Which operating systems support Wire mode?

Options are :

• IPSO and GAIA
• SecurePlatform and GAIA (Correct)
• Solaris and SecurePlatform
• IPSO and SecurePlatform

Answer : SecurePlatform and GAIA

The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is this file located?

Options are :

• /opt/CPshrd-R77/log
• /var/log/opt/CPsuite-R77/fg1/log
• /opt/CPsuite-R77/fg1/log
• /opt/CPsuite-R77/fw1/log (Correct)

Answer : /opt/CPsuite-R77/fw1/log

Which is NOT a valid upgrade method in an R77 GAiA ClusterXL deployment?

Options are :

• Optimal Service Upgrade
• Automatic Incremental Upgrade (Correct)
• Full Connectivity Upgrade
• Minimal Effort Upgrade

Answer : Automatic Incremental Upgrade

You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states “Clear text packet should be encrypted”. Which of the following would be the best troubleshooting step?

Options are :

• This is management traffic and we need to enable implied rule to address this issue.
• Your phase one algorithms are mismatched between gateways.
• Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text. (Correct)
• Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.

Answer : Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.

What would be a reason to use the command cphaosu stat?

Options are :

• To see the policy install dates on each of the members in the cluster.
• To decide when to fail over traffic to a new cluster member. (Correct)
• To determine the number of connections from OPSEC software using Open Source Licenses
• This is not a valid command.

Answer : To decide when to fail over traffic to a new cluster member.

What is the log file that shows the keep alive packets during the debug process?

Options are :

• $FWDIR/log/ike.xmll
• $FWDIR/log/ike.elg (Correct)
• $FWDIR/log/vpnd.elg
• $FWDIR/log/ikev2.xmll

Answer : $FWDIR/log/ike.elg

The command fwaccel stat displays what information?

Options are :

• Accelerator status, accept templates, drop templates (Correct)
• Accelerator status, CoreXL state, drop templates
• Accelerated packets, accept templates, dropped packets
• Accelerator status, accelerated rules, drop templates

Answer : Accelerator status, accept templates, drop templates

You are experiencing an issue where Endpoint Connect client connects successfully however, it disconnects every 20 seconds. What is the most likely cause of this issue?

Options are :

• Your remote access community is not configured.
• You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.
• You are not licensed for Endpoint Connect client.
• The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules. (Correct)

Answer : The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.

When running a SecureXL debug how do you initialize the debug buffer to 32000?

Options are :

• sim debug –buf 32000
• fwaccel dbg –buf 32000
• fwaccel debug –buf 32000
• fw ctl debug –buf 32000 (Correct)

Answer : fw ctl debug –buf 32000

Your customer reports that the time on the standby cluster member is not correct. After failing over and making it active, the time is now correct. NTP has been configured on both machines, so it is expected that both machines be in sync with the NTP server. Upon investigating, it was found that the standby member was never able to communicate with the NTP server while it was in standby configuration. What could be the problem?

Options are :

• You should be syncing your backup to the primary for time setting
• raffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member. (Correct)
• Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP updates.
• NTP is not supported in active-passive mode.

Answer : raffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.

What is the function of the setting "no_hide_services_ports" in the tables.def files?

Options are :

• Preventing outbound traffic from being hidden behind the cluster IP address. (Correct)
• Hiding the particular tables from being synchronized to the other cluster member.
• Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.
• Preventing the secondary member from hiding its presence by not forwarding any packets.

Answer : Preventing outbound traffic from being hidden behind the cluster IP address.

Which of the following is NEVER affected by incorrect OS time and date configuration?

Options are :

• SIC
• VPN certificate authentication
• VPN PSK authentication (Correct)
• Identity Awareness Kerberos authentication

Answer : VPN PSK authentication

Where can you configure Wire mode?

Options are :

• In the gateway object in “Stateful Inspection”
• In the VPN community in “Advanced Settings” (Correct)
• In cpconfig
• In Global Properties

Answer : In the VPN community in “Advanced Settings”

Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70 and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change was not applied to the R70 firewalls. What could be the problem?

Options are :

• To support R70, the file in the compatibility directory should have been modified. (Correct)
• In order to make changes on R70 machines you need work within GuiDBedit
• Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to upgrade the firewalls to the same version as the firewall.
• R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.

Answer : To support R70, the file in the compatibility directory should have been modified.

While troubleshooting a VPN issue between your gateway and a partner site you see an entry in Smartview Tracker that states “Info: encryption failure: Different community ID: possible NAT problem”. Which of the following is the most likely cause?

Options are :

• You have an encryption method mismatch.
• You have not created a specific rule allowing VPN traffic.
• You have the wrong encryption domains configured.
• Implied rules in global properties such as ICMP and DNS are set to first instead of before last. (Correct)

Answer : Implied rules in global properties such as ICMP and DNS are set to first instead of before last.

What file contains IKEv2 debug messages?

Options are :

• $FWDIR/log/ike.xml
• $FWDIR/log/ike.elg
• $FWDIR/log/ikev2 (Correct)
• $FWDIR/log/vpnd.elg

Answer : $FWDIR/log/ikev2

You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to “Encryption failure: no response from peer”. After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?

Options are :

• $FWDIR/log/fw.log
• $FWDIR/log/ike.elg (Correct)
• /var/log/fw_debug.txt
• $FWDIR/log/fwd.elg

Answer : $FWDIR/log/ike.elg

SecureXL uses templating to accelerate traffic passing through the gateway. What command should you run to determine if Accept, Drop and NAT templating is enabled?

Options are :

• fw ctl pstat
• cphaprob -a if
• cpconfig
• fwaccel stat (Correct)

Answer : fwaccel stat

In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall enforcement.

Options are :

• Hub Mode can be used to bypass stateful inspection
• There is no such mode that can bypass firewall enforcement
• Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic
• Wire mode can be used to bypass stateful inspection (Correct)

Answer : Wire mode can be used to bypass stateful inspection

Check Point Best Practices suggest that when you finish a kernel debug, you should run the command _____________________ .

Options are :

• fw ctl debug default
• fw debug 0
• fw debug off
• fw ctl debug 0 (Correct)

Answer : fw ctl debug 0

Which command displays compression/decompression statistics?

Options are :

• vpn crlview
• vpn ver –k
• vpn compstat (Correct)
• vpn compreset

Answer : vpn compstat

After disabling SecureXL you ran command fw monitor to help troubleshoot a VPN issue. In your review you note that you only see pre-inbound traffic (“i”) and no other traffic after this. Which of the following reasons could explain this output?

Options are :

• Routes are set up incorrectly
• You don?t have an “encrypt” rule
• You have overlapping encryption domains with the remote site (Correct)
• Traffic is not destined to the correct MAC address because you failed to set up proxy ARP

Answer : You have overlapping encryption domains with the remote site

In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an entry that states “Invalid ID”. Which of the following is the most likely cause?

Options are :

• Time is not matching between two members.
• Wrong subnets are being negotiated (Correct)
• IKEv1 is not supported by the peer.
• The encryption parameters (hash, encryption type, etc.) do not match.

Answer : Wrong subnets are being negotiated

You are having issues with dynamic routing after a failover. The traffic is now coming from the backup and is being dropped as out of state. What is the BEST configuration to avoid stateful inspection dropping your dynamic routing traffic?

Options are :

• Enable Visitor mode.
• Create additional explicit rules.
• In Global Properties select Accept other IP protocols stateful replies for unknown services.
• Implement Wire mode. (Correct)

Answer : Implement Wire mode.

Which command will you run to list established VPN tunnels?

Options are :

• fw tab -t vpn_active
• fw tab -t vpn_routing
• vpn compstat
• vpn tu (Correct)

Answer : vpn tu

You are in VPN troubleshooting with a Partner and you suspect a mismatch configuration in Diffie-Hellman (DH) group to Phase1. After starting a vpn debug, in which packet would you look to analyze this option in your debug file?

Options are :

• Packet4
• Packet 1 (Correct)
• Packet5
• Packet3

Answer : Packet 1

You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best command that can be used to achieve this goal?

Options are :

• vpn debug trunc (Correct)
• vpn debug on TDERR_ALL_ALL=5
• vpn debug trunc
• vpn debug ikeon

Answer : vpn debug trunc

When VPN user-based authentication fails, which of the following debug logs is essential to understanding the issue?

Options are :

• fw monitor trace
• VPN-1 kernel debug logs
• IKE.elg (Correct)
• Vpnd.elg

Answer : IKE.elg

In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log that states “No proposal chosen” what is the most likely cause?

Options are :

• A mismatch in the settings between the two peers (Correct)
• The peer machine is not accepting multicast packets
• There is a time mismatch
• Using IKEv1 when peer uses IKEv2

Answer : A mismatch in the settings between the two peers

You are using an IPV6 environment and find that you need additional access control and want to set up some directional VPN rules. How can you restrict access based on destination?

Options are :

• Directional VPN enforcement feature is not supported for IPv6. (Correct)
• Set your rule match to “All_gwtogw” and create a new rule.
• Enable Global Properties > Advanced > IPv6 for directional VPN enforcement.
• This can only be done in Traditional Mode VPN.

Answer : Directional VPN enforcement feature is not supported for IPv6.