156-115 Check Point Certified Security Master Practice Exam Set 3

Which process should you debug when SmartDashboard authentication is rejected?


Options are :

  • fwm (Correct)
  • cpd
  • DAService
  • fwd

Answer : fwm

Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?


Options are :

  • Static NAT does not adjust the destination IP
  • Between the “i” and “I” (Correct)
  • Between the “I” and “o”
  • Between the “o” and “O”

Answer : Between the “i” and “I”

Server A is subject to automatic static NAT and also resides on a network which is subject to automatic Hide NAT. With regard to address translation, what will happen when Server A initiates outbound communication?


Options are :

  • This is called hairpin NAT, the traffic will return to the server.
  • The Hide NAT will take precedence.
  • The static NAT will take precedence. (Correct)
  • This will cause a policy verification error.

Answer : The static NAT will take precedence.

You are running a debugging session and you have set the debug environment to TDERROR_ALL_ALL=5 using the command export TDERROR_ALL_ALL=5. How do you return the debug value to defaults?


Options are :

  • fw debug 0x1ffffe0
  • unset TDERROR_ALL_ALL (Correct)
  • export TDERROR_ALL_ALL
  • fw ctl debug 0x1ffffe0

Answer : unset TDERROR_ALL_ALL

What is the limit to the number of VPN directions that can be configured in a single rule?


Options are :

  • After configuring ten you must use a standard bi-directional condition.
  • It is limited to the number of communities that exist in your dashboard.
  • You may only configure one direction per rule.
  • There is no limit. (Correct)

Answer : There is no limit.

True or False: Software blades perform their inspection primarily through the kernel chain modules.


Options are :

  • True. Most software blades are inspected by the TCP streaming or Passive Streaming chain module.
  • False. Software blades do not pass through the chain modules.
  • True. All software blades are inspected by the IP Options chain module.
  • True. Many software blades have their own dedicated kernel chain module for inspection. (Correct)

Answer : True. Many software blades have their own dedicated kernel chain module for inspection.

You are troubleshooting a Security Gateway, attempting to determine which chain is causing a problem. What command would you use to show all the chains through which traffic passed?


Options are :

  • [Expert@HostName]# fw ctl debug -m
  • [Expert@HostName]# fw ctl zdebug all
  • [Expert@HostName]# fw ctl chain
  • [Expert@HostName]# fw monitor -e "accept;" -p all (Correct)

Answer : [Expert@HostName]# fw monitor -e "accept;" -p all

The command _____________ shows which firewall chain modules are active on a gateway.


Options are :

  • fw ctl chain (Correct)
  • fw ctl debug
  • fw ctl multik stat
  • fw stat

Answer : fw ctl chain

What command would give you a summary of all the tables available to the firewall kernel?


Options are :

  • fw tab -o
  • fw tab -h
  • fw tab -s (Correct)
  • fw tab

Answer : fw tab -s

When finished running a debug on the Management Server using the command fw debug fwm on, how do you turn this debug off?


Options are :

  • fw debug fwm off (Correct)
  • fwm debug off
  • fw ctl debug off
  • fw debug off

Answer : fw debug fwm off

When performing a fwm debug, to which directory are the logs written?


Options are :

  • $FWDIR/log/fwm.elg (Correct)
  • $CPDIR/log/fwm.elg
  • $FWDIR/log
  • $FWDIR/conf/fwm.elg

Answer : $FWDIR/log/fwm.elg

For URL Filtering in the Cloud in R75 and above, what table is used to contain the URL Filtering cache values?


Options are :

  • url_scheme_tab
  • urlf_blade_on_gw
  • urlf_cache_tbl
  • urlf_cache_table (Correct)

Answer : urlf_cache_table

What command would you use to view which debugs are set in your current working environment?


Options are :

  • “env” and “fw ctl debug” (Correct)
  • “fw ctl debug all”
  • “cat /proc/etc”
  • “export”

Answer : “env” and “fw ctl debug”

What does the IP Options Strip represent under the fw chain output?


Options are :

  • IP Options Strip is not a valid fw chain output.
  • The IP Options Strip removes the IP header of the packet prior to being passed to the other kernel functions. (Correct)
  • The IP Options Strip copies the header details to forward the details for further IPS inspections.
  • IP Options Strip is only used when VPN is involved.

Answer : The IP Options Strip removes the IP header of the packet prior to being passed to the other kernel functions.

When you perform an install database, the status window is filled with large amounts of text. What could be the cause?


Options are :

  • There is an active fw monitor running.
  • There is an active debug on the SmartConsole.
  • There is an environment variable of TDERROR_ALL_ALL set on the gateway.
  • There is an active debug on the FWM process. (Correct)

Answer : There is an active debug on the FWM process.

You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify a connection is correctly translated to its NAT address. What flags should you use for the kernel debug?


Options are :

  • fw ctl debug -m nat + conn drop nat xlate xltrc
  • fw ctl debug -m nat + conn drop fw xlate xltrc
  • fw ctl debug -m fw + conn drop ld
  • fw ctl debug -m fw + conn drop nat vm xlate xltrc (Correct)

Answer : fw ctl debug -m fw + conn drop nat vm xlate xltrc

When troubleshooting and trying to understand which chain is causing a problem on the Security Gateway, you should use the command:


Options are :

  • fw ctl chain
  • fw monitor -e "accept;" -p all (Correct)
  • fw tab -t connections
  • fw ctl zdebug drop

Answer : fw monitor -e "accept;" -p all

When using the command fw monitor, what command ensures the capture is accurate?


Options are :

  • fw accel off
  • export TDERROR_ALL_ALL=5
  • fwaccel on
  • fwaccel off (Correct)

Answer : fwaccel off

The command fw ctl kdebug <params> is used to:


Options are :

  • list enabled debug parameters.
  • read the kernel debug buffer to obtain debug messages. (Correct)
  • enable kernel debugging.
  • select specific kernel modules for debugging.

Answer : read the kernel debug buffer to obtain debug messages.

Which flag in the fw monitor command is used to print the position of the kernel chain?


Options are :

  • #NAME?
  • -c
  • #NAME?
  • #NAME? (Correct)

Answer : #NAME?

What would be considered Best Practice to determine which IPS protections you can safely disable for your environment?


Options are :

  • You should set all protections to “Detect”.
  • Work through turning on each protection to see which signatures get alerts.
  • You should not disable any IPS protections.
  • You should use vulnerability tools to perform an assessment of your environment. (Correct)

Answer : You should use vulnerability tools to perform an assessment of your environment.

You have configured IPS on your network; you find you are being overwhelmed with what you believe are false positives. You investigated this traffic and confirmed they are false positives. What can you do to stop these IPS alerts?


Options are :

  • Use a SAM rule to categorize this traffic
  • Right click the alert and “ignore”
  • Add an exception for this traffic under the IPS protection (Correct)
  • Disable the IPS protection for this network

Answer : Add an exception for this traffic under the IPS protection

SNORT is a popular open source IDS. You would like to import SNORT rules from plain text into Check Point Smart Center. How can you accomplish this?


Options are :

  • Check Point does not support third party signatures.
  • From the command line, run: ips_export_import import -f [-p ].
  • IPS profiles must be manually configured on each gateway.
  • Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option. (Correct)

Answer : Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option.

Of the following, which is NOT a kernel parameter relating to the IPS “Bypass Under Load” settings:


Options are :

  • ids_limit_stress (Correct)
  • ids_tolerance_no_stress
  • ids_assume_stress
  • ids_timeout

Answer : ids_limit_stress

Which of the following CANNOT be used as a source/destination for an IPS network exception?


Options are :

  • Identity Awareness Access Role (Correct)
  • Any
  • IP Address
  • Network Group

Answer : Identity Awareness Access Role

In IPS what does a high confidence rating mean?


Options are :

  • This is a rating for how confident Check Point is with catching this attack
  • This is a rating for how likely this attack is to penetrate most systems
  • There is a low likelihood of false positives (Correct)
  • There is a high likelihood of false positives

Answer : There is a low likelihood of false positives

Jerry is a network administrator for ACME Co. Their network contains 5 gateways all managed by a single Management Server. They are currently receiving an exorbitant amount of false positives for traffic traversing their network. Based on this information, what factor do you think is contributing most to the high amount of false positives Jerry is receiving?


Options are :

  • She has created a dedicated IPS profile for each Security Gateway
  • She has enabled protections based on the network devices and requirements
  • She has set protections to run in “Detect” mode
  • She is performing IPS inspection on all traffic (Correct)

Answer : She is performing IPS inspection on all traffic

“Tuning” IPS protections to suit the specific needs of an environment can be accomplished by all of the following EXCEPT:


Options are :

  • Focusing on low performance impact protections.
  • Focusing on low capacity protections. (Correct)
  • Focusing on high severity protections.
  • Focusing on high confidence level protections.

Answer : Focusing on low capacity protections.

When using Geo Protections, you find there are logs for a country that you believe is incorrect. What file do you review to verify what country Geo Protections should identify the traffic as?


Options are :

  • IpToCountry.csv (Correct)
  • objects.C
  • asm.C
  • objects_5_0.C

Answer : IpToCountry.csv

You are at a customer site, and when you run cphaprob stat you are not seeing a normal ClusterXL Health. What command could you run to verify the number of cores are not matched on both cluster members?


Options are :

  • cpconfig
  • cphaprob stat
  • cphaprob -a if
  • fw ctl multik stat (Correct)

Answer : fw ctl multik stat
