1 to the internal WebTrends server is not allowed in the Policy.
Fix: Add a rule in TestKing2's Policy with source WebTrendsServer, destination TestKing1, service TCP
port 18182, and action accept.
D. The connection from TestKing1 to the internal WebTrends server is not allowed in the Policy.
Fix: Add a rule in TestKing2's Policy with source TestKing1, destination WebTrends server, service TCP
port 18182, and action accept.
E. The connection from TestKing1 to the internal WebTrends server is not allowed in the Policy.
Fix: Add a rule in TestKing1's Policy to allow source TestKing1, destination WebTrends server, service TCP
port 18182, and action accept.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Not C, D, E because the connection to WebTrends must get through the FW named TestKing2.
Not A because only the FW named TestKing2 must have the rules enabled on it.
You must add a rule as a consequence of disabling Control connections in Global Properties.
QUESTION 362
Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?
A. Telnet
B. HTTP
C. rlogin
D. FTP
E. SMTP
Correct Answer: AC
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 363
Which service type does NOT invoke a Security Server?
A. HTTP
B. FTP
C. Telnet
D. CIFS
E. SMTP
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
NGX II 1.1 book P/N 701768 page 105.
Telnet, rlogin, FTP, HTTP, SMTP are Security Servers. CIFS is not.
Also on page 123 of NGX II 1.1 book P/N 701768 - the first line reads:
"CIFS resources do not invoke Security Servers"
QUESTION 364
You have two Nokia Appliances, one IP530 and one IP380. Both Appliances have IPSO 39 and VPN-1 Pro NGX
installed in a distributed deployment. Can they be members of a gateway cluster?
A. No, because the Gateway versions must not be the same on both security gateways
B. Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
C. No, because members of a security gateway cluster must be installed as stand-alone deployments
D. Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not
E. No, because the appliances must be of the same model (Both should be IP530 or IP380.)
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 365
Review the following rules and note the Client Authentication Action properties screen, as shown in the exhibit.
After being authenticated by the Security Gateway when a user starts an HTTP connection to a Web site the
user tries to FTP to another site using the command line. What happens to the user?
The....
A. FTP session is dropped by the implicit Cleanup Rule.
B. User is prompted from the FTP site only, and does not need to enter username and password for the Client
Authentication.
print TESTKING
fw licprint TESTKING
fw tab -t fwlic TESTKING
cplic print TESTKING
fw lic print TESTKING
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
cplic print prints details of Check Point licenses on the local machine. On a Module, this command will print all
licenses that are installed on the local
machine -- both Local and Central licenses.
P456, .
NG COMMAND LINE INTERFACE
Advanced Technical Reference Guide -- NG FP3
QUESTION 367
Ophelia is the security Administrator for a shipping company. Her company uses a custom application to update
the distribution database. The custom application includes a service used only to notify remote sites that the
distribution database is malfunctioning. The perimeter Security Gateways Rule Base includes a rule to accept
this traffic. Ophelia needs to be notified, via a text message to her cellular phone, whenever traffic is accepted
on this rule. Which of the following options is MOST appropriate for Ophelia's requirement?
A.
B.
C.
D.
E.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 368
Choose the BEST sequence for configuring user management on SmartDashboard, for use with an LDAP
server:
A. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an
LDAP server using an OPSEC application.
B. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an
LDAP resource object.
C. Enable LDAP in Global Properties, configure a host-node object for the LDAP Server, and configure a
server object for the LDAP Account Unit.
D. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
E. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit,
and enable LDAP in Global Properties.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
`A' is incorrect because you do not create an LDAP Server using an OPSEC Application. The LDAP server is a
host node. Also note that the question asks for the BEST sequence. Logically, the first thing to do when
configuring LDAP is to enable it in Global Properties.
`B' is incorrect because you cannot create an LDAP Resource Object.
`C' is correct. Logic says you enable LDAP in Global Properties first, then create the host node that will be
defined on the LDAP Account Unit properties window as the LDAP Server and then create the LDAP Account
unit as a Server object not an OPSEC Application. See screenshot.
`D' is incorrect because you cannot create an LDAP Resource Object.
`E' is incorrect because Workstation is not the correct object name for an LDAP server, it is a host node.
QUESTION 369
Which of the following is the final step in an NGX backup?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
B.
C.
D.
E.
CPLogManager
LEA
SmartViewTracker
ELA
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
Explanation: Check Point has made an API (Application Programming Interface) available for these companies
to use to communicate with Check Point's product line. The SDK (Software Development Kit) requires
knowledge of the C programming language.
The SDK contains software to integrate with the following interfaces:
CVP: The Content Vectoring Protocol allows antivirus solutions to talk to FireWall-1.
UFP: The URI Filtering Protocol allows Web filtering to integrate.
LEA: The Log Export API enables you to export log files to third-party log servers.
ELA: The Event Logging API allows Check Point to receive logs from third-party software.
338, Configuring Check Point NGX VPN-1/FireWall-1, Syngress, 1597490318
QUESTION 371
In NGX, what happens if a Distinguished Name (DN) is NOT found in LDAP?
A. NGX takes the common-name value from the Certificate subject, and searches the LDAP account unit for a
matching user id
B. NGX searches the internal database for the username
C. The Security Gateway uses the subject of the Certificate as the DN for the initial lookup
D. If the first request fails or if branches do not match, NGX tries to map the identity to the user id attribute
E. When users authenticate with valid Certificates, the Security Gateway tries to map the identities with users
registered in the external LDAP user database
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Retrieving Information from a SmartDirectory (LDAP) server
When a Gateway requires user information for authentication purposes, it searches for this information in three
different places:
1 The first place that is queried is the internal users database.
2 If the specified user is not defined in this database, the Gateway queries the SmartDirectory (LDAP) servers
defined in the Account Unit one at a time, and according to their priority. If for some reason the query against a
specified SmartDirectory (LDAP) server fails, for instance the SmartDirectory (LDAP) connection is lost, the
SmartDirectory (LDAP) server with the next highest priority is queried. If there is more than one Account Unit,
the Account Units are queried concurrently. The results of the query are either taken from the first Account Unit
to meet the conditions, or from all the Account Units which meet the conditions. The choice between taking the
result of one Account Unit as opposed to many is a matter of Gateway configuration.
3 If the information still cannot be found, the Gateway uses the external users template to see if there is a
match against the generic profile. This generic profile has the default attributes applied to the specified user.
QUESTION 372
Which command allows you to view the contents of an NGX table?
A. fw tab s <tablename>
B. fw tab -t <tablename>
C. fw tab -u <tablename>
D. fw tab -a <tablename>
E. fw tab -x <tablename>
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 373
Jack's project is to define the backup and restore section of his organization's disaster recovery plan for his
organization's distributed NGX installation. Jack must meet the following required and desired objectives.
* Required Objective: The security policy repository must be backed up no less frequently than every 24 hours
* Desired Objective: The NGX components that enforce the Security Policies should be backed up no less
frequently than once a week
* Desired Objective: Back up NGX logs no less frequently than once a week
Jack's disaster recovery plan is as follows. See exhibit.
Jack's plan:
A. Meets the required objective but does not meet either desired objective
B. Does not meet the required objective
C. Meets the required objective and only one desired objective
D. Meets the required objective and both desired objectives
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
Explanation: Logs can be viewed after exported.
QUESTION 374
The following is cphaprob state command output from a New Mode High Availability cluster member:
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 375
What do you use to view an NGX Security Gateway's status, including CPU use, amount of virtual memory,
percent of free hard-disk space, and version?
A. SmartLSM
B. SmartViewTracker
C. SmartUpdate
D. SmartViewMonitor
E. SmartViewStatus
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 376
Which of the following commands is used to restore NGX configuration information?
A. cpconfig
B. cpinfo -i
C. restore
D. fwm dbimport
E. upgrade_import
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 377
Eric wants to see all URLs' full destination path in the SmartView Tracker logs, not just the fully qualified domain
name of the web servers. For example, the information field of a log entry displays the URL http://hp.msn.com/
css/home/hpcl1012.css. How can Eric best customize SmartView Tracker to see the logs he wants? Configure
the URI resource, and select
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 378
Which of the following commands shows full synchronization status?
A. cphaprob -i list
B. cphastop
C. fw ctl pstat
D. cphaprob -a if
E. fw hastat
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 379
Which VPN Community object is used to configure VPN routing within the SmartDashboard?
A. Star
B. Mesh
C. Remote Access
D. Map
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 380
If you are experiencing LDAP issues, which of the following should you check?
A.
B.
C.
D.
B.
C.
D.
E.
Windows XP SP2
Windows 2000 Professional
RedHat Linux 7 0
MacOS X
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 383
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?
A. Guarantees
B. Differentiated Services
C. Limits
D. Weighted Fair Queueing
E. Low Latency Queueing
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 384
You are running a VPN-1 NG with Application Intelligence R54 SecurePlatform VPN-1 Pro Gateway. The
Gateway also serves as a Policy Server. When you run patch add cd from the NGX CD, what does this
command allow you to upgrade?
A.
B.
C.
D.
E.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 385
Amanda is compiling traffic statistics for TestKing.com's Internet activity during production hours.
How could she use SmartView Monitor to find this information? By
A. using the "Traffic Counters" settings and SmartView Monitor to generate a graph showing the total HTTP
traffic for the day
B. monitoring each specific user's Web traffic use.
C. Viewing total packets passed through the Security Gateway
D. selecting the "Tunnels" view, and generating a report on the statistics
E. configuring a Suspicious Activity Rule which triggers an alert when HTTP traffic passes through the
Gateway
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 386
A Security Administrator is notified that some long-lasting Telnet connections to a mainframe are dropped every
time after an hour. The Administrator suspects that the Security Gateway might be blocking these
connections. As she reviews the Smart Tracker the Administrator sees the packet is dropped with the error
"Unknown established connection". How can she resolve this problem without causing other security issues?
Choose the BEST answer. She can:
A. increase the session time-out in the mainframe's Object Properties
B. create a new TCP service object on port 23, and increase the session time-out for this object. She only uses
this new object in the rule that allows the Telnet connections to the mainframe
C. increase the session time-out in the Service Properties of the Telnet service
D. increase the session time-out in the Global Properties
E. ask the mainframe users to reconnect every time this error occurs
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Explanation: It is better to change the "Session Timeout" for a specific service than to set it globally for ALL
Services.
Checkpoint KBase:
To specify a timeout for a TCP service that is different from the global TCP timeout (defined in the Stateful
Inspection page of the Global Properties window), proceed as follows:
1. Open the TCP Service Properties window for the specific service.
2. Click "Advanced".
3. In the Advanced TCP Service Properties window, select "Other".
4. Specify the timeout.
5. Install the policy.
QUESTION 387
Tess King is the Security Administrator for a software-development company. To isolate the corporate network
from the developer's network, Tess King installs an internal Security Gateway.
Tess wants to optimize the performance of this Gateway.
Which of the following actions is most likely to improve the Gateway's performance?
A.
B.
C.
D.
E.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 388
Tess King is the Security Administrator for a chain of grocery stores. Each grocery store is protected by a
Security Gateway. Tess King is generating a report for the information-technology audit department. The report
must include the name of the Security Policy installed on each remote Security Gateway, the date and time the
Security Policy was installed, and general performance statistics (CPU Use, average CPU time, active real
memory, etc.).
Which SmartConsole application should Tess King use to gather this information?
A. SmartUpdate
B. SmartView Status
C. SmartView Tracker
D. SmartLSM
E. SmartView Monitor
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 389
How can you reset Secure Internal Communications (SIC) between a SmartCenter Server and Security
Gateway?
A. Run the command fwm sic_reset to reinitialize the Internal Certificate Authority (ICA) of the SmartCenter
Server. Then retype the activation key on the Security-Gateway from SmartDashboard
B. From cpconfig on the SmartCenter Server, choose the Secure Internal Communication option and retype
the activation key. Next, retype the same key in the gateway object in SmartDashboard and reinitialize
Secure Internal Communications (SIC)
C. From the SmartCenter Server's command line type fw putkey -p <shared key> <IP Address of SmartCenter
Server>.
D. From the SmartCenter Server's command line type fw putkey -p <shared key> <IP Address of security
Gateway>.
E. Re-install the Security Gateway
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 390
Which NGX feature or command allows Security Administrators to revert to earlier versions of the Security
Policy without changing object configurations?
A. upgrade_export/upgrade_import
B. Policy Package management
C. fwm dbexport/fwm dbimport
D. cpconfig
E. Database Revision Control
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 391
Tess King is the Security Administrator for TestKing.com's large geographically distributed network. The
internet connection at one of her remote sites failed during the weekend, and the Security Gateway logged
locally for over 48 hours. Tess King is concerned that the logs may have consumed most of the free space on
the Gateway's hard disk.
Which SmartConsole application should Tess King use, to view the percent of free hard-disk space on the
remote Security Gateway?
A. SmartView Status
B. SmartView Tracker
C. SmartUpdate
D. SmartView Monitor
E. SmartLSM
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 392
What is a Consolidation Policy?
A. The collective name of the Security Policy, Address Translation, and SmartDefense Policies
B. The specific Policy used by Eventia Reporter to configure log-management practices
C. The state of the Policy once installed on a Security Gateway
D. A Policy created by Eventia Reporter to generate logs
E. The collective name of the logs generated by Eventia Reporter
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 393
To change an existing ClusterXL cluster object from Multicast to Unicast mode, what configuration change
must be made?
A. Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy
B. Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy
C. Run cpstop and cpstart, to reenable High Availability on both objects. Select Pivot mode in cpconfig
D. Change the cluster mode to Unicast on the cluster-member object
E. Switch the internal network's default Security Gateway to the pivot machine's IP address
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 394
After you add new interfaces to this cluster, how can you check if the new interfaces and associated virtual IP
address are recognized by ClusterXL?
A.
B.
C.
D.
E.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 395
From the following output of cphaprob state, which ClusterXL mode is this?
A. Legacy mode
B. Multicast mode
C. Load Balancing Mode
D. New mode
E. Unicast mode
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 396
Stephanie wants to reduce the encryption overhead and improve performance for her mesh VPN Community.
The Advanced VPN Properties screen below displays adjusted page settings: What can Stephanie do to
achieve her goal?
A.
B.
C.
D.
E.
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 397
Your network traffic requires preferential treatment by other routers on the network, in addition to the QoS
Module. Which Check Point QoS feature should you use?
A. Limits
B. Low Latency Queuing
C. Differentiated Services
D. Weighted Fair Queuing
E. Guarantees
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 398
You want to establish a VPN, using Certificates. Your VPN will exchange Certificates with an external partner.
Which of the following activities should you do first?
A. Manually import your partner's Certificate Revocation List.
B. Create a new logical-server object, to represent your partner's CA.
C. Exchange exported CA keys and use them to create a new server object, to represent your partner's
Certificate Authority (CA).
D. Exchange a shared secret, before importing Certificates.
E. Manually import your partner's Access Control List.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 399
Exhibit:
In a Management High Availability (HA) configuration, you can configure synchronization to occur automatically.
Please refer to the exhibit.
Select the BEST response for the synchronization sequence. Choose one.
A. 1,3,4
B. 1,2,4
C. 1,2,3,4
D. 1,2,3
E. 1,2,5
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 400
In a Load Sharing Unicast mode scenario, the internal-cluster IP address is 10.4.8.3. The internal interfaces on
two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 Pings 10.4.8.3, and receives replies. The
following is the ARP table from the internal Windows host 10.4.8.108: c:> arp According to the output, which
member is the Pivot?
A. 10.4.8.3
B. 10.4.8.108
C. 10.4.8.2
D. 10.4.8.1
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 401
DShield is a Check Point feature used to block which of the following threats?
A. Buffer overflows
B. SQL injection
C. Cross Site Scripting
D. DDOS
E. Trojan horses
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 402
How do you control the maximum mail messages in a spool directory?
A.
B.
C.
D.
E.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 403
A cluster contains two members, with external interfaces 172.28.108.1 and 172.28.108.2. The internal
interfaces are 10.4.8.1 and 10.4.8.2. The external cluster's IP address is 172.28.108.3, and the internal cluster's
IP address is 10.4.8.3. The synchronization interfaces are 192.168.1.1 and 192.168.1.2. The Security
Administrator
discovers State Synchronization is not working properly. cphaprob if command output displays as follows:
What is causing the State Synchronization problem?
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 405
Your current stand-alone VPN-1 NG with Application Intelligence (AI) R55 installation is running on
SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine
will be the VPN-1 Pro Gateway. An additional machine will serve as the SmartCenter Server. The new machine
runs on a Windows Server 2003. You need to upgrade the NG with AI R55 SmartCenter Server configuration to
VPN-1 NGX.
How do you upgrade to VPN-1 NGX?
A. Run the backup command in the existing SecurePlatform machine, to create a backup file. Copy the file to
the Windows Server 2003. Uninstall all Check Point products on SecurePlatform by running rpm CPsuiteR55 command. Reboot. Install new VPN-1 NGX on the existing SecurePlatform machine. Run sysconfig,
select VPN-1 Pro Gateway, and reboot. Use VPN-1 NGX CD to install primary SmartCenter Server on the
Windows Server 2003. Import the backup file.
B. Copy the $FWDIR\conf and $FWDIR\lib files from the existing SecurePlatform machine. Create a tar.gz file,
and copy it to the Windows Server 2003. Use VPN-1 NGX CD on the existing SecurePlatform machine to
do a new installation. Reboot. Run sysconfig and select VPN-1 Pro Gateway. Reboot. Use the NGX CD to
install the
primary SmartCenter Server on the Windows Server 2003. On the Windows Server 2003, run
upgrade_import command to import $FWDIR\conf and $FWDIR\lib from the SecurePlatform machine.
C. Insert the NGX CD in the existing NG with AI R55 SecurePlatform machine, and answer yes to backup the
configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot
after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and
finish the
sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows
Server 2003. Import the backup file.
D. Run backup command on the existing SecurePlatform machine to create a backup file. Copy the file to the
Windows Server 2003. Uninstall the primary SmartCenter Server package from NG with AI R55
SecurePlatform using sysconfig. Reboot. Install the NGX primary SmartCenter Server and import the
backup file. Open the NGX SmartUpdate, and select "upgrade all packages" on the NG with AI R55 Security
Gateway.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 406
What is the behavior of ClusterXL in a High Availability environment?
A. The active member responds to the virtual IP address, and both members pass traffic when using their
physical addresses.
B. Both members respond to the virtual IP address, but only the active member is able to pass traffic.
C. The passive member responds to the virtual IP address, and both members route traffic when using their
physical addresses.
D. Both members respond to the virtual IP address, and both members pass traffic when using their physical
addresses.
E. The active member responds to the virtual IP address, and is the only member that passes traffic
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 407
You plan to migrate a VPN-1 NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX.
You also plan to upgrade four VPN-1 Pro Gateways at remote offices, and one local VPN-1 Pro Gateway at
your company's headquarters. The SmartCenter Server configuration must be migrated. What is the correct
procedure to migrate the configuration?
A. 1. From the VPN-1 NGX CD in the SmartCenter Server, select "advance upgrade".
2. After importing the SmartCenter configuration into the new NGX SmartCenter, reboot.
3. Upgrade all licenses and software on all five remote Gateways via SmartUpdate.
B. 1. Copy the $FWDIR\conf directory from the SmartCenter Server.
2. Save directory contents to another directory.
3. Uninstall the SmartCenter Server, and install a new SmartCenter Server.
4. Move directory contents to $FWDIR\conf.
5. Reinstall all gateways using NGX and install a policy.
C. 1. Upgrade the five remote Gateways via SmartUpdate.
2. Upgrade the SmartCenter Server, using the VPN-1 NGX CD.
D. 1. Upgrade the SmartCenter Server, using the VPN-1 NGX CD.
2. Reinstall and update the licenses of the five remote Gateways.
E. Upgrade the SmartCenter Server and the five remote Gateways via SmartUpdate, at the same time.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
Adapted.
QUESTION 408
What is a requirement for setting up Management High Availability?
A.
B.
C.
D.
E.
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 409
Which type of service should a Security Administrator use in a Rule Base to control access to specific shared
partitions on target machines?
A. HTTP
B. FTP
C. URI
D. Telnet
E. CIFS
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 410
You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of 40, and the Default
Rule with a weight of 10. If the only traffic passing through your QoS Module is HTTP traffic, what percent of
bandwidth will be allocated to the HTTP traffic?
A. 80%
B. 50%
C. 40%
D. 10%
E. 100%
Correct Answer: E
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 411
VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS).
However, this service only provides a limited level of actions for CIFS security. Which of the following services
is provided by a CIFS resource?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
Explanation:
Create a new CIFS resource.
QUESTION 412
When Load Sharing Multicast mode is defined in a ClusterXL cluster object, how are packets being handled by
cluster members?
A. All cluster members process all packets, and members synchronize with each other.
B. Only one member at a time is active. The active cluster member processes all packets.
C. All members receive all packets. An algorithm determines which member processes packets, and which
member drops packets.
D. All members receive all packets. The SmartCenter Server decides which member will process the packets.
Other members simply drop the packets.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 413
The following configuration is for VPN-1 NGX: Is this configuration correct for Management High Availability
(HA)?
A. No, A VPN-1 NGX SmartCenter Server can only be in a Management HA configuration, if the operating
system is Solaris.
B. No, the SmartCenter Servers must be installed on the same operating system.
C. No, the SmartCenter Servers must reside on the same network.
D. No, the SmartCenter Servers do not have the same number of NICs.
E. No, a VPN-1 NGX SmartCenter Server cannot run on Red Hat Linux 7.3.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 414
Damon enables an SMTP resource for content protection. He notices that mail seems to slow down on
occasion, sometimes being delivered late. Which of the following might improve throughput performance?
A. Configuring the SMTP resource to only allow mail with Damon's company's domain name in the header
B. Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server,
without waiting for a response from the Security Gateway
C. Increasing the Maximum number of mail messages in the Gateway's spool directory
D. Configuring the SMTP resource to bypass the CVP resource
E. Configuring the CVP resource to return the mail to the Gateway
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 415
When you add a resource service to a rule, which ONE of the following actions occur?
A. VPN-1 SecureClient users attempting to connect to the object defined in the Destination column of the rule
will
receive a new Desktop Policy from the resource.
B. Users attempting to connect to the destination of the rule will be required to authenticate.
C. All packets that match the resource in the rule will be dropped.
D. All packets matching the resource service rule are analyzed or authenticated, based on the resource
properties.
E. All packets matching that rule are either encrypted or decrypted by the defined resource.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 416
What is the command to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 SmartCenter
Server to VPN-1 NGX using a CD?
A. fwm upgrade_tool
B. patch add cd
C. patch add
D. cd patch add
E. cppkg add
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
Corrected.
QUESTION 417
You are trying to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have
the option to see the Directional Match. You see the following window.
What must you enable to see the Directional Match?
Exhibit:
A.
B.
C.
D.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 418
Which is the lowest Gateway version manageable by SmartCenter R77?
A. R65
B. S71
C. R55
D. R60A
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 419
A ClusterXL configuration is limited to ___ members.
A. There is no limit.
B. 16
C. 6
D. 2
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 420
Select the command set best used to verify proper failover function of a new ClusterXL configuration.
A. reboot
B. cphaprob -d failDevice -s problem -t 0 register / cphaprob -d failDevice unregister
C. clusterXL_admin down / clusterXL_admin up
D. cpstop/cpstart
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 421
Which three of the following components are required to get a SmartEvent up and running?
1) SmartEvent SIC
2) SmartEvent Correlation Unit
3) SmartEvent Server
4) SmartEvent Analyzer
5) SmartEvent Client
A. 2, 3, and 5
B. 1, 2, and 4
C. 1, 2, and 3
D. 3, 4, and 5
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 422
What is the correct policy installation process order?
1. Verification
2. Code generation and compilation
3. Initiation
4. Commit
5. Conversion
6. CPTA
A. 1, 2, 3, 4, 5, 6
B. 3, 1, 5, 2, 6, 4
C. 4, 2, 3, 5, 6, 1
D. 6, 5, 4, 3, 2, 1
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 423
What is the offline CPSIZEME upload procedure?
A. Find the cpsizeme_of_<gwname>.pdf, attach it to an e-mail and send it to
cpsizeme_upload@checkpoint.com
B. Use the webbrowser version of cpsizeme and fax it to Check Point.
C. Find the cpsizeme_of_<gwname>.xml, attach it to an e-mail and send it to
cpsizeme_upload@checkpoint.com
D. There is no offline upload method.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 424
How frequently does CPSIZEME run by default?
A. weekly
B. 12 hours
C. 24 hours
D. 1 hour
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 425
How do you run "CPSIZEME" on SPLAT?
A. [expert@HostName]#>./cpsizeme -h
B. [expert@HostName]# ./cpsizeme -R
C. This is not possible on SPLAT
D. [expert@HostName]# ./cpsizeme
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 426
How do you check the version of "CPSIZEME" on GAiA?
A. [expert@HostName]# ./cpsizeme.exe v
B. [expert@HostName]# ./cpsizeme.exe version
C. [expert@HostName]# ./cpsizeme V
D. [expert@HostName]# ./cpsizeme version
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 427
How do you upload the results of "CPSIZEME" to Check Point when using a PROXY server with
authentication?
A.
B.
C.
D.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 428
By default, what happens to the existing connections on a firewall when a new policy is installed?
A. All existing data connections will be kept open until the connections have ended.
B. Existing connections are always allowed
C. All existing control and data connections will be kept open until the connections have ended.
D. All existing connections not allowed under the new policy will be terminated.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 429
Which protocol can be used to provide logs to third-party reporting?
A.
B.
C.
D.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 430
Can the smallest appliance handle all Blades simultaneously?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 431
The process _______ provides service to access the GAIA configuration database.
A. configdbd
B. confd
C. fwm
D. ipsrd
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 432
Which CLI tool helps verify proper ClusterXL sync?
A. fw stat
B. fw ctl sync
C. fw ctl pstat
D. cphaprob stat
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 433
The connection to the ClusterXL member "A" breaks. The ClusterXL member "A" status is now "down".
Afterwards the switch admin set a port to ClusterXL member "B" to "down". What will happen?
A. ClusterXL member "B" also left the cluster.
fw tab -t connections -s
fw tab -t connections -u
fw tab -t connections
fw tab
Correct Answer: A
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 435
Which statements about Management HA are correct?
1) Primary SmartCenter describes first installed SmartCenter
2) Active SmartCenter is always used to administrate with SmartConsole
3) Active SmartCenter describes first installed SmartCenter
4) Primary SmartCenter is always used to administrate with SmartConsole
A. 1 and 4
B. 2 and 3
C. 1 and 2
D. 3 and 4
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
Answer is Modified.
QUESTION 436
You are running a R77 Security Gateway on GAiA. In case of a hardware failure, you have a server with the
exact same hardware and firewall version installed. What backup method could be used to quickly put the
secondary firewall into production?
A. backup
B. snapshot
C. migrate_import
D. manual backup
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 437
An administrator has installed the latest HFA on the system for fixing traffic problems after creating a backup
file. A large number of routes were added or modified, causing network problems. The Check Point
configuration has not been changed. What would be the most efficient way to revert to a working configuration?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 438
Your R77 enterprise Security Management Server is running abnormally on Windows 2008 Server. You decide
to try reinstalling the Security Management Server, but you want to try keeping the critical Security Management
Server configuration settings intact (i.e., all Security Policies, databases, SIC, licensing etc.) What is the BEST
method to reinstall the Server and keep its critical configuration?
A. 1. Insert the R77 CD-ROM and select the option to export the configuration using the latest upgrade utilities.
2. Complete steps suggested by upgrade_verification and re-export the configuration if needed.
3. Save the exported file *.tgz to a local directory c:/temp.
4. Uninstall all packages using Add/Remove Programs and reboot.
5. Install again using the R77 CD-ROM as a primary Security Management Server and reboot.
6. Run upgrade_import to import configuration.
B. 1. Download the latest utility upgrade_export and run from directory c:\temp to export the configuration to a
*.tgz file.
2. Complete steps suggested by upgrade_verification.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Use SmartUpdate to reinstall the Security Management Server and reboot.
5. Transfer file *.tgz back to local directory /temp.
6. Run upgrade_import to import configuration.
C. 1. Download the latest utility upgrade_export and run from directory c:\temp to export the configuration to a
*.tgz file.
2. Skip upgrade_verification warnings since you are not upgrading.
3. Transfer file *.tgz to another networked machine.
4. Download and run utility cpclean and reboot.
5. Use the R77 CD-ROM to select option upgrade_import to import the configuration.
D. 1. Create a data base revision control back up using SmartDashboard.
2. Create a compressed archive of the directories %FWDIR%/conf and %FWDIR%/lib and copy them to
another networked machine.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Install again using the R77 CD-ROM as a primary Security Management Server and reboot.
5. Restore the two archived directories over the top of the new installation, choosing to overwrite existing
files.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
Super Valid Answer.
QUESTION 439
Check Point recommends that you back up systems running Check Point products. Run your back ups during
maintenance windows to limit disruptions to services, improve CPU usage, and simplify time allotment. Which
back up method does Check Point recommend before major changes, such as upgrades?
A. upgrade_export
B. migrate export
C. snapshot
D. backup
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 440
Check Point recommends that you back up systems running Check Point products. Run your back ups during
maintenance windows to limit disruptions to services, improve CPU usage, and simplify time allotment. Which
back up method does Check Point recommend every couple of months, depending on how frequently you
make changes to the network or policy?
A. migrate export
B. upgrade_export
C. snapshot
D. backup
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 441
Check Point recommends that you back up systems running Check Point products. Run your back ups during
maintenance windows to limit disruptions to services, improve CPU usage, and simplify time allotment. Which
back up method does Check Point recommend anytime outside a maintenance window?
A. snapshot
B. backup
C. backup_export
D. migrate export
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 442
The file snapshot generates is very large, and can only be restored to:
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 443
Restoring a snapshot-created file on one machine that was created on another requires which of the following
to be the same on both machines?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 444
When restoring a Security Management Server from a backup file, the restore package can be retrieved from
which source?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 445
When using migrate to upgrade a Secure Management Server, which of the following is included in the
migration?
A. System interface configuration
B. SmartEvent database
C. classes.C file
D. SmartReporter database
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 446
Typically, when you upgrade the Security Management Server, you install and configure a fresh R77 installation
on a new computer and then migrate the database from the original machine. When doing this, what is required
of the two machines? They must both have the same:
A. Products installed.
B. Interfaces configured.
C. State.
D. Patch level.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 447
Typically, when you upgrade the Security Management Server, you install and configure a fresh R77 installation
on a new computer and then migrate the database from the original machine. What is the correct order of the
steps below to successfully complete this procedure?
1) Export databases from source.
2) Connect target to network.
3) Prepare the source machine for export.
4) Import databases to target.
5) Install new version on target.
6) Test target deployment.
A. 3, 1, 5, 4, 2, 6
B. 5, 2, 6, 3, 1, 4
C. 3, 5, 1, 4, 6, 2
D. 6, 5, 3, 1, 4, 2
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 448
During a Security Management Server migrate export, the system:
A. Creates a backup file that includes the SmartEvent database.
B. Creates a backup archive for all the Check Point configuration settings.
C. Saves all system settings and Check Point product configuration settings to a file.
D. Creates a backup file that includes the SmartReporter database.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 449
If no flags are defined during a back up on the Security Management Server, where does the system store the
*.tgz file?
A. /var/backups
B. /var/CPbackup/backups
C. /var/opt/backups
D. /var/tmp/backups
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 450
Which is NOT a valid option when upgrading Cluster Deployments?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 451
John is upgrading a cluster from NGX R65 to R77. John knows that you can verify the upgrade process using
the pre-upgrade verifier tool. When John is running Pre-Upgrade Verification, he sees the warning message:
Title: Incompatible pattern.
What is happening?
A. The actual configuration contains user defined patterns in IPS that are not supported in R77. If the patterns
are not fixed after upgrade, they will not be used with R77 Security Gateways.
B. R77 uses a new pattern matching engine. Incompatible patterns should be deleted before upgrade process
to complete it successfully.
C. Pre-Upgrade Verification tool only shows that message but it is only informational.
D. Pre-Upgrade Verification process detected a problem with actual configuration and upgrade will be aborted.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 452
Which command would you use to save the interface information before upgrading a GAiA Gateway?
A.
B.
C.
D.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 453
Which command would you use to save the IP address and routing information before upgrading a GAiA
Gateway?
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 454
Which command would you use to save the routing information before upgrading a Windows Gateway?
A. cp /etc/sysconfig/network.C [location]
B. ifconfig > [filename].txt
C. ipconfig a > [filename].txt
D. netstat rn > [filename].txt
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 455
The process that performs the authentication for SSL VPN Users is:
A. cpd
B. cvpnd
C. fwm
D. vpnd
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 456
The process that performs the authentication for legacy session authentication is:
A. cvpnd
B. fwm
C. vpnd
D. fwssd
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 457
While authorization for users managed by SmartDirectory is performed by the gateway, the authentication
mostly occurs in __________.
A. ldapauth
B. cpauth
C. ldapd
D. cpShared
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 458
When troubleshooting user authentication, you may see the following entries in a debug of the user
authentication process. In which order are these messages likely to appear?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 459
__________ is NOT a ClusterXL mode.
A. Legacy
B. Unicast
C. Broadcast
D. New
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 460
In a Cluster, some features such as VPN only function properly when:
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 461
What is the supported ClusterXL configuration when configuring a cluster synchronization network on a VLAN
interface?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 462
Which process is responsible for delta synchronization in ClusterXL?
A. fwd on the Security Gateway
B. fw kernel on the Security Gateway
C. Clustering on the Security Gateway
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
Renovated.
QUESTION 464
Which process is responsible for kernel table information sharing across all cluster members?
A. cpd
B. fwd daemon
C. CPHA
D. fw kernel
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 465
By default, a standby Security Management Server is automatically synchronized by an active Security
Management Server, when:
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 466
The ________ Check Point ClusterXL mode must synchronize the virtual IP and MAC addresses on all
clustered interfaces.
A. HA Mode Legacy
B. HA Mode New
C. Mode Unicast Load Sharing
D. Mode Multicast Load Sharing
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 467
Which of the following happen when using Pivot Mode in ClusterXL? Select all that apply.
A. The Pivot forwards the packet to the appropriate cluster member.
B. The Security Gateway analyzes the packet and forwards it to the Pivot.
C. The packet is forwarded through the same physical interface from which it originally came, not on the sync
interface.
D. The Pivot's Load Sharing decision function decides which cluster member should handle the packet.
Correct Answer: ACD
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 468
Central License management allows a Security Administrator to perform which of the following? Select all that
apply.
A. Attach and/or delete only NGX Central licenses to a remote module (not Local licenses)
B. Check for expired licenses
C. Add or remove a license to or from the license repository
D. Sort licenses and view license properties
E. Delete both NGX Local licenses and Central licenses from a remote module
F. Attach both NGX Central and Local licenses to a remote module
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 471
What is the benefit to running SmartEvent in Learning Mode?
A.
B.
C.
D.
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 472
______________ is NOT a SmartEvent event-triggered Automatic Reaction.
A. SNMP Trap
B. Block Access
C. Mail
D. External Script
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 473
You find that Gateway fw2 can NOT be added to the cluster object.
2 or 3
1 or 2
1 or 3
All
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 474
Review the Rule Base displayed.
Rules 2 and 5
Rules 2 through 5
Rule 2 only
All rules except Rule 3
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 475
What is the SmartEvent Client's function?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 476
A tracked SmartEvent Candidate in a Candidate Pool becomes an Event. What does NOT happen in the
Analyzer Server?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 477
Jon is explaining how the inspection module works to a colleague. If a new connection passes through the
inspection module and the packet matches the rule, what is the next step in the process?
A.
B.
C.
D.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 478
Which of the following statements accurately describes the migrate command?
A. upgrade_export is used when upgrading the Security Gateway, and allows certain files to be included or
excluded before exporting.
B. Used primarily when upgrading the Security Management Server, migrate stores all object databases and
the conf directories for importing to a newer version of the Security Gateway.
C. Used when upgrading the Security Gateway, upgrade_export includes modified files, such as in the
directories /lib and /conf.
D. upgrade_export stores network-configuration data, objects, global properties, and the database revisions
prior to upgrading the Security Management Server.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 479
What step should you take before running migrate_export?
A.
B.
C.
D.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 480
A snapshot delivers a complete backup of GAiA. How do you restore a local snapshot named MySnapshot.tgz?
A. Reboot the system and call the start menu. Select option Snapshot Management, provide the Expert
password and select [L] for a restore from a local file. Then, provide the correct file name.
B. As Expert user, type command snapshot - R to restore from a local file. Then, provide the correct file name.
C. As Expert user, type command revert --file MySnapshot.tgz.
D. As Expert user, type command snapshot -r MySnapshot.tgz.
Correct Answer: C
Section: Volume A
Explanation
Explanation/Reference:
Answer is corrected.
QUESTION 481
To remove site-to-site IKE and IPSEC keys you would enter command ____ ___ and select the option to
delete all IKE and IPSec SAs.
Correct Answer: vpn tu
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 482
To provide full connectivity upgrade status, use command
Correct Answer: cphaprob fcustat
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 483
In a zero downtime firewall cluster environment, what command syntax do you run to avoid switching problems
around the cluster for command cphaconf?
Correct Answer: set_ccp broadcast
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 484
An organization may be distributed across several SmartDirectory (LDAP) servers. What provision do you make
to enable a Gateway to use all available resources? Each SmartDirectory (LDAP) server must be:
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 485
In a R75 Management High Availability (HA) configuration, you can configure synchronization to occur
automatically, when:
1. The Security Policy is installed.
2. The Security Policy is saved.
3. The Security Administrator logs in to the secondary Security Management Server and changes its status to
Active.
4. A scheduled event occurs.
5. The user data base is installed.
Select the BEST response for the synchronization trigger.
A. 1, 2, 4
B. 1, 3, 4
C. 1, 2, 5
D. 1, 2, 3, 4
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 486
What is a requirement for setting up R77 Management High Availability?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 487
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three
machines with the following configurations:
Cluster Member 1: OS - GAiA; NICs - QuadCard; Memory - 1 GB; Security Gateway - version: R71 and primary Security Management Server installed, version: R77
Cluster Member 2: OS - GAiA; NICs - 4 Intel 3Com; Memory - 1 GB; Security Gateway only, version: R77
Cluster Member 3: OS - GAiA; NICs - 4 other manufacturers; Memory - 512 MB; Security Gateway only, version: R77
Are these machines correctly configured for a ClusterXL deployment?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 488
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use four machines
with the following configurations:
Cluster Member 1: OS - GAiA; NICs - QuadCard; Memory - 1 GB; Security Gateway only, version: R77
Cluster Member 2: OS - GAiA; NICs - 4 Intel 3Com; Memory - 1 GB; Security Gateway only, version: R77
Cluster Member 3: OS - GAiA; NICs - 4 other manufacturers; Memory - 512 MB; Security Gateway only, version: R77
Security Management Server: MS Windows 2008; NIC - Intel NIC (1); Security Gateway and primary Security Management Server installed, version: R77
Are these machines correctly configured for a ClusterXL deployment?
A.
B.
C.
D.
Correct Answer: D
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 489
Which operating system is NOT supported by VPN-1 SecureClient?
A. IPSO 3.9
B. Windows XP SP2
C. Windows 2000 Professional
D. RedHat Linux 8.0
E. MacOS X
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
Explanation:
RedHat 8 is also not currently supported according to the docs, but A is the most correct answer.
http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf
QUESTION 490
You want to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 Gateway to SecurePlatform
NGX R60 via SmartUpdate.
Which package is needed in the repository before upgrading?
A. SVN Foundation and VPN-1 Express/Pro
B. VPN-1 and FireWall-1
The exhibit displays the cphaprob state command output from a New Mode High Availability cluster member.
Which machine has the highest priority?
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
Reference: ClusterXL.pdf page 76
QUESTION 492
You have three Gateways in a mesh community. Each gateway's VPN Domain is its internal network as
defined on the Topology tab setting "All IP Addresses behind Gateway based on Topology information."
You want to test the route-based VPN, so you created VTIs among the Gateways and created static route
entries for the VTIs. However, when you test the VPN, you find out the VPN still goes through the regular domain
IPsec tunnels instead of the routed VTI tunnels.
What is the problem and how do you make the VPN use the VTI tunnels?
A. Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, remove the
Gateways out of the mesh community and replace with a star community.
B. Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty
group object as each Gateway's VPN Domain.
C. Route-based VTI takes precedence over the Domain VPN. To make the VPN go through VTI, use a dynamic-routing protocol like OSPF or BGP to route the VTI address to the peer instead of static routes.
D. Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route entries to ensure
that they are correctly pointing to the VTI gateway IP.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 493
The following configuration is for VPN-1 NGX 65.
Is this configuration correct for Management High Availability (HA)?
A. No, a NGX 65 SmartCenter Server cannot run on Red Hat Linux 7.3.
B. No, the SmartCenter Servers must be installed on the same operating system.
C. No, the SmartCenter Servers must reside on the same network.
D. No, the SmartCenter Servers do not have the same number of NICs.
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 494
When distributing IPSec packets to gateways in a Load Sharing Multicast mode cluster, which valid Load
Sharing method will consider VPN information in the decision function?
A.
B.
C.
D.
Correct Answer: D
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 495
Which encryption scheme provides in-place encryption?
A. DES
B. SKIP
C. AES
D. IKE
Correct Answer: B
Section: Volume A
Explanation
Explanation/Reference:
QUESTION 496
In CoreXL, what process is responsible for processing incoming traffic from the network interfaces, securely
accelerating authorized packets, and distributing non-accelerated packets among kernel instances?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 497
Due to some recent performance issues, you are asked to add additional processors to your firewall. If you
already have CoreXL enabled, how are you able to increase Kernel instances?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 498
Which of the following is NOT supported by CoreXL?
A. Route-based VPN
B. SmartView Tracker
C. IPS
D. IPV4
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 499
If the number of kernel instances for CoreXL shown is 6, how many cores are in the physical machine?
A. 6
B. 8
C. 3
D. 4
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 500
After Travis added new processing cores on his server, CoreXL did not use them. What would be the most
plausible reason why? Travis did not:
A. edit Gateway Properties and increase the kernel instances.
Route-based
Must be chosen/configured manually by the Administrator in the Policy > Global Properties
Domain-based
Must be chosen/configured manually by the Administrator in the VPN community object
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 502
Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 503
Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?
A.
B.
C.
D.
Correct Answer: A
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 504
Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 505
After you add new interfaces to a cluster, how can you check if the new interfaces and the associated virtual IP
address are recognized by ClusterXL? Exhibit:
A.
B.
C.
D.
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 506
Which of the following is a supported Sticky Decision Function of Sticky Connections for Load Sharing?
A.
B.
C.
D.
Correct Answer: A
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 507
Included in the customer's network are some firewall systems with the Performance Pack in use. The customer
wishes to use these firewall systems in a cluster (Load Sharing mode). He is not sure if he can use the Sticky
Decision Function in this cluster. Explain the situation to him.
A. The customer can use the firewalls with Performance Pack inside the cluster, which should support the
Sticky Decision Function. It is just necessary to configure it with the clusterXL_SDF_enable command.
B. ClusterXL always supports the Sticky Decision Function in the Load Sharing mode.
C. The customer can use the firewalls with Performance Pack inside the cluster, which should support the
Sticky Decision Function. It is just necessary to enable the Sticky Decision Function in the SmartDashboard
cluster object in the ClusterXL page, Advanced Load Sharing Configuration window.
D. Sticky Decision Function is not supported when employing either Performance Pack or a hardware-based
accelerator card. Enabling the Sticky Decision Function disables these acceleration products.
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 508
A connection is said to be Sticky when:
A. A copy of each packet in the connection sticks in the connection table until a corresponding reply packet is
received from the other side.
B. A connection is not terminated by either side by FIN or RST packet.
C. All the connection packets are handled, in either direction, by a single cluster member.
D. The connection information sticks in the connection table even after the connection has ended.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 509
How does a cluster member take over the VIP after a failover event?
A. Gratuitous ARP
B. Broadcast storm
C. arp -s
UDP 18184
TCP 8116
UDP 8116
TCP 18184
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 511
A customer called to report one cluster member's status as Down. What command should you use to identify
the possible cause?
A. tcpdump/snoop
B. cphaprob list
C. fw ctl pstat
D. fw ctl debug -m cluster + forward
Correct Answer: B
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 512
A customer calls saying that a Load Sharing cluster shows drops with the error First packet is not SYN.
Complete the following sentence. You will recommend:
A.
B.
C.
D.
Correct Answer: C
Section: Volume B
Explanation
Explanation/Reference:
The correction is added.
QUESTION 513
In ClusterXL, _______ is defined by default as a critical device.
A. fwm
B. assld
C. cpp
D. fwd
Correct Answer: D
Section: Volume B
Explanation
Explanation/Reference:
QUESTION 514
Frank is concerned with performance and wants to configure the affinities settings. His gateway does not have
the Performance Pack running. What would Frank need to perform in order to configure those settings?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 515
You are concerned that the processor for your firewall running R71 SecurePlatform may be overloaded. What
file would you view to determine the speed of your processor(s)?
A. cat /etc/sysconfig/cpuinfo
B. cat /proc/cpuinfo
C. cat /etc/cpuinfo
D. cat /var/opt/CPsuite-R71/fw1/conf/cpuinfo
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 516
Which of the following is NOT a restriction for connection template generation?
A. SYN Defender
B. UDP services with no protocol type or source port mentioned in advanced properties
C. ISN Spoofing
D. VPN Connections
Correct Answer: B
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 517
Which of the following is NOT accelerated by SecureXL?
A. SSH
B. HTTPS
C. FTP
D. Telnet
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
Updated.
QUESTION 518
How can you disable SecureXL via the command line (it does not need to survive a reboot)?
A.
B.
C.
D.
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference:
QUESTION 519
Which of these is a type of acceleration in SecureXL?
A. QoS
B. FTP
C. connection rate
D. GRE
Correct Answer: C
Section: Volume C
Explanation
Explanation/Reference: