156-115 Check Point Certified Security Master - Final Exam Set 7

What information does the command fwaccel stat show?


Options are :

  • Accelerated packages, approve designs, dropped packets
  • Accelerator mode, CoreXL state drop-down models
  • Accelerator mode, accept the models, calculation models
  • Accelerator mode, a fast-track rules, the drop-down models
  • None

Answer : Accelerator mode, accept the models, calculation models

156-115 Check Point Certified Security Master Practice Exam Set 1

When VPN user-based authentication fails, which of the following debugs is necessary to understand the problem?


Options are :

  • VPN one core debug
  • None
  • FW tracking
  • IKE.elg
  • Vpnd.elg

Answer : IKE.elg

You run the command fw tab -t connections -s on both members of the cluster. Both members report abnormal values for "vals" and "peaks". Which may not be the reason for this difference?


Options are :

  • None
  • SBM is a 61k setting to sync only selective portions of the table connections.
  • short-lived services heavily used have been the use of synchronization to improve performance.
  • Synchronization does not work for two members
  • Standby Member will not sync until the fault tolerance is required.

Answer : Standby Member will not sync until the fault tolerance is required.

You have a problem where the Endpoint Connect client connects successfully but cuts off every 20 seconds. What is the most likely cause of this issue?


Options are :

  • Remote access to your own community has not been determined.
  • You have selected IKEv2 only Global Properties> Remote access> VPN authentication and encryption.
  • None
  • Accept remote control connections not in use Global Properties> Firewall Implied Rules.
  • You are not licensed Endpoint Connect client.

Answer : Accept remote control connections not in use Global Properties> Firewall Implied Rules.

156-115 Check Point Certified Security Master Practice Exam Set 2

After removing SecureXL, you ran the command fw monitor to troubleshoot your VPN problem. In your review you notice that you only see the finished incoming traffic ("i") and other traffic thereafter. Which of the following can explain the output?


Options are :

  • You do not have to conceal rule
  • None
  • Traffic is not intended for the correct MAC address, because you've managed to set up a proxy ARP
  • The routes are set incorrectly
  • Overlapping encryption domains in the remote site

Answer : Overlapping encryption domains in the remote site

Where can you define Wire mode?


Options are :

  • Advanced VPN community
  • Global Features
  • in cpconfig
  • None
  • Gateway object Stateful Inspection

Answer : Advanced VPN community

While diagnosing traffic issues on a VPN tunnel, you see in the output of fw monitor -e "host(172.21.1.10), accept;" packets that go through the incoming chain (i> I) and then disappear after the outgoing chain (O> __), where you were expecting to see the packet leave at O. What could be causing this problem?


Options are :

  • It does not appear FW display, because it is coming out at the wrong interface to C. The package starts off quietly, because there is no route for the packet.
  • Gateway never completed IKE and IPSec key exchange, and the tunnel is not yet.
  • The package is coming quietly away, because there is no route for the packet.
  • When packets are to be passed through the VPN tunnel, it is encrypted and encapsulated ESP packet, so it is not visible on the monitor FW.
  • None

Answer : When packets are to be passed through the VPN tunnel, it is encrypted and encapsulated ESP packet, so it is not visible on the monitor FW.

156-115 Check Point Certified Security Master Practice Exam Set 3

What does the option "no_hide_services_ports" in the tables.def file do?


Options are :

  • Tucked away in particular, the tables have been synchronized to another member of the cluster.
  • None
  • Prevents secondary member of hiding its presence does not have all the packages together.
  • Allowing management decisions to be adopted in the transport Applied rule before the rule stealth.
  • outgoing traffic to prevent being hidden in a cluster IP address.

Answer : outgoing traffic to prevent being hidden in a cluster IP address.

You are troubleshooting a VPN between your gateway and the partner site and get a drop that states a clear text packet should be encrypted. Which of the following would be the best troubleshooting step?


Options are :

  • This is a traffic management and we have to take an implicit rule to address this issue.
  • None
  • Interval phase one algorithms are faulty between the gateways.
  • Use VPN services outside the Community fails to make the VPN traffic, or find out why the traffic leaves the local (private) gateway unencrypted.
  • Use VPN services outside the Community fails to make the VPN traffic, or find out why the traffic that triggered the leaves (partner) gateway unencrypted.

Answer : Use VPN services outside the Community fails to make the VPN traffic, or find out why the traffic that triggered the leaves (partner) gateway unencrypted.

The customer has an R77 Multi-Domain Management Server managing a mix of R70 and R77 firewalls. A change was made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change is not applied to the R70 firewalls. What could be the problem?


Options are :

  • In order to support R70, file compatibility directory should have been changed.
  • R70 is the end and is not supported. Most functions work, however, changed table.def not.
  • Changes table.def firewalls can be applied to the corresponding version of the Management Server. The customer needs to update the same version of firewalls as a firewall.
  • None
  • In order for changes in the R70 machines need to work GuiDBedit

Answer : In order to support R70, file compatibility directory should have been changed.

156-115 Check Point Certified Security Master Practice Exam Set 4

You have problems after a dynamic routing failover. Traffic now comes back through the backup and is dropped as out of state. What is the best configuration to avoid dropping dynamic routing traffic?


Options are :

  • Global Properties select Accept other IP protocols are stateful answers to unknown services.
  • To create a new clear rules.
  • Implements Wire mode.
  • Contact Visitor mode.
  • None

Answer : Implements Wire mode.

Which of the following is never influenced by the wrong OS date and time configuration?


Options are :

  • Identity Awareness Kerberos
  • VPN certificate authentication
  • None
  • VPN PSK authentication
  • SIC

Answer : VPN PSK authentication

Which log file shows the processes that are involved in the start-up phase of the tunnel?


Options are :

  • None
  • $FWDIR/log/ikev2.xmll
  • $FWDIR/log/ike.xmll
  • $FWDIR/log/ike.elg
  • $FWDIR/log/vpnd.elg

Answer : $FWDIR/log/vpnd.elg

156-115 Check Point Certified Security Master Practice Exam Set 5

You are using an IPv6 environment and find that you need access control and want to establish some directional VPN rules. How do you restrict based on the target?


Options are :

  • Place the rule with a match All_gwtogw and create a new rule.
  • Contact Global Properties> Advanced> IPv6 directed VPN implementation.
  • This can be done only in the traditional mode VPN.
  • Directional VPN implementation of the feature is not supported for IPv6.
  • None

Answer : Directional VPN implementation of the feature is not supported for IPv6.

You run the commands fw ctl debug 0 and fw ctl debug -buf 32000. Which of the following commands would be best to troubleshoot the cluster in question?


Options are :

  • FW CTL zdebug -m all cluster +
  • FW CTL debug m + cluster if the stat PNote
  • FW CTL debug CLUSTER m + conf stat
  • FW CTL kdebug -m CLUSTER all
  • None

Answer : FW CTL debug m + cluster if the stat PNote

While troubleshooting a VPN issue between your gateway and a partner site, you see that SmartView Tracker states "Info: Encryption failure: the various Community ID: Possible NAT problem". Which of the following is the most likely cause?


Options are :

  • You have not created a rule that allows VPN traffic.
  • Expected global rules properties, such as ICMP, and DNS is set up first instead of currencies.
  • You have the wrong encryption domains specified.
  • None
  • You have the encryption method mismatch.

Answer : Expected global rules properties, such as ICMP, and DNS is set up first instead of currencies.

156-110 Check Point Certified Security Principles Associate Set 1

The firewall has 8 cores and the correct license. CoreXL is enabled. How can you set kernel instance #3 to run on processing core #5?


Options are :

  • Run fwaffinity_apply 3 -k 5 and verify that the settings have taken a command affecting the FW CTL multik stat.
  • None
  • Edit the file and add the line fwaffinity.conf k3 CPUID 5
  • fw ctl affinity -s k May 3
  • This is not possible CoreXL is best left to manage core processor core descriptions. Only when the daemon is tied to your core, which CoreXL bypass the microprocessor in identifying instances of the core kernel.

Answer : fw ctl affinity -s k May 3

Where would you go to adjust the number of cores for CoreXL?


Options are :

  • fw ctl affinity
  • FW ctl multik stat
  • Cpconfig
  • None
  • FW ctl conf

Answer : Cpconfig

What is one way to check the status of a two-gateway cluster running in HA mode?


Options are :

  • Show Cluster ha area
  • show cluster
  • None
  • cp ha PROB stat
  • cphaprob stat

Answer : cphaprob stat

156-110 Check Point Certified Security Principles Associate Set 2

What command displays the Connections Table for a particular CoreXL firewall instance?


Options are :

  • FW tab connections
  • None
  • FW tab connections
  • FW tab connection | grep FW
  • FW -i FW_INSTANCE_ID tab -t connections [tickets]

Answer : FW -i FW_INSTANCE_ID tab -t connections [tickets]

What is the command to check on which core each interface and firewall instance of the gateway is currently running?


Options are :

  • show stat corexl
  • fw ctl affinity -l
  • None
  • FW ctl Pstat
  • FW Accel stat

Answer : fw ctl affinity -l

CoreXL on IPSO R77.20 does NOT support which of the following?


Options are :

  • Route-based VPN
  • IPv6
  • overlapping NAT
  • Check Point QoS
  • None

Answer : Check Point QoS

156-110 Check Point Certified Security Principles Associate Set 3

Where can you define Wire mode?


Options are :

  • in Clish
  • None
  • Object to the gateway IPSec VPN> VPN Advanced Settings page
  • in sysconfig
  • Global properties

Answer : Object to the gateway IPSec VPN> VPN Advanced Settings page

156-110 Check Point Certified Security Principles Associate Set 4

You are troubleshooting a VPN between your gateway and the partner site, and in Tracker you get a drop log which states that the proposal is not selected. What is the most likely cause?


Options are :

  • Peer machine does not accept the multicast packets
  • Use IKEv1 the peer to use the IKEv2
  • It is time mismatch
  • None
  • Conflict settings the two peers

Answer : Conflict settings the two peers

Your customer tells you that the time on the standby member of the cluster is not correct. After failing over to make it active, the time is now right. NTP is configured on both machines, so it is expected that both machines are synchronized to the NTP server. After investigating, it was found that the member is not able to communicate with the NTP server while it is in standby mode. What could be the problem?


Options are :

  • The routing prevents the standby member to perform functions such as dynamic routing peering and get NTP update.
  • NTP does not support active-passive mode.
  • None
  • You will need to synchronize a backup to the primary setting the delay time
  • Raffica Standby retailer behind an active member of the cluster's IP address, which is why it will return.

Answer : Raffica Standby retailer behind an active member of the cluster's IP address, which is why it will return.

Which command shows the compression/decompression statistics?


Options are :

  • None
  • vpn ver
  • vpn compress
  • vpn compstat
  • vpn crlview

Answer : vpn compstat

156-110 Check Point Certified Security Principles Associate Set 5

In a directional VPN implementation, a rule uses Internal_Clear. What is this?


Options are :

  • All interfaces are known as internal
  • None
  • All interfaces are known as External
  • Do not do this enforcements aimed VPN traffic
  • VOIP traffic

Answer : All interfaces are known as internal

Which command would you run to list established VPN tunnels?


Options are :

  • FW tab -t vpn_active
  • FW tab -t vpn_routing
  • None
  • VPN tu
  • vpn compstat

Answer : VPN tu

When running SecureXL, how do you initialize the debug buffer to 32000?


Options are :

  • fwaccel debug buf 32000
  • None
  • sim debug buf 32000
  • fwaccel dbg buf 32000
  • FW CTL debug -buf 32000

Answer : FW CTL debug -buf 32000

156-110 Check Point Certified Security Principles Associate Set 6

The file ike.elg is the log file used to log the IKE negotiations during the establishment of the VPN tunnel. Where is this file located?


Options are :

  • /var/log/opt/CPsuite-R77/FG1/log
  • /opt/CPsuite-R77/FW1/log
  • /opt/CPsuite-R77/FG1/log
  • /opt/CPshrd-R77/log
  • None

Answer : /opt/CPsuite-R77/FW1/log

Which program would you use to analyze the phase I and phase II packet exchanges?


Options are :

  • None
  • vpndebugView
  • vpnView
  • Check their perspective
  • IKEView

Answer : IKEView

In a VPN configuration, the following mode can be used to increase capacity by bypassing the firewall implementation.


Options are :

  • There is no such status, which can bypass the firewall implementation
  • None
  • Wire mode can be used to get packet filtering
  • Virtual Tunnel Interface (VTI) mode can bypass the firewall for all encrypted communications
  • Hub mode can be bypassed packet filtering

Answer : Wire mode can be used to get packet filtering

156-110 Check Point Certified Security Principles Associate Set 7

How many synchronization interfaces are supported by Check Point R77 GAIA?


Options are :

  • 3
  • 2
  • 1
  • 4
  • None

Answer : 1

You are troubleshooting a partner VPN and suspect a mismatched Diffie-Hellman (DH) group configuration in phase 1. After starting the VPN debug, which packet would you look at in the debug file to analyze this option?


Options are :

  • Packet4
  • None
  • Packet5
  • package 1
  • Packet3

Answer : package 1

Check Point best practices suggest that when you stop the kernel debug, you should run the command _____________________.


Options are :

  • FW default debug ctl
  • FW debug ctl 0
  • None
  • FW debug off
  • FW debug 0

Answer : FW debug ctl 0

156-115 Check Point Certified Security Master - Final Exam Set 1

While troubleshooting a VPN issue between your gateway and the partner site, you see an entry in IKEView stating Invalid ID. Which of the following is the most likely cause?


Options are :

  • None
  • Encryption parameters (hash, encryption type) do not match.
  • Wrong subnets negotiated
  • IKEv1 does not support peer.
  • Time is not equivalent to two members.

Answer : Wrong subnets negotiated

What file includes IKEv2 debug messages?


Options are :

  • $FWDIR/log/ike.elg
  • $FWDIR/log/IKEv2
  • None
  • $FWDIR/log/ike.xml
  • $FWDIR/log/vpnd.elg

Answer : $FWDIR/log/IKEv2

You are setting up a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway, it fails. You look in SmartView Tracker and see that the failure was due to "Encryption failure: is not responsible for PeerA". After running a VPN debug on the problematic gateway, which one of the files would you want to analyze?


Options are :

  • $FWDIR/log/fwd.elg
  • /var/log/fw_debug.txt
  • $FWDIR/log/fw.log
  • $FWDIR/log/ike.elg
  • None

Answer : $FWDIR/log/ike.elg

156-115 Check Point Certified Security Master - Final Exam Set 2

What would be the reason to use the command cphaosu stat?


Options are :

  • None
  • This is not a valid command.
  • To see a policy to install the dates of each member of the cluster.
  • Decide when to fail over traffic to the new cluster member.
  • Specifies the number of connections from OPSEC software open source licenses

Answer : Decide when to fail over traffic to the new cluster member.

Certain rules in the Rule Base disable connection speed acceleration (models). What command should be used to determine which models are not in use?


Options are :

  • cpconfig
  • FW ctl Pstat
  • None
  • #NAME?
  • fwaccel stat

Answer : fwaccel stat

Which log file shows keep-alive packets during the debug process?


Options are :

  • $FWDIR/log/vpnd.elg
  • $FWDIR/log/ike.elg
  • $FWDIR/log/ike.xmll
  • $FWDIR/log/ikev2.xmll
  • None

Answer : $FWDIR/log/ike.elg

156-115 Check Point Certified Security Master - Final Exam Set 3

SecureXL uses templating to accelerate traffic passing through the gateway. What command should you run to see whether Accept, Drop and NAT templating is operating?


Options are :

  • fwaccel stat
  • None
  • #NAME?
  • FW ctl Pstat
  • cpconfig

Answer : fwaccel stat

You want to perform a VPN debug that produces both the ike.elg and vpn.elg files. What is the best command that can be used to achieve this goal?


Options are :

  • VPN debug TDERR_ALL_ALL = 5
  • vpn debug TRUNC
  • None
  • vpn debug TRUNC
  • vpn debug ikeon

Answer : vpn debug TRUNC

Which operating systems support wire mode?


Options are :

  • Secure Platform and GAIA
  • IPSO and GAIA
  • Solaris and Secure Platform
  • IPSO and Secure Platform
  • None

Answer : Secure Platform and GAIA

156-115 Check Point Certified Security Master - Final Exam Set 4

Which debug file would you check to see which IKE version you are using?


Options are :

  • debug.txt
  • vpnd.elg
  • vpn.txt
  • fwpnd.elg
  • None

Answer : vpnd.elg

Which is not a valid upgrade method in an R77 Gaia ClusterXL deployment?


Options are :

  • With minimal effort Update
  • None
  • Full Connectivity Upgrade
  • Optimal service update
  • Automatic Incremental Update

Answer : Automatic Incremental Update
