156-115 Check Point Certified Security Master Practice Exam Set 2

Certain rules will disable connection rate acceleration (templates) in the Rule Base. What command should be used to determine on what rule templates are disabled?


Options are :

  • cpconfig
  • fw ctl pstat
  • cphaprob -a if
  • fwaccel stat (Correct)

Answer : fwaccel stat

When you have your directional VPN enforcement rule set to “Internal_Clear” , what does this represent?


Options are :

  • All interfaces are designated “External”
  • Do not perform directional VPN enforcements on this traffic
  • VOIP traffic
  • All interfaces are designated as “Internal” (Correct)

Answer : All interfaces are designated as “Internal”

You run the commands "fw ctl debug 0" and "fw ctl debug -buf 32000". Which of the following commands would be best to troubleshoot a clustering issue?


Options are :

  • fw ctl zdebug -m cluster + all
  • fw ctl debug -m CLUSTER + conf stat
  • fw ctl debug -m cluster + pnote stat if (Correct)
  • fw ctl kdebug -m CLUSTER all

Answer : fw ctl debug -m cluster + pnote stat if

What debug file would you check to see what IKE version is being used?


Options are :

  • fwpnd.elg
  • vpnd.elg (Correct)
  • vpn.txt
  • debug.txt

Answer : vpnd.elg

Which program could you use to analyze Phase I and Phase II packet exchanges?


Options are :

  • vpnView
  • Check PointView
  • vpndebugView
  • IKEView (Correct)

Answer : IKEView

You run the command fw tab -t connections -s on both members in the cluster. Both members report differing values for "vals" and "peaks". Which may NOT be a reason for this difference?


Options are :

  • Standby member does not synchronize until a failover is needed. (Correct)
  • SGMs in a 61k environment only sync selective parts of the connections table.
  • Heavily used short-lived services have had synchronization disabled for performance improvement.
  • Synchronization is not working between the two members

Answer : Standby member does not synchronize until a failover is needed.

What is the log file that shows the processes that participate in the tunnel initiation stage?


Options are :

  • $FWDIR/log/ikev2.xmll
  • $FWDIR/log/ike.elg
  • $FWDIR/log/vpnd.elg (Correct)
  • $FWDIR/log/ike.xmll

Answer : $FWDIR/log/vpnd.elg

Where can you configure Wire mode?


Options are :

  • In sysconfig
  • In Global properties
  • In CLISH
  • In the gateway object on the “IPSec VPN” > “VPN Advanced” page (Correct)

Answer : In the gateway object on the “IPSec VPN” > “VPN Advanced” page

In the process of troubleshooting traffic issues across a VPN tunnel, you notice on the output of fw monitor -e host(172.21.1.10), accept; that packets are going through the inbound chain (i > I) and then disappearing after the outbound chain (o > __), while you were expecting to see the packet leave on O. What could be causing this issue?


Options are :

  • It's not showing up on the fw monitor because it is exiting the wrong interface.
  • When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor. (Correct)
  • The packet is getting silently dropped because there is no route for the packet.
  • The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.

Answer : When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.

How many sync interfaces are supported on Check Point R77 GAiA?


Options are :

  • 2
  • 3
  • 1 (Correct)
  • 4

Answer : 1

What causes the SIP Early NAT chain module to appear in the chain?


Options are :

  • A VOIP domain is configured.
  • The SIP traffic is trying to pass through the firewall.
  • SIP is configured in IPS.
  • The default SIP service is used in the Rule Base. (Correct)

Answer : The default SIP service is used in the Rule Base.

Which directory below contains the URL Filtering engine update info? Here you can also see the status of the URL Filtering and Application Control updates.


Options are :

  • $FWDIR/update/appi
  • $FWDIR/appi/update (Correct)
  • $FWDIR/urlf/update
  • $FWDIR/appi/urlf

Answer : $FWDIR/appi/update

Which of the following BEST describes the command fw ctl chain function?


Options are :

  • View the inbound and outbound kernel modules and the order in which they are applied. (Correct)
  • View how CoreXL is distributing traffic among the firewall kernel instances.
  • View established connections in the connections table.
  • Determine if VPN Security Associations are being established.

Answer : View the inbound and outbound kernel modules and the order in which they are applied.

John is a Security Administrator of a Check Point platform. He has a mis-configuration issue that points to the Rule Base. To obtain information about the issue, John runs the command:


Options are :

  • fw kdebug fwm on and checks the file fw.elg.
  • fw kdebug fwm on and checks the file fwm.elg.
  • fw debug fw on and checks the file fwm.elg.
  • fw debug fwm on and checks the file fwm.elg. (Correct)

Answer : fw debug fwm on and checks the file fwm.elg.

You are attempting to establish an FTP session between your computer and a remote server, but it is not being completed successfully. You think the issue may be due to IPS. Viewing SmartView Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the gateway?


Options are :

  • Run a fw monitor packet capture on the gateway.
  • Run fw ctl zdebug drop on the gateway. (Correct)
  • Look in SmartView Monitor for that connection to see why it's being dropped.
  • Search the connections table for that connection.

Answer : Run fw ctl zdebug drop on the gateway.

Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?


Options are :

  • Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?
  • fw ctl pstat
  • fwaccel stats misp
  • fw ctl debug -m fw + conn drop packet xlate xltrc nat (Correct)

Answer : fw ctl debug -m fw + conn drop packet xlate xltrc nat

How do you add the route entry for the “Enforcement Point Gateway” on the Management Server?


Options are :

  • Update file $FWDIR/conf/user.def on each peer with a route entry to the enforcement point gateway.
  • Designate this gateway in the VPN community properties.
  • Edit peers' WebUI to add a static route to the “designated enforcement point”.
  • Edit file $FWDIR/conf/vpn_route.conf with a new route entry. (Correct)

Answer : Edit file $FWDIR/conf/vpn_route.conf with a new route entry.

Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?


Options are :

  • Hide NAT does not adjust the source IP
  • Between the “o” and “O” (Correct)
  • Between the “i” and “I”
  • Between the “I” and “o”

Answer : Between the “o” and “O”

The fw tab -t ___________ command displays the NAT table.


Options are :

  • tablist
  • conns
  • loglist
  • fwx_alloc (Correct)

Answer : fwx_alloc

The command that lists the firewall kernel modules on a Security Gateway is:


Options are :

  • fw list modules
  • fw ctl debug -m (Correct)
  • fw ctl kernel chain
  • fw list kernel modules

Answer : fw ctl debug -m

What flag option(s) must be used to dump the complete table in friendly format, assuming there are more than one hundred connections in the table?


Options are :

  • fw tab -t connections -s
  • fw tab -t connections -f
  • fw tab -t connect -f -u (Correct)
  • fw tab -t connections -f -u

Answer : fw tab -t connect -f -u

Which of the following items is NOT part of the columns of the chain modules?


Options are :

  • Function Pointer
  • Chain position
  • Module location
  • Inbound/Outbound chain (Correct)

Answer : Inbound/Outbound chain

Since switching your network to ISP redundancy you find that your outgoing static NAT connections are failing. You use the command _________ to debug the issue.


Options are :

  • fwaccel stats misp
  • fw ctl pstat
  • fw ctl debug -m fw + nat drop (Correct)
  • fw tab -t fwx_alloc -x

Answer : fw ctl debug -m fw + nat drop

What command would you use for a packet capture on an absolute position for TCP streaming (out) 1ffffe0?


Options are :

  • fw monitor -e 0x1ffffe0 -o monitor.out
  • fw monitor -pr 1ffffe0 -o monitor.out
  • fw ctl chain -po 1ffffe0 -o monitor.out
  • fw monitor -po -0x1ffffe0 -o monitor.out (Correct)

Answer : fw monitor -po -0x1ffffe0 -o monitor.out

While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output: ;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed; Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster. What is the most likely cause of this drop?


Options are :

  • An outbound collision due to a Rule Base check, and dropped by incorrectly configuring DHCP in the firewall policy.
  • A link collision due to more than one NAT symbolic link being created for outgoing connections to the DHCP server.
  • A link collision due to more than one NAT symbolic link being created for connections returning from the DHCP server back to the VIP of the Cluster. (Correct)
  • An inbound collision due to a connections table check on pre-existing connections.

Answer : A link collision due to more than one NAT symbolic link being created for connections returning from the DHCP server back to the VIP of the Cluster.

In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule what step needs to be completed?


Options are :

  • No further actions are required.
  • Edit or create the file local.arp. (Correct)
  • Edit the file netconf.conf.
  • Edit or create the file discntd.if.

Answer : Edit or create the file local.arp.

How do you set up Port Address Translation?


Options are :

  • Create a manual NAT rule and specify the source and destination ports. (Correct)
  • Since Hide NAT changes to random high ports it is by definition PAT (Port Address Translation).
  • Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.
  • Port Address Translation is not supported in a Check Point environment.

Answer : Create a manual NAT rule and specify the source and destination ports.

The command fw monitor -p all displays what type of information?


Options are :

  • It captures all points of the chain as the packet goes through the firewall kernel. (Correct)
  • The -p is used to resolve MAC address in the firewall capture.
  • It does a firewall monitor capture on all interfaces.
  • This is not a valid command.

Answer : It captures all points of the chain as the packet goes through the firewall kernel.

How does the “Directional Enforcement” rule manage subsequent packet inspection?


Options are :

  • “Directional Enforcement” is applied to all packets in the connection.
  • “Directional Enforcement” is only applied to the first packet of the connection, including packets in the opposite direction. (Correct)
  • “Directional Enforcement” applies only to the first packet of the connection, but does not include the packets in the opposite direction.
  • “Directional Enforcement” is considered trusted traffic and therefore is not inspected

Answer : “Directional Enforcement” is only applied to the first packet of the connection, including packets in the opposite direction.

Which commands will properly set the debug level to maximum and then run a policy install in debug mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?


Options are :

  • setenv TDERROR_ALL_ALL=5 fwm -d load Standard A-GW
  • export TDERROR_ALL_ALL=5 fwm -d load A-GW Standard
  • setenv TDERROR_ALL_ALL=5 fwm -d load A-GW Standard
  • export TDERROR_ALL_ALL=5 fwm -d load Standard A-GW (Correct)

Answer : export TDERROR_ALL_ALL=5 fwm -d load Standard A-GW
