156-115 Check Point Certified Security Master Practice Test Set 1

In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP you should?


Options are :

  • Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.
  • Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.
  • Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy. (Correct)
  • Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };

Answer : Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.

156-315.77 Check Point Certified Security Expert Exam Set 9

Using the default values in R77 how many kernel instances will there be on a 16-core gateway?


Options are :

  • 14 (Correct)
  • 12
  • 8
  • 16

Answer : 14

Which command should you run to debug the VPN-1 kernel module?


Options are :

  • fw ctl debug -m VPN all (Correct)
  • fw debug vpn on
  • vpn debug on TDERROR_ALL_ALL=5
  • fw ctl zdebug crypt kbuf

Answer : fw ctl debug -m VPN all

What is the log file that shows the processes that participate in the tunnel initiation stage?


Options are :

  • $FWDIR/log/ike.xmll
  • $FWDIR/log/vpnd.elg (Correct)
  • $FWDIR/log/ike.elg
  • $FWDIR/log/ikev2.xmll

Answer : $FWDIR/log/vpnd.elg

156-315.71 Check Point Security Expert R71 Practical Exam Set 8

You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states "Clear text packet should be encrypted". Which of the following would be the best troubleshooting step?


Options are :

  • Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.
  • Your phase one algorithms are mismatched between gateways.
  • This is management traffic and we need to enable implied rule to address this issue.
  • Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text. (Correct)

Answer : Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.

Of the following answer choices, which best describes a possible effect of expanding the
connections table?


Options are :

  • Increased memory consumption (Correct)
  • Decreased memory consumption
  • Increased connection duration
  • Decreased connection duration

Answer : Increased memory consumption

Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one
would expect for this behaviour?


Options are :

  • One cluster member is configured for 32 bit and the other is configured for 64 bit
  • Firewall policy has not yet been installed to the firewall
  • CoreXL is configured differently on the two machines
  • The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded (Correct)

Answer : The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded

156-315.77 Check Point Certified Security Expert Exam Set 2

You run the command fw tab -t connections -s on both members in the cluster. Both members
report differing values for "vals" and "peaks". Which may NOT be a reason for this difference?


Options are :

  • Synchronization is not working between the two members
  • Heavily used short-lived services have had synchronization disabled for performance improvement.
  • Standby member does not synchronize until a failover is needed. (Correct)
  • SGMs in a 61k environment only sync selective parts of the connections table.

Answer : Standby member does not synchronize until a failover is needed.

What is the log file that shows the keep alive packets during the debug process?


Options are :

  • $FWDIR/log/ike.xmll
  • $FWDIR/log/vpnd.elg
  • $FWDIR/log/ikev2.xmll
  • $FWDIR/log/ike.elg (Correct)

Answer : $FWDIR/log/ike.elg

You run the commands:
fw ctl debug 0
fw ctl debug -buf 32000
Which of the following commands would be best to troubleshoot a clustering issue?


Options are :

  • fw ctl kdebug -m CLUSTER all
  • fw ctl zdebug -m cluster + all
  • fw ctl debug -m CLUSTER + conf stat
  • fw ctl debug -m cluster + pnote stat if (Correct)

Answer : fw ctl debug -m cluster + pnote stat if

156-315.13 Check Point Security Expert R76 (GAiA) Exam Set 1

What is the function of the setting "no_hide_services_ports" in the tables.def files?


Options are :

  • Preventing outbound traffic from being hidden behind the cluster IP address.
  • Allowing management traffic to be accepted in an applied rule ahead of the stealth rule
  • Preventing the secondary member from hiding its presence by not forwarding any packets.
  • Hiding the particular tables from being synchronized to the other cluster member. (Correct)

Answer : Hiding the particular tables from being synchronized to the other cluster member.

Your customer receives an alert from their network operation center: they are seeing ARP and ping scans of their network originating from the firewall. What could be the reason for the behaviour?


Options are :

  • IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to originate from the firewall.
  • Check Point firewalls probe adjacent networking devices during normal operation.
  • Check Point's Antibot blade performs anti-bot scans of the surrounding network.
  • One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface. (Correct)

Answer : One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.

In IKEView, while troubleshooting a VPN issue between your gateway and a partner site, you see an entry that states "Invalid ID". Which of the following is the most likely cause?


Options are :

  • IKEv1 is not supported by the peer.
  • The encryption parameters (hash, encryption type, etc.) do not match.
  • Wrong subnets are being negotiated. (Correct)
  • Time is not matching between two members.

Answer : Wrong subnets are being negotiated.

Check Point Certified Security Expert Exam Set 12

How many sync interfaces are supported on Check Point R77 GAiA?


Options are :

  • 2
  • 1 (Correct)
  • 3
  • 4

Answer : 1

Which command would a troubleshooter use to verify table connection info (peak, concurrent) and
verify information about cluster synchronization state?


Options are :

  • fw tab -t connections -s
  • Show info all (Correct)
  • fw ctl pstat
  • fw ctl multik stat

Answer : Show info all

Each connection allowed by a Security Gateway, will have a real entry and some symbolic link
entries in the connections state table. The symbolic link entries point back to the real entry using
this:


Options are :

  • memory pointer.
  • 6-tuple. (Correct)
  • serial number of the real entry.
  • date and time of the connection establishment

Answer : 6-tuple.

156-315.77 Check Point Certified Security Expert Exam Set 4


You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to "Encryption failure: no response from peer". After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?


Options are :

  • $FWDIR/log/fwd.elg
  • /var/log/fw_debug.txt
  • $FWDIR/log/ike.elg (Correct)
  • $FWDIR/log/fw.log

Answer : $FWDIR/log/ike.elg

What file contains IKEv2 debug messages?


Options are :

  • $FWDIR/log/ike.xml
  • $FWDIR/log/ike.elg
  • $FWDIR/log/ikev2 (Correct)
  • $FWDIR/log/vpnd.elg

Answer : $FWDIR/log/ikev2

Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70
and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains.
However, it was found that the change was not applied to the R70 firewalls. What could be the
problem?


Options are :

  • To support R70, the file in the compatibility directory should have been modified (Correct)
  • R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.
  • In order to make changes on R70 machines you need work within GuiDBedit
  • Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to upgrade the firewalls to the same version as the firewall.

Answer : To support R70, the file in the compatibility directory should have been modified

Check Point Certified Security Expert Exam Set 8

Which command displays compression/decompression statistics?


Options are :

  • vpn compstat (Correct)
  • vpn ver -k
  • vpn crlview
  • vpn compreset

Answer : vpn compstat

Which program could you use to analyze Phase I and Phase II packet exchanges?


Options are :

  • Check PointView
  • vpnView
  • IKEView (Correct)
  • vpndebugView

Answer : IKEView

You are experiencing an issue where Endpoint Connect client connects successfully however, it
disconnects every 20 seconds. What is the most likely cause of this issue?


Options are :

  • The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules. (Correct)
  • You have selected IKEv2 only in Global Properties > Remote Access > VPN Authentication and Encryption.
  • Your remote access community is not configured
  • You are not licensed for Endpoint Connect client.

Answer : The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.

156-215.77 Check Point Certified Security Administrator Test Set 3

You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best
command that can be used to achieve this goal?


Options are :

  • vpn debug ikeon
  • vpn debug truncf (Correct)
  • vpn debug on TDERR_ALL_ALL=5
  • vpn debug trunc

Answer : vpn debug truncf

Which definition best describes the file table.def function? It is a placeholder for:


Options are :

  • definitions of various kernel tables for Security Gateways. (Correct)
  • user defined implied rules for Security Gateways.
  • definitions of various kernel tables for Management Servers.
  • user defined implied rules for Management Servers

Answer : definitions of various kernel tables for Security Gateways.

Which command clears all the connection table entries on a Security Gateway?


Options are :

  • fw tab -t connections -x (Correct)
  • fw tab -t connetion -s
  • fw tab -t connetion -u
  • fw ctl tab -t connetions -u

Answer : fw tab -t connections -x

156-315.77 Check Point Certified Security Expert Exam Set 7


Which command can be used to see all active modules on the Security Gateway:


Options are :

  • fw ctl debug -m
  • fw ctl zdebug drop
  • fw ctl debug -h
  • fw ctl chain (Correct)

Answer : fw ctl chain

Check Point Best Practices suggest that when you finish a kernel debug, you should run the
command _____________________ .


Options are :

  • fw ctl debug 0 (Correct)
  • fw debug 0
  • fw debug off
  • fw ctl debug default

Answer : fw ctl debug 0

Which of the following commands shows the high watermark threshold for triggering the cluster
under load mechanism in R77?


Options are :

  • fw ctl get int fwha_cul_member_cpu_load_limit (Correct)
  • fw ctl get int fwha_cul_mechanism_enable
  • fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec
  • fw ctl get int fwha_cul_cluster_short_timeout

Answer : fw ctl get int fwha_cul_member_cpu_load_limit

Check Point Certified Security Expert Exam Set 2

Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a
gateway in the cluster is being spoofed?


Options are :

  • The source MAC address of the packet
  • The source IP of the packet.
  • The packet has a TTL value of less than 255. (Correct)
  • The destination IP of the packet.

Answer : The packet has a TTL value of less than 255.

After creating and pushing out a new policy, Joe finds that an old connection is still being allowed that should have been closed after his changes. He wants to delete the connection on the gateway, and looks it up with fw tab -t connections -u. Joe finds the connection he is looking for. What command should Joe use to remove this connection?

<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,0,0,0,0,0,0,0,0,0,0,0,0,0,0>


Options are :

  • None
  • fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011" (Correct)
  • fw tab -t connections -x -d 0,a128c22,89,0a158508,89,11"
  • fw tab -t connections -x -d 00000000,a128c22,00000089,0a158508,00000089,00000011
  • fw tab -t connections -x -e 0,a128c22,89,0a158508,89,11"

Answer : fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011"
