CheckPoint.Actualtests.156-315.75.v2014-04-11.by.LAKISHA ·...

CheckPoint.Actualtests.156-315.75.v2014-04-11.by.LAKISHA.416q

Number: 156-315.75
Passing Score: 700
Time Limit: 90 min
File Version: 22.5

http://www.gratisexam.com/

Exam Code: 156-315.75
Exam Name: Check Point Certified Security Expert (CCSE) R75 Certification Exam

Sections
1. Basics
2. Process
3. File Locations/ File Modification
4. SmartDashboard/ Security Management Server (SMS)
5. SMART/ Encryption
6. Configuration/ Topology/ Connectra
7. Cluster
8. ClusterXL
9. High Availability - (HA)
10. Port/ Port Hardening
11. Routing/ NAT
12. QoS
13. SmartWorkFlow
14. VPN/ MEP VPN/ High-Traffic VPN
15. SSL-VPN
16. VPN VTI
17. Performance Pack/ SecureXL/ CoreXL
18. LDAP/ Identity Awareness/ Captive Portal
19. SmartUpdate


20. Upgrade/ Backup/ Restore
21. SmartProvisioning
22. SmartCenter/ SmartLSM
23. SmartEvent
24. SmartReporter
25. IPS
26. DLP
27. VoIP/ CIFS/ FTP/SMTP/ e-mail


QUESTION 1
Control connections between the Security Management Server and the Gateway are not encrypted by the VPN Community. How are these connections secured?

A. They are encrypted and authenticated using SIC.
B. They are not encrypted, but are authenticated by the Gateway
C. They are secured by PPTP
D. They are not secured.

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:
I have added some answers with references, hope you will find it useful,

[email protected]

btw, this answer (Answer A) is correct, if you don't know this, you need to seriously re-assess where u r!!!

QUESTION 2
From the following output of cphaprob state, which ClusterXL mode is this?

A. New mode
B. Multicast mode
C. Legacy mode
D. Unicast mode

Correct Answer: D
Section: ClusterXL

QUESTION 3
Which of the following is NOT a feature of ClusterXL?

A. Enhanced throughput in all ClusterXL modes (2 gateway cluster compared with 1 gateway)
B. Transparent failover in case of device failures
C. Zero downtime for mission-critical environments with State Synchronization
D. Transparent upgrades

Correct Answer: A
Section: ClusterXL

Explanation/Reference:
by [email protected] 1

PP22 in CP_R75.20_ClusterXL_AdminGuide

Introduction to High Availability and Load Sharing

ClusterXL is a software-based Load Sharing and High Availability solution that distributes network traffic between clusters of redundant Security Gateways.

ClusterXL provides:

- Enhanced throughput (in Load Sharing modes) ---> A is wrong, throughput is not enhanced in ALL clusterXL modes, this happens only in LoadSharing or Active/Active modes, so A is wrong
- Transparent failover in case of machine failures ---> B
- Zero downtime for mission-critical environments (when using State Synchronization) ---> C
- Transparent upgrades ---> D

All machines in the cluster are aware of the connections passing through each of the other machines. The cluster members synchronize their connection and status information across a secure synchronization network.

The glue that binds the machines in a ClusterXL cluster is the Cluster Control Protocol (CCP), which is used to pass synchronization and other information between the cluster members.

QUESTION 4
You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of 40, and the Default Rule with a weight of 10.

If the only traffic passing through your QoS Module is HTTP traffic, what percent of bandwidth will be allocated to the HTTP traffic?

A. 80%
B. 40%
C. 100%
D. 50%

Correct Answer: D
Section: QoS

QUESTION 5
You have pushed a policy to your firewall and you are not able to access the firewall.

What command will allow you to remove the current policy from the machine?

A. fw purge policy
B. fw fetch policy
C. fw purge active
D. fw unloadlocal

Correct Answer: D
Section: Basics

QUESTION 6
How do you verify the Check Point kernel running on a firewall?

A. fw ctl get kernel
B. fw ctl pstat
C. fw kernel
D. fw ver -k

Correct Answer: D
Section: Basics

QUESTION 7
The process ________________ compiles $FWDIR/conf/*.W files into machine language.

A. fw gen
B. cpd
C. fwd
D. fwm

Correct Answer: A
Section: Process

Explanation/Reference:
by [email protected] 2

PP 27 of R75 CCSE under Policy Installation Flow

QUESTION 8
When, during policy installation, does the automatic load task run?

A. It is the first task during policy installation.
B. It is the last task during policy installation.
C. Before CPD runs on the Gateway.
D. Immediately after fwm load runs on the SmartCenter.

Correct Answer: B
Section: Basics


QUESTION 9
What process is responsible for transferring the policy file from SmartCenter to the Gateway?

A. FWD
B. FWM
C. CPRID
D. CPD

Correct Answer: D
Section: Process

QUESTION 10
What firewall kernel table stores information about port allocations for Hide NAT connections?

A. NAT_dst_any_list
B. host_ip_addrs
C. NAT_src_any_list
D. fwx_alloc

Correct Answer: D
Section: Routing/ NAT

QUESTION 11
Where do you define NAT properties so that NAT is performed either client side or server side?

A. In SmartDashboard under Gateway setting
B. In SmartDashboard under Global Properties > NAT definition
C. In SmartDashboard in the NAT Rules
D. In file $DFWDIR/lib/table.def

Correct Answer: B
Section: Routing/ NAT

QUESTION 12
The process ________ is responsible for GUIClient communication with the SmartCenter.

A. FWD
B. FWM
C. CPD
D. CPLMD

Correct Answer: B
Section: Process


QUESTION 13
The process ________ is responsible for Policy compilation.

A. FWM
B. Fwcmp
C. CPLMD
D. CPD

Correct Answer: A
Section: Process

QUESTION 14
The process ________ is responsible for Management High Availability synchronization.

A. CPLMD
B. FWM
C. Fwsync
D. CPD

Correct Answer: B
Section: Process

Explanation/Reference:
by [email protected] 3

What is CPLMD Process ?

the cplmd process on Security Management Server, responsible for representing the logs in the GUI, requests the current traffic from the managed Security Gateways

What is FireWall-1 Active Logs mechanism in SmartView Tracker ?

Solution ID: sk35485
Product: SmartView Tracker, Security Management, Security Gateway
Version: All
Platform / Model: All
Date Created: 06-Jul-2008
Last Modified: 21-May-2013

SOLUTION

Upon opening the 'Active' tab in SmartView Tracker, the cplmd process on Security Management Server, responsible for representing the logs in the GUI, requests the current traffic from the managed Security Gateways. The cplmd process calls the fwd process on the Log Server / Security Management Server to request the information from the fwd process on the managed Security Gateways.

The fwd process on the Security Gateways requests the Connections Table from the Check Point kernel.

The Connection Table's information is forwarded back from the Security Gateways to the Log Server / Security Management Server using the fwd process.

If a system is under heavy load, the fwd process sends a request for active-logs, but the kernel can not reply. When the fwd process makes another request, it causes significant increase in the CPU usage.

Note: This action requires a large amount of resources and bandwidth on Log Server / Security Management Server.

The current Active log records and the synchronized information of the ClusterXL both use the same kernel buffer.

QUESTION 15
Security server configuration settings are stored in _______________ .

A. $FWDIR/conf/AMT.conf
B. $FWDIR/conf/fwrl.conf
C. $FWDIR/conf/fwauthd.conf
D. $FWDIR/conf/fwopsec.conf

Correct Answer: C
Section: File Locations/ File Modification

QUESTION 16
User definitions are stored in ________________ .

A. $FWDIR/conf/fwmuser
B. $FWDIR/conf/users.NDB
C. $FWDIR/conf/fwauth.NDB
D. $FWDIR/conf/fwusers.conf

Correct Answer: C
Section: File Locations/ File Modification

Explanation/Reference:
by [email protected] 4

$FWDIR/conf/objects_5_0.C ---> for backing up network objects
$FWDIR/conf/*.W and $FWDIR/conf/rulebases.fws ---> for backing up Rule Base
$FWDIR/database/fwauth.NDB* ---> for backing up user data base.

QUESTION 17
Jon is explaining how the inspection module works to a colleague.

If a new connection passes through the inspection module and the packet matches the rule, what is the next step in the process?

A. Verify if the packet should be moved through the TCP/IP stack.
B. Verify if any logging or alerts are defined.
C. Verify if the packet should be rejected.
D. Verify if another rule exists.

Correct Answer: B
Section: Process

QUESTION 18
Which of the following statements accurately describes the upgrade_export command?

A. Used primarily when upgrading the Security Management Server, upgrade_export stores all object databases and the conf directories for importing to a newer version of the Security Gateway.
B. Used when upgrading the Security Gateway, upgrade_export includes modified files, such as in the directories /lib and /conf.
C. upgrade_export is used when upgrading the Security Gateway, and allows certain files to be included or excluded before exporting.
D. upgrade_export stores network-configuration data, objects, global properties, and the database revisions prior to upgrading the Security Management Server.

Correct Answer: A
Section: Upgrade/ Backup/ Restore

QUESTION 19
What are you required to do before running upgrade_export?

A. Run a cpstop on the Security Gateway.
B. Run cpconfig and set yourself up as a GUI client.
C. Run a cpstop on the Security Management Server.
D. Close all GUI clients.

Correct Answer: D
Section: Upgrade/ Backup/ Restore

QUESTION 20
A snapshot delivers a complete backup of SecurePlatform. The resulting file can be stored on servers or as a local file in /var/CPsnapshot/snapshots.

How do you restore a local snapshot named MySnapshot.tgz?

A. As Expert user, type command snapshot - R to restore from a local file. Then, provide the correct filename.
B. As Expert user, type command revert --file MySnapshot.tgz.
C. As Expert user, type command snapshot -r MySnapshot.tgz.
D. Reboot the system and call the start menu. Select option Snapshot Management, provide the Expert password and select [L] for a restore from a local file. Then, provide the correct file name.

Correct Answer: B
Section: Upgrade/ Backup/ Restore

QUESTION 21
What is the primary benefit of using upgrade_export over either backup or snapshot?

A. The commands backup and snapshot can take a long time to run whereas upgrade_export will take a much shorter amount of time.
B. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.
C. upgrade_export has an option to backup the system and SmartView Tracker logs while backup and snapshot will not.
D. upgrade_export is operating system independent and can be used when backup or snapshot is not available.

Correct Answer: D
Section: Upgrade/ Backup/ Restore

QUESTION 22
You have a dual member Your R7x-series Enterprise Security Management Server cluster, consisting of two members and, running abnormally on Windows Server 2003 R2. You decide to try reinstalling the Security Management Server, but you want to try keeping the critical Security Management Server configuration settings intact (i.e., all Security Policies, databases, SIC, licensing etc.)

What is the BEST method to reinstall the Server and keep its critical configuration?

A.
1. Run cpstop on one member, and configure the new interface via sysconfig
2. Run cpstart on the cluster member. Repeat the same steps on another member.
3. Update the new topology in the cluster object from SmartDashboard
4. Install Security Policy

B.
1. Use the ifconfig command to configure and enable the new interface on both members
2. Run cprestart on both members
3. Update the topology in the cluster object and both members
4. Install the Security Policy

C.
1. Use sysconfig to configure the new interface on both members
2. Update the topology in the cluster object
3. Install the Security Policy

D.
1. Disable "cluster membership" from one gateway via cpconfig
2. Configure the new interface via sysconfig from "non-member" gateway
3. Re-enable "cluster membership" on the gateway
4. Perform the same steps on the other gateway
5. Update the topology in the cluster object
6. Install the Security Policy

Correct Answer: B
Section: Upgrade/ Backup/ Restore

QUESTION 23
Your primary Security Management Server runs on SecurePlatform.

What is the easiest way to back up your Security Gateway R75 configuration, including routing and network configuration files?

A. Using the native SecurePlatform back up utility from command line or in the Web-based user interface.
B. Using the command upgrade_export.
C. Run the command pre_upgrade_verifier and save the file *.tgz to the directory c:/temp.
D. Copying the directories $FWDIR/conf and $FWDIR/lib to another location.

Correct Answer: A
Section: Upgrade/ Backup/ Restore

QUESTION 24
You need to back up the routing, interface, and DNS configuration information from your R75 SecurePlatform Security Gateway.

Which backup-and-restore solution do you use?

A. SecurePlatform back up utilities
B. Manual copies of the directory $FWDIR/conf
C. Database Revision Control
D. Commands upgrade_export and upgrade_import

Correct Answer: A
Section: Upgrade/ Backup/ Restore

Explanation/Reference:
by [email protected] 4

The Backup Utility backs up the
1. CP configuration
2. Networking
3. OS Parameters
4. Routing <--- Question

REF: PP54 CCSE R75 under BACK and RESTORE

QUESTION 25
Which of the following methods will provide the most complete backup of an R75 configuration?

A. Database Revision Control
B. Policy Package Management
C. Copying the directories $FWDIR\conf and $CPDIR\conf to another server
D. upgrade_export command

Correct Answer: D
Section: Upgrade/ Backup/ Restore

QUESTION 26
Which of the following commands can provide the most complete restore of an R75 configuration?

A. upgrade_import
B. fwm dbimport -p <export file>
C. cpconfig
D. cpinfo -recover

Correct Answer: A
Section: Upgrade/ Backup/ Restore

QUESTION 27
When restoring R75 using the command upgrade_import, which of the following items are NOT restored?

A. Global properties
B. Route tables
C. Licenses
D. SIC Certificates

Correct Answer: B
Section: Upgrade/ Backup/ Restore

QUESTION 28
Your organization's disaster recovery plan needs an update to the backup and restore section to reap the benefits of the new distributed R75 installation.

Your plan must meet the following required and desired objectives:

Required Objective: The Security Policy repository must be backed up no less frequently than every 24 hours
Desired Objective: The R75 components that enforce the Security Policies should be backed up at least once a week
Desired Objective: Back up R75 logs at least once a week

Your disaster recovery plan is as follows:

- Use the utility cron to run the command upgrade_export each night on the Security Management Servers
- Configure the organization's routine back up software to back up the files every Saturday night
- Use the utility cron to run the command upgrade_export each Saturday night on the log servers
- Configure the organization's routine back up software to back up the switched logs every night

Upon evaluation, your plan:

A. Meets the required objective and only one desired objective
B. Meets the required objective and both desired objectives
C. Meets the required objective but does not meet either desired objective
D. Does not meet the required objective

Correct Answer: B
Section: Upgrade/ Backup/ Restore

QUESTION 29
You are running a R75 Security Gateway on SecurePlatform. In case of a hardware failure, you have a server with the exact same hardware and firewall version installed.

What backup method could be used to quickly put the secondary firewall into production?

A. upgrade_export
B. manual backup
C. snapshot
D. backup

Correct Answer: C
Section: Upgrade/ Backup/ Restore

Explanation/Reference:
by [email protected] 5

sk54100 : How to back up your system on SecurePlatform (2Dec2013)

Snapshots - Snapshot -- LARGE as it has Driver infor...etc

The snapshot utility
1. Backs up everything, including the drivers, and is available only on SecurePlatform.
2. Snapshot can be used to backup both your firewall and management modules.
3. The disadvantages of this utility are that the generated file is very big, and can only be restored to the same device, and exactly the same state (same OS, same Check Point version, same patch level).
4. Performing snapshot can take a long time and could interrupt your services. Thus, it is recommended to conduct a snapshot during a maintenance window.

Recommended backup schedule
Snapshot - at least once, or before major change (for example: an upgrade), during a maintenance window.

Backup - NOT LARGE as it does not have Driver infor...etc when compared with Snapshot

The backup utility backs up your Check Point configuration and your networking/OS system parameters (such as routing), and it is only available on SecurePlatform.

1. The backup utility can be used to backup both your firewall and management modules.
2. The resulting file will be smaller than the one generated by snapshot, but still pretty big.
3. Backup does not include the drivers, and can be restored to different machine (as opposed to snapshot, which cannot). However, it is recommended using the backup for restore to the same machine since it includes information such as MAC addresses of the NIC interfaces.
4. You only can restore it to the same OS, same Check Point version and patch level.
5. Performing backup can take a long time and could interrupt your services. Thus, it is recommended to conduct a backup during a maintenance window.

Recommended backup schedule
Backup - every couple of months, depending how frequently you perform changes in your network/policy. Also before every major change, during a maintenance window.

3. upgrade_export and upgrade_import

1. 'upgrade_export' tool backs up all Check Point configurations, independent of hardware, OS or Check Point version, but does not include OS information.
2. You can use this utility to backup Check Point configuration on the management station.
3. If you change the Check Point version you can only go up, in other words you can upgrade not downgrade.
4. The file will be much smaller (depending on the size of your policy), and if the system is not running on a highly loaded CPU, you can do a backup on a live system without interruption of the services.
5. This utility can be used only on command line and cannot be scheduled.

Recommended backup schedule
upgrade_export - every month or more often, depending on how frequently you perform changes in your network/policy. Also important before upgrade or migration. Can be run outside a maintenance window.

Recommended backup schedule
Snapshot - at least once, or before major change (for example: an upgrade), during a maintenance window.
Backup - every couple of months, depending how frequently you perform changes in your network/policy. Also before every major change, during a maintenance window.
upgrade_export - every month or more often, depending on how frequently you perform changes in your network/policy. Also important before upgrade or migration. Can be run outside a maintenance window.

QUESTION 30
Before upgrading SecurePlatform, you should create a backup. To save time, many administrators use the command backup. This creates a backup of the Check Point configuration as well as the system configuration.

An administrator has installed the latest HFA on the system for fixing traffic problems after creating a backup file. There is a mistake in the very complex static routing configuration. The Check Point configuration has not been changed.

Can the administrator use a restore to fix the errors in static routing?

A. The restore is not possible because the backup file does not have the same build number (version).
B. The restore is done by selecting Snapshot Management from the SecurePlatform boot menu.
C. The restore can be done easily by the command restore and selecting the appropriate backup file.
D. A back up cannot be restored, because the binary files are missing.

Correct Answer: C
Section: Upgrade/ Backup/ Restore

QUESTION 31
You intend to upgrade a Check Point Gateway from R65 to R75. To avoid problems, you decide to back up the Gateway.

Which approach allows the Gateway configuration to be completely backed up into a manageable size in the least amount of time?

A. snapshot
B. database revision
C. backup
D. upgrade_export

Correct Answer: D
Section: Upgrade/ Backup/ Restore

QUESTION 32
True or false?

After creating a snapshot of a Windows 2003 SP2 Security Management Server, you can restore it on a SecurePlatform R75 Security Management Server, except you must load interface information manually.

A. True, but only when the snapshot file is restored to a SecurePlatform system running R75.20.
B. False, you cannot run the Check Point snapshot utility on a Windows gateway.
C. True, but only when the snapshot file is restored to a SecurePlatform system running R75.10.
D. False, all configuration information conveys to the new system, including the interface configuration settings.

Correct Answer: B
Section: Upgrade/ Backup/ Restore

QUESTION 33
Check Point recommends that you back up systems running Check Point products. Run your back ups during maintenance windows to limit disruptions to services, improve CPU usage, and simplify time allotment.

Which back up method does Check Point recommend before major changes, such as upgrades?

A. snapshot
B. upgrade_export
C. backup
D. migrate export

Correct Answer: A
Section: Upgrade/ Backup/ Restore

QUESTION 34
Check Point recommends that you back up systems running Check Point products. Run your back ups during maintenance windows to limit disruptions to services, improve CPU usage, and simplify time allotment.

Which back up method does Check Point recommend every couple of months, depending on how frequently you make changes to the network or policy?

A. backup
B. migrate export
C. upgrade_export
D. snapshot

Correct Answer: A
Section: Upgrade/ Backup/ Restore

QUESTION 35
Check Point recommends that you back up systems running Check Point products. Run your back ups during maintenance windows to limit disruptions to services, improve CPU usage, and simplify time allotment.

Which back up method does Check Point recommend anytime outside a maintenance window?

A. backup
B. migrate export
C. backup_export
D. snapshot

Correct Answer: B
Section: Upgrade/ Backup/ Restore

Explanation/Reference:
by [email protected] 5

This answer is correct, both Backup and snapshot are to be taken within Maintenance Windows and ONLY upgrade_export is recommended to be taken outside Maint Windows --

Ref : Page 55 R75 CCSE study Guide - Backup Schedule Recommendations (Jay)

QUESTION 36
The file snapshot generates is very large, and can only be restored to:

A. The device that created it, after it has been upgraded
B. Individual members of a cluster configuration
C. Windows Server class systems
D. A device having exactly the same Operating System as the device that created the file

Correct Answer: D
Section: Basics

QUESTION 37
When restoring a Security Management Server from a backup file, the restore package can be retrieved from which source?

A. HTTP server, FTP server, or TFTP server
B. Disk, SCP server, or TFTP server
C. Local folder, TFTP server, or FTP server
D. Local folder, TFTP server, or Disk

Correct Answer: C
Section: Upgrade/ Backup/ Restore

QUESTION 38
When upgrading Check Point products in a distributed environment, in which order should you upgrade these components?

1. GUI Client
2. Security Management Server
3. Security Gateway

A. 3, 2, 1
B. 1, 2, 3
C. 3, 1, 2
D. 2, 3, 1

Correct Answer: D
Section: Upgrade/ Backup/ Restore


QUESTION 39
When using migrate to upgrade a Secure Management Server, which of the following is included in the migration?

A. SmartEvent database
B. SmartReporter database
C. classes.C file
D. System interface configuration

Correct Answer: C
Section: Upgrade/ Backup/ Restore

QUESTION 40
Typically, when you upgrade the Security Management Server, you install and configure a fresh R75 installation on a new computer and then migrate the database from the original machine.

When doing this, what is required of the two machines?

They must both have the same:

A. Products installed.
B. Interfaces configured.
C. State.
D. Patch level.

Correct Answer: A
Section: SmartDashboard/ Security Management Server (SMS)

QUESTION 41
Typically, when you upgrade the Security Management Server, you install and configure a fresh R75 installation on a new computer and then migrate the database from the original machine.

What is the correct order of the steps below to successfully complete this procedure?

1) Export databases from source.
2) Connect target to network.
3) Prepare the source machine for export.
4) Import databases to target.
5) Install new version on target.
6) Test target deployment.

A. 6, 5, 3, 1, 4, 2
B. 3, 1, 5, 4, 2, 6
C. 5, 2, 6, 3, 1, 4
D. 3, 5, 1, 4, 6, 2

Correct Answer: D
Section: SmartDashboard/ Security Management Server (SMS)

QUESTION 42
During a Security Management Server migrate export, the system:

A. Creates a backup file that includes the SmartEvent database.
B. Creates a backup file that includes the SmartReporter database.
C. Creates a backup archive for all the Check Point configuration settings.
D. Saves all system settings and Check Point product configuration settings to a file.

Correct Answer: C
Section: Upgrade/ Backup/ Restore

Explanation/Reference:
by [email protected]

CP recommends to use upgrade_export to backup configuration settings on the Mgmt Station

Ref : Page 55, CCSE Study Guide under Upgrade Tools

QUESTION 43
If no flags are defined during a back up on the Security Management Server, where does the system store the *.tgz file?

A. /var/opt/backups
B. /var/backups
C. /var/CPbackup/backups
D. /var/tmp/backups

Correct Answer: C
Section: File Locations/ File Modification
Explanation

Explanation/Reference:
Explanation:

QUESTION 44
Which is NOT a valid option when upgrading Cluster Deployments?

A. Full Connectivity Upgrade
B. Fast path Upgrade
C. Minimal Effort Upgrade
D. Zero Downtime

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 45
In a "zero downtime" scenario, which command do you run manually after all cluster members are upgraded?

A. cphaconf set_ccp broadcast
B. cphaconf set clear_subs
C. cphaconf set mc_relod
D. cphaconf set_ccp multicast

Correct Answer: D
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 46
Which command provides cluster upgrade status?

A. cphaprob status
B. cphaprob ldstat
C. cphaprob fcustat
D. cphaprob tablestat

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 47
John is upgrading a cluster from NGX R65 to R75. John knows that you can verify the upgrade process using the pre-upgrade verifier tool. When John is running Pre-Upgrade Verification, he sees the warning message: 'Incompatible pattern'.

What is happening?

A. R75 uses a new pattern matching engine. Incompatible patterns should be deleted before upgrade process to complete it successfully.
B. Pre-Upgrade Verification process detected a problem with actual configuration and upgrade will be aborted.
C. Pre-Upgrade Verification tool only shows that message but it is only informational.
D. The actual configuration contains user defined patterns in IPS that are not supported in R75. If the patterns are not fixed after upgrade, they will not be used with R75 Security Gateways.

Correct Answer: D
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 48
Which command would you use to save the routing information before upgrading a SecurePlatform Gateway?

A. cp /etc/sysconfig/network.C [location]
B. netstat -rn > [filename].txt
C. ifconfig > [filename].txt
D. ipconfig a > [filename].txt

Correct Answer: A
Section: Upgrade/ Backup/ Restore
Explanation

Explanation/Reference:
Explanation: by [email protected]

General knowledge

In SPLAT edit/copy /etc/sysconfig/network.C file

In Windows edit/copy netstat -rn > <filename>.txt

Similar to Question 49 in Master files

QUESTION 49
Which command would you use to save the routing information before upgrading a Windows Gateway?

A. ipconfig a > [filename].txt
B. ifconfig > [filename].txt
C. cp /etc/sysconfig/network.C [location]
D. netstat -rn > [filename].txt

Correct Answer: D
Section: Upgrade/ Backup/ Restore
Explanation

Explanation/Reference:
Explanation: by [email protected]

General knowledge

In SPLAT edit/copy /etc/sysconfig/network.C file

In Windows edit/copy netstat -rn > <filename>.txt

Similar to Question 48 in Master files

QUESTION 50
When upgrading a cluster in Full Connectivity Mode, the first thing you must do is see if all cluster members have the same products installed.

Which command should you run?

A. fw fcu
B. cphaprob fcustat
C. cpconfig
D. fw ctl conn -a

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 51
A Minimal Effort Upgrade of a cluster:

A. Is only supported in major releases (R70 to R71, R71 to R75).
B. Is not a valid upgrade method in R75.
C. Treats each individual cluster member as an individual gateway.
D. Upgrades all cluster members except one at the same time.

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 52
A Zero Downtime Upgrade of a cluster:

A. Upgrades all cluster members except one at the same time.
B. Is only supported in major releases (R70 to R71, R71 to R75).
C. Treats each individual cluster member as an individual gateway.
D. Is not a valid upgrade method in R75.

Correct Answer: A
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 53
A Full Connectivity Upgrade of a cluster:

A. Treats each individual cluster member as an individual gateway.
B. Upgrades all cluster members except one at the same time.
C. Is only supported in minor version upgrades (R70 to R71, R71 to R75).
D. Is not a valid upgrade method in R75.

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 54
A Fast Path Upgrade of a cluster:

A. Upgrades all cluster members except one at the same time.
B. Treats each individual cluster member as an individual gateway.
C. Is not a valid upgrade method in R75.
D. Is only supported in major releases (R70 to R71, R71 to R75).

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 55
How does Check Point recommend that you secure the sync interface between gateways?

A. Configure the sync network to operate within the DMZ.
B. Secure each sync interface in a cluster with Endpoint.
C. Use a dedicated sync network.
D. Encrypt all sync traffic between cluster members.

Correct Answer: C
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 56
How would you set the debug buffer size to 1024?

A. Run fw ctl set buf 1024
B. Run fw ctl kdebug 1024
C. Run fw ctl debug -buf 1024
D. Run fw ctl set int print_cons 1024

Correct Answer: C
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 57
Steve is troubleshooting a connection problem with an internal application.

If he knows the source IP address is 192.168.4.125, how could he filter this traffic?

A. Run fw monitor -e "accept dsrc=192.168.4.125;"
B. Run fw monitor -e "accept dst=192.168.4.125;"
C. Run fw monitor -e "accept ip=192.168.4.125;"
D. Run fw monitor -e "accept src=192.168.4.125;"

Correct Answer: D
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 58
Check Point support has asked Tony for a firewall capture of accepted packets.

What would be the correct syntax to create a capture file to a filename called monitor.out?

A. Run fw monitor -e "accept;" -f monitor.out
B. Run fw monitor -e "accept;" -c monitor.out
C. Run fw monitor -e "accept;" -o monitor.out
D. Run fw monitor -e "accept;" -m monitor.out

Correct Answer: C
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 59
What is NOT a valid LDAP use in Check Point SmartDirectory?

A. Retrieve gateway CRL's
B. External users management
C. Enforce user access to internal resources
D. Provide user authentication information for the Security Management Server

Correct Answer: C
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 60
Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.

A. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
B. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
C. Enable LDAP in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.
D. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.

Correct Answer: C
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 61
The User Directory Software Blade is used to integrate which of the following with a R75 Security Gateway?

A. LDAP server
B. RADIUS server
C. Account Management Client server
D. UserAuthority server

Correct Answer: A
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 62
Your users are defined in a Windows 2008 Active Directory server. You must add LDAP users to a Client Authentication rule.

Which kind of user group do you need in the Client Authentication rule in R75?

A. LDAP group
B. External-user group
C. A group with a generic user
D. All Users

Correct Answer: A
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 63
Which of the following commands do you run on the AD server to identify the DN name before configuring LDAP integration with the Security Gateway?

A. query ldap -name administrator
B. dsquery user -name administrator
C. ldapquery -name administrator
D. cpquery -name administrator

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 64
In SmartDirectory, what is each LDAP server called?

A. Account Server
B. Account Unit
C. LDAP Server
D. LDAP Unit

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 65
What is the default port number for standard TCP connections with the LDAP server?

A. 398
B. 636
C. 389
D. 363

Correct Answer: C
Section: Port/ Port Hardening
Explanation

Explanation/Reference:
Explanation:

QUESTION 66
What is the default port number for Secure Sockets Layer connections with the LDAP Server?

A. 363
B. 389
C. 398
D. 636

Correct Answer: D
Section: Port/ Port Hardening
Explanation

Explanation/Reference:
Explanation:

QUESTION 67
When defining an Organizational Unit, which of the following are NOT valid object categories?

A. Domains
B. Resources
C. Users
D. Services

Correct Answer: A
Section: Basics
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP63 of CCSE R75 Under Active Directory OU Structure

QUESTION 68
When defining SmartDirectory for High Availability (HA), which of the following should you do?

A. Replicate the same information on multiple Active Directory servers.
B. Configure Secure Internal Communications with each server and fetch branches from each.
C. Configure a SmartDirectory Cluster object.
D. Configure the SmartDirectory as a single object using the LDAP cluster IP. Actual HA functionality is configured on the servers.

Correct Answer: A
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 69
The set of rules that governs the types of objects in the directory and their associated attributes is called the:

A. LDAP Policy
B. Schema
C. Access Control List
D. SmartDatabase

Correct Answer: B
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 70
When using SmartDashboard to manage existing users in SmartDirectory, when are the changes applied?

A. Instantaneously
B. At policy installation
C. Never, you cannot manage users through SmartDashboard
D. At database synchronization

Correct Answer: A
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 71
Where multiple SmartDirectory servers exist in an organization, a query from one of the clients for user information is made to the servers based on a priority.

By what category can this priority be defined?

A. Gateway or Domain
B. Location or Account Unit
C. Location or Domain
D. Gateway or Account Unit

Correct Answer: D
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 72
Each entry in SmartDirectory has a unique _______________ ?

A. Distinguished Name
B. Organizational Unit
C. Port Number Association
D. Schema

Correct Answer: A
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 73
With the User Directory Software Blade, you can create R75 user definitions on a(n) _________ Server.

A. SecureID
B. LDAP
C. NT Domain
D. Radius

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 74
Which describes the function of the account unit?

A. An Account Unit is the Check Point account that SmartDirectory uses to access an (LDAP) server
B. An Account Unit is a system account on the Check Point gateway that SmartDirectory uses to access an (LDAP) server
C. An Account Unit is the administration account on the LDAP server that SmartDirectory uses to access to (LDAP) server
D. An Account Unit is the interface which allows interaction between the Security Management server and Security Gateways, and the SmartDirectory (LDAP) server.

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 75
An organization may be distributed across several SmartDirectory (LDAP) servers.

What provision do you make to enable a Gateway to use all available resources? Each SmartDirectory (LDAP) server must be:

A. a member in the LDAP group.
B. a member in a group that is associated with one Account Unit.
C. represented by a separate Account Unit.
D. represented by a separate Account Unit that is a member in the LDAP group.

Correct Answer: C
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 76
Which is NOT a method through which Identity Awareness receives its identities?

A. GPO
B. Captive Portal
C. AD Query
D. Identity Agent

Correct Answer: A
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 77
When using Captive Portal to send unidentified users to a Web portal for authentication, which of the following is NOT a recommended use for this method?

A. Identity-based enforcement for non-AD users (non-Windows and guest users)
B. For deployment of Identity Agents
C. Basic identity enforcement in the internal network
D. Leveraging identity in Internet application control

Correct Answer: C
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 78
Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO).

Which of the following is NOT a recommended use for this method?

A. When accuracy in detecting identity is crucial
B. Identity based enforcement for non-AD users (non-Windows and guest users)
C. Protecting highly sensitive servers
D. Leveraging identity for Data Center protection

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 79
Which of the following access options would you NOT use when configuring Captive Portal?

A. Through the Firewall policy
B. From the Internet
C. Through all interfaces
D. Through internal interfaces

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 80
Remote clients are using IPSec VPN to authenticate via LDAP server to connect to the organization.

Which gateway process is responsible for the authentication?

A. vpnd
B. cvpnd
C. fwm
D. fwd

Correct Answer: A
Section: Process
Explanation

Explanation/Reference:
Explanation:

QUESTION 81
Remote clients are using SSL VPN to authenticate via LDAP server to connect to the organization.

Which gateway process is responsible for the authentication?

A. vpnd
B. cvpnd
C. fwm
D. fwd

Correct Answer: B
Section: Process
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP71 CCSE R75 Study Guide Under Troubleshooting User Authentication

FWM -- SmartDashboard Authentication
VPND -- Remote Access Authentication
CVPND -- SSL VPN User Authentication
Security Servers -- user/client/session Authentication

QUESTION 82
Which of the following is NOT a LDAP server option in SmartDirectory?

A. Novell_DS
B. Netscape_DS
C. OPSEC_DS
D. Standard_DS

Correct Answer: D
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation: by [email protected]

The 4 Default Profiles are 1. OPSEC_DS 2. Netscape_DS 3. Novell_DS 4. Microsoft_DS

PP 68 CCSE R75 under SmartDirectory(LDAP) Profiles

QUESTION 83
An Account Unit is the interface between the __________ and the __________.

A. Users, Domain
B. Gateway, Resources
C. System, Database
D. Clients, Server

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 84
Which of the following is a valid Active Directory designation for user John Doe in the Sales department of AcmeCorp.com?

A. Cn=john_doe,ou=Sales,ou=acmecorp,dc=com
B. Cn=john_doe,ou=Sales,ou=acme,ou=corp,dc=com
C. Cn=john_doe,dc=Sales,dc=acmecorp,dc=com
D. Cn=john_doe,ou=Sales,dc=acmecorp,dc=com

Correct Answer: D
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 85
Which utility or command is useful for debugging by capturing packet information, including verifying LDAP authentication?

A. fw monitor
B. ping
C. um_core enable
D. fw debug fwm

Correct Answer: A
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 86
If you are experiencing LDAP issues, which of the following should you check?

A. Secure Internal Communications (SIC)
B. Domain name resolution
C. Overlapping VPN Domains
D. Connectivity between the R75 Gateway and LDAP server

Correct Answer: D
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 87
How are cached usernames and passwords cleared from the memory of a R75 Security Gateway?

A. By using the Clear User Cache button in SmartDashboard
B. By retrieving LDAP user information using the command fw fetchldap
C. Usernames and passwords only clear from memory after they time out
D. By installing a Security Policy

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 88
When an Endpoint user is able to authenticate but receives a message from the client that it is unable to enforce the desktop policy, what is the most likely scenario?

A. The user's rights prevent access to the protected network.
B. A Desktop Policy is not configured.
C. The gateway could not locate the user in SmartDirectory and is allowing the connection with limitations based on a generic profile.
D. The user is attempting to connect with the wrong Endpoint client.

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 89
When using a template to define a SmartDirectory, where should the user's password be defined? In the:

A. Template object
B. VPN Community object
C. User object
D. LDAP object

Correct Answer: C
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 90
When configuring an LDAP Group object, which option should you select if you do NOT want the gateway to reference the groups defined on the LDAP server for authentication purposes?

A. OU Accept and select appropriate domain
B. Only Sub Tree
C. Only Group in Branch
D. Group Agnostic

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 91
When configuring an LDAP Group object, which option should you select if you want the gateway to reference the groups defined on the LDAP server for authentication purposes?

A. Only Group in Branch
B. Only Sub Tree
C. OU Auth and select Group Name
D. All Account-Unit's Users

Correct Answer: A
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 92
The process that performs the authentication for SmartDashboard is:

A. fwm
B. vpnd
C. cvpnd
D. cpd

Correct Answer: A
Section: Process
Explanation

Explanation/Reference:
Explanation:

QUESTION 93
The process that performs the authentication for Remote Access is:

A. cpd
B. vpnd
C. fwm
D. cvpnd

Correct Answer: B
Section: Process
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP71 CCSE R75 under Troubleshooting user Authentication

QUESTION 94
The process that performs the authentication for SSL VPN Users is:

A. cvpnd
B. cpd
C. fwm
D. vpnd

Correct Answer: A
Section: Process
Explanation

Explanation/Reference:
Explanation:

QUESTION 95
The process that performs the authentication for legacy session authentication is:

A. cvpnd
B. fwm
C. vpnd
D. fwssd

Correct Answer: D
Section: Process
Explanation

Explanation/Reference:
Explanation:

QUESTION 96
While authorization for users managed by SmartDirectory is performed by the gateway, the authentication is mostly performed by the infrastructure in which of the following?

A. ldapd
B. cpauth
C. cpShared
D. ldapauth

Correct Answer: B
Section: LDAP/ Identity Awareness/ Captive Portal
Explanation

Explanation/Reference:
Explanation:

QUESTION 97
When troubleshooting user authentication, you may see the following entries in a debug of the user authentication process.

In which order are these messages likely to appear?

A. make_au, au_auth, au_fetchuser, au_auth_auth, cpLdapCheck, cpLdapGetUser
B. cpLdapGetUser, au_fetchuser, cpLdapCheck, make_au, au_auth, au_auth_auth
C. make_au, au_auth, au_fetchuser, cpLdapGetUser, cpLdapCheck, au_auth_auth
D. au_fetchuser, make_au, au_auth, cpLdapGetUser, au_auth_auth, cpLdapCheck

Correct Answer: C
Section: Process
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP 71 CCSE R75 under Troubleshooting User Authentication

QUESTION 98
Which of the following is NOT a ClusterXL mode?

A. Multicast
B. Legacy
C. Broadcast
D. New

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP26 in ClusterXL Advanced Technical Reference Guide (16 July 2013) under Mode Comparison Table

QUESTION 99
In an R75 Cluster, some features such as VPN only function properly when:

A. All cluster members have the same policy
B. All cluster members have the same Hot Fix Accumulator pack installed
C. All cluster members' clocks are synchronized
D. All cluster members have the same number of interfaces configured

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 100
In ClusterXL R75, when configuring a cluster synchronization network on a VLAN interface, what is the supported configuration?

A. It is supported on VLAN tag 4095
B. It is supported on VLAN tag 4096
C. It is supported on the lowest VLAN tag of the VLAN interface
D. It is not supported on a VLAN tag

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 101
Which process is responsible for delta synchronization in ClusterXL?

A. fw kernel on the security gateway
B. fwd process on the security gateway
C. cpd process on the security gateway
D. Clustering process on the security gateway

Correct Answer: A
Section: Process
Explanation

Explanation/Reference:
Explanation:

QUESTION 102
Which process is responsible for full synchronization in ClusterXL?

A. fwd on the Security Gateway
B. fw kernel on the Security Gateway
C. Clustering on the Security Gateway
D. cpd on the Security Gateway

Correct Answer: A
Section: Process
Explanation

Explanation/Reference:
Explanation:

QUESTION 103
Which process is responsible for kernel table information sharing across all cluster members?

A. fwd daemon using an encrypted TCP connection
B. CPHA using an encrypted TCP connection
C. fw kernel using an encrypted TCP connection
D. cpd using an encrypted TCP connection

Correct Answer: A
Section: Process
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP 83 CCSE R75 Study Guide under Cluster Synchronization

============================
State Synchronization works in two modes:

1. Full sync transfers all Security Gateway kernel table information from one cluster member to another. It is handled by the fwd daemon using an encrypted TCP connection.
2. Delta sync transfers changes in the kernel tables between cluster members. Delta sync is handled by the Security Gateway kernel using UDP multicast or broadcast on port 8116.
=============================

QUESTION 104
By default, a standby Security Management Server is automatically synchronized by an active Security Management Server, when:

A. The user data base is installed.
B. The standby Security Management Server starts for the first time.
C. The Security Policy is installed.
D. The Security Policy is saved.

Correct Answer: C
Section: SmartDashboard/ Security Management Server (SMS)
Explanation

Explanation/Reference:
Explanation:

QUESTION 105
The ________ Check Point ClusterXL mode must synchronize the physical interface IP and MAC addresses on all clustered interfaces.

A. New Mode HA
B. Pivot Mode Load Sharing
C. Multicast Mode Load Sharing
D. Legacy Mode HA

Correct Answer: D
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 106
__________ is a proprietary Check Point protocol.

It is the basis for Check Point ClusterXL inter-module communication.

A. HA OPCODE
B. RDP
C. CKPP
D. CCP

Correct Answer: D
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 107
After you add new interfaces to a cluster, how can you check if the new interfaces and the associated virtual IP address are recognized by ClusterXL?

A. By running the command cphaprob state on both members
B. By running the command cpconfig on both members
C. By running the command cphaprob -I list on both members
D. By running the command cphaprob -a if on both members

Correct Answer: D
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 108
Which of the following is a supported Sticky Decision Function of Sticky Connections for Load Sharing?

A. Multi-connection support for VPN-1 cluster members
B. Support for all VPN deployments (except those with third-party VPN peers)
C. Support for SecureClient/SecuRemote/SSL Network Extender encrypted connections
D. Support for Performance Pack acceleration

Correct Answer: C
Section: Port/ Port Hardening
Explanation

Explanation/Reference:
Explanation:

QUESTION 109
A connection is said to be Sticky when:

A. The connection information sticks in the connection table even after the connection has ended.
B. A copy of each packet in the connection sticks in the connection table until a corresponding reply packet is received from the other side.
C. A connection is not terminated by either side by FIN or RST packet.
D. All the connection packets are handled, in either direction, by a single cluster member.

Correct Answer: D
Section: Port/ Port Hardening
Explanation

Explanation/Reference:
Explanation:

QUESTION 110
How does a cluster member take over the VIP after a failover event?

A. Broadcast storm
B. iflist -renew
C. Ping the sync interface
D. Gratuitous ARP

Correct Answer: D
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 111
The Check Point Clustering protocol works on:

A. UDP 500
B. UDP 8116
C. TCP 8116
D. TCP 19864

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 112
A customer is calling saying one cluster member's status is Down.

What will you check?

A. cphaprob list (verify what critical device is down)
B. fw ctl pstat (check sync)
C. fw ctl debug -m cluster + forward (forwarding layer debug)
D. tcpdump/snoop (CCP traffic)

Correct Answer: A
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 113
Which of the following commands can be used to troubleshoot ClusterXL sync issues?

A. fw debug cxl connections > file_name
B. fw tab -s -t connections > file_name
C. fw tab -u connections > file_name
D. fw ctl -s -t connections > file_name

Correct Answer: B
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation: by [email protected]

Source: CP_R76_Installation_and_Upgrade_Guide-webAdmin

Display the Connections Table
This command displays the "connection" table.

If everything was synchronized correctly the number of entries in this table and the content itself should be approximately the same in the old and new cluster members.

This is an approximation because during time that you run the command on the old and new members, new connections may have been created or old connections were deleted.

Note - Not all connections are synchronized. For example, local connections and services marked as non-synchronized.

Syntax: fw tab -t connections -u [-s]
Options:
-t - table
-u - unlimited entries
-s - (optional) summary of the number of connections

For more on the fw tab -t connections command, see the Command Line Interface Guide.

================

Security Management Server and Firewall Commands

fw tab -s -t connections
-s Summary of the number of entries in each table: host name, table name, table ID, and its number of entries
-t Display only tname table

Example
To view the connections table for kernel instance #1 use the following command:
fw -i 1 tab -t connections

QUESTION 114
Which of the following commands shows full synchronization status?

A. fw hastat
B. cphaprob -i list
C. cphaprob -a if
D. fw ctl iflist

Correct Answer: B
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 115
Which of the following commands shows full synchronization status?

A. cphaprob -a if
B. fw ctl iflist
C. fw hastat
D. fw ctl pstat

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 116
John is configuring a new R71 Gateway cluster but he cannot configure the cluster as Third Party IP Clustering because this option is not available in Gateway Cluster Properties.

What's happening?

A. Third Party Clustering is not available for R71 Security Gateways.
B. John is not using third party hardware as IP Clustering is part of Check Point's IP Appliance.
C. ClusterXL needs to be unselected to permit 3rd party clustering configuration.
D. John has an invalid ClusterXL license.

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 117
In ClusterXL, _______ is defined by default as a critical device.

A. fwd
B. fwm
C. assld
D. cpp

Correct Answer: A
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 118
In ClusterXL, _______ is defined by default as a critical device.

A. fw.d
B. protect.exe
C. PROT_SRV.EXE
D. Filter

Correct Answer: D
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 119
When synchronizing clusters, which of the following statements is NOT true?

A. User Authentication connections will be lost by the cluster.
B. An SMTP resource connection using CVP will be maintained by the cluster.
C. In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization.
D. Only cluster members running on the same OS platform can be synchronized.

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 120
When a failed cluster member recovers, which of the following actions is NOT taken by the recovering member?

A. It will try to take the policy from one of the other cluster members.
B. It will not check for any updated policy and load the last installed policy with a warning message indicating that the Security Policy needs to be installed from the Security Management Server.
C. If the Security Management Server has a newer policy, it will be retrieved, else the local policy will be loaded.
D. It compares its local policy to the one on the Security Management Server.

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 121
Organizations are sometimes faced with the need to locate cluster members in different geographic locations that are distant from each other. A typical example is replicated data centers whose location is widely separated for disaster recovery purposes.

What are the restrictions of this solution?

A. There are no restrictions.
B. There is one restriction: The synchronization network must guarantee no more than 150 ms latency (ITU Standard G.114).
C. There is one restriction: The synchronization network must guarantee no more than 100 ms latency.
D. There are two restrictions: 1. The synchronization network must guarantee no more than 100ms latency and no more than 5% packet loss. 2. The synchronization network may only include switches and hubs.

Correct Answer: D
Section: Configuration/ Topology/ Connectra
Explanation

Explanation/Reference:
Explanation:

QUESTION 122
You are the MegaCorp Security Administrator. This company uses a firewall cluster, consisting of two cluster members. The cluster generally works well but one day you find that the cluster is behaving strangely. You assume that there is a connectivity problem with the cluster synchronization cluster link (cross-over cable).

Which of the following commands is the best for testing the connectivity of the crossover cable?

A. telnet <IP address of the synchronization interface on the other cluster member>
B. ifconfig -a
C. ping <IP address of the synchronization interface on the other cluster member>
D. arping <IP address of the synchronization interface on the other cluster member>

Correct Answer: D
Section: Cluster
Explanation

Explanation/Reference:
Explanation: by [email protected]

CCP works in layer 2, so rule of elimination and arp works in layer 2, answer is D

QUESTION 123
You have a High Availability ClusterXL configuration. Machines are not synchronized. What happens to connections on failover?

A. Connections cannot be established until cluster members are fully synchronized.
B. It is not possible to configure High Availability that is not synchronized.
C. Old connections are lost but can be reestablished.
D. Old connections are lost but are automatically recovered whenever the failed machine recovers.

Correct Answer: C
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 124
What command will allow you to disable sync on a cluster firewall member?

A. fw ctl syncstat stop
B. fw ctl setsync off
C. fw ctl setsync 0
D. fw ctl syncstat off

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 125
When using ClusterXL in Load Sharing, what is the default method?

A. IPs, Ports, SPIs
B. IPs
C. IPs, Ports
D. IPs, SPIs

Correct Answer: A
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 126
If ClusterXL Load Sharing is enabled with state synchronization enabled, what will happen if one member goes down?

A. The connections are dropped as Load Sharing does not support High Availability.
B. The processing of all connections handled by the faulty machine is dropped, so all connections need to be re-established through the other machine(s).
C. There is no state synchronization on Load Sharing, only on High Availability.
D. The processing of all connections handled by the faulty machine is immediately taken over by the other member(s).

Correct Answer: D
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 127
What is a "sticky" connection?

A. A Sticky Connection is one in which a reply packet returns through the same gateway as the original packet.
B. A Sticky Connection is a VPN connection that remains up until you manually bring it down.
C. A Sticky Connection is a connection that remains the same.
D. A Sticky Connection is a connection that always chooses the same gateway to set up the initial connection.

Correct Answer: A
Section: Port/ Port Hardening
Explanation

Explanation/Reference:
Explanation:


QUESTION 128
Review the R75 configuration.

Is it correct for Management High Availability?

A. No, the Security Management Servers must reside on the same network.
B. No, the Security Management Servers must be installed on the same operating system.
C. No, the Security Management Servers do not have the same number of NICs.
D. No, a R71 Security Management Server cannot run on Red Hat Linux 9.0.

Correct Answer: B
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 129
Check Point New Mode HA is a(n) _________ solution.

A. primary-domain
B. hot-standby
C. acceleration
D. load-balancing

Correct Answer: B
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 130
What is the behavior of ClusterXL in a High Availability environment?

A. The active member responds to the virtual address and is the only member that passes traffic.
B. The active member responds to the virtual address and, using sync network forwarding, both members pass traffic.
C. Both members respond to the virtual address but only the active member is able to pass traffic.
D. Both members respond to the virtual address and both members pass traffic.

Correct Answer: A
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 131
Review the cphaprob state command output from a New Mode High Availability cluster member.

Which machine has the highest priority?

A. 192.168.1.2, because its state is active
B. 192.168.1.1, because its number is 1
C. 192.168.1.1, because it is <local>
D. This output does not indicate which machine has the highest priority.

Correct Answer: B
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 132
By default Check Point High Availability components send updates about their state every:

A. 5 seconds.
B. 0.5 second.
C. 0.1 second.
D. 1 second.

Correct Answer: C
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 133
You have just upgraded your Load Sharing gateway cluster (both members) from NGX R65 to R75. cphaprob stat shows:

Which of the following is not a possible cause of this?

A. You have a different number of cores defined for CoreXL between the two members
B. Member 1 has CoreXL disabled and member 2 does not
C. Member 1 is at a lower version than member 2
D. You have not run cpconfig on member 2 yet.

Correct Answer: C
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP54, CP_R75.20_ClusterXL_AdminGuide Table 8-9 Cluster States

Ready
State Ready means that the machine recognizes itself as a part of the cluster and is literally ready to go into action, but, by design, something prevents the machine from taking action. Possible reasons that the machine is not yet Active include:

1. Not all required software components were loaded and initialized yet and/or not all configuration steps finished successfully yet. Before a cluster member becomes Active, it sends a message to the rest of the cluster members, checking whether it can become Active. In High-Availability mode it will check if there is already an Active member and in Load Sharing Unicast mode it will check if there is a Pivot member already. The member remains in the Ready state until it receives the response from the rest of the cluster members and decides which state to choose next (Active, Standby, Pivot, or non-Pivot).

2. Software installed on this member has a higher version than the rest of the members in this cluster. For example, when a cluster is upgraded from one version of Check Point Security Gateway to another, and the cluster members have different versions of Check Point Security Gateway, the members with a new version have the Ready state and the members with the previous version have the Active/Active Attention state.

3. If the software installed on all cluster members includes CoreXL, which is installed by default in versions R70 and higher, a member in Ready state may have a higher number of CoreXL instances than other members. See sk42096 for a solution

So basically, the FW with latest CP release will be in Ready State, so answer is C (Member 2 is in READY state, so it must be having a higher CP version than Member 1)

QUESTION 134
In Management High Availability, what is an Active SMS?

A. Active Security Master Server
B. Active Smart Management Server
C. Active Security Management Server
D. Active Smart Master Server

Correct Answer: C
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 135
For Management High Availability synchronization, what does the Advance status mean?

A. The peer SMS has not been synchronized properly.
B. The peer SMS is properly synchronized.
C. The active SMS and its peer have different installed policies and databases.
D. The peer SMS is more up-to-date.

Correct Answer: D
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 136
Which of the following would be a result of having more than one active Security Management Server in a Management High Availability (HA) configuration?

A. The need to manually synchronize the secondary Security Management Server with the Primary Security Management Server is eliminated.
B. Allows for faster seamless failover: from active-to-active instead of standby-to-active.
C. An error notification will popup during SmartDashboard login if the two machines can communicate indicating Collision status.
D. Creates a High Availability implementation between the Gateways installed on the Security Management Servers.

Correct Answer: C
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 137
You want to verify that your Check Point cluster is working correctly.

Which command line tool can you use?

A. cphastart -status
B. cphainfo -s
C. cphaprob state
D. cphaconf state

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:


QUESTION 138
How can you view the virtual cluster interfaces of a ClusterXL environment?

A. cphaprob -ia if
B. cphaprob -a if
C. cphaprob -a list
D. cphaprob -ia list

Correct Answer: B
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 139
When Load Sharing Multicast mode is defined in a ClusterXL cluster object, how are packets being handled by cluster members?

A. All members receive all packets. The Security Management Server decides which member will process the packets. Other members delete the packets from memory.
B. All cluster members process all packets and members synchronize with each other.
C. All members receive all packets. All members run an algorithm which determines which member processes packets further and which members delete the packet from memory.
D. Only one member at a time is active. The active cluster member processes all packets.

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:

QUESTION 140
Which of the following does NOT happen when using Pivot Mode in ClusterXL?

A. The Security Gateway analyzes the packet and forwards it to the Pivot.
B. The packet is forwarded through the same physical interface from which it originally came, not on the sync interface.
C. The Pivot's Load Sharing decision function decides which cluster member should handle the packet.
D. The Pivot forwards the packet to the appropriate cluster member.

Correct Answer: A
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 141
When distributing IPSec packets to gateways in a Load Sharing Multicast mode cluster, which valid Load Sharing method will consider VPN information?

A. Load Sharing based on IP addresses, ports, and serial peripheral interfaces
B. Load Sharing based on SPIs
C. Load Sharing based on ports, VTI, and IP addresses
D. Load Sharing based on IP addresses, ports, and security parameter indexes

Correct Answer: D
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 142
To configure the Cluster Control Protocol (CCP) to use Broadcast, the following command is run:

A. set_ccp cpcluster broadcast
B. ccp broadcast
C. clusterconfig set_ccp broadcast
D. cphaconf set_ccp broadcast

Correct Answer: D
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 143
When synchronizing clusters, which of the following statements is NOT true?

1). (local) 172.168.1.1 100$ active
2). 172.14*.1.2 0$ standby

A. Load Sharing (multicast mode)
B. HA (New mode).
C. 3rd party cluster
D. Load Sharing Unicast (Pivot) mode

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 144
Which of the listed load-balancing methods is NOT valid?

A. Random
B. Domain
C. They are all valid
D. Round Trip

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP 23 Security Gateway R76 Technical Administration Guide under Load-Balancing Methods

=========================================================================
Load-Balancing Methods

ConnectControl distributes network traffic to load-balanced servers according to predefined balancing methods, which include:

Server Load: Measures the load on each server to determine which server has the most available resources to service a request. Each server in the group runs a load measuring agent that automatically reports the current system load to ConnectControl on the Security Gateway. Server Load is a good choice if your servers run other demanding applications in addition to supporting your load-balanced application. See also Load Measuring.

Round Trip: Ensures that incoming requests are handled by the server with the fastest response time. ConnectControl ascertains the response times of the servers in the group at a user-defined interval, whereupon the gateway executes a series of ICMP echo requests (pings) and reports which server has the shortest average round trip time. ConnectControl then directs the service request to that server. The round trip method is a good choice if there are large variations in the traffic load on your network or when load balancing over WAN connections.

Round Robin: Assigns service requests to the next server in the sequence. The round robin method provides optimal load balancing when the load balanced servers all have similar RAM and CPU and are located on the same segment.

Random: Assigns service requests to servers at random. The random method provides optimal load balancing when the load-balanced servers all have similar RAM and CPU and are located on the same segment.

Domain: Directs service requests based on domain name.

QUESTION 145
Which method of load balancing describes "Round Robin"?

A. Assigns service requests to the next server in a series.
B. Assigns service requests to servers at random.
C. Measures the load on each server to determine which server has the most available resources.
D. Ensures that incoming requests are handled by the server with the fastest response time.

Correct Answer: A
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 146
State Synchronization is enabled on both members in a cluster, and the Security Policy is successfully installed. No protocols or services have been unselected for selective sync.

Review the fw tab -t connections -s output from both members.

Is State Synchronization working properly between the two members?

A. Members A and B are not synchronized, because #VALS in the connections table are not close.
B. Members A and B are not synchronized, because #PEAK for both members is not close in the connections table.
C. Members A and B are synchronized, because #SLINKS are identical in the connections table.
D. Members A and B are synchronized, because ID for both members is identical in the connections table.

Correct Answer: A
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 147
You have two IP Appliances: one IP565 and one IP395. Both appliances have IPSO 6.2 and R75 installed in a distributed deployment.

Can they be members of a Gateway Cluster?

A. No, because the Security Gateways must be installed in a stand-alone installation.
B. No, because IP does not have a cluster option.
C. Yes, as long as they have the same IPSO and Check Point versions.
D. No, because the appliances must be of the same model (both should be IP565 or IP395).

Correct Answer: C
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 148
You want to upgrade a cluster with two members to VPN-1 NGX. The SmartCenter Server and both members are version VPN-1/Firewall-1 NG FP3, with the latest Hotfix.

What is the correct upgrade procedure?

1. Change the version, in the General Properties of the gateway-cluster object.
2. Upgrade the SmartCenter Server, and reboot after upgrade.
3. Run cpstop on one member, while leaving the other member running. Upgrade one member at a time, and reboot after upgrade.
4. Reinstall the Security Policy.

A. 3, 2, 1, 4
B. 2, 4, 3, 1
C. 1, 3, 2, 4
D. 2, 3, 1, 4
E. 1, 2, 3, 4

Correct Answer: D
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 149
Included in the client's network are some switches, which rely on IGMP snooping.

You must find a solution to work with these switches.

Which of the following answers does NOT lead to a successful solution?

A. Set the value of fwha_enable_igmp_snooping module configuration parameter to 1.
B. Configure static CAMs to allow multicast traffic on specific ports.
C. ClusterXL supports IGMP snooping by default. There is no need to configure anything.
D. Disable IGMP registration in switches that rely on IGMP packets

Correct Answer: C
Section: IPS
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP30 CP_R75_ClusterAdminGuide

Switch Setting: IGMP and Static CAMs

Explanation: ClusterXL does not support IGMP registration (also known as IGMP Snooping) by default. ===========> This is the right opposite of Answer C, as question is asking what is incorrect, Answer C is the right choice

Either disable IGMP registration in switches that rely on IGMP packets to configure their ports, or enable IGMP registration on ClusterXL.

For instructions on how to enable IGMP snooping, refer to the ClusterXL IGMP Membership document at http://downloads.checkpoint.com/dc/download.htm?ID=6699.

In situations where disabling IGMP registration is not acceptable, it is necessary to configure static CAMs in order to allow multicast traffic on specific ports.

QUESTION 150
What could be a reason why synchronization between primary and secondary Security Management Servers does not occur?

A. You did not activate synchronization within Global Properties.
B. You are using different time zones.
C. You have installed both Security Management Servers on different server systems (e. g. one machine on HP hardware and the other one on DELL).
D. If the set of installed products differ from each other, the Security Management Servers do not synchronize the database to each other.

Correct Answer: D
Section: SmartDashboard/ Security Management Server (SMS)
Explanation

Explanation/Reference:
Explanation:

QUESTION 151
What is the proper command for importing users into the R75 User Database?

A. fwm dbimport
B. fwm importusrs
C. fwm import
D. fwm importdb

Correct Answer: A
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 152
In a R75 Management High Availability (HA) configuration, you can configure synchronization to occur automatically, when:

1. The Security Policy is installed.
2. The Security Policy is saved.
3. The Security Administrator logs in to the secondary SmartCenter Server, and changes its status to active.
4. A scheduled event occurs.
5. The user database is installed.

Select the BEST response for the synchronization trigger.

A. 1, 2, 4
B. 1, 2, 3, 4
C. 1, 2, 5
D. 1, 3, 4

Correct Answer: A
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 153
What is a requirement for setting up R75 Management High Availability?

A. All Security Management Servers must have the same number of NICs.
B. All Security Management Servers must have the same operating system.
C. State synchronization must be enabled on the secondary Security Management Server.
D. All Security Management Servers must reside in the same LAN.

Correct Answer: B
Section: High Availability - (HA)
Explanation

Explanation/Reference:
Explanation:

QUESTION 154
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use four machines with the following configurations:

Cluster Member 1: OS: SecurePlatform, NICs: QuadCard, memory: 1 GB, Security Gateway only, version: R75
Cluster Member 2: OS: SecurePlatform, NICs: 4 Intel 3Com, memory: 1 GB, Security Gateway only, version: R75
Cluster Member 3: OS: SecurePlatform, NICs: 4 other manufacturers, memory: 512 MB, Security Gateway only, version: R75

Security Management Server: MS Windows 2003, NIC: Intel NIC (1), Security Gateway and primary Security Management Server installed, version: R75

Are these machines correctly configured for a ClusterXL deployment?

A. No, the Security Gateway cannot be installed on the Security Management Pro Server.
B. No, Cluster Member 3 does not have the required memory.
C. Yes, these machines are configured correctly for a ClusterXL deployment.
D. No, the Security Management Server is not running the same operating system as the cluster members.

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 155
You are establishing a ClusterXL environment, with the following topology:

VIP internal cluster IP = 172.16.10.3, VIP external cluster IP = 192.168.10.3
Cluster Member 1: 4 NICs, 3 enabled: hme0: 192.168.10/24, hme1: 10.10.10/24, qfe2: 172.16.10/24
Cluster Member 2: 5 NICs, 3 enabled: hme0: 192.168.10/24, hme1: 10.10.10/24, qfe2: 172.16.10/24

External interfaces 192.168.10.1 and 192.168.10.2 connect to a VLAN switch. The upstream router connects to the same VLAN switch. Internal interfaces 172.16.10.1 and 172.16.10.2 connect to a hub. 10.10.10.0 is the synchronization network. The Security Management Server is located on the internal network with IP 172.16.10.3.

What is the problem with this configuration?

A. Cluster members cannot use the VLAN switch. They must use hubs.
B. The Cluster interface names must be identical across all cluster members.
C. There is an IP address conflict.
D. The Security Management Server must be in the dedicated synchronization network, not the internal network.

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 156
What is the reason for the following error?

A. A third-party cluster solution is implemented.
B. Cluster membership is not enabled on the gateway.
C. Objects.C does not contain a cluster object.
D. Device Name contains non-ASCII characters.

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 157
In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?

A. Hot Standby Load Sharing
B. Unicast Load Sharing
C. Multicast Load Sharing
D. CCP Load Sharing

Correct Answer: B
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 158
What configuration change must you make to change an existing ClusterXL cluster object from Multicast to Unicast mode?

A. Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
B. Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot mode in cpconfig.
C. Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.
D. Change the cluster mode to Unicast on each of the cluster-member objects.

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation: by [email protected]

QUESTION 159
In Load Sharing Unicast mode, the internal cluster IP address is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 Pings 10.4.8.3, and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108.

Review the exhibit and identify the member serving as the pivot machine.

A. 10.4.8.3
B. 10.4.8.2
C. The pivot machine cannot be determined by this test.
D. 10.4.8.1

Correct Answer: B
Section: Cluster
Explanation

Explanation/Reference:
Explanation: by [email protected]

If you don't know the answer to this question, don't do the exam... you will not succeed in your job and, worse, you will put the company's security at the mercy of the hackers

QUESTION 160
Which of the following commands will stop acceleration on a Security Gateway running on SecurePlatform?

A. splat_accel off
B. perf_pack off
C. fw accel off
D. fwaccel off

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 161How do new connections get established through a Security Gateway with SecureXL enabled?

A. New connections are always inspected by the firewall and if they are accepted, the subsequent packetsof the same connection will be passed through SecureXL

B. The new connection will be first inspected by SecureXL and if it does not match the drop table ofSecureXL, then it will be passed to the firewall module for a rule match.

C. New connection packets never reach the SecureXL module.D. If the connection matches a connection or drop template in SecureXL, it will either be established or

dropped without performing a rule match, else it will be passed to the firewall module for a rule match.

Correct Answer: DSection: Performance Pack/ SecureXL/ CoreXLExplanation

Explanation/Reference:

Explanation:

QUESTION 162
Which of the following commands can be used to bind a NIC to a single processor when using a Performance Pack on SecurePlatform?

A. sim affinity
B. splat proc
C. set proc
D. fw fat path nic

Correct Answer: A
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 163
Your customer asks you about the Performance Pack. You explain to him that a Performance Pack is a software acceleration product which improves the performance of the Security Gateway. You may enable or disable this acceleration by either:

1) The command cpconfig
2) The command fwaccel on|off

What is the difference between these two commands?

A. Both commands function identically.
B. The fwaccel command determines the default setting. The command cpconfig can dynamically change the setting, but after the reboot it reverts to the default setting.
C. The command cpconfig works on the Security Platform only. The command fwaccel can be used on all platforms.
D. The cpconfig command enables acceleration. The command fwaccel can dynamically change the setting, but after the reboot it reverts to the default setting.

Correct Answer: D
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 164
Your customer complains of the weak performance of his systems. He has heard that Connection Templates accelerate traffic.

How do you explain to the customer about template restrictions and how to verify that they are enabled?

A. To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fwaccel stat.
B. To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command fwacel templates.
C. To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command fw ctl templates.
D. To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fw ctl templates.

Correct Answer: A
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 165
Frank is concerned with performance and wants to configure the affinities settings. His gateway does not have the Performance Pack running.

What would Frank need to perform in order to configure those settings?

A. Edit $FWDIR/conf/fwaffinity.conf and change the settings.
B. Edit affinity.conf and change the settings.
C. Run fw affinity and change the settings.
D. Run sim affinity and change the settings.

Correct Answer: A
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 166
You are concerned that the processor for your firewall running NGX R71 SecurePlatform may be overloaded.

What file would you view to determine the speed of your processor(s)?

A. cat /etc/cpuinfo
B. cat /proc/cpuinfo
C. cat /var/opt/CPsuite-R71/fw1/conf/cpuinfo
D. cat /etc/sysconfig/cpuinfo

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 167
In CoreXL, what process is responsible for processing incoming traffic from the network interfaces, securely accelerating authorized packets, and distributing non-accelerated packets among kernel instances?

A. NAD (Network Accelerator Daemon)
B. SND (Secure Network Distributor)
C. SSD (Secure System Distributor)
D. SNP (System Networking Process)

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 168
Due to some recent performance issues, you are asked to add additional processors to your firewall.

If you already have CoreXL enabled, how are you able to increase Kernel instances?

A. Once CoreXL is installed you cannot enable additional Kernel instances without reinstalling R75.
B. In SmartUpdate, right-click on Firewall Object and choose Add Kernel Instances.
C. Use cpconfig to reconfigure CoreXL.
D. Kernel instances are automatically added after process installed and no additional configuration is needed.

Correct Answer: C
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation: by Jay Dias

PP 192 R70 Firewall Administration Guide and PP 107 CCSE R75 Study Guide under Adding Processing Cores to the Hardware

CoreXL provides almost linear scalability of performance, according to the number of processing cores on a single machine. The increase in performance is achieved without requiring any changes to management or to network topology.

In a CoreXL gateway, the firewall kernel is replicated multiple times. Each replicated copy, or instance, of the firewall kernel runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and independent inspection kernel.

A CoreXL gateway works like a regular Security Gateway. All kernel instances work with traffic going through the same gateway interfaces and apply the same gateway security policy.

Configuring CoreXL (Page 192)

To enable/disable CoreXL:
1. Run the cpconfig command.
2. Select Configure Check Point CoreXL.
3. Choose whether to enable or disable CoreXL.
4. Reboot the gateway.

To configure the number of instances:
1. Run the cpconfig command.
2. Select Configure Check Point CoreXL.
3. If CoreXL is enabled, choose to change the number of firewall instances. If CoreXL is disabled, choose to enable CoreXL and then set the required number of firewall instances. <== Answer to the Question
4. Reboot the gateway.

QUESTION 169
Which of the following platforms does NOT support SecureXL?

A. Power-1 Appliance
B. IP Appliance
C. UTM-1 Appliance
D. UNIX

Correct Answer: D
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 170
Which of the following is NOT supported by CoreXL?

A. SmartView Tracker
B. Route-based VPN
C. IPS
D. IPV4

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 171
Which of the following is NOT accelerated by SecureXL?

A. Telnet
B. FTP
C. SSH
D. HTTPS

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 172
To verify SecureXL statistics you would use the command ________?

A. fwaccel stats
B. fw ctl pstat
C. fwaccel top
D. cphaprob stat

Correct Answer: A
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 173
How can you disable SecureXL via the command line (it does not need to survive a reboot)?

A. cphaprob off
B. fw ctl accel off
C. securexl off
D. fwaccel off

Correct Answer: D
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 174
Which of these is a type of acceleration in SecureXL?

A. FTP
B. connection rate
C. GRE
D. QoS

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 175
How can you verify that SecureXL is running?

A. cpstat os
B. fw ver
C. fwaccel stat
D. securexl stat

Correct Answer: C
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 176
Which of the following services will cause SecureXL templates to be disabled?

A. TELNET
B. FTP
C. HTTPS
D. LDAP

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 177
How do you enable SecureXL (command line) on SecurePlatform?

A. fw securexl on
B. fw accel on
C. fwaccel on
D. fwsecurexl on

Correct Answer: C
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 178
The following graphic illustrates which command being issued on SecurePlatform?

A. fwaccel stats
B. fw accel stats
C. fw securexl stats
D. fwsecurexl stats

Correct Answer: A
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 179
After Travis added new processing cores on his server, CoreXL did not use them.

What would be the most plausible reason why? Travis did not:

A. edit the Gateway Properties and increase the kernel instances.
B. run cpconfig to increase the number of CPU cores.
C. edit the Gateway Properties and increase the number of CPU cores.
D. run cpconfig to increase the kernel instances.

Correct Answer: D
Section: Performance Pack/ SecureXL/ CoreXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 180
A SmartProvisioning Gateway could be a member of which VPN communities?

(i) Center In Star Topology
(ii) Satellite in Star Topology
(iii) Carter in Remote Access Community
(iv) Meshed Community

A. (ii) and (iii)
B. All
C. (i), (ii) and (iii)
D. (ii) only

Correct Answer: A
Section: SmartProvisioning
Explanation

Explanation/Reference:
Explanation:

QUESTION 181
What process manages the dynamic routing protocols (OSPF, RIP, etc.) on SecurePlatform Pro?

A. gated
B. There's no separate process, but the Linux default router can take care of that.
C. routerd
D. arouted

Correct Answer: A
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 182

What is the command to enter the router shell?

A. gated
B. routerd
C. clirouter
D. router

Correct Answer: D
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 183
Which statement is TRUE for route-based VPN's?

A. Route-based VPN's replace domain-based VPN's.
B. Route-based VPN's are a form of partial overlap VPN Domain.
C. Dynamic-routing protocols are not required.
D. IP Pool NAT must be configured on each Gateway.

Correct Answer: C
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP77 in CP_R76_VPN_AdminGuide under Configuring Numbered VTIs

Enabling Route Based VPN
If you configure a Security Gateway for Domain Based VPN and Route Based VPN, Domain Based VPN takes precedence by default. To force Route Based VPN to take priority, you must create a dummy (empty) group and assign it to the VPN domain.

QUESTION 184
If both domain-based and route-based VPN's are configured, which will take precedence?

A. Must be chosen/configured manually by the Administrator in the Policy > Global Properties
B. Must be chosen/configured manually by the Administrator in the VPN community object
C. Domain-based
D. Route-based

Correct Answer: C
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 185
Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?

A. They are only supported on the IPSO Operating System.
B. VTIs cannot be assigned a proxy interface.
C. VTIs can only be physical, not loopback.
D. Local IP addresses are not configured, remote IP addresses are configured.

Correct Answer: A
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 186
Which of the following is TRUE concerning un-numbered VPN Tunnel Interfaces (VTIs)?

A. VTIs must be assigned a proxy interface.
B. VTIs can only be physical, not loopback.
C. VTIs are only supported on SecurePlatform.
D. Local IP addresses are not configured, remote IP addresses are configured.

Correct Answer: A
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation: by [email protected]

Two types of routing within VPNs: Domain based Routing AND VTI Based Routing. In VTI based routing, it's based on the concept that setting up a VTI between peer GW is much like connecting them directly.

TWO VTI types
1. Numbered VTI :- Interface is assigned a local and a remote IP. IP address CAN NOT be an address that's already in use in a Physical IP address

2. Unnumbered VTI :- No Local OR Remote IP required, Unnumbered VTI must be assigned to a Proxy interface

Page 62 R75 VPN Admin Guide

QUESTION 187
Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?

A. Local IP addresses are not configured, remote IP addresses are configured
B. VTI specific additional local and remote IP addresses are not configured
C. VTIs are only supported on SecurePlatform
D. VTIs cannot be assigned a proxy interface

Correct Answer: B
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 188
Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?

A. VTIs can use an already existing physical-interface IP address
B. VTIs cannot share IP addresses
C. VTIs are supported on SecurePlatform Pro
D. VTIs are assigned only local addresses, not remote addresses

Correct Answer: C
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 189
When configuring numbered VPN Tunnel Interfaces (VTIs) in a clustered environment, what issues need to be considered?

1. Each member must have unique source IP address
2. Every interface on each member requires a unique IP address
3. All VTIs going to the same remote peer must have the same name
4. Cluster IP addresses are required

A. 1, 3, and 4
B. 2 and 3
C. 1, 2, and 4
D. 1, 2, 3 and 4

Correct Answer: D
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 190
How do you verify a VPN Tunnel Interface (VTI) is configured properly?

A. vpn shell display <VTI name> detailed
B. vpn shell show <VTI name> detailed
C. vpn shell show interface detailed <VTI name>
D. vpn shell display interface detailed <VTI name>

Correct Answer: C
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP290 CP_R75.20_VPN_AdminGuide under VPN Shell

At vpn shell prompt enter:
show/interface/detailed
Shows summary of all interfaces or of a specific interface with greater detail

QUESTION 191
What is used to validate a digital certificate?

A. S/MIME
B. CRL
C. IPsec
D. PKCS

Correct Answer: B
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 192
You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner.

Which of the following activities should you do first?

A. Manually import your partner's Access Control List.
B. Manually import your partner's Certificate Revocation List.
C. Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).
D. Create a new logical-server object to represent your partner's CA.

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 193
You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway bound for all site-to-site VPN Communities, including Remote Access Communities.

How should you configure the VPN match rule?

A. Communities > Communities
B. internal_clear > All_GwToGw
C. internal_clear > All_communities
D. Internal_clear > External_Clear

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 194
Which of the following statements is FALSE regarding OSPF configuration on SecurePlatform Pro?

A. router ospf 1 creates the Router ID for the Security Gateway and should be the same ID for all Gateways.
B. router ospf 1 creates the Router ID for the Security Gateway and should be different for all Gateways.
C. router ospf 1 creates an OSPF routing instance and this process ID should be different for each Security Gateway.
D. router ospf 1 creates an OSPF routing instance and this process ID should be the same on all Gateways.

Correct Answer: D
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 195
If you need strong protection for the encryption of user data, what option would be the BEST choice?

A. When you need strong encryption, IPsec is not the best choice. SSL VPN's are a better choice.
B. Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
C. Disable Diffie-Hellman by using stronger certificate based key-derivation. Use AES-256 bit on all encrypted channels and add PFS to QuickMode. Use double encryption by implementing AH and ESP as protocols.
D. Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.

Correct Answer: D
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 196
Your organization maintains several IKE VPN's. Executives in your organization want to know which mechanism Security Gateway R75 uses to guarantee the authenticity and integrity of messages.

Which technology should you explain to the executives?

A. Digital signatures
B. Certificate Revocation Lists
C. Key-exchange protocols
D. Application Intelligence

Correct Answer: A
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 197
There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:

A. Probe links for availability.
B. Use links based on Day/Time.
C. Assign links to specific VPN communities.
D. Use links based on authentication method.

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP122 CCSE R75 under Link Selection

Among the configuration options, the admin could choose to:
1. Probe links for availability
2. Use load sharing on links to distribute VPN traffic
3. Use links based on services to control the bandwidth
4. setup links for remote access

QUESTION 198
There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:

A. Assign links to use Dynamic DNS.
B. Use links based on authentication method.
C. Use links based on Day/Time.
D. Use Load Sharing to distribute VPN traffic.

Correct Answer: D
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 199
There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:

A. Assign links to specific VPN communities.
B. Assign links to use Dynamic DNS.
C. Use links based on services.
D. Prohibit Dynamic DNS.

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 200
What type of object may be explicitly defined as a MEP (Multiple Entry Point) VPN?

A. Mesh VPN Community
B. Any VPN Community
C. Remote Access VPN Community
D. Star VPN Community

Correct Answer: D
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 201
MEP (Multiple Entry Point) VPN's use the Proprietary Probing Protocol to send special UDP RDP packets to port ____ to discover if an IP is accessible.

A. 259
B. 256
C. 264
D. 201

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 202
Which of the following statements is TRUE concerning MEP (Multiple Entry Point) VPN's?

A. State synchronization between Security Gateways is required.
B. MEP VPN's are not restricted to the location of the gateways.
C. The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
D. MEP Security Gateways cannot be managed by separate Management Servers.

Correct Answer: B
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 203
Which of the following statements is TRUE concerning MEP (Multiple Entry Point) VPN's?

A. The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
B. MEP Security Gateways can be managed by separate Management Servers.
C. MEP VPN's are restricted to the location of the gateways.
D. State synchronization between Security Gateways is required.

Correct Answer: B
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 204
Which of the following statements is TRUE concerning MEP VPN's?

A. MEP Security Gateways cannot be managed by separate Management Servers.
B. MEP VPN's are restricted to the location of the gateways.
C. The VPN Client selects which Security Gateway takes over, should the first connection fail.
D. State synchronization between Security Gateways is required.

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP 124 in CCSE R75 under Multiple Entry Point VPNs, 4th Bullet point (Question 336 tests you on Bullet point 3) AND [R75 VPN Admin Guide PP 115]

VPN High Availability Using MEP or Clustering
Both MEP and Clustering are ways of achieving High Availability and load sharing. However:

--There is no physical restriction on the location of MEPed Security Gateways. MEPed Security Gateways can be geographically separated machines.

--MEPed Security Gateways can be managed by different Security Management servers

--In a MEP configuration there is no "state synchronization" between the MEPed Security Gateways.

In a MEPed configuration, if a Security Gateway fails, the current connection is lost and one of the backup Security Gateways picks up the next connection.

--In a MEPed environment, the decision which Security Gateway to use is taken on the remote side;

[R75 VPN Admin Guide PP 115]

QUESTION 205
You need to publish SecurePlatform routes using the ospf routing protocol.

What is the correct command structure, once entering the route command, to implement ospf successfully?

A. Run cpconfig utility to enable ospf routing
B. ip route ospf
   ospf network1
   ospf network2
C. Enable
   Configure terminal
   Router ospf [id]
   Network [network] [wildmask] area [id]
D. Use DBedit utility to either the objects_5_0.c file

Correct Answer: C
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 206
At what router prompt would you save your OSPF configuration?

A. localhost.localdomain(config)#
B. localhost.localdomain(config-if)#
C. localhost.localdomain#
D. localhost.localdomain(config-router-ospf)#

Correct Answer: C
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 207
What is the router command to save your OSPF configuration?

A. save memory
B. write config
C. save
D. write mem

Correct Answer: D
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 208
What is the command to show OSPF adjacencies?

A. show ospf interface
B. show ospf summary-address
C. show running-config
D. show ip ospf neighbor

Correct Answer: D
Section: Routing/ NAT
Explanation

Explanation/Reference:
Explanation:

QUESTION 209
Which of the following operating systems support numbered VTI's?

A. SecurePlatform Pro
B. Solaris
C. IPSO 4.0 +
D. Windows Server 2008

Correct Answer: A
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 210
You have installed SecurePlatform R75 as Security Gateway operating system. As company requirements changed, you need the VTI features of R75.

What should you do?

A. Only IPSO 3.9 supports VTI feature, so you have to replace your Security Gateway with Nokia appliances.
B. In SmartDashboard click on the OS drop down menu and choose SecurePlatform Pro. You have to reboot the Security Gateway in order for the change to take effect.
C. Type pro enable on your Security Gateway and reboot it.
D. You have to re-install your Security Gateway with SecurePlatform Pro R75, as SecurePlatform R75 does not support VTIs.

Correct Answer: C
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 211
Which operating system(s) support(s) unnumbered VPN Tunnel Interfaces (VTIs) for route-based VPN's?

A. Solaris 9 and higher
B. IPSO 3.9 and higher
C. Red Hat Linux
D. SecurePlatform for NGX and higher

Correct Answer: B
Section: VPN VTI
Explanation

Explanation/Reference:
Explanation:

QUESTION 212
Which of the following commands would you run to remove site-to-site IKE and IPSec Keys?

A. vpn tu
B. ikeoff
C. vpn export_p12
D. vpn accel off

Correct Answer: A
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 213
What is the most common cause for a Quick mode packet 1 failing with the error "No Proposal Chosen"?

A. The OS and patch level of one gateway does not match the other.
B. The previously established Permanent Tunnel has failed.
C. There is a network connectivity issue.
D. The encryption strength and hash settings of one peer does not match the other.

Correct Answer: D
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 214
Which component receives events and assigns severity levels to the events; invokes any defined automatic reactions, and adds the events to the Events Data Base?

A. SmartEvent Analysis DataServer
B. SmartEvent Client
C. SmartEvent Correlation Unit
D. SmartEvent Server

Correct Answer: D
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP148 CCSE R75 under SmartEvent Architecture

QUESTION 215
The SmartEvent Correlation Unit:

A. adds events to the events database.
B. assigns a severity level to an event.
C. analyzes each IPS log entry as it enters the Log server.
D. displays the received events.

Correct Answer: C
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]

Answer C correct

PP148 R75 CCSE Study Guide

Correlation Unit: Analyses logs looking for patterns according to the installed policy. When a threat pattern is identified, forwards the event to the Eventia Analyzer Server

Basically, it correlates all the events

QUESTION 216
The SmartEvent Client:

A. analyzes each IPS log entry as it enters the Log server.
B. displays the received events.
C. adds events to the events database.
D. assigns a severity level to an event.

Correct Answer: B
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP148 CCSE R75 under SmartEvent Architecture

Analyzer Client: The Windows GUI that:
1. Displays the received events <---
2. Manages them for filtering and status (ie closed events)
3. Provides fine-tuning and Installation of the Events Policy

QUESTION 217
What are the 3 main components of the SmartEvent Software Blade?

1. Correlation Unit
2. Correlation Client
3. Correlation Server
4. Analyzer Server
5. Analyzer Client
6. Analyzer Unit

A. 1, 2, 3
B. 4, 5, 6
C. 1, 4, 5
D. 1, 3, 4

Correct Answer: C
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP148 CCSE R75 under SmartEvent Architecture

QUESTION 218
You are reviewing computer information collected in ClientInfo. You can NOT:

A. Enter new credential for accessing the computer information.
B. Save the information in the active tab to an .exe file.
C. Copy the contents of the selected cells.
D. Run Google.com search using the contents of the selected cell.

Correct Answer: B
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]

Answer B is correct

PP22 in CP_R75_SmartEvent_AdminGuide:

QUESTION 219
What is the SmartEvent Analyzer's function?

A. Assign severity levels to events.
B. Analyze log entries, looking for Event Policy patterns.
C. Display received threats and tune the Events Policy.
D. Generate a threat analysis report from the Analyzer database.

Correct Answer: A
Section: SmartEvent
Explanation

Explanation/Reference:

Page 78: CheckPoint.Actualtests.156-315.75.v2014-04-11.by.LAKISHA · CheckPoint.Actualtests.156-315.75.v2014-04-11.by.LAKISHA.416q Number : 156-315.75 Passing Score : 700 Time Limit : 90 min

Explanation: by [email protected]

Answer correct ( A)

PP148 CCSE R75 under SamertEvent Architecture

Analyzer Server -- Receives events from the Correlation Units (CU) and assigns a severity level to theevent

QUESTION 220
What is the SmartEvent Client's function?

A. Display received threats and tune the Events Policy.
B. Generate a threat analysis report from the Reporter database.
C. Invoke and define automatic reactions and add events to the database.
D. Assign severity levels to events.

Correct Answer: A
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation:

QUESTION 221
A tracked SmartEvent Candidate in a Candidate Pool becomes an Event.

What does NOT happen in the Analyzer Server?

A. SmartEvent provides the beginning and end time of the Event.
B. The Correlation Unit keeps adding matching logs to the Event.
C. The Event is kept open, but condenses many instances into one Event.
D. SmartEvent stops tracking logs related to the Candidate.

Correct Answer: D
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]

PP46 in CP_R75_SmartEvent_AdminGuide in Creating Event Definitions (User Defined Events) starting at pp42

Step 4: When a Candidate Becomes an Event (in point form)

1. When a candidate becomes an event, the Correlation Unit forwards the event to the Event Database.

2. But discovering an event does not mean that SmartEvent stops tracking logs related to it. ====> Contradicts answer option D. So answer is D

3. The Correlation Unit will keep adding matching logs to the event as long as they continue to arrive during the event threshold. ====> B. The Correlation Unit keeps adding matching logs to the Event.

4. Keeping the event "open" condenses what might otherwise appear as many instances of the same event to one, and provides accurate, up-to-date information as to the beginning and end time of the event. ====> C. The Event is kept open, but condenses many instances into one Event.

QUESTION 222
What is the benefit to running SmartEvent in Learning Mode?

A. There is no SmartEvent Learning Mode
B. To run SmartEvent with preloaded sample data in a test environment
C. To run SmartEvent, with a step-by-step online configuration guide for training/setup purposes
D. To generate a report with system Event Policy modification suggestions

Correct Answer: D
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Answer D correct

PP 37: CP_R75_SmartEvent Admin Guide

Tuning SmartEvent Using Learning Mode

While SmartEvent is ready "out-of-the-box" with an Event Policy based on real-world expectations, in most cases further fine-tuning is required.

SmartEvent's Learning Mode analyzes the Event Log and generates a report with suggestions as to what modifications you should make to your system's Event Policy.

It should be run a day or so after installing SmartEvent, and whenever you want to further refine the events detected.

QUESTION 223
For best performance in Event Correlation, you should use:

A. IP address ranges
B. Large groups
C. Nothing slows down Event Correlation
D. Many objects

Correct Answer: A
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation:

QUESTION 224
_______________ manages Standard Reports and allows the administrator to specify automatic uploads of reports to a central FTP server.

A. SmartDashboard Log Consolidator
B. SmartReporter
C. Security Management Server
D. SmartReporter Database

Correct Answer: B
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Answer B is correct

PP28 CP_R75_SmartReport_AdminGuide

Uploading Reports to an FTP Server

In order to enable report uploads to an FTP server you must configure the Report's output properties.

Configuring the FTP Upload

1. Enable the FTP Upload option.
2. Fill the server properties in the fields to the right of the option list, including the FTP server's name or IP, the User Name and Password that SmartReporter uses to connect to the FTP server, and the Path of the directory in which the report results are saved.
3. Select how the new uploaded report is saved (that is, whether in a new directory or overriding the previous report).

QUESTION 225
_____________ generates a SmartEvent Report from its SQL database.

A. SmartEvent Client
B. Security Management Server
C. SmartReporter
D. SmartDashboard Log Consolidator

Correct Answer: C
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation:

QUESTION 226
Which SmartReporter report type is generated from the SmartView Monitor history file?

A. Custom
B. Express
C. Traditional
D. Standard

Correct Answer: B
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation: by [email protected]:

B is correct

PP147, R75 CCSE Study guide

Express Reports -- Express Reports are generated from SmartView Monitor History Files and are produced much more quickly

QUESTION 227
You have selected the event Port Scan from Internal Network in SmartEvent, to detect an event when 30 port scans have occurred within 60 seconds. You also want to detect two port scans from a host within 10 seconds of each other.

How would you accomplish this?

A. Define the two port-scan detections as an exception.
B. Select the two port-scan detections as a new event.
C. Select the two port-scan detections as a sub-event.
D. You cannot set SmartEvent to detect two port scans from a host within 10 seconds of each other.

Correct Answer: A
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]:

PP37, CP_R75_SmartEvent_AdminGuide

This chapter explains how you fine tune your policies. Answer A is correct

QUESTION 228
When do modifications to the Event Policy take effect?

A. When saved on the Correlation Units, and pushed as a policy.
B. As soon as the Policy Tab window is closed.
C. When saved on the SmartEvent Client, and installed on the SmartEvent Server.
D. When saved on the SmartEvent Server and installed to the Correlation Units.

Correct Answer: D
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Answer D correct

PP 36 in CP_R75_SmartEvent_AdminGuide


QUESTION 229
To clean the system of all events, you should delete the files in which folder(s)?

A. $RTDIR/distrib and $RTDIR/events_db
B. $RTDIR/events_db
C. $FWDIR/distrib_db and $FWDIR/events
D. $FWDIR/distrib

Correct Answer: A
Section: File Locations/ File Modification
Explanation

Explanation/Reference:
Explanation:

QUESTION 230
What SmartConsole application allows you to change the Log Consolidation Policy?

A. SmartDashboard
B. SmartReporter
C. SmartUpdate
D. SmartEvent Server

Correct Answer: A
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Answer A is correct

PP: CCSE R75 Page 147

Bullet Point 1 in SmartReporter Standard Reports are supported by TWO clients:

SmartDashboard Log Consolidator - Manages the log consolidation rules

QUESTION 231
Where is it necessary to configure historical records in SmartView Monitor to generate Express reports in SmartReporter?

A. In SmartView Monitor, under Global Properties > Log and Masters
B. In SmartReporter, under Express > Network Activity
C. In SmartDashboard, the SmartView Monitor page in the R75 Security Gateway object
D. In SmartReporter, under Standard > Custom

Correct Answer: C
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation: by [email protected]:

PP 24 in CP_R75_SmartReporter_Admin Guide

Express Reports Configuration

The following procedure sets the SmartView Monitor to collect complete system data in order to produce SmartReporter Express Reports. SmartView Monitor settings are enabled through the SmartDashboard. Proceed as follows:

1. In the SmartDashboard network objects branch, select a gateway of interest. Double click the gateway to open the Check Point Gateway properties window.

2. You will need to enable the SmartView Monitor to collect data for reporting purposes through SmartDashboard. If you do not see SmartView Monitor in the selection to the left, enable it through the General Properties tab. Click General Properties, then in the Check Point Products scroll-down list, select SmartView Monitor. It will appear on the left. Select SmartView Monitor, and in the SmartView Monitor tab, enable one or all of the following options to ensure that SmartView Monitor is collecting necessary data for reporting purposes:

- Check Point System Counters
- Traffic Connections
- Traffic Throughput

Note - Selecting Traffic Connections and Traffic Throughput in the SmartView Monitor tab may affect the performance of the gateway.

3. To finish this procedure, in SmartDashboard select Policy > Install.

QUESTION 232
SmartReporter reports can be used to analyze data from a penetration-testing regimen in all of the following examples, EXCEPT:

A. Possible worm/malware activity.
B. Analyzing traffic patterns against public resources.
C. Analyzing access attempts via social-engineering.
D. Tracking attempted port scans.

Correct Answer: C
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation:

QUESTION 233
If Jack was concerned about the number of log entries he would receive in the SmartReporter system, which policy would he need to modify?

A. Consolidation Policy
B. Log Consolidator Policy
C. Log Sequence Policy
D. Report Policy

Correct Answer: A
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation: by [email protected]:

PP 31, CP_R75_SmartReporter_AdminGuide

Consolidation Policy Configuration Overview ====> note "Consolidation Policy"

The Out of the Box Consolidation Policy has been designed to address the most common Consolidation needs. However, in case you have specific Consolidation needs that are not covered by this Policy, the Consolidation Rules can be modified as needed.


QUESTION 234
Your company has the requirement that SmartEvent reports should show a detailed and accurate view of network activity but also performance should be guaranteed.

Which actions should be taken to achieve that?

(i) Use same hard drive for database directory, log files and temporary directory
(ii) Use Consolidation Rules
(iii) Limit logging to blocked traffic only
(iv) Using Multiple Database Tables

A. (i) and (ii)
B. (ii) and (iv)
C. (i), (ii) and (iv)
D. (i), (iii) and (iv)

Correct Answer: B
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Objective: Accurate view of network activity but also performance should be guaranteed

(i) Use same hard drive for database directory, log files and temporary directory ====> This will result in a lot of read/write operations so, performance wise, NOT GOOD

(ii) Use Consolidation Rules ====> Need this for accurate reports

(iii) Limit logging to blocked traffic only ====> The reports may not be accurate

(iv) Using Multiple Database Tables ====> Multiple Tables means it's properly normalized, so good

So answer should be (ii) and (iv)

QUESTION 235
To help organize events, SmartReporter uses filtered queries.

Which of the following is NOT a SmartEvent event property you can query?

A. Event: Critical, Suspect, False Alarm
B. Time: Last Hour, Last Day, Last Week
C. State: Open, Closed, False Alarm
D. Type: Scans, Denial of Service, Unauthorized Entry

Correct Answer: A
Section: SmartReporter
Explanation

Explanation/Reference:
Explanation: by [email protected]:


QUESTION 236
How could you compare the Fingerprint shown to the Fingerprint on the server?

A. Run cpconfig, select the Certificate's Fingerprint option and view the fingerprint
B. Run cpconfig, select the GUI Clients option and view the fingerprint
C. Run cpconfig, select the Certificate Authority option and view the fingerprint
D. Run sysconfig, select the Server Fingerprint option and view the fingerprint

Correct Answer: A
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 237
Which file defines the fields for each object used in the file objects.C (color, num/string, default value...)?

A. $FWDIR/conf/classes.C
B. $FWDIR/conf/scheam.C
C. $FWDIR/conf/table.C
D. $FWDIR/conf/fields.C

Correct Answer: A
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 238
Which of the following commands can be used to stop Management portal services?

A. fw stopportal
B. cpportalstop
C. cpstop / portal
D. smartportalstop

Correct Answer: D
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 239
You use the snapshot feature to store your Connectra SSL VPN configuration.

What do you expect to find?

A. Nothing; snapshot is not supported in Connectra SSL VPN.
B. The management configuration of the current product, on a management or stand-alone machine
C. A complete image of the local file system
D. Specified directories of the local file system.

Correct Answer: C
Section: Configuration/ Topology/ Connectra
Explanation

Explanation/Reference:
Explanation:

QUESTION 240
When running DLP Wizard for the first time, which of the following is a mandatory configuration?

A. Mail Server
B. E-mail Domain in My Organization
C. DLP Portal URL
D. Active Directory

Correct Answer: B
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 241
When using Connectra with Endpoint Security Policies, what option is not available when configuring DAT enforcement?

A. Maximum DAT file version
B. Maximum DAT file age
C. Minimum DAT file version
D. Oldest DAT file timestamp

Correct Answer: A
Section: Configuration/ Topology/ Connectra
Explanation

Explanation/Reference:
Explanation: by [email protected] : Jay Dias

Above Answer is wrong, it should be D -- Oldest DAT file timestamp

http://dl3.checkpoint.com/paid/82/HowTo_CreateOrGroup_ConnectraESOD.pdf?HashKey=1392035503_bfa706b834222c1a869e30e73fbb5c2c&xtn=.pdf

-- This Question is all about creating "OR group" or adding a custom check than what pre-defined for host check. Basically these custom checks are called "OR Group"

-- If there is an application (anti-virus or other) that the Endpoint Security On Demand (ESOD) scanner cannot detect, or is not listed inside of the ESOD configuration, you can build an OR Group. The "OR Group" lets you use the standard predefined anti-virus template, and lets a Custom Rule detect other applications that are not in a predefined ESOD template.

-- SSL VPN re-branding: In SmartDashboard R65.3 or 65.4: open the Connectra tab. For R70.x and above, open the SSL VPN tab. For R71.30 and above, open the Mobile Access tab.


QUESTION 242
Which of the following statements is FALSE about the DLP Software Blade and Active Directory (AD) or LDAP?

A. When a user authenticates in the DLP Portal to view all his unhandled incidents, the portal authenticates the user using only AD/LDAP.
B. Check Point UserCheck client authentication is based on AD.
C. For SMTP traffic, each recipient e-mail address is translated using AD/LDAP to a user name and group that is checked vs. the destination column of the DLP rule base.
D. For SMTP traffic, the sender e-mail address is translated using AD/LDAP to a user name and group that is checked vs. the source column of the DLP rule base.

Correct Answer: A
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 243
You are running R71 and using the new IPS Software Blade. To maintain the highest level of security, you are doing IPS updates regularly.

What kind of problems can be caused by the automatic updates?

A. None; updates will not add any new security checks causing problematic behaviour on the systems.
B. None, all new updates will be implemented in Detect only mode to avoid unwanted traffic interruptions. They have to be activated manually later.
C. None, all the checks will be activated from the beginning, but will only detect attacks and not disturb any non-malicious traffic in the network.
D. All checks will be activated from the beginning and might cause unwanted traffic outage due to false positives of the new checks and non-RFC compliant self-written applications.

Correct Answer: B
Section: IPS
Explanation

Explanation/Reference:
Explanation:

QUESTION 244
Which of the following deployment scenarios CANNOT be managed by Check Point QoS?

A. Two lines connected to a single router, and the router is connected directly to the Gateway
B. Two lines connected to separate routers, and each router is connected to separate interfaces on the Gateway
C. One LAN line and one DMZ line connected to separate Gateway interfaces
D. Two lines connected directly to the Gateway through a hub

Correct Answer: A
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 245
Which technology is responsible for assembling packet streams and passing ordered data to the protocol parsers in IPS?

A. Pattern Matcher
B. Content Management Infrastructure
C. Accelerated INSPECT
D. Packet Streaming Layer

Correct Answer: D
Section: IPS
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Source: checkpoint_blade_ips.pdf (http://www.nwtechusa.com/pdf/checkpoint_blade_ips.pdf)

[Figures not reproduced: Protocol Parsers in IPS; Pattern Matcher; Content Management Infrastructure; Packet Streaming Layer]

QUESTION 246
You configure a Check Point QoS Rule Base with two rules: an H.323 rule with a weight of 10, and the Default Rule with a weight of 10. The H.323 rule includes a per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee is for four connections, and no additional connections are allowed in the Action properties.

If traffic passing through the QoS Module matches both rules, which of the following statements is TRUE?

A. Each H.323 connection will receive at least 512 Kbps of bandwidth.
B. The H.323 rule will consume no more than 2048 Kbps of available bandwidth.
C. 50% of available bandwidth will be allocated to the Default Rule.
D. Neither rule will be allocated more than 10% of available bandwidth.

Correct Answer: B
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 247
How is SmartWorkflow enabled?

A. In SmartView Monitor, click on SmartWorkflow / Enable SmartWorkflow. The Enabling SmartWorkflow wizard launches and prompts for SmartWorkflow Operation Mode. Once a mode is selected, the wizard finishes.
B. In SmartView Tracker, click on SmartWorkflow / Enable SmartWorkflow. The Enabling SmartWorkflow wizard launches and prompts for SmartWorkflow Operation Mode. Once a mode is selected, the wizard finishes.
C. In SmartDashboard, click on SmartWorkflow / Enable SmartWorkflow. The Enabling SmartWorkflow wizard launches and prompts for SmartWorkflow Operation Mode. Once a mode is selected, the wizard finishes.
D. In SmartEvent, click on SmartWorkflow / Enable SmartWorkflow. The Enabling SmartWorkflow wizard launches and prompts for SmartWorkflow Operation Mode. Once a mode is selected, the wizard finishes.

Correct Answer: C
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 248
What could the following regular expression be used for in a DLP rule?

\$([0-9]*,[0-9] [0-9] [0-9]. [0-9] [0-9]

Select the best answer

A. As a Data Type to prevent programmers from leaking code outside the company
B. As a compound data type representation.
C. As a Data Type to prevent employees from sending an email that contains a complete price-list of nine products.
D. As a Data Type to prevent the Finance Department from leaking salary information to employees

Correct Answer: D
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 249
Exhibit:

UserA is able to create a SmartLSM Security Cluster Profile, you must select the correct justification.

A. False. The user must have at least Read permissions for the SmartLSM Gateways Database
B. True. Only Object Database Read/Write permissions are required to create SmartLSM Profiles
C. False. The user must have Read/Write permissions for the SmartLSM Gateways Database.
D. Not enough information to determine. You must know the user's Provisioning permissions to determine whether they are able to create a SmartLSM Security Cluster Profile

Correct Answer: D
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 250
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?

A. Guarantees
B. Weighted Fair Queuing
C. Low Latency Queuing
D. Differentiated Services

Correct Answer: B
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 251
Laura notices the Microsoft Visual Basic Bits Protection is set to inactive. She wants to set the Microsoft Visual Basic Kill Bits Protection and all other Low Performance Impact Protections to Prevent. She asks her manager for approval and stated she can turn these on. But he wants Laura to make sure no high Performance Impacted Protections are turned on while changing this setting.

Using the output below, how would Laura change the Default_Protection on Performance Impact Protections classified as low from inactive to prevent until meeting her other criteria?

A. Go to Profiles / Default_Protection and uncheck Do not activate protections with performance impact to medium or above
B. Go to Profiles / Default_Protection and select Do not activate protections with performance impact to low or above
C. Go to Profiles / Default_Protection and select Do not activate protections with performance impact to medium or above
D. Go to Profiles / Default_Protection and uncheck Do not activate protections with performance impact to high or above

Correct Answer: C
Section: IPS
Explanation

Explanation/Reference:
Explanation:


QUESTION 252
Refer to the network topology below.

You have IPS software Blades active on security Gateways sglondon, sgla, and sgny, but still experience attacks on the Web server in the New York DMZ.

How is this possible?

A. All of these options are possible.
B. Attacker may have used a touch of evasion techniques like using escape sequences instead of clear text commands. It is also possible that there are entry points not shown in the network layout, like rogue access points.
C. Since other Gateways do not have IPS activated, attacks may originate from their networks without any noticing
D. An IPS may combine different technologies, but is dependent on regular signature updates and well-turned automatically algorithms. Even if this is accomplished, no technology can offer protection.

Correct Answer: A
Section: Configuration/ Topology/ Connectra
Explanation

Explanation/Reference:
Explanation:

QUESTION 253
How is change approved for implementation in SmartWorkflow?

A. The change is submitted for approval and is automatically installed by the approver once Approve is clicked
B. The change is submitted for approval and is automatically installed by the original submitter the next time he logs in after approval of the change
C. The change is submitted for approval and is manually installed by the original submitter the next time he logs in after approval of the change.
D. The change is submitted for approval and is manually installed by the approver once Approve is clicked

Correct Answer: C
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 254
Provisioning Profiles can NOT be applied to:

A. UTM-1 EDGE Appliances
B. UTM-1 Appliances
C. IP Appliances
D. Power-1 Appliances

Correct Answer: C
Section: SmartProvisioning
Explanation

Explanation/Reference:
Explanation:

QUESTION 255
One profile in SmartProvisioning can update:

A. Potentially hundreds and thousands of gateways.
B. Only Clustered Gateways.
C. Specific gateways.
D. Profiles are not used for updating, just reporting.

Correct Answer: A
Section: SmartProvisioning
Explanation

Explanation/Reference:
Explanation:

QUESTION 256
Check Point recommends deploying SSL VPN:

A. In parallel to the firewall
B. In a DMZ
C. In front of the firewall with a LAN connection
D. On the Primary cluster member

Correct Answer: C
Section: SSL-VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 257
What are the SmartProvisioning Provisioning Profile indicators?

A. OK, Needs Attention, Uninitialized, Unknown
B. OK, Needs Attention, Agent is in local mode, Uninitialized, Unknown
C. OK, Waiting, Unknown, Not Installed, Not Updated, May be out of date
D. OK, In Use. Out of date, not used

Correct Answer: B
Section: SmartProvisioning
Explanation

Explanation/Reference:
Explanation:

QUESTION 258
SmartWorkflow has been enabled with the following configuration:

If a security administrator opens a new session and, after making changes to policy, submits the session for approval, it will be displayed as:

A. Approved
B. In progress
C. Not Approved
D. Awaiting Approval

Correct Answer: B
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 259
In Company XYZ, the DLP Administrator defined a new Keywords Data Type that contains a list of secret project names; i.e., Ayalon, Yarkon, Yarden. The threshold is set to At least 2 keywords or phrases.

Based on this information, which of the following scenarios will be a match to the Rule Base?

A. A PDF file that contains the following text
Yarkon1 can be the code name for the new product. Yardens list of protected sites

B. An MS Excel file that contains the following text
Mort resources for Yarkon project.. Are you certain this is about Yarden?

C. A word file that contains the following text will match:
Ayalon
ayalon
AYALON

D. A password protected MS Excel file that contains the following text
Ayalon
Yarkon
Yarden

Correct Answer: B
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 260
Which Name Resolution protocols are supported in SSL VPN?

A. DNS, hosts, Imhosts, WINS
B. DNS, hosts, Imhosts
C. DNS, hosts, WINS
D. DNS, hosts

Correct Answer: D
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:


QUESTION 261
Which Check Point QoS feature marks the ToS byte in the IP header?

A. Differentiated Services
B. Guarantees
C. Weighted Fair Queuing
D. Low Latency Queuing

Correct Answer: A
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 262
How does ClusterXL Unicast mode handle new traffic?

A. All members receive all packets. The Security Management Server decides which member will process the packets. Other members delete the packets from memory.
B. The pivot machine receives and inspects all new packets then synchronizes the connections with other members
C. The pivot machine receives all the packets and runs an algorithm to determine which member should process the packets
D. All cluster members process all packets and members synchronize with each other. The pivot is responsible for the master sync catalog

Correct Answer: C
Section: ClusterXL
Explanation

Explanation/Reference:
Explanation:

QUESTION 263
Which of the following explains Role Segregation?

A. Administrators have different abilities than managers within SmartWorkflow.
B. Different tasks within SmartDashboard are divided according to firewall administrator permissions.
C. Changes made by an administrator in a SmartWorkflow session must have managerial approval prior to commitment.
D. SmartWorkflow can be configured so that managers can only view their assigned sessions

Correct Answer: C
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 264
Which of the following actions is most likely to improve the performance of Check Point QoS?

A. Put the most frequently used rules at the bottom of the QoS Rule Base.
B. Define Check Point QoS only on the external interfaces of the QoS Module.
C. Turn per rule limits into per connection limits
D. Turn per rule guarantees into per connection guarantees.

Correct Answer: B
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 265
Where is the encryption domain for a SmartLSM Security Gateway configured in R71?

A. Inside the SmartLSM Security Gateway object in the SmartDashboard GUI
B. Inside the SmartLSM Security Gateway profile in the SmartProvisioning GUI
C. Inside the SmartLSM Security Gateway object in the SmartProvisioning GUI
D. Inside the SmartLSM Security Gateway profile in the SmartDashboard GUI

Correct Answer: B
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 266
John is the MultiCorp Security Administrator. If he suggests a change in the firewall configuration, he must submit his proposal to David, a security manager. One day David is out of the office and John submits his proposal to Peter. Surprisingly, Peter is not able to approve the proposal because the system does not permit him to do so.

Both David and Peter have accounts as administrators in the Security Management server and both have the Read/Write ALL permission.

What is the reason for this difference?

A. There were some Hardware/Software issues at Security Management server on the first day.
B. Peter was not logged on to the system for a longer time
C. The attribute Manage Administrator was not assigned to Peter
D. The specific SmartWorkflow Read/Write permissions were assigned to David only.

Correct Answer: C
Section: SmartDashboard/ Security Management Server (SMS)
Explanation

Explanation/Reference:
Explanation:

QUESTION 267
What is NOT true about Management Portal?

A. Choosing Accept control connections in Implied Rules includes Management Portal access
B. Management Portal requires a license
C. Default Port for Management Portal access is 4433
D. Management Portal could be reconfigured for using HTTP instead of HTTPS

Correct Answer: A
Section: Basics
Explanation

Explanation/Reference:
Explanation: by [email protected]:

PP 12 to 15, CCSE R70 Study Guide

QUESTION 268
Management Portal should be installed on:

(i) Management Server
(ii) Security Gateway
(iii) Dedicated Server

A. All are possible solutions
B. (ii) only
C. (iii) only
D. (i) or (iii) only

Correct Answer: D
Section: SmartDashboard/ Security Management Server (SMS)
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Answer should be (i) and (iii)

PP12 CCSE R71 under Web Based Administration

"The Management Portal can be deployed on either a Dedicated Server or along side the Security mgmt Server."

QUESTION 269
What port is used for Administrator access for your SSL VPN?

A. 80
B. 4433
C. 4434
D. 443

Correct Answer: B
Section: Port/ Port Hardening
Explanation

Explanation/Reference:
Explanation: by [email protected]:
sk31333

Configuring SmartPortal / Management Portal to work in a Multi-Domain Security Management / Provider-1 environment

Solution ID: sk31333
Product: Management Portal, Multi-Domain Management / Provider-1
Version: NGX R60, NGX R61, NGX R62, NGX R65, R70, R71, R75, R76, R77
Platform / Model: Intel/PC, Smart-1
Date Created: 17-Nov-2005
Last Modified: 08-Jan-2014

SOLUTION

By default, SmartPortal / Management Portal can not be used if installed on a Provider-1 / Multi-Domain Security Management MDS machine.

In order to configure SmartPortal / Management Portal to work in a Provider-1 / Multi-Domain Security Management environment, follow this procedure:

Install SmartPortal / Management Portal (just the SmartPortal / Management Portal !) on a "clean" machine.

Use the SecurePlatform / Gaia Portal in order to set the interfaces and define the SIC password - do NOT use the 'cpconfig' command !!!.

Connect to Provider-1 / Multi-Domain Security Management MDS machine with Provider-1 MDG / SmartDomain Manager.

Go to 'Global Policies' - expand the relevant Global Policy - expand the relevant Customer / Domain - right-click on the relevant CMA / Domain Management Server - click on 'Launch SmartDashboard'.

Go to 'Manage' menu - click on 'Network Objects' - click on 'New...' button - select 'Check Point' - select 'Host...'. This object will represent the SmartPortal / Management Portal machine.

Configure the object's properties. Make sure to check only the box for 'SmartPortal' / 'Management Portal' in the products section.

Establish SIC with the SmartPortal / Management Portal machine.

Configure the following global explicit rule:

SOURCE: SmartPortal / Management Portal object
DESTINATION: SmartPortal / Management Portal object
SERVICE: Any
ACTION: Accept

Save the changes: go to 'File' menu - click on 'Save'.

Close the SmartDashboard.

Go to 'Global Policies' - right-click on the relevant Global Policy - click on 'Reassign/Install Global Policy ...' - select the relevant CMA(s) / Domain(s).

Connect to SmartPortal / Management Portal at https://Portal_IP_Address:4433 - you should now be able to access the desired MDS / CMA / Domain. <==================================================

Note: If you have one MDS and one MLM server, and you have a Management Portal license on your MDS server, then you do not need a separate license on your dedicated Management Portal server.

QUESTION 270
What is the command to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX using a CD?

A. cd patch add
B. fwm upgrade_tool
C. cppkg add
D. patch add
E. patch add cd

Correct Answer: E
Section: Upgrade/ Backup/ Restore
Explanation

Explanation/Reference:
Explanation:

QUESTION 271
You set up a mesh VPN Community, so your internal networks can access your partner's network, and vice versa. Your Security Policy encrypts only FTP and HTTP traffic through a VPN tunnel. All other traffic among your internal and partner networks is sent in clear text.

How do you configure the VPN Community?

A. Disable "accept all encrypted traffic", and put FTP and HTTP in the Excluded services in the Community object. Add a rule in the Security Policy for services FTP and http, with the Community object in the VPN field.
B. Disable "accept all encrypted traffic" in the Community, and add FTP and HTTP services to the Security Policy, with that Community object in the VPN field.
C. Enable "accept all encrypted traffic", but put FTP and HTTP in the Excluded services in the Community. Add a rule in the Security Policy, with services FTP and http, and the Community object in the VPN field.
D. Put FTP and HTTP in the Excluded services in the Community object. Then add a rule in the Security Policy to allow Any as the service, with the Community object in the VPN field.

Correct Answer: B
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Accepting all Encrypted Traffic

If you select Accept all encrypted traffic on the General page of the VPN community Properties window, a new rule is added to the Security Policy Rule Base. This rule is neither a regular rule or an implied rule, but an automatic community rule, and can be distinguished by its "beige" colored background. [pp33 R75.20 VPN Admin Guide]

On the General page, select Accept all encrypted traffic if you need all traffic between the Security Gateways to be encrypted. If not, then create appropriate rules in the Security Policy Rule Base that allows encrypted traffic between community members. [pp34 R75.20 VPN Admin Guide]

If you did not select Accept all encrypted traffic in the community, build an access control policy, for example:

Source: Any
Destination: Any
VPN: Meshed community
Service: Any
Action: Accept
[pp35 R75.20 VPN Admin Guide]

*************************** As per Question: ***************************
1. Your Security Policy encrypts only FTP and HTTP traffic through a VPN tunnel.
2. All other traffic among your internal and partner networks is sent in clear text.

As per point 2, not all Traffic MUST BE Encrypted, so we CAN NOT tick "Accepting all Encrypted Traffic", now we need to add a rule to encrypt the FTP and HTTP traffic


QUESTION 272
How does a standby SmartCenter Server receive logs from all Security Gateways, when an active SmartCenter Server fails over?

A. The remote Gateways must set up SIC with the secondary SmartCenter Server, for logging.
B. Establish Secure Internal Communications (SIC) between the primary and secondary Servers. The secondary Server can then receive logs from the Gateways, when the active Server fails over.
C. On the Log Servers screen (from the Logs and Masters tree on the gateway object's General Properties screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security Policy.
D. Create a Check Point host object to represent the standby SmartCenter Server. Then select "Secondary SmartCenter Server" and "Log Server", from the list of Check Point Products on the General properties screen.
E. The secondary Server's host name and IP address must be added to the Masters file, on the remote Gateways.

Correct Answer: C
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 273
You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly between end points.

Which routing mode in the VoIP Domain Gatekeeper do you select?

A. Direct
B. Direct and Call Setup
C. Call Setup
D. Call Setup and Call Control

Correct Answer: A
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 274
Which component functions as the Internal Certificate Authority for VPN-1 NGX?

A. VPN-1 Certificate Manager
B. SmartCenter Server
C. SmartLSM
D. Policy Server
E. Security Gateway

Correct Answer: B
Section: SmartCenter/ SmartLSM
Explanation

Explanation/Reference:
Explanation:

QUESTION 275
Which Security Servers can perform Content Security tasks, but CANNOT perform authentication tasks?

A. Telnet
B. FTP
C. SMTP
D. HTTP

Correct Answer: C
Section: Basics
Explanation

Explanation/Reference:
Explanation:
CP Document : Content Security, pp 105 under Security Server Overview


QUESTION 276
The following diagram illustrates how a VPN-1 SecureClient user tries to establish a VPN with hosts in the external_net and internal_net from the Internet.

How is the Security Gateway VPN Domain created?

A. Internal Gateway VPN Domain = internal_net;
External VPN Domain = external net + external gateway object + internal_net.
B. Internal Gateway VPN Domain = internal_net.
External Gateway VPN Domain = external_net + internal gateway object
C. Internal Gateway VPN Domain = internal_net;
External Gateway VPN Domain = internal_net + external_net
D. Internal Gateway VPN Domain = internal_net.
External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net

Correct Answer: D
Section: Configuration/ Topology/ Connectra
Explanation

Explanation/Reference:
Explanation:

QUESTION 277
How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queue using Check Point QoS solution?

A. Weighted Fair queuing
B. guaranteed per connection
C. Low latency class
D. guaranteed per VoIP rule

Correct Answer: C
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 278
You are preparing to deploy a VPN-1 Pro Gateway for VPN-1 NGX. You have five systems to choose from for the new Gateway, and you must conform to the following requirements:

Operating-system vendor's license agreement
Check Point's license agreement
Minimum operating-system hardware specification
Minimum Gateway hardware specification
Gateway installed on a supported operating system (OS)

Which machine meets ALL of the following requirements?

A. Processor: 1.1 GHz RAM: 512MB Hard disk: 10 GB OS: Windows 2000 Workstation
B. Processor: 2.0 GHz RAM: 512MB Hard disk: 10 GB OS: Windows ME
C. Processor: 1.5 GHz RAM: 256 MB Hard disk: 20 GB OS: Red Hat Linux 8.0
D. Processor: 1.67 GHz RAM: 128 MB Hard disk: 5 GB OS: FreeBSD
E. Processor: 2.2 GHz RAM: 256 MB Hard disk: 20 GB OS: Windows 2000 Server

Correct Answer: E
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 279
Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?

A. Global Properties
B. QoS Class objects
C. Check Point gateway object properties
D. $CPDIR/conf/qos_props.pf

Correct Answer: A
Section: QoS
Explanation

Explanation/Reference:
Explanation:

QUESTION 280
Problems sometimes occur when distributing IPSec packets to a few machines in a Load Sharing Multicast mode cluster, even though the machines have the same source and destination IP addresses.

What is the best Load Sharing method for preventing this type of problem?

A. Load Sharing based on IP addresses, ports, and serial peripheral interfaces (SPI)
B. Load Sharing based on SPIs only
C. Load Sharing based on IP addresses only
D. Load Sharing based on SPIs and ports only
E. Load Sharing based on IP addresses and ports

Correct Answer: E
Section: Cluster
Explanation

Explanation/Reference:
Explanation:

QUESTION 281
Jacob is using a mesh VPN Community to create a site-to-site VPN. The VPN properties in this mesh Community display in this graphic:

Which of the following statements is TRUE?

A. If Jacob changes the setting, "Perform key exchange encryption with" from "3DES" to "DES", he will enhance the VPN Community's security and reduce encryption overhead.
B. Jacob must change the data integrity settings for this VPN Community. MD5 is incompatible with AES.
C. If Jacob changes the setting "Perform IPSec data encryption with" from "AES-128" to "3DES", he will increase the encryption overhead.
D. Jacob's VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX supports.

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 282
Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings:

Use CVP
Allow CVP server to modify content
Return data after content is approved

He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic.

Wayne sees HTTP traffic going to those problematic sites is not prohibited.

What could cause this behavior?

A. The Security Server Rule is after the general HTTP Accept Rule.
B. The Security Server is not communicating with the CVP server.
C. The Security Server is not configured correctly.
D. The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.

Correct Answer: A
Section: Basics
Explanation

Explanation/Reference:
Explanation:

QUESTION 283
You want to block corporate internal-net and localnet from accessing Web sites containing inappropriate content. You are using WebTrends for URL filtering. You have disabled VPN-1 Control connections in the Global properties. Review the diagram and the Security Policies for GW_A and GW_B in the exhibit provided.

Corporate users and localnet users receive message "Web cannot be displayed". In SmartView Tracker, you see the connections are dropped with message "content security is not reachable".

What is the problem, and how do you fix it?

A. The connection from GW_B to the internal WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_A's Policy to allow source WebTrends Server, destination GW_B, service TCP port 18182, and action accept.
B. The connection from GW_B to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_B's Policy with Source GW_B, destination WebTrends server, service TCP port 18182, and action accept.
C. The connection from GW_A to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_B's Policy with source WebTrends server, destination GW_A, service TCP port 18182, and action accept.
D. The connection from GW_A to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_B's Policy with source GW_A, destination: WebTrends server, service TCP port 18182, and action accept.
E. The connection from GW_A to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_A's Policy to allow source GW_A, destination WebTrends server, service TCP port 18182, and action accept.

Correct Answer: E
Section: Configuration/ Topology/ Connectra
Explanation

Explanation/Reference:
Explanation:

QUESTION 284
VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security.

Which of the following services is NOT provided by a CIFS resource?

A. Log access shares
B. Block Remote Registry Access
C. Log mapped shares
D. Allow MS print shares

Correct Answer: D
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 285
Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company's file server, on \\erisco\goldenapple\files\public. Robert receives reports that users are unable to access the shared partition, unless they use the file server's IP address.

Which of the following is a possible cause?

A. Mapped shares do not allow administrative locks.
B. The CIFS resource is not configured to use Windows name resolution
C. Access violations are not logged.
D. Remote registry access is blocked.
E. Null CIFS sessions are blocked.

Correct Answer: B
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 286
You want to create an IKE VPN between two VPN-1 NGX Security Gateways, to protect two networks. The network behind one Gateway is 10.15.0.0/16, and network 192.168.9.0/24 is behind the peer's Gateway.

Which type of address translation should you use, to ensure the two networks access each other through the VPN tunnel?

A. Manual NAT
B. Static NAT
C. Hide NAT
D. None

Correct Answer: D
Section: SMART/ Encryption
Explanation

Explanation/Reference:
Explanation:

QUESTION 287
Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN.

What is the correct order of steps?

A. 1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN Domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers
4. Enable advanced routing on all three Gateways.

B. 1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN Domain in each gateway object.
3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers.
4. Add static routes on three Gateways, to route the new network to each peer's VTI interface.

C. 1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN Domain for each Gateway.
3. Create VTIs on each gateway object, to point to the other two peers.
4. Enable advanced routing on all three Gateways.

D. 1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN Domain for each gateway object.
3. Create VTIs on each gateway object, to point to the other two peers.
4. Add static routes on three Gateways, to route the new networks to each peer's VTI interface.

Correct Answer: B
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 288
You are running a VPN-1 NG with Application Intelligence R54 SecurePlatform VPN-1 Pro Gateway. The Gateway also serves as a Policy Server.

When you run patch add cd from the NGX CD, what does this command allow you to upgrade?

A. Only VPN-1 Pro Security Gateway
B. Both the operating system (OS) and all Check Point products
C. All products, except the Policy Server
D. Only the patch utility is upgraded using this command
E. Only the OS

Correct Answer: B
Section: Upgrade/ Backup/ Restore
Explanation

Explanation/Reference:
Explanation:


QUESTION 289
Which type of service should a Security Administrator use in a Rule Base to control access to specific shared partitions on target machines?

A. Telnet
B. CIFS
C. HTTP
D. FTP
E. URI

Correct Answer: B
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 290
How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B, through an NGX Security Gateway?

A. Net_A/Net_B/sip/accept
B. Net_A/Net_B/sip and sip_any/accept
C. Net_A/Net_B/VoIP_any/accept
D. Net_A/Net_B/VoIP/accept

Correct Answer: A
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 291
Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA).

After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps?

1. Disable "pre-shared" on the London and Oslo gateway objects
2. Add the Madrid gateway object into the Oslo and London's mesh VPN Community
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen
5. Reinstall the Security Policy on all three Security Gateways.

A. 1, 2, 5
B. 1, 3, 4, 5
C. 1, 2, 3, 5
D. 1, 2, 4, 5
E. 1, 2, 3, 4

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 292
You have an internal FTP server, and you allow downloading, but not uploading. Assume Network Address Translation is set up correctly, and you want to add an inbound rule with:

Source : Any
Destination: FTP server
Service : FTP resources object.

How do you configure the FTP resource object and the action column in the rule to achieve this goal?

A. Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept.
B. Enable only the "Get" method in the FTP Resource Properties and use it in the rule, with action drop.
C. Enable both "Put" and "Get" methods in the FTP Resource Properties and use them in the rule, with action drop.
D. Disable "Get" and "Put" methods in the FTP Resource Properties and use it in the rule, with action accept.
E. Enable only the "Put" method in the FTP Resource Properties and use it in the rule, with action accept.

Correct Answer: A
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 293
Damon enables an SMTP resource for content protection. He notices that mail seems to slow down on occasion, sometimes being delivered late.

Which of the following might improve throughput performance?

A. Configuring the SMTP resource to bypass the CVP resource
B. Increasing the Maximum number of mail messages in the Gateway's spool directory
C. Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway
D. Configuring the CVP resource to return the mail to the Gateway
E. Configuring the SMTP resource to only allow mail with Damon's company's domain name in the header

Correct Answer: C
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 294
You are preparing to configure your VoIP Domain Gatekeeper object. Which two other objects should you have created first?

A. An object to represent the IP phone network, AND an object to represent the host on which the proxy is installed
B. An object to represent the PSTN phone network, AND an object to represent the IP phone network
C. An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed
D. An object to represent the Q.931 service origination host, AND an object to represent the H.245 termination host
E. An object to represent the call manager, AND an object to represent the host on which the transmission router is installed

Correct Answer: C
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 295
Yoav is a Security Administrator preparing to implement a VPN solution for his multi-site organization. To comply with industry regulations, Yoav's VPN solution must meet the following requirements:

Portability : Standard
Key management: Automatic, external PKI
Session keys : Changed at configured times during a connection's lifetime
Key length : No less than 128-bit
Data integrity : Secure against inversion and brute-force attacks

What is the most appropriate setting Yoav should choose?

A. IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash
B. IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
C. IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
D. IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash
E. IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash

Correct Answer: D
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:
Explanation:

QUESTION 296
You must set up SIP with a proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects:

Network object : SIP-net: 172.16.100.0/24
SIP-gateway : 172.16.100.100
VoIP Domain object : VoIP_domain_A
1. End-point domain : SIP-net
2. VoIP gateway installed at: SIP-gateway host object

How would you configure the rule?

A. SIP-Gateway/Net_B/sip_any/accept
B. VoIP_domain_A/Net_B/sip/accept
C. SIP-Gateway/Net_B/sip/accept
D. VoIP_domain_A/Net_B/sip_any, and sip/accept
E. VoIP_Gateway_MJet_B/sip_any/accept

Correct Answer: B
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 297
The following rule contains an FTP resource object in the Service field:

Source : local_net
Destination: Any
Service : FTP-resource object
Action : Accept

How do you define the FTP Resource Properties > Match tab to prevent internal users from receiving corporate files from external FTP servers, while allowing users to send files?

A. Enable "Put" and "Get" methods.
B. Disable the "Put" method globally.
C. Enable the "Put" method only on the Match tab.
D. Enable the "Get" method on the Match tab.
E. Disable "Get" and "Put" methods on the Match tab.

Correct Answer: C
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 298
VPN-1 NGX supports VoIP traffic in all of the following environments, EXCEPT which environment?

A. H.323
B. SIP
C. MEGACO
D. SCCP
E. MGCP

Correct Answer: C
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 299
Cody is notified by blacklist.org that his site has been reported as a spam relay, due to his SMTP Server being unprotected. Cody decides to implement an SMTP Security Server, to prevent the server from being a spam relay.

Which of the following is the most efficient configuration method?

A. Configure the SMTP Security Server to perform MX resolving.
B. Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.
C. Configure the SMTP Security Server to work with an OPSEC based product, for content checking.
D. Configure the SMTP Security Server to apply a generic "from" address to all outgoing mail.
E. Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain.

Correct Answer: E
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail
Explanation

Explanation/Reference:
Explanation:

QUESTION 300
You want to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 Gateway to SecurePlatform NGX R60 via SmartUpdate.

Which package is needed in the repository before upgrading?

A. SVN Foundation and VPN-1 Express/Pro
B. VPN-1 and Firewall-1
C. SecurePlatform NGX R60
D. SVN Foundation 3
E. VPN-1 Pro/Express NGX R60

Correct Answer: C
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 301
If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:

A. The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.
B. The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.
C. The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
D. The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.
E. The standard six-packet IKE Phase 1 exchange is replaced by a twelve-packet exchange.

Correct Answer: D
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 302
DShield is a Check Point feature used to block which of the following threats?

A. Cross Site Scripting
B. SQL injection
C. DDOS
D. Buffer overflows
E. Trojan horses

Correct Answer: C
Section: IPS

Explanation/Reference:
Explanation: by [email protected]:

Distributed Denial of Service (DDOS) is a sophisticated attack.

DShield Storm Center

The range and sophistication of the techniques used by hackers to penetrate private networks is ever increasing. However, few organizations are able to maintain up-to-date protection against the latest attacks.

Network Storm Centers are collaborative initiatives that were set up to help security administrators maintain the most up-to-date solutions to security threats to their networks. Storm Centers achieve this by gathering logging information about attacks and sharing it with other organizations from around the world. Storm Centers collate and present reports on threats to network security in a timely and effective manner.

The IPS Storm Center module is included in the Check Point Security Gateway. It enables communication between the Network Storm Centers and the organizations requiring network security information.

One of the leading Storm Centers is SANS DShield.org, located at: http://www.dshield.org/. DShield.org gathers statistics and presents it as a series of reports at http://www.dshield.org/reports.html. IPS integrates with the SANS DShield.org Storm Center.

The DShield.org Storm Center produces a Block List report which is a frequently updated list of address ranges that are recommended for blocking. The IPS Storm Center module retrieves and adds this list to the security policy.

QUESTION 303
How do you control the maximum mail messages in a spool directory?

A. In the Security Server window in Global Properties
B. In SmartDefense SMTP settings
C. In the smtp.conf file on the SmartCenter Server
D. In the gateway object's SMTP settings in the Advanced window
E. In the SMTP resource object

Correct Answer: D
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail

Explanation/Reference:

QUESTION 304
Greg is creating rules and objects to control VoIP traffic in his organization, through a VPN-1 NGX Security Gateway. Greg creates VoIP Domain SIP objects to represent each of his organization's three SIP gateways. Greg then creates a simple group to contain the VoIP Domain SIP objects.

When Greg attempts to add the VoIP Domain SIP objects to the group, they are not listed. What is the problem?

A. The related end points domain specifies an address range.
B. VoIP Domain SIP objects cannot be placed in simple groups.
C. The installed VoIP gateways specify host objects.
D. The VoIP gateway object must be added to the group, before the VoIP Domain SIP object is eligible to be added to the group.
E. The VoIP Domain SIP object's name contains restricted characters.

Correct Answer: B
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail

Explanation/Reference:

QUESTION 305
Which service type does NOT invoke a Security Server?

A. HTTP
B. FTP
C. Telnet
D. CIFS
E. SMTP

Correct Answer: D
Section: VoIP/ CIFS/ FTP/SMTP/ e-mail

Explanation/Reference:

QUESTION 306
What is a requirement for setting up Management High Availability?

A. All SmartCenter Servers must reside in the same Local Area Network (LAN).
B. All SmartCenter Servers must have the same amount of memory.
C. You can only have one Secondary SmartCenter Server.
D. All SmartCenter Servers must have the same BIOS release.
E. All SmartCenter Servers must have the same operating system.

Correct Answer: E
Section: High Availability - (HA)

Explanation/Reference:

QUESTION 307
Which of the following TCP port numbers is used to connect the VPN-1 Gateway to the Content Vector Protocol (CVP) server?

A. 18182
B. 18180
C. 18181
D. 7242
E. 1456

Correct Answer: C
Section: Port/ Port Hardening

Explanation/Reference:

QUESTION 308
Which operating system is NOT supported by VPN-1 Secure Client?

A. IPSO 3.9
B. Windows XP SP2
C. Windows 2000 Professional
D. RedHat Linux 8.0
E. MacOSX

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:

QUESTION 309
The following configuration is for VPN-1 NGX:

Is this configuration correct for Management High Availability (HA)?

A. No, the SmartCenter Servers must be installed on the same operating system.
B. No, a VPN-1 NGX SmartCenter Server cannot run on Red Hat Linux 7.3.
C. No, the SmartCenter Servers must reside on the same network.
D. No, a VPN-1 NGX SmartCenter Server can only be in a Management HA configuration, if the operating system is Solaris.
E. No, the SmartCenter Servers do not have the same number of NICs.

Correct Answer: A
Section: High Availability - (HA)

Explanation/Reference:

QUESTION 310
Which of the following QoS rule action properties is an Advanced action type, only available in Traditional mode?

A. Guarantee Allocation
B. Rule weight
C. Apply rule only to encrypted traffic
D. Rule limit
E. Rule guarantee

Correct Answer: A
Section: QoS

Explanation/Reference:

QUESTION 311
Which OPSEC server is used to prevent users from accessing certain Web sites?

A. LEA (Log Export API)
B. URI (Uniform Resource Identifier)
C. UFP (Uniform Filter Protocol)
D. AMON (Application Monitoring API)
E. CVP (Content Vectoring Protocol)

Correct Answer: C
Section: SMART/ Encryption

Explanation/Reference:
Explanation: by [email protected]:

PP 74 in Security Gateway R76 Technical Administration Guide T76

Deploying OPSEC Servers

OPSEC solutions, such as CVP and UFP servers, are deployed on dedicated servers. These servers are typically placed in the DMZ or on a private network segment. This allows fast secure connections between the CVP servers and the Security Gateway. Performing scanning at the network perimeter is both safer and more efficient than performing the scanning at the desktop or on the application servers.

QUESTION 312
Regarding QoS guarantees and limits, which of the following statements is FALSE?

A. If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee.
B. If both a rule limit and a per connection limit are defined for a rule, the per connection limit must not be greater than the rule limit.
C. A rule guarantee must not be less than the sum of the guarantees defined in its sub-rules.
D. If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.

Correct Answer: A
Section: QoS

Explanation/Reference:

QUESTION 313
When upgrading to NGX R65, which Check Point products do not require a license upgrade to be current?

A. VPN-1 NGX (R64) and later
B. VPN-1 NGX (R60) and later
C. VPN-1 NG with Application Intelligence (R54) and later
D. None, all versions require a license upgrade

Correct Answer: B
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 314
Which of these components does NOT require a VPN-1 NGX R65 license?

A. SmartConsole
B. Check Point Gateway
C. SmartCenter Server
D. SmartUpdate upgrading/patching

Correct Answer: A
Section: Basics

Explanation/Reference:

QUESTION 315
Which of the following is a TRUE statement concerning contract verification?

A. Your contract file is stored on the User Center and fetched by the Gateway as needed.
B. Your contract file is stored on the SmartConsole and downloaded to the SmartCenter Server.
C. Your contract file is stored on the SmartConsole and downloaded to the Gateway.
D. Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway.

Correct Answer: D
Section: Basics

Explanation/Reference:

QUESTION 316
Your current VPN-1 NG with Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server runs on SecurePlatform. You plan to implement VPN-1 NGX R65 in a distributed environment, where the new machine will be the SmartCenter Server, and the existing machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including licensing.

How do you handle licensing for this NGX R65 upgrade?

A. Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address.
B. Leave the current license on the gateway to be upgraded during the software upgrade. Purchase a new license for the VPN-1 NGX R65 SmartCenter Server.
C. Request an NGX R65 SmartCenter Server license, using the existing gateway machine's IP address. Request a new local license for the NGX R65 VPN-1 Gateway using the new server's IP address.
D. Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license for the existing gateway server's IP address.

Correct Answer: A
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 317
What action can be run from SmartUpdate NGX R65?

A. remote_uninstall_verifier
B. upgrade_export
C. mds_backup
D. cpinfo

Correct Answer: D
Section: SmartUpdate

Explanation/Reference:


QUESTION 318
What tools CANNOT be launched from SmartUpdate NGX R65?

A. cpinfo
B. SecurePlatform Web UI
C. Nokia Voyager
D. snapshot

Correct Answer: D
Section: SmartUpdate

Explanation/Reference:

QUESTION 319
You are a Security Administrator preparing to deploy a new HFA (Hot fix Accumulator) to ten Security Gateways at five geographically separated locations.

What is the BEST method to implement this HFA?

A. Send a Certified Security Engineer to each site to perform the update
B. Use SmartUpdate to install the packages to each of the Security Gateways remotely
C. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.
D. Send a CDROM with the HFA to each location and have local personnel install it

Correct Answer: B
Section: SmartUpdate

Explanation/Reference:

QUESTION 320
What port is used for communication to the UserCenter with SmartUpdate?

A. HTTP
B. HTTPS
C. TCP 8080
D. CPMI

Correct Answer: B
Section: SmartUpdate

Explanation/Reference:

QUESTION 321
What physical machine must have access to the UserCenter public IP when checking for new packages with SmartUpdate?

A. VPN-1 Security Gateway getting the new upgrade package
B. SmartUpdate installed SmartCenter Server PC
C. SmartUpdate Repository SQL database Server
D. SmartUpdate GUI PC

Correct Answer: D
Section: SmartUpdate

Explanation/Reference:

QUESTION 322
You want to upgrade an NG with Application Intelligence R55 Security Gateway running on SecurePlatform to VPN-1 NGX R65 via SmartUpdate.

Which package(s) is(are) needed in the Repository prior to upgrade?

A. SecurePlatform NGX R65 package
B. VPN-1 Power/UTM NGX R65 package
C. SecurePlatform and VPN-1 Power/UTM NGX R65 packages
D. SVN Foundation and VPN-1 Power/UTM packages

Correct Answer: A
Section: SmartUpdate

Explanation/Reference:

QUESTION 323
Concerning these products: SecurePlatform, VPN-1 Pro Gateway, UserAuthority Server, Nokia OS, UTM-1, Eventia Reporter, and Performance Pack, which statement is TRUE?

A. All but the Nokia OS can be upgraded to VPN-1 NGX R65 with SmartUpdate.
B. All but Performance Pack can be upgraded to VPN-1 NGX R65 with SmartUpdate.
C. All can be upgraded to VPN-1 NGX R65 with SmartUpdate.
D. All but the UTM-1 can be upgraded to VPN-1 NGX R65 with SmartUpdate.

Correct Answer: C
Section: SmartUpdate

Explanation/Reference:

QUESTION 324
If a SmartUpdate upgrade or distribution operation fails on SecurePlatform, how is the system recovered?

A. SecurePlatform will reboot and automatically revert to the last snapshot version prior to upgrade.
B. The Administrator must remove the rpm packages manually, and reattempt the upgrade.
C. The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot <object name> <filename>.
D. The Administrator must reinstall the last version via the command cprinstall revert <object name> <file name>.

Correct Answer: A
Section: SmartUpdate

Explanation/Reference:

QUESTION 325
Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway.

A. After selecting "Packages > Distribute..." and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway but the installation IS NOT performed.
B. After selecting "Packages > Distribute..." and choosing the target gateway, the SmartUpdate wizard walks the Administrator through a Distributed Installation.
C. After selecting "Packages > Distribute..." and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway and the installation IS performed.
D. After selecting "Packages > Distribute..." and choosing the target gateway, the selected package is copied from the CDROM of the SmartUpdate PC directly to the Security Gateway and the installation IS performed.

Correct Answer: A
Section: SmartUpdate

Explanation/Reference:

QUESTION 326
What happens in relation to the CRL cache after a cpstop;cpstart has been initiated?

A. The gateway continues to use the old CRL even if it is not valid, until a new CRL is cached
B. The gateway continues to use the old CRL, as long as it is valid.
C. The gateway issues a crl_zap on startup, which empties the cache and forces Certificate retrieval.
D. The gateway retrieves a new CRL on startup, then discards the old CRL as invalid.

Correct Answer: B
Section: Basics

Explanation/Reference:
Explanation: by [email protected]:

PP 48 R75 VPN Admin Guide

Special Considerations for the CRL Pre-fetch Mechanism

The CRL pre-fetch mechanism makes a "best effort" to obtain the most up to date list of revoked certificates. However, after the cpstop, cpstart commands have been executed, the cache is no longer updated.

The Security Gateway continues to use the old CRL for as long as the old CRL remains valid (even if there is an updated CRL available on the CA).

The pre-fetch cache mechanism returns to normal functioning only after the old CRL expires and a new CRL is retrieved from the CA. In case there is a requirement that after cpstop, cpstart the CRL's will be updated immediately, proceed as follows:

- After executing cprestart, run crl_zap to empty the cache, or:
- In Global Properties > SmartDashboard Customization > Configure > Check Point CA properties > select: flush_crl_cache_file_on_install.

When a new policy is installed, the cache is flushed and a new CRL will be retrieved on demand.

QUESTION 327
Public-key cryptography is considered which of the following?

A. two-key/symmetric
B. one-key/asymmetric
C. two-key/asymmetric
D. one-key/symmetric

Correct Answer: C
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 328
What is the greatest benefit derived from VPNs compared to frame relay, leased lines, or any other types of dedicated networks?

A. lower cost
B. stronger authentication
C. Less failure/downtime
D. Greater performance

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:

QUESTION 329
In cryptography, the Rivest, Shamir, Adleman (RSA) scheme has which of the following? Select all that apply.

A. A symmetric-cipher system
B. A secret-key encryption-algorithm system
C. A public-key encryption-algorithm system
D. An asymmetric-cipher system

Correct Answer: CD
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 330
Which of the following are supported with the office mode? Select all that apply.

A. SecureClient
B. L2TP
C. Transparent Mode
D. Gopher
E. SSL Network Extender

Correct Answer: ABE
Section: SMART/ Encryption

Explanation/Reference:


QUESTION 331
Which network port does PPTP use for communication?

A. 1723/tcp
B. 1723/udp
C. 25/udp
D. 25/tcp

Correct Answer: A
Section: Port/ Port Hardening

Explanation/Reference:

QUESTION 332
In ClusterXL, which of the following processes is defined by default as a critical device?

A. fwm
B. cphad
C. fw.d
D. fwd.proc

Correct Answer: B
Section: ClusterXL

Explanation/Reference:

QUESTION 333
If a digital signature is used to achieve both data-integrity checking and verification of sender, digital signatures are only used when implementing:

A. A symmetric-encryption algorithm
B. CBL-DES
C. Triple DES
D. An asymmetric-encryption algorithm

Correct Answer: D
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 334
When synchronizing clusters, which of the following statements are true?

Select all that apply.

A. Only cluster members running on the same OS platform can be synchronized.
B. Client Auth or Session Auth connections through a cluster member will be lost if the cluster member fails.
C. The state of connections using resources is maintained by a Security Server, so these connections cannot be synchronized.
D. In the case of a failover, accounting information on the failed member may be lost despite a properly

Correct Answer: ACD
Section: Cluster

Explanation/Reference:
Explanation: by [email protected]:

PP 15 in CP_R76_ClusterXL_AdminGuide under Synchronized Cluster Restrictions

Synchronized Cluster Restrictions

The following restrictions apply to synchronizing cluster members:

-- Only cluster members running on the identical platform can be synchronized. --> A

-- All cluster members must use the same Check Point software version.

-- A user-authenticated connection through a cluster member will be lost if the cluster member goes down. Other synchronized cluster members will be unable to resume the connection.

-- However, a client-authenticated connection or session-authenticated connection will not be lost. --> B is wrong

Explanation for above: The reason for these restrictions is that user authentication state is maintained on Security Servers, which are processes, and thus cannot be synchronized on different machines in the way that kernel data can be synchronized. However, the state of session authentication and client authentication is stored in kernel tables, and thus can be synchronized.

-- The state of connections using resources is maintained in a Security Server, so these connections cannot be synchronized for the same reason that user-authenticated connections cannot be synchronized. --> C

-- Accounting information is accumulated in each cluster member and reported separately to the Security Management server, where the information is aggregated. --> D
In case of a failover, accounting information that was accumulated on the failed member but not yet reported to the Security Management server is lost. To minimize the problem it is possible to reduce the period in which accounting information is "flushed". To do this, in the cluster object's Logs and Masters > Additional Logging page, configure the attribute Update Account Log every:.

QUESTION 335
VPN traffic control would fall under which VPN component?

A. Performance
B. Management
C. Security
D. QoS

Correct Answer: D
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:

QUESTION 336
When configuring site-to-site VPN High Availability (HA) with MEP, which of the following is correct?

A. MEP Gateways cannot be geographically separated machines.
B. The decision on which MEP Gateway to use is made on the MEP Gateway's side of the tunnel.
C. MEP Gateways must be managed by the same SmartCenter Server.
D. If one MEP Security Gateway fails, the connection is lost and the backup Gateway picks up the next connection.

Correct Answer: D
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:
Explanation: by [email protected]:

PP 124 in CCSE R75 under Multiple Entry Point VPNs, 3rd bullet point (Question 204 tests you on bullet point 4)

VPN High Availability Using MEP or Clustering

-- There is no physical restriction on the location of MEPed Security Gateways. MEPed Security Gateways can be geographically separated machines.

-- MEPed Security Gateways can be managed by different Security Management servers

-- In a MEP configuration there is no "state synchronization" between the MEPed Security Gateways. In a MEPed configuration, if a Security Gateway fails, the current connection is lost and one of the backup Security Gateways picks up the next connection.

-- In a MEPed environment, the decision which Security Gateway to use is taken on the remote side;

[R75 VPN Admin Guide PP 115]

QUESTION 337
Consider the following actions that VPN-1 NGX can take when it controls packets. The Policy Package has been configured for Traditional Mode VPN.

Identify the options that include the available actions. Select four.

A. Allow
B. Reject
C. Client auth
D. Decrypt
E. Accept
F. Drop
G. Encrypt
H. Hold
I. Proxy

Correct Answer: BEFG
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 338
Which of the following SSL Network Extender server-side prerequisites are correct?

Select all that apply.

A. The VPN1-Gateway must be configured to work with Visitor Mode
B. The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community.
C. There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users.
D. To use Integrity Clientless Security (ICS), you must install the ICS server or configuration tool.

Correct Answer: ABD
Section: SMART/ Encryption

Explanation/Reference:
Explanation: by [email protected]:

Server-side prerequisites for SSL Network Extender

Solution ID: sk26511
Product: SSL Network Extender
Version: NG AI R55
OS: All
Date Created: 12-Aug-2004
Last Modified: 03-May-2005

SOLUTION

The SSL Network Extender server-side prerequisites are listed below:

1) The SSL Network Extender Add-On is a server-side component, which must be installed on the NG with Application Intelligence R55 HFA-04 Security Gateway.

2) The Security Gateway on which the SSL Network Extender Add-On is installed must be
   i. configured as a member of the VPN-1 Remote Access Community.
   ii. The Gateway must be configured to work with Visitor Mode. This will not interfere with SecureClient functionality, but will allow SecureClient users to utilize Visitor Mode.

3) The same Security Policy rules are configured for both SecureClient and SSL Network Extender users.

4) When using SecureUpdate to install the SSL Extender Gateway on the Security Gateway, verify that R55 HFA-04 is installed on the SmartCenter Server. No other HFA is currently supported. Download R44HFA-04 from the download site, and select "SSL Network Extender" from the product list:

QUESTION 339
After installing VPN-1 Pro NGX R65, you discover that one port on your Intel Quad NIC on the Security Gateway is not fetched by a get topology request.

What is the most likely cause and solution?

A. The NIC is faulty. Replace it and reinstall.
B. Make sure the driver for your particular NIC is available, and reinstall. You will be prompted for the driver.
C. If an interface is not configured, it is not recognized. Assign an IP and subnet mask using the Web UI.
D. Your NIC driver is installed but was not recognized. Apply the latest SecurePlatform R65 Hotfix Accumulator (HFA).

Correct Answer: C
Section: Configuration/ Topology/ Connectra

Explanation/Reference:


QUESTION 340
What proprietary Check Point protocol is the basis of the functionality of Check Point ClusterXL inter-module communication?

A. RDP
B. IPSec
C. CCP
D. HA OPCODE
E. CKPP

Correct Answer: C
Section: ClusterXL

Explanation/Reference:

QUESTION 341
Which of the following are valid PKI architectures?

A. mesh architecture
B. Bridge architecture
C. Gateway architecture
D. Hierarchical architecture

Correct Answer: ACD
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 342
Which of the following are valid reasons for beginning with a fresh installation VPN-1 NGX R65, instead of upgrading a previous version to VPN-1 NGX R65?

Select all that apply.

A. You see a more logical way to organize your rules and objects
B. You want to keep your Check Point configuration.
C. Your Security Policy includes rules and objects whose purpose you do not know.
D. Objects and rules' naming conventions have changed over time.

Correct Answer: ACD
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 343
Public keys and digital certificates provide which of the following?

Select three.

A. Non repudiation
B. Data integrity
C. Availability
D. Authentication

Correct Answer: ABD
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 344
Which encryption scheme provides in-place encryption?

A. DES
B. SKIP
C. AES
D. IKE

Correct Answer: B
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 345
What is the command to upgrade an NG with Application Intelligence R55 SmartCenter running on SecurePlatform to VPN-1 NGX R65?

A. fw install_mgmt
B. upgrade_mgmt
C. patch add cd
D. fwm upgrade_tool

Correct Answer: C
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 346
What can be said about RSA algorithms?

Select all that apply.

A. Long keys can be used in RSA for enhanced security
B. Short keys can be used for RSA efficiency.
C. RSA is faster to compute than DES
D. RSA's key length is variable.

Correct Answer: ABD
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 347
Which of the following items can be provisioned via a Profile through SmartProvisioning?

i) Backup Schedule
ii) DNS Entries
iii) Hosts Table
iv) Domain Name
v) Interface IP's

A. i, ii, iii, iv, v
B. i, ii, iii, iv
C. i
D. i, ii, iv

Correct Answer: B
Section: SmartProvisioning

Explanation/Reference:

QUESTION 348
What does it mean when a Security Gateway is labeled Untrusted in the SmartProvisioning Status view?

A. SIC has not been established between the Security Gateway and the Security Management.
B. SmartProvisioning is not enabled on the Security Gateway.
C. cpd is not running at the Security Gateway.
D. The Security Gateway is down.

Correct Answer: A
Section: SmartProvisioning

Explanation/Reference:

QUESTION 349
The We-Make-Widgets company has purchased twenty UTM-1 Edge appliances for their remote offices. Kim decides the best way to manage those appliances is to use SmartProvisioning and create a profile they can all use.

List the order of steps Kim would go through to add the Dallas Edge appliance to the Remote Office profile using the output below.

1. Enter the name of the profile called "Remote Offices"
2. Change the provisioning profile to "Remote Offices"
3. Click File, then select New, then Provisioning Profile
4. Click on the Devices Tab
5. Highlight the Dallas Edge appliance, click Edit, then edit Gateway
6. Click on the Profiles Tab

A. 6, 3, 1, 4, 5, 2
B. 4, 1, 3, 6, 5, 2
C. 6, 1, 3, 4, 5, 2
D. 4, 3, 1, 6, 5, 2

Correct Answer: A
Section: SmartProvisioning

Explanation/Reference:

QUESTION 350
Which of the following load-balancing methods is not valid?

A. Domain
B. They are all valid
C. Round trip
D. Random

Correct Answer: B
Section: Cluster

Explanation/Reference:

QUESTION 351
The relay mail server configured under Email Notifications is used by the DLP Gateway to: (Choose the BEST answer.)

A. If UserCheck is configured, there is no need to configure this relay server if there are no Ask User rules and there is no need to notify any Data Owners.
B. Send e-mail notifications to users and Data Owners.
C. Define My Organization / DLP Gateway and scan only e-mails that originate from this relay server.
D. Synchronize with other mail servers in the network.

Correct Answer: B
Section: DLP

Explanation/Reference:

QUESTION 352
You just upgraded to R71 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low.

How can you achieve this?

A. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.
B. As in SmartDefense, this can be achieved by activating all the critical checks manually.
C. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.
D. This can't be achieved; activating any IPS system always causes a high rate of false positives.

Correct Answer: C
Section: IPS

Explanation/Reference:

QUESTION 353
You enable Sweep Scan Protection and Host port scan in IPS to determine if a large amount of traffic from a specific internal IP address is a network attack, or a user's system is infected with a worm.

Will you get all the information you need from these actions?

A. Yes. IPS will limit the traffic impact from the scans, and identify if the pattern of the traffic matches any known worms.
B. No. These IPS protections will only block the traffic, but it will not provide a detailed analysis of the traffic.
C. No. To verify if this is a worm or an active attack, you must also enable TCP attack defenses.
D. No. The logs and alert can provide some level of information, but determining whether the attack is intentional or a worm, requires further research.

Correct Answer: D
Section: IPS

Explanation/Reference:

QUESTION 354
You need to determine if your company's Web servers are accessed an excessive number of times from the same host.

How would you configure this in the IPS tab?

A. Successive alerts
B. Successive DoS attacks
C. Successive multiple connections
D. HTTP protocol inspection

Correct Answer: C
Section: IPS

Explanation/Reference:

QUESTION 355
Which application is used to create a File-Share Application?

A. SmartDashboard (SSL VPN Tab)
B. SmartPortal WebUI (File-Share Tab)
C. SSL VPN Portal WebUI (File-Share Tab)
D. Provider-1 MDG (Global VPNs Tab)

Correct Answer: A
Section: SmartDashboard/ Security Management Server (SMS)

Explanation/Reference:

QUESTION 356
Which version is the minimum requirement for SmartProvisioning?

A. R65 HFA 40
B. R70
C. R71
D. R70.20

Correct Answer: A
Section: SmartProvisioning

Explanation/Reference:

QUESTION 357
If SmartWorkflow is configured to work without Sessions or Role Segregation, how does the SmartDashboard function?

A. The SmartDashboard functions as if SmartWorkflow is not enabled but an automatic session exists in the background and full SmartView Tracker and audit trail functionality will be available.
B. The SmartDashboard will function without SmartWorkflow, with no session and no audit trail functionality.
C. The SmartDashboard will have no session but SmartView Tracker and audit trail will be available.
D. All functions of SmartWorkflow will be available on a per rule basis.

Correct Answer: A
Section: SmartCenter/ SmartLSM

Explanation/Reference:

QUESTION 358
What is the best method for scheduling backups on multiple firewalls?

A. WebUI
B. SmartProvisioning
C. Smart Dashboard
D. SmartUpdate

Correct Answer: B
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 359
When two or more DLP rules are matched, the action taken is the most restrictive action. Rank the following items from the lowest restriction level (1) to the highest (4).

1. Ask User
2. Prevent
3. Detect
4. Inform User

A. 3,4,1,2
B. 3,1,4,2
C. 4,3,1,2
D. 4,1,3,2

Correct Answer: B
Section: DLP

Explanation/Reference:
Explanation: by [email protected]:

When it is Inform user, there is no option for the user, so it's more restrictive than "Asking the user", where the user has an option.

QUESTION 360
When using IPS, what does Geo protection do?

A. To block traffic from and to a specific country
B. To block traffic from and to a specific person
C. To block traffic from and to a specific company
D. To block traffic from and to a specific city

Correct Answer: A
Section: IPS

Explanation/Reference:
Explanation: by [email protected]:

Ans A is correct

PP 8 CP_R75_IPS_AdminGuide

QUESTION 361
The Management Portal allows all of the following EXCEPT:

A. Manage firewall logs
B. Schedule policy installation
C. View administrator activity
D. View the status of Check Point products

Correct Answer: B
Section: Basics

Explanation/Reference:

QUESTION 362
When selecting a backup target using SmartProvisioning, which target is NOT available?

A. Locally on device
B. FTP
C. SCP
D. TFTP

Correct Answer: B
Section: SmartProvisioning

Explanation/Reference:

QUESTION 363
Which of the following can NOT approve a change in a SmartWorkflow session?

A. FireWall Administrators
B. FireWall Managers
C. Provider-1 Superusers
D. Customer Superusers

Correct Answer: A
Section: SmartWorkFlow

Explanation/Reference:

QUESTION 364
The Management Portal Software Blade allows users to

A. View Security Policies
B. Monitor traffic flows
C. Add/Delete rules
D. Create/Modify objects

Correct Answer: A
Section: Basics

Explanation/Reference:

QUESTION 365
Which file can you modify to change settings of the Management Portal?

For example: changing the webserver port or to use HTTP instead of HTTPS.

A. cp_http.conf
B. cp_httpd.conf
C. cp_http_admin.conf
D. cp_httpd_admin.conf

Correct Answer: D
Section: File Locations/ File Modification

Explanation/Reference:
Explanation: by [email protected]:

PP14 CCSE R70 under Management Portal Configuration

QUESTION 366
When a security administrator logs in to SmartDashboard and selects Continue without session from the following window, what kind of access will be granted to him in SmartDashboard?

A. He will get read-only access to the policy, network objects and session management.
B. He will get read-only access to the policy and network objects; however, he can still manage the sessions, i.e. Approve, Request Repair etc.
C. A new session will automatically be created with a default session name along with date and time. All changes made by the manager will be saved in this new session.
D. No access will be granted, he will be logged out of SmartDashboard.

Correct Answer: B
Section: SmartDashboard/ Security Management Server (SMS)

Explanation/Reference:

QUESTION 367
When does the SmartWorkflow Policy Installation window appear?

A. When the administrator installs an approved policy
B. When the manager approves a session
C. When the administrator installs an unapproved policy
D. When the administrator submits a session for approval

Correct Answer: C
Section: SmartWorkFlow

Explanation/Reference:

QUESTION 368
What happens to the session information after they are approved and a policy installation is done?

A. Session information is never deleted from the database.
B. It depends on the SmartWorkflow settings in Global Properties.
C. An option is given to retain the session information, default being deletion of session information from the database.
D. Session information can only be deleted before a policy is installed.

Correct Answer: C
Section: Basics

Explanation/Reference:

QUESTION 369
Your customer wishes to install the SmartWorkflow Software Blade on a R70 Security Management server (SecurePlatform).

Which is the correct method?

A. When you install the R70.1 package on an R70 Security Management server, it will be upgraded to version R70.1 with SmartWorkflow.
B. The SmartWorkflow works directly on the version R70. Install the SmartWorkflow as an add-on. The version of the Management server remains R70.
C. You must upgrade the Management Server to the version R70.1 first before you start the installation of the SmartWorkflow Software Blade plug-in.
D. The SmartWorkflow Software Blade is included in the standard R70 version. You need to enable it via cpconfig.

Correct Answer: A
Section: SmartWorkFlow

Explanation/Reference:

QUESTION 370
You have to uninstall the Check Point SmartWorkflow Software Blade on a SecurePlatform system.

How can you perform this procedure?

A. To uninstall the SmartWorkflow Software Blade you can connect to the SecurePlatform WebUI (<IP of the Security Management Server>) and select: Device > Upgrade. You will be asked if you want to uninstall the SmartWorkflow Software Blade.
B. To uninstall the SmartWorkflow Software Blade you must first connect to your Security Management System on command line level. Then in the directory /opt/CPUninstall/Check_Point_Workflow, run the command ./UnixInstallScript -u. Afterwards, follow the screen instructions and change to the directory /opt/CPUninstall/R70_HFA_10 and repeat the previous command.
C. To uninstall the SmartWorkflow Software Blade, you use SmartUpdate. Click on the symbol of the Security Management Server, right-click, select Get Gateway Data, select SmartWorkflow, right-click uninstall SmartWorkflow. You will see the progress in the Operation Status windows.
D. To uninstall the SmartWorkflow Software Blade, you must first connect to your Security Management System on the command line level. Then in the directory /opt/CPuninstall/Check_Point_Workflow, run the command ./UnixInstallScript -u.

Correct Answer: B
Section: SmartWorkFlow

Explanation/Reference:

QUESTION 371
Your customer wishes to use SmartWorkflow Software Blade, but he also wishes to install a policy during an emergency without an approval.

Is it possible?

A. Yes, it is possible but the administrator must receive special administrator permission, i.e., Can install in emergency. You can use the new GUI to set the administration security setting.
B. Yes, it is possible, but this feature must be configured in the Global Properties. The administrator must provide a special password and the reason for this emergency installation.
C. Yes, it is possible, but this feature must be configured in Global Properties and the administrator must provide a special password.
D. No, if a customer uses the SmartWorkflow Software Blade, a policy must be approved.

Correct Answer: B
Section: SmartWorkFlow

Explanation/Reference:

QUESTION 372
In SmartWorkflow, what is NOT a valid possibility?

A. Task Flow without Session and without Role Segregation
B. Task Flow without Session but with Role Segregation
C. Task Flow with Session but without Role Segregation
D. Task Flow with Session and with Role Segregation

Correct Answer: B
Section: SmartWorkFlow

Explanation/Reference:

QUESTION 373
What is a possible reason for the grayed out Restore Version button in the screenshot of the Database Revision Control while trying to restore Old_Structure?

A. Old_Structure was not approved in SmartWorkflow.
B. No SmartWorkflow session is started.
C. With SmartWorkflow active, only SmartWorkflow revisions could be restored.
D. Self-created versions cannot be restored if there are newer versions created in SmartWorkflow.

Correct Answer: B
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 374
How is the SmartWorkflow Session Information Pane enabled?

A. In SmartView Tracker, click on SmartWorkflow > Show Session Information Pane
B. In SmartDashboard, click on View > Smart Workflow > Show Session Information Pane
C. In SmartDashboard, click on SmartWorkflow > Show Session Information Pane
D. In cpconfig, choose Enable Session Information Pane from the menu

Correct Answer: C
Section: SmartCenter/ SmartLSM

Explanation/Reference:

QUESTION 375
How is Smart Workflow disabled?

A. In cpconfig, choose Disable Smart Workflow from the menu
B. In SmartView Tracker, click on SmartWorkflow > Disable Smart Workflow
C. In SmartDashboard, click on View > Smart Workflow > Disable Smart Workflow
D. Open Smart Workflow as admin. Create new session and name it Disable Smart Workflow. In SmartDashboard click Smart Workflow > Disable Smart Workflow, click OK in the warning box, click Save and Continue

Correct Answer: D
Section: SmartCenter/ SmartLSM

Explanation/Reference:

QUESTION 376
When using SmartWorkflow, how many sessions can be in progress at the same time?

A. 2
B. As many as you want
C. 1
D. 3

Correct Answer: C
Section: SmartCenter/ SmartLSM

Explanation/Reference:

QUESTION 377
While using the SmartProvisioning Wizard to create a new profile, you cannot continue because there are no devices to select.

What is a possible reason for this?

i) All devices already have a profile assigned to them
ii) Provisioning Blade is not enabled on the devices
iii) No UTM-1/Power-1/Secure Platform devices are defined in SmartDashboard
iv) SIC is not established on the devices.

A. (ii), (iii) or (iv)
B. (ii) only
C. (iii) or (iv)
D. (i) or (iii)

Correct Answer: D
Section: SmartProvisioning

Explanation/Reference:

QUESTION 378
You logged in to your firewall and discovered that the scheduled backup has been modified.

Which of the below options is NOT a reason for the change?

A. Another administrator pushed a SmartProvisioning profile to the firewall
B. Another administrator issued a new backup command through the command line
C. Another administrator logged in to the WebUI and changed the setting without your knowledge
D. Another administrator updated the Backup Schedule using SmartUpdate

Correct Answer: D
Section: Upgrade/ Backup/ Restore

Explanation/Reference:

QUESTION 379
The SmartProvisioning management concept is based on:

A. Zones
B. Groups
C. Regions
D. Profiles

Correct Answer: D
Section: SmartProvisioning

Explanation/Reference:

QUESTION 380
Where do Gateways managed by SmartProvisioning fetch their assigned profiles?

A. The SmartView Monitor
B. The standalone SmartProvisioning server
C. The Security Management server or CMA
D. They are fetched locally from the individual device

Correct Answer: C
Section: SmartProvisioning

Explanation/Reference:

QUESTION 381
SmartProvisioning is an integral part of the Security Management or Provider-1 CMA.

To enable SmartProvisioning on the Security Management server:

A. Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, turn on SmartProvisioning on each Gateway to be controlled.
B. Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, disable SecureXL.
C. Obtain a SmartProvisioning license, add the License to the Security Management server or CMA.
D. Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, select the box under Policy for SmartProvisioning.

Correct Answer: C
Section: SmartProvisioning

Explanation/Reference:

QUESTION 382
When Converting Gateways to SmartLSM Security Gateways, you can:

A. do nothing, the conversion is automatic.
B. delete the device and re-install it in SmartProvisioning.
C. reset SIC and re-establish communication with the new SmartProvisioning.
D. convert a Security Gateway or UTM-1 Edge Gateway managed with SmartDashboard to a SmartLSM Security Gateway managed with SmartProvisioning.

Correct Answer: D
Section: SmartCenter/ SmartLSM

Explanation/Reference:

QUESTION 383
Domain name can NOT be changed in SmartProvisioning and Domain Name is grayed out.

What is a possible reason for this?

A. There is no SmartProvisioning license installed.
B. Profile is not assigned to any Gateway.
C. Override profile setting on device level is set to Mandatory.
D. Domain name settings are always fetched from firewall object.

Correct Answer: C
Section: SmartProvisioning

Explanation/Reference:

QUESTION 384
Which of the following is a supported deployment for Connectra?

A. IPSO 4.9 build 88
B. VMWare ESX
C. Solaris 10
D. Windows server 2007

Correct Answer: B
Section: Configuration/ Topology/ Connectra

Explanation/Reference:

QUESTION 385
SSL termination takes place:

A. In a LAN deployment on a Security Gateway
B. In a DMZ and LAN deployment scenario on a Security Gateway
C. In a DMZ and LAN deployment scenario on a Connectra Gateway
D. In a DMZ deployment on a Connectra Gateway

Correct Answer: B
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 386
Which port is typically used by SSL Network Extender, if the Connectra Portal will also be used on the same IP address?

A. SSL (TCP/900)
B. SSL (TCP/443)
C. SSL (TCP/444)
D. SSL (TCP/80)

Correct Answer: C
Section: Configuration/ Topology/ Connectra

Explanation/Reference:
Explanation: by [email protected]:

PP 16 Chapter 2 Connectra End-Point Security Features and Development under Configuring Gateway Access Rules

QUESTION 387
For an initial installation of Connectra, which of the following statements is TRUE?

A. You must configure the Connectra username and password before running the First Time Wizard.
B. It is possible to run the First Time Wizard from Expert Mode on the Connectra server.
C. It is not possible to use the sysconfig and cpconfig utilities, until the First Time Wizard in the Administration Web GUI is successfully completed.
D. It is not necessary to set up the Rule Base before completing Connectra's installation.

Correct Answer: C
Section: Configuration/ Topology/ Connectra

Explanation/Reference:

QUESTION 388
To configure a client to properly log in to the user portal using a certificate, the Administrator MUST:

A. Create an internal user in the admin portal.
B. Install an R71 internal Certificate Authority certificate.
C. Create a client certificate from SmartDashboard.
D. Store the client certificate on the SSL VPN Gateway.

Correct Answer: A
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 389
A user attempts to initialize a network application using SSL Network Extender. The application fails to start.

What is the MOST LIKELY solution?

A. Select the option Auto-detect client capabilities.
B. Select the option Enable SSL Network Extender Application Mode only.
C. Select the option Turn off all SSL tunneling clients.
D. Select the option Enable SSL Network Extender Network Mode only.

Correct Answer: B
Section: SMART/ Encryption

Explanation/Reference:

QUESTION 390
Among the authentication schemes SSL VPN employs for users, which scheme does Check Point recommend so all servers are replicated?

A. User certificates
B. LDAP
C. Username and password
D. RADIUS

Correct Answer: D
Section: SSL-VPN

Explanation/Reference:

QUESTION 391
You have configured an LDAP account unit and confirmed the Apply & Fetch Branches option works in SSL VPN, but end users still cannot be authenticated.

What is the MOST LIKELY cause?

A. The Administrator's login is incorrect.
B. The LDAP server is incorrectly configured.
C. The user is not defined in Active Directory.
D. The LDAP account unit's login Distinguished Name is incorrectly configured.

Correct Answer: D
Section: LDAP/ Identity Awareness/ Captive Portal

Explanation/Reference:

QUESTION 392
You are a SSL VPN administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem.

Which of the following logs does Check Point recommend you turn off?

A. Alert
B. Event
C. Trace
D. Traffic

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:

QUESTION 393
You are a SSL VPN Administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem.

Which of the following log files does Check Point recommend you purge?

A. httpd*.log
B. event_ws.log
C. mod_ws_owd.log
D. alert_owd.log

Correct Answer: A
Section: SSL-VPN

Explanation/Reference:

QUESTION 394
Network applications accessed using SSL Network Extender have been found to fail after one of their TCP connections has been left idle for more than one hour. You determine that you must enable sending reset (RST) packets upon TCP time-out expiration.

Where is it necessary to change the setting?

A. $FWDIR/conf/objects_5_0.C
B. $FWDIR/conf/objects.C
C. $WEBISDIR/conf/cpadmin.elg
D. $CVPNDIR/conf/cvpnd.C

Correct Answer: A
Section: File Locations/ File Modification

Explanation/Reference:
Explanation: by [email protected]:

Connectra's Network (SNX) Applications hang or crash upon expiration of a TCP connection. But you can figure out the answer by rule of elimination.

Solution ID: sk31904
Product: Mobile Access / SSL VPN, SSL Network Extender
Version: NGX R61
OS: All
Platform / Model: All
Date Created: 09-Jul-2006
Last Modified: 06-May-2013

SYMPTOMS

Network applications accessed using SNX hang or crash after one of their TCP connections has been left idle for more than an hour.

CAUSE

For some applications, connections may stay idle for a long time, and when the communication is resumed after a connection timeout, reset (RST) packets are sent from Connectra to the client and the server. When not receiving the RST packet, applications may hang or behave unexpectedly. Connectra records all TCP connections with a certain timeout. The default timeout is one hour. When this timeout is reached, the connection is deleted from the connections table. By default, Connectra does not send a RST packet upon TCP connection expiration.

SOLUTION

Follow the instructions below in order to enable sending reset (RST) packets upon TCP timeout expiration:

1. Login to Connectra's expert shell (in case of a cluster setup, login to the active administration member).
2. Type the cpstop command.
3. Edit the $FWDIR/conf/objects_5_0.C file. (=> Answer to the Question)
4. Find the property named fw_rst_expired_conn, and change its value to true.
5. Save the edited file.
6. Type the cpstart command.
7. Login to the administration portal and install the policy.

QUESTION 395
Even after configuring central logging on Connectra, Connectra logs are not displaying in SmartView Tracker.

What could be the cause of this problem?

A. You must reestablish logging from Connectra to the Management Server, using a dummy log-server object.
B. R70 does not support a host object with the same IP address as a Management Server used as secondary log server or management station.
C. You must install the Management Server database.
D. You must install the Security Policy, and try again.

Correct Answer: C
Section: Configuration/ Topology/ Connectra

Explanation/Reference:

QUESTION 396
Which procedure enables the SSL VPN blade on the gateway?

A. Log into SmartDashboard, Create a new rule with the source and destination addresses of the needed remote network, set the action to Encrypt and push the policy to that gateway.
B. Log into SmartDashboard, edit the properties of the Gateway, and select the SSL VPN check box.
C. Log into SmartDashboard, Select the VPN Communities tab and add the gateway to the appropriate community.
D. Log into WebUI on the gateway and check the SSL VPN Blade check box.

Correct Answer: B
Section: SSL-VPN

Explanation/Reference:
Explanation: by [email protected]

QUESTION 397
Which command can be used to verify SecureXL statistics?

A. fwaccel top
B. fwaccel stats
C. fw ctl pstat
D. cphaprob stat

Correct Answer: B
Section: Performance Pack/ SecureXL/ CoreXL

Explanation/Reference:

QUESTION 398
You are trying to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have the option to see the Directional Match. You see the following window.

What must you enable to see the Directional Match?

A. VPN Directional Match on the Gateway object's VPN tab
B. Advanced Routing on each Security Gateway
C. VPN Directional Match on the VPN advanced window, in Global Properties
D. directional_match(true) in the objects_5_0.C file on Security Management Server

Correct Answer: C
Section: VPN/ MEP VPN/ High-Traffic VPN

Explanation/Reference:

QUESTION 399
Which of these four Check Point QoS technologies prevents the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow?

A. Weighted Flow Random Early Drop (WFRED)
B. Intelligent Queuing Engine
C. Retransmission Detection Early Drop (RDED)
D. Stateful Inspection

Correct Answer: C
Section: QoS

Explanation/Reference:

QUESTION 400
Using IPS, how do you notify the Security Administrator that malware is scanning specific ports? By enabling:

A. Malware Scan protection
B. Sweep Scan protection
C. Host Port Scan
D. Malicious Code Protector

Correct Answer: C
Section: IPS

Explanation/Reference:
Explanation: by [email protected]:

Original Answer is B but as per below, as the question asks for scanning specific ports, Answer is C (so B is wrong)

Port Scan
An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open.

This category includes the following types of port scans:

Host Port Scan: The attacker scans a specific host's ports to determine which of the ports are open.
Sweep Scan: The attacker scans various hosts to determine where a specific port is open.

Source: http://www.checkpoint.com/smb/help/safeatoffice/8.2/2346.htm

Difference between Host Port scan and Sweep Scan Protection: One is where you scan a range of ports on one host, the other is when you scan a network range, looking for one open port across all systems

QUESTION 401
What is the meaning of the option Connect to the Internet?

A. SmartDashboard will retrieve information from Check Point over the Internet. No information will be sent.
B. SmartDashboard will retrieve information from Check Point over the Internet. Your information will be sent anonymously to Check Point.
C. SmartDashboard will retrieve information from Check Point over the Internet using your User Center login.
D. SmartDashboard will retrieve information from Check Point over the Internet.

Correct Answer: C
Section: SmartDashboard/ Security Management Server (SMS)

Explanation/Reference:

QUESTION 402
Your online bookstore has customers connecting to a variety of Web servers to place or change orders and check order status. You ran penetration tests through the Security Gateway to determine if the Web servers were protected from a recent series of cross-site scripting attacks. The penetration testing indicated the Web servers were still vulnerable. You have checked every box in the Web Intelligence tab, and installed the Security Policy.

What else might you do to reduce the vulnerability?

A. Configure the Security Gateway protecting the Web servers as a Web server.
B. Check the Products / Web Server box on the host node objects representing your Web servers.
C. Add Port (TCP 443) as an additional port on the Web Server tab for the host node.
D. The penetration software you are using is malfunctioning and is reporting a false-positive.

Correct Answer: B
Section: IPS

Explanation/Reference:

QUESTION 403
In a particular IPS protection in R71 in the Logging Settings, what does the Capture Packets option do?

A. This is not a valid selection in R71
B. Attaches a packet capture of the traffic that matches this particular protection to each log that the protection generates.
C. Starts a packet capture at the time of policy install to capture all of the traffic until this protection is hit.
D. Collects all of the logs for packets that have matched this protection within the last 30 days

Correct Answer: B
Section: IPS
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Ans B is correct

PP22 CP_R75_IPSAdminGuide

QUESTION 404
When deploying a dedicated DLP Gateway behind a perimeter firewall on an interface leading to the internal network (there is only one internal network):

A. The DLP Gateway can inspect SMTP traffic if a MS Exchange server is located on the internal network, and it either sends e-mails directly to the Internet using SMTP or sends e-mails to the Internet in SMTP via a mail relay that is located on the perimeter's firewall DMZ network.
B. The DLP Gateway can inspect internal e-mails (e-mails between two users on the internal network) if the organization's internal mail server is located in the internal network and users are configured to send e-mails to this mail server using SMTP.
C. User's HTTPS and FTP traffic can be inspected by the R71 DLP Gateway.
D. The DLP Gateway can inspect e-mails (e-mails between two users on an internal or external network) if the organization's internal mail server is located on another network (not the internal network; for instance the DMZ or a different internal network) and users are configured to send e-mails to this mail server using SMTP.

Correct Answer: A
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 405
For proper system operation, the Administrator has to configure the DLP Portal and define its DNS name for which of the following conditions?

A. If the DLP Policy is applied to HTTP traffic.
B. If there are one or more Inform Rules.
C. If there are one or more Ask User rules.
D. If the action of all rules is Detect and no Data Owners are configured.

Correct Answer: C
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 406
Which of the following is NOT TRUE regarding HTTPS traffic being passed through a DLP gateway?

A. You must edit the $FWDIR/conf/fwauthd.conf file in order for HTTPS traffic to be passed to your Web Proxy through a DLP gateway.
B. HTTPS traffic is not scanned by DLP
C. Only one proxy can be configured for DLP
D. You must configure the DLP gateway to allow HTTP/HTTPS traffic through the proxy if you have a web proxy between the DLP gateway and the internet.

Correct Answer: A
Section: DLP
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Questions ask what is NOT correct

A

B: HTTPS traffic is not scanned by DLP ----> Correct PP19, CP_R75_DLPAdminGuide

C. Only one proxy can be configured for DLP

D. You must configure the DLP gateway to allow HTTP/HTTPS traffic through the proxy if you have a web proxy between the DLP gateway and the internet. ---> Correct, Correct PP19, CP_R75_DLPAdminGuide

QUESTION 407
In Company XYZ, the DLP Administrator defined a new template Data Type that is based on an empty PDF form for an insurance claim.

Which of the following statements about this new data type are CORRECT?

A. Only completed insurance claim forms of PDF file-type that were based on the empty PDF form will be matched by this Data Type.
B. If the empty PDF insurance claim form is sent, it will NOT be matched by this Data Type.
C. Word, Excel, PDF filled in insurance claim forms that were based on the empty PDF insurance claim form will be matched by this Data Type.
D. The Data Type will match only files where the name and file size is similar to that of the original insurance claim forms in PDF format.

Correct Answer: C
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 408
Which DLP action would describe the following action:

- The data transmission event is logged in SmartView Tracker.
- Administrators with permission can view the data that was sent.
- The traffic is passed.

A. Detect
B. Ask User
C. Inform User
D. Prevent

Correct Answer: A
Section: DLP
Explanation

Explanation/Reference:
Explanation:

QUESTION 409
What is a task of the SmartEvent Client?

A. Add events to the events database.
B. Display the received events.
C. Assign a severity level to an event.
D. Analyze each IPS log entry as it enters the Log server.

Correct Answer: B
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation:

QUESTION 410
Which of the following functions CANNOT be performed in ClientInfo on computer information collected?

A. Copy the contents of the selected cells.
B. Save the information in the active tab to an .exe file.
C. Enter new credential for accessing the computer information.
D. Run Google.com search using the contents of the selected cell.

Correct Answer: B
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Repeat Question Q218

Answer B is correct

PP22 in CP_R75_SmartEvent_AdminGuide:


QUESTION 411
You have selected the event Port Scan from Internal Network in SmartEvent, to detect an event when 30 port scans have occurred within 60 seconds. You also want to detect two port scans from a host within 10 seconds of each other.

How would you accomplish this?

A. Select the two port-scan detections as a sub-event.
B. Define the two port-scan detections as an exception.
C. You cannot set SmartEvent to detect two port scans from a host within 10 seconds of each other.
D. Select the two port-scan detections as a new event.

Correct Answer: B
Section: SmartEvent
Explanation

Explanation/Reference:
Explanation: by [email protected]:

Repeat Question Q221

PP46 in CP_R75_SmartEvent_AdminGuide in Creating Event Definitions (User Defined Events) starting at pp42

Step 4: When a Candidate Becomes an Event (in Point form)
1. When a candidate becomes an event, the Correlation Unit forwards the event to the Event Database.
2. But discovering an event does not mean that SmartEvent stops tracking logs related to it.
3. The Correlation Unit will keep adding matching logs to the event as long as they continue to arrive during the event threshold.
4. Keeping the event "open" condenses what might otherwise appear as many instances of the same event to one, and provides accurate, up-to-date information as to the beginning and end time of the event. Event.

QUESTION 412
Which of the following statements about the Port Scanning feature of IPS is TRUE?

A. The default scan detection is when more than 500 open inactive ports are open for a period of 120 seconds.
B. The Port Scanning feature actively blocks the scanning, and sends an alert to SmartView Monitor.
C. Port Scanning does not block scanning; it detects port scans with one of three levels of detection sensitivity.
D. When a port scan is detected, only a log is issued, never an alert.

Correct Answer: C
Section: IPS
Explanation

Explanation/Reference:
Explanation:

QUESTION 413
Match the SmartDashboard session status icons with the appropriate SmartWorkflow session status:

A. 1-B, 2-A, 3-D, 4-E, 5-C
B. 1-A, 2-E, 3-D, 4-B, 5-C
C. 1-B, 2-A, 3-E, 4-D, 5-C
D. 1-A, 2-B, 3-E, 4-D, 5-C

Correct Answer: A
Section: SmartWorkFlow
Explanation

Explanation/Reference:

QUESTION 414
Match the VPN-related terms with their definitions:

A. A-3, B-2, C-4, D-1
B. A-3, B-2, C-1, D-4
C. A-2, B-3, C-4, D-1
D. A-2, B-3, C-1, D-4

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:

QUESTION 415
ABC.com has two sites using certificates-based VPN issued by the ICA. The two sites, Tokyo and Paris, are configured using a simplified VPN policy. You are trying to integrate a new office opening in Dubai. You must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server behind the Paris Security Gateway.

After creating the Dubai Gateway object with the proper VPN domain, what must you do?

Select appropriate steps:

A. 4 > 1 > 2
B. 4 > 5 > 3 > 2
C. 1 > 2
D. 5 > 3 > 2

Correct Answer: A
Section: VPN/ MEP VPN/ High-Traffic VPN
Explanation

Explanation/Reference:

QUESTION 416
Match the Best Management High Availability synchronization-status descriptions for your Security Management Server (SMS):

A. A-3, B-1, C-2, D-4
B. A-3, B-1, C-4, D-2
C. A-1, B-3, C-2, D-4
D. A-1, B-3, C-4, D-2

Correct Answer: A
Section: High Availability - (HA)
Explanation

Explanation/Reference:

PP95 CCSE R75 Study Guide under Synchronization Status
