156-115 Check Point Certified Security Master - Final Exam Set 4

Each connection allowed by the Security Gateway has a real entry and some symbolic link entries in the connections state table. The symbolic link entries point back to the real entry by using this:


Options are :

  • None
  • The serial number of the real entry.
  • Memory pointer.
  • Six-tuple.
  • Date and time of connection establishment.

Answer : Six-tuple.

156-115 Check Point Certified Security Master - Final Exam Set 5

In your production environment, your gateway is configured to apply Hide NAT for all internal traffic destined for the Internet. However, you are setting up a VPN tunnel with a remote gateway, and you are concerned about the encryption domain that you need to define on the remote gateway. Does the remote gateway need to include your production gateway's external IP in its encryption domain?


Options are :

  • No, all packets routed through the VPN keep the original source and destination of the packet, without translation.
  • No, all packets sent through the VPN tunnel have their payload encapsulated in an ESP packet and, after encryption at the remote site, have the same internal source and destination IP addresses.
  • None
  • Yes, the gateway applies Hide NAT for this VPN traffic.
  • Yes, all packets sent through the VPN tunnel have their payload encapsulated in an ESP packet and, after encryption at the remote site, the packet contains the source IP of the gateway because of Hide NAT.

Answer : No, all packets sent through the VPN tunnel have their payload encapsulated in an ESP packet and, after encryption at the remote site, have the same internal source and destination IP addresses.

To prevent outgoing NTP traffic from being hidden behind the Cluster IP, what should you do?


Options are :

  • Edit the relevant table.def on the Management Server, add the line no_hide_services_ports = {<17, 123>}; and push the policy.
  • Edit the relevant table.def on the Management Server, add the line no_hide_services_ports = {<123, 17>}; and push the policy.
  • None
  • Edit the relevant table.def on the gateway and add the line no_hide_services_ports = {<123 17>}
  • Edit the relevant table.def on the gateway and add the line no_hide_services_ports = {<17, 123>};

Answer : Edit the relevant table.def on the Management Server, add the line no_hide_services_ports = {<123, 17>}; and push the policy.

You have set up a manual NAT rule, but fw monitor shows that the device still uses the automatic Hide NAT rule. How do you fix this?


Options are :

  • In Global Properties > NAT, ensure that server side NAT is enabled.
  • In Global Properties > NAT, ensure that Merge Automatic to Manual NAT is selected.
  • None
  • Set the fwx_alloc_man kernel parameter to 1.
  • Move the manual NAT rule above the automatic NAT rule.

Answer : Move the manual NAT rule above the automatic NAT rule.

156-115 Check Point Certified Security Master - Final Exam Set 6

How do you specify the enforcement point gateway for the peers involved in Directional VPN Enforcement?


Options are :

  • From the WebUI of the peers, add a static route to the designated enforcement point.
  • Edit the file $FWDIR/conf/user.def on each peer to point the route at the enforcement gateway.
  • None
  • Edit the file $FWDIR/conf/vpn_route.conf on each peer to point the route at the enforcement gateway.
  • Name this gateway in the VPN community properties.

Answer : Edit the file $FWDIR/conf/vpn_route.conf on each peer to point the route at the enforcement gateway.

How do you clear the connections table?


Options are :

  • The command FW Connection tab,
  • The command FW Connection tab,
  • The command FW tab Conns
  • In Gateway Properties > Optimizations, click Clear connections table
  • None

Answer : The command FW Connection tab,

Which command shows all active modules on the Security Gateway?


Options are :

  • fw ctl debug -m
  • fw ctl zdebug drop
  • fw ctl chain
  • fw ctl debug -h
  • None

Answer : fw ctl chain

156-115 Check Point Certified Security Master - Final Exam Set 7

Since R76 GAIA, what is the method for configuring proxy ARP entries for manual NAT rules?


Options are :

  • WebUI or add proxy ARP ... commands in Clish
  • SmartDashboard
  • SmartView Tracker
  • None
  • local.arp file

Answer : WebUI or add proxy ARP ... commands in Clish

A customer receives an alert from their network operations center: they see ARP and ping scans of the network coming from the firewall. What could be the reason for this behavior?


Options are :

  • Check Point firewalls probe adjacent network devices during normal operation.
  • The Check Point Anti-Bot blade performs anti-bot scans of the surrounding network.
  • IPS is disabled on the firewall and there is a known OpenSSL vulnerability that allows a hacker to cause a scan of the network from the firewall.
  • None
  • One or both firewalls in the cluster have stopped receiving CCP packets on an interface.

Answer : One or both firewalls in the cluster have stopped receiving CCP packets on an interface.

Which of the following commands shows the high watermark threshold for triggering the cluster under load mechanism in R77?


Options are :

  • fw ctl get int fwha_cul_cluster_short_timeout
  • None
  • fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec
  • fw ctl get int fwha_cul_member_cpu_load_limit
  • fw ctl get int fwha_cul_mechanism_enable

Answer : fw ctl get int fwha_cul_member_cpu_load_limit

156-110 Check Point Certified Security Principles Associate Set 1

Given the following cphaprob -i list output, what is the most likely cause of the cluster issue?

    Cluster B> cphaprob -i list

    Built-in Devices:

    Device Name: Interface Active Check
    Current state: OK

    Device Name: HA Initialize
    Current state: OK

    Device Name: Recovery Delay
    Current state: OK

    Registered Devices:

    Device Name: Sync
    Registration number: 0
    Timeout: none
    Current state: OK
    Time since last report: 3651.5 sec

    Device Name: Filter
    Registration number: 1
    Timeout: none
    Current state: problem
    Time since last report: 139 sec

    Device Name: routed
    Registration number: 2
    Timeout: none
    Current state: OK
    Time since last report: 3651.9 sec

    Device Name: cphad
    Registration number: 3
    Timeout: none
    Current state: OK
    Time since last report: 3696.5 sec

    Device Name: fwd
    Registration number: 4
    Timeout: none
    Current state: OK
    Time since last report: 3696.5 sec


Options are :

  • There is a lower connection group A
  • Cluster B and Cluster A have different versions of the policy installed.
  • There is a problem on the synchronization network between Cluster A and Cluster B
  • The routing table on Cluster B is different from Cluster A
  • None

Answer : Cluster B and Cluster A have different versions of the policy installed.

Which of the following answers best describes the potential impact of enlarging the connections table?


Options are :

  • Reduced access times
  • Increased memory consumption
  • Increased connection duration
  • Reduced memory consumption
  • None

Answer : Increased memory consumption

While troubleshooting a connectivity problem with an internal web server, you know that the packets are reaching the upstream router, but when you run tcpdump on the external interface of the gateway, the only traffic you see is ARP requests from the upstream router. Does the problem lie with the Check Point Gateway?


Options are :

  • No, the firewall is not dropping the traffic, so the problem is not caused by the firewall.
  • Yes, this may be due to an incorrect route on the firewall.
  • Yes, this may be due to an incorrect Static NAT in the firewall policy.
  • No. This is a layer 2 connectivity problem and it has nothing to do with the firewall.
  • None

Answer : Yes, this may be due to an incorrect Static NAT in the firewall policy.

156-110 Check Point Certified Security Principles Associate Set 2

Which command clears all entries in the connections table of a Security Gateway?


Options are :

  • fw tab connections -x
  • fw tab connetion
  • fw tab connetion -S
  • None
  • fw ctl tab connetions

Answer : fw tab connections -x

With the default ClusterXL settings, what will be the state of an active gateway after running the command ClusterXL_admin up?


Options are :

  • Down
  • Ready
  • Active
  • At the ready
  • None

Answer : At the ready

A member of the cluster shows the state "Ready". Which of the following is not a reason to expect this problem?


Options are :

  • Nothing
  • None
  • One cluster member is configured for 32-bit and the other is configured for 64-bit
  • CoreXL is configured differently on the two devices
  • The firewall that shows "Ready" has been upgraded, but the other firewall has not yet been upgraded
  • The firewall policy is not yet installed on the firewall

Answer : The firewall policy is not yet installed on the firewall

156-110 Check Point Certified Security Principles Associate Set 3

Why would you choose to combine dynamic routing protocols and VPNs?


Options are :

  • In the event of a tunnel failure, traffic can be routed through other tunnels.
  • Dynamic routing information can be propagated over the VPN using only a single point-to-point connection to the network.
  • None
  • A VPN device can automatically learn of network changes on a peer VPN gateway without the need to update the VPN domain configuration.
  • All of the options listed.

Answer : All of the options listed.

156-110 Check Point Certified Security Principles Associate Set 4

In an HA cluster, you change the number of CoreXL cores on only one member using cpconfig and then reboot it. What is the expected ClusterXL state of this member when it comes up?


Options are :

  • Ready
  • Active
  • Down
  • None
  • At the ready

Answer : At the ready

What must be considered when configuring Wire mode for IPv6?


Options are :

  • IPv6 is determined by both the end-point.
  • You will need to use internal space to use IPv6 Wire mode.
  • IPv6 Wire mode is supported only in R77.
  • None
  • IPv6 is not supported in Wire mode.

Answer : IPv6 is not supported in Wire mode.

When are rules that contain Identity Awareness access roles accelerated by SecureXL?


Options are :

  • Only when "Unauthenticated Guests" is included in the access role.
  • They have no bearing on whether the access rule is accelerated.
  • None
  • Rules using Identity Awareness are always accelerated.
  • Rules using Identity Awareness are never accelerated.

Answer : They have no bearing on whether the access rule is accelerated.

156-110 Check Point Certified Security Principles Associate Set 5

What does the command fwaccel models do?


Options are :

  • Begins firewall after acceleration fwaccel driven off or allowed SecureXL command cpconfig.
  • SecureXL that have been introduced cpconfig command menu.
  • Displays models of existing SecureXL device. This is so that the administrator can look for a model that corresponds to a particular trade.
  • None
  • Regular Base mapping of the actual rules and the model built up in Layer 2.

Answer : Displays models of existing SecureXL device. This is so that the administrator can look for a model that corresponds to a particular trade.

Where can you configure OSPF on a GAIA firewall?


Options are :

  • WebUI
  • SmartDashboard
  • sysconfig
  • cpconfig
  • None

Answer : WebUI

A new packet is received on a firewall interface. The packet is compared against the connections table and no match is found. What process does the firewall begin with respect to this packet?


Options are :

  • The packet is dropped by the firewall kernel.
  • The packet is then passed to the outgoing interface for processing.
  • The packet is delivered to the firewall to apply the security policy.
  • The new packet is a new flow and requires a new entry in the connections table.
  • None

Answer : The packet is delivered to the firewall to apply the security policy.

156-110 Check Point Certified Security Principles Associate Set 6

Which of the following is a valid synchronization status in the output of fw ctl pstat?


Options are :

  • Synchronization down to member
  • None
  • Communicating
  • Can not receive the synchronization packets
  • Synchronized

Answer : Can not receive the synchronization packets

You are running some diagnostics on a GAIA gateway. While reviewing the number of fragmented packets, you find that there are a lot of large and duplicate packets. Which command did you issue to get this information?


Options are :

  • fw ctl get int fw_frag_stats
  • None
  • sysconfig
  • fw ctl pstat
  • cat /proc/cpuinfo

Answer : fw ctl pstat

What information cannot be displayed by the command cat /proc/cpuinfo?


Options are :

  • vendor_id
  • FPU
  • CPU family
  • NFS_Unstable
  • None

Answer : NFS_Unstable

156-110 Check Point Certified Security Principles Associate Set 7

While performing some troubleshooting, you run an fw monitor command with the filter accept dport=443, and you cannot see the TCP ACK packet. Why is this?


Options are :

  • The connection is accelerated.
  • The connection is lost.
  • The connection is encrypted.
  • None
  • The connection is NATted.

Answer : The connection is accelerated.

What information does executing the command fw ctl pstat return?


Options are :

  • Additional information kmem
  • Additional information hmem
  • None
  • General Security Gateway statistics
  • Additional information smem

Answer : General Security Gateway statistics

When are rules that include Identity Awareness (IDA) access roles accelerated by SecureXL?


Options are :

  • The inclusion of the IDA role has no bearing on whether the connection for the rule is accelerated.
  • Only when "Unauthenticated Guests" is included in the access role.
  • Always; the inclusion of an IDA role guarantees that the connection for the rule is accelerated.
  • Never; the inclusion of an IDA role disables SecureXL.
  • None

Answer : The inclusion of the IDA role has no bearing on whether the connection for the rule is accelerated.

156-115 Check Point Certified Security Master - Final Exam Set 1

The 'Maximum Entries' value in the Gaia Portal corresponds to the 'gc_thresh3' parameter in the Linux kernel, and has a value of 1024. Knowing this, you know that gc_thresh2 and gc_thresh1 are automatically set to these values:


Options are :

  • gc_thresh2 = 1024 and gc_thresh1 = 1024
  • gc_thresh2 = 256 and gc_thresh1 = 128
  • gc_thresh1 = 256 and gc_thresh2 = 128
  • None
  • gc_thresh2 = 512 and gc_thresh1 = 256

Answer : gc_thresh2 = 512 and gc_thresh1 = 256
