Which operating systems support Wire mode?
Options are :
- IPSO and GAIA
- SecurePlatform and GAIA
(Correct)
- Solaris and SecurePlatform
- IPSO and SecurePlatform
Answer : SecurePlatform and GAIA
Check Point Certified Security Expert Exam Set 4
The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is this file located?
Options are :
- /opt/CPshrd-R77/log
- /var/log/opt/CPsuite-R77/fg1/log
- /opt/CPsuite-R77/fg1/log
- /opt/CPsuite-R77/fw1/log
(Correct)
Answer : /opt/CPsuite-R77/fw1/log
Which is NOT a valid upgrade method in an R77 GAiA ClusterXL deployment?
Options are :
- Optimal Service Upgrade
- Automatic Incremental Upgrade
(Correct)
- Full Connectivity Upgrade
- Minimal Effort Upgrade
Answer : Automatic Incremental Upgrade
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states “Clear text packet should be encrypted”. Which of the following would be the best troubleshooting step?
Options are :
- This is management traffic and we need to enable implied rule to address this issue.
- Your phase one algorithms are mismatched between gateways.
- Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.
(Correct)
- Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.
Answer : Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.
156-315.71 Check Point Security Expert R71 Practical Exam Set 5
What would be a reason to use the command cphaosu stat?
Options are :
- To see the policy install dates on each of the members in the cluster.
- To decide when to fail over traffic to a new cluster member.
(Correct)
- To determine the number of connections from OPSEC software using Open Source Licenses
- This is not a valid command.
Answer : To decide when to fail over traffic to a new cluster member.
What is the log file that shows the keep alive packets during the debug process?
Options are :
- $FWDIR/log/ike.xmll
- $FWDIR/log/ike.elg
(Correct)
- $FWDIR/log/vpnd.elg
- $FWDIR/log/ikev2.xmll
Answer : $FWDIR/log/ike.elg
The command fwaccel stat displays what information?
Options are :
- Accelerator status, accept templates, drop templates
(Correct)
- Accelerator status, CoreXL state, drop templates
- Accelerated packets, accept templates, dropped packets
- Accelerator status, accelerated rules, drop templates
Answer : Accelerator status, accept templates, drop templates
Check Point Certified Security Expert Exam Set 5
You are experiencing an issue where Endpoint Connect client connects successfully however, it disconnects every 20 seconds. What is the most likely cause of this issue?
Options are :
- Your remote access community is not configured.
- You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.
- You are not licensed for Endpoint Connect client.
- The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.
(Correct)
Answer : The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.
When running a SecureXL debug how do you initialize the debug buffer to 32000?
Options are :
- sim debug -buf 32000
- fwaccel dbg -buf 32000
- fwaccel debug -buf 32000
- fw ctl debug -buf 32000
(Correct)
Answer : fw ctl debug -buf 32000
Your customer reports that the time on the standby cluster member is not correct. After failing over and making it active, the time is now correct. NTP has been configured on both machines, so it is expected that both machines be in sync with the NTP server. Upon investigating, it was found that the standby member was never able to communicate with the NTP server while it was in standby configuration. What could be the problem?
Options are :
- You should be syncing your backup to the primary for time setting
- Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.
(Correct)
- Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP updates.
- NTP is not supported in active-passive mode.
Answer : Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.
Check Point Certified Security Expert Exam Set 2
What is the function of the setting "no_hide_services_ports" in the tables.def files?
Options are :
- Preventing outbound traffic from being hidden behind the cluster IP address.
(Correct)
- Hiding the particular tables from being synchronized to the other cluster member.
- Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.
- Preventing the secondary member from hiding its presence by not forwarding any packets.
Answer : Preventing outbound traffic from being hidden behind the cluster IP address.
Which of the following is NEVER affected by incorrect OS time and date configuration?
Options are :
- SIC
- VPN certificate authentication
- VPN PSK authentication
(Correct)
- Identity Awareness Kerberos authentication
Answer : VPN PSK authentication
Where can you configure Wire mode?
Options are :
- In the gateway object in “Stateful Inspection”
- In the VPN community in “Advanced Settings”
(Correct)
- In cpconfig
- In Global Properties
Answer : In the VPN community in “Advanced Settings”
156-315.13 Check Point Security Expert R76(GAiA) Exam Set 4
Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70 and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change was not applied to the R70 firewalls. What could be the problem?
Options are :
- To support R70, the file in the compatibility directory should have been modified.
(Correct)
- In order to make changes on R70 machines you need work within GuiDBedit
- Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to upgrade the firewalls to the same version as the firewall.
- R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.
Answer : To support R70, the file in the compatibility directory should have been modified.
While troubleshooting a VPN issue between your gateway and a partner site you see an entry in SmartView Tracker that states “Info: encryption failure: Different community ID: possible NAT problem”. Which of the following is the most likely cause?
Options are :
- You have an encryption method mismatch.
- You have not created a specific rule allowing VPN traffic.
- You have the wrong encryption domains configured.
- Implied rules in global properties such as ICMP and DNS are set to first instead of before last.
(Correct)
Answer : Implied rules in global properties such as ICMP and DNS are set to first instead of before last.
What file contains IKEv2 debug messages?
Options are :
- $FWDIR/log/ike.xml
- $FWDIR/log/ike.elg
- $FWDIR/log/ikev2
(Correct)
- $FWDIR/log/vpnd.elg
Answer : $FWDIR/log/ikev2
156-315.77 Check Point Certified Security Expert Exam Set 4
You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to “Encryption failure: no response from peer”. After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?
Options are :
- $FWDIR/log/fw.log
- $FWDIR/log/ike.elg
(Correct)
- /var/log/fw_debug.txt
- $FWDIR/log/fwd.elg
Answer : $FWDIR/log/ike.elg
SecureXL uses templating to accelerate traffic passing through the gateway. What command should you run to determine if Accept, Drop and NAT templating is enabled?
Options are :
- fw ctl pstat
- cphaprob -a if
- cpconfig
- fwaccel stat
(Correct)
Answer : fwaccel stat
In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall enforcement.
Options are :
- Hub Mode can be used to bypass stateful inspection
- There is no such mode that can bypass firewall enforcement
- Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic
- Wire mode can be used to bypass stateful inspection
(Correct)
Answer : Wire mode can be used to bypass stateful inspection
Check Point Certified Security Expert Exam Set 7
Check Point Best Practices suggest that when you finish a kernel debug, you should run the command _____________________ .
Options are :
- fw ctl debug default
- fw debug 0
- fw debug off
- fw ctl debug 0
(Correct)
Answer : fw ctl debug 0
Which command displays compression/decompression statistics?
Options are :
- vpn crlview
- vpn ver -k
- vpn compstat
(Correct)
- vpn compreset
Answer : vpn compstat
After disabling SecureXL you ran the command fw monitor to help troubleshoot a VPN issue. In your review you note that you only see pre-inbound traffic (“i”) and no other traffic after this. Which of the following reasons could explain this output?
Options are :
- Routes are set up incorrectly
- You don't have an “encrypt” rule
- You have overlapping encryption domains with the remote site
(Correct)
- Traffic is not destined to the correct MAC address because you failed to set up proxy ARP
Answer : You have overlapping encryption domains with the remote site
156-315.13 Check Point Security Expert R76(GAiA) Exam Set 11
In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an entry that states “Invalid ID”. Which of the following is the most likely cause?
Options are :
- Time is not matching between two members.
- Wrong subnets are being negotiated
(Correct)
- IKEv1 is not supported by the peer.
- The encryption parameters (hash, encryption type, etc.) do not match.
Answer : Wrong subnets are being negotiated
You are having issues with dynamic routing after a failover. The traffic is now coming from the backup and is being dropped as out of state. What is the BEST configuration to avoid stateful inspection dropping your dynamic routing traffic?
Options are :
- Enable Visitor mode.
- Create additional explicit rules.
- In Global Properties select Accept other IP protocols stateful replies for unknown services.
- Implement Wire mode.
(Correct)
Answer : Implement Wire mode.
Which command will you run to list established VPN tunnels?
Options are :
- fw tab -t vpn_active
- fw tab -t vpn_routing
- vpn compstat
- vpn tu
(Correct)
Answer : vpn tu
156-215.70 Check Point Certified Security Administrator Exam Set 1
You are in VPN troubleshooting with a Partner and you suspect a mismatched configuration in the Diffie-Hellman (DH) group for Phase 1. After starting a vpn debug, in which packet would you look to analyze this option in your debug file?
Options are :
- Packet4
- Packet 1
(Correct)
- Packet5
- Packet3
Answer : Packet 1
You want to run a VPN debug that will generate both ike.elg and vpn.elg files. What is the best command that can be used to achieve this goal?
Options are :
- vpn debug trunc
(Correct)
- vpn debug on TDERR_ALL_ALL=5
- vpn debug trunc
- vpn debug ikeon
Answer : vpn debug trunc
When VPN user-based authentication fails, which of the following debug logs is essential to understanding the issue?
Options are :
- fw monitor trace
- VPN-1 kernel debug logs
- IKE.elg
(Correct)
- Vpnd.elg
Answer : IKE.elg
156-315.65 Check Point Security Administration NGX R65 Exam Set 5
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log that states “No proposal chosen”. What is the most likely cause?
Options are :
- A mismatch in the settings between the two peers
(Correct)
- The peer machine is not accepting multicast packets
- There is a time mismatch
- Using IKEv1 when peer uses IKEv2
Answer : A mismatch in the settings between the two peers
You are using an IPv6 environment and find that you need additional access control and want to set up some directional VPN rules. How can you restrict access based on destination?
Options are :
- Directional VPN enforcement feature is not supported for IPv6.
(Correct)
- Set your rule match to “All_gwtogw” and create a new rule.
- Enable Global Properties > Advanced > IPv6 for directional VPN enforcement.
- This can only be done in Traditional Mode VPN.
Answer : Directional VPN enforcement feature is not supported for IPv6.