When troubleshooting a performance problem on a multicore firewall that is using CoreXL, what command checks the number of connections each core is processing?
Options are :
- fw ctl multik stat
(Correct)
- sim affinity -l
- cat fwkern.conf
- fw CTL pstat
Answer : fw ctl multik stat
What is the difference between “connection establishment acceleration” (templating) and “traffic acceleration”?
Options are :
- “Connection establishment acceleration” only accelerates a single connection, while “traffic acceleration” accelerates similar traffic.
- “Traffic acceleration” only accelerates a single connection, while “connection establishment acceleration” accelerates similar traffic.
(Correct)
- These are the same technologies with different names.
- “Traffic acceleration” is accelerated through hardware, and “connection establishment acceleration” is accelerated in software.
Answer : “Traffic acceleration” only accelerates a single connection, while “connection establishment acceleration” accelerates similar traffic.
Why would you not see a CoreXL configuration option in cpconfig?
Options are :
- CoreXL is not licensed.
- CoreXL is not enabled in the gateway object.
- The gateway only has one processor core.
(Correct)
- CoreXL is disabled via policy.
Answer : The gateway only has one processor core.
Which command will allow you to change firewall affinity and survive a reboot with no further modification?
Options are :
- fw affinity -l
- sim affinity -s
(Correct)
- sim affinity -l
- fw ctl affinity -s
Answer : sim affinity -s
How does the Check Point Security Administrator enable NAT Templates?
Options are :
- Set Firewall object > NAT > Advanced
- Run commands with syntax fw ctl set int cphwd_nat_templates_support 1 and fw ctl set int cphwd_nat_templates_enabled 1
- Set Global properties > NAT-Network address translation
- Edit file $FWDIR/boot/modules/fwkern.conf with the lines “cphwd_nat_templates_support=1” and “cphwd_nat_templates_enabled=1”.
(Correct)
Answer : Edit file $FWDIR/boot/modules/fwkern.conf with the lines “cphwd_nat_templates_support=1” and “cphwd_nat_templates_enabled=1”.
To check what is currently set in the Firewall kernel debug, input the command:
Options are :
- fw ctl debug -x
- fw ctl debug
(Correct)
- fw ctl pstat
- fw ctl multistate
Answer : fw ctl debug
You want to verify that the majority of your connections are being optimized by SecureXL. What command would you run to establish this information?
Options are :
- sim_dbg -s
- fwaccel conns -s
(Correct)
- fw tab -t connections -s
- fw ctl pstat
Answer : fwaccel conns -s
Which command displays FireWall internal statistics about memory and traffic?
Options are :
- cpstat os -f memory
- fw getifs
- cpstat os -f cpu
- fw ctl pstat
(Correct)
Answer : fw ctl pstat
ACME Corp has a cluster consisting of two 13500 appliances. As the Firewall Administrator, you notice that on an output of top, you are seeing high CPU usage of the cores assigned as SNDs, but low CPU usage on cores assigned to individual fw_worker_X processes. What command should you run next to performance tune your cluster?
Options are :
- fw ctl debug -m cluster + all – this will show you all the connections being processed by ClusterXL and explain the high CPU usage on your appliance.
- fw tab -t connections -s – this will show you a summary of your connections table, and allow you to determine whether there is too much traffic traversing your firewall.
- fwaccel stats -s – this will show you the acceleration profile of your connections and potentially why your SNDs are running high while other cores are running low.
(Correct)
- fwaccel off – this will turn off SecureXL, which is causing your SNDs to be running high in the first place
Answer : fwaccel stats -s – this will show you the acceleration profile of your connections and potentially why your SNDs are running high while other cores are running low.
From a Best Practices perspective, what percentage of your packets should be accelerated?
Options are :
- 75%
- 65%
- 90%
(Correct)
- 100%
Answer : 90%
How would you determine the value of 'Maximum concurrent connections' of the NAT Table?
Options are :
- fwx_max_conns
- fwx_auth
- fwx_alloc
(Correct)
- objects_5_0.C
Answer : fwx_alloc
What is one way to check cluster status on two gateways running in HA mode?
Options are :
- cphaprob stat
(Correct)
- show cluster
- show cluster ha status
- cp ha prob stat
Answer : cphaprob stat
In a ClusterXL cluster with delayed synchronization, which of the following is not true?
Options are :
- The length of time for the delay can be edited.
(Correct)
- Delayed Synchronization is performed only for connections matching a SecureXL Connection
- Delayed Synchronization is disabled if the Track option in the rule is set to Log or Account.
- It applies only to TCP services whose Protocol Type is set to HTTP or None.
Answer : The length of time for the delay can be edited.
What command displays the Connections Table for a specified CoreXL firewall instance?
Options are :
- fw tab -t connection | grep fw
- fw tab -t connections -s
- fw tab -t connections
- fw -i FW_INSTANCE_ID tab -t connections [flags]
(Correct)
Answer : fw -i FW_INSTANCE_ID tab -t connections [flags]
What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and cphwd_nat_templates_support?
Options are :
- This would enable SecureXL NAT templates.
(Correct)
- These parameters are mutually exclusive and cannot be used at the same time.
- These are not valid parameters.
- This would enable Hide NAT support.
Answer : This would enable SecureXL NAT templates.
A firewall has 8 CPU cores and the correct license. CoreXL is enabled. How could you set kernel instance #3 to run on processing core #5?
Options are :
- fw ctl affinity -s -k 3 5
(Correct)
- Edit the file fwaffinity.conf and add the line “k3 cpuid 5”
- Run fwaffinity_apply -t 3 -k 5 and then check that the settings have taken effect with the command fw ctl multik stat.
- This is not possible. CoreXL is best left to manage the Kernel to CPU core mappings. It is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core when mapping Kernel instances to CPU cores.
Answer : fw ctl affinity -s -k 3 5
CoreXL on IPSO R77.20 does NOT support which of the following features?
Options are :
- Overlapping NAT
- Check Point QoS
(Correct)
- IPv6
- Route-based VPN
Answer : Check Point QoS
What command verifies which core each gateway interface and firewall instance is currently running on?
Options are :
- show corexl stat
- fw ctl pstat
- fw ctl affinity -l
(Correct)
- fw accel stat
Answer : fw ctl affinity -l
Misha is working on a stand-by firewall and deletes the connections table in error. He finds that now the table is out of sync with the Active member. To get them completely synced again, Misha should run the command pair ____________ and __________ .
Options are :
- fw ctl setsync stop, fw ctl setsync on
- fw ctl sync stop, fw ctl sync start
- fw ctl setsync off, fw ctl setsync on
- fw ctl setsync off, fw ctl setsync start
(Correct)
Answer : fw ctl setsync off, fw ctl setsync start
What type of connections cannot be templated?
Options are :
- Complex connections such as FTP, H323, SQL, etc.
(Correct)
- UDP because it is not connection oriented
- Any connections that contain Hide NAT
- TCP
Answer : Complex connections such as FTP, H323, SQL, etc.
Jane wants to create a VPN using OSPF. Which VPN configuration would you recommend she use?
Options are :
- Site-to-site VPN
- Domain-based VPN
- Route-based VPN
(Correct)
- Remote-access VPN
Answer : Route-based VPN
Where would you go to adjust the number of Kernels in CoreXL?
Options are :
- Cpconfig
(Correct)
- fw ctl multik stat
- fw ctl affinity
- fw ctl conf
Answer : Cpconfig
Which routing protocols are not supported with GAIA OS running VTIs?
Options are :
- Static routes
- BGP
- OSPF
- RIPv1; RIPv2
(Correct)
Answer : RIPv1; RIPv2
You are finding that some users are complaining about slow connection speed. You would like to review a summary of your connections, including which connections are accelerated and those that are not. What command could you use?
Options are :
- fw ctl pstat
- fw tab -t connections -s
- fwaccel stats -s
(Correct)
- fwaccel perf
Answer : fwaccel stats -s
What is the best way to see how a firewall is performing while processing packets in the firewall path, including resource usage?
Options are :
- fw getperf
- fwaccel stats
- fw ctl pstat
(Correct)
- SecureXL stat
Answer : fw ctl pstat
When a cluster member is completely powered down, how will the other member identify if there is network connectivity?
Options are :
- The working member will look for replies to traffic sent from internal hosts.
- The working member will Ping IPs in the subnet until it gets a response.
(Correct)
- The working member will ARP for the default gateway.
- The working member will automatically assume connectivity.
Answer : The working member will Ping IPs in the subnet until it gets a response.
Which command will NOT display information related to memory usage?
Options are :
- free
- memoryinfo.conf
(Correct)
- fw ctl pstat
- cat /proc/meminfo
Answer : memoryinfo.conf
You have a requirement to implement a strict security policy. With this in mind, you must create a stealth rule. How will this impact your packet acceleration?
Options are :
- NAT templates will not work.
- There will be no impact, since stealth rules do not affect SecureXL.
(Correct)
- Using a stealth rule disables SecureXL.
- There will be no impact as long as the rule is not logged.
Answer : There will be no impact, since stealth rules do not affect SecureXL.
What is the command to check how many connections the firewall has detected for the SecureXL device?
Options are :
- fw tab -t connections -s
- fw tab -t cphwd_db -s
(Correct)
- fw tab -t connection -s | grep template
- fwaccel conns
Answer : fw tab -t cphwd_db -s
What do the 'F' flags mean in the output of fwaccel conns?
Options are :
- Fast path packets
- Flag set for debug
- Forward to firewall
(Correct)
- Flow established
Answer : Forward to firewall