156-115 Check Point Certified Security Master Practice Test Set 2

How do you clear the connections table?


Options are :

  • In Gateway Properties > Optimizations click Clear connections table
  • Run the command fw tab -t connections -c
  • Run the command fw tab -t conns -c
  • Run the command fw tab -t connections -x

Answer : Run the command fw tab -t connections -x

156-115 Check Point Certified Security Master Practice Test Set 3

Which of the following is NOT a cphaprob status?


Options are :

  • “Down Attention” (or “Down!” in VSX mode)
  • “Standby”
  • “Active”
  • “Backup”

Answer : “Down Attention” (or “Down!” in VSX mode)

While troubleshooting a VPN issue between your gateway and a partner site, you see an entry in
SmartView Tracker that states “Info: encryption failure: Different community ID: possible NAT
problem”. Which of the following is the most likely cause?


Options are :

  • You have an encryption method mismatch.
  • You have not created a specific rule allowing VPN traffic.
  • You have the wrong encryption domains configured
  • Implied rules in global properties such as ICMP and DNS are set to first instead of before last.

Answer : Implied rules in global properties such as ICMP and DNS are set to first instead of before last.

From the output of the following cphaprob -i list, what is the most likely cause of the clustering
issue?
Cluster B> cphaprob -i list
Built-in Devices:
Device Name: Interface Active Check Current state: OK
Device Name: HA Initialization Current state: OK
Device Name: Recovery Delay Current state: OK
Registered Devices:
Device Name: Synchronization Registration number: 0 Timeout: none Current state: OK Time since last report: 3651.5 sec
Device Name: Filter Registration number: 1 Timeout: none Current state: problem Time since last report: 139 sec
Device Name: routed Registration number: 2 Timeout: none Current state: OK Time since last report: 3651.9 sec
Device Name: cphad Registration number: 3 Timeout: none Current state: OK Time since last report: 3696.5 sec
Device Name: fwd Registration number: 4 Timeout: none Current state: OK Time since last report: 3696.5 sec


Options are :

  • There is a sync network issue between Cluster A and Cluster B
  • There is an interface down on Cluster A
  • Cluster B and Cluster A have different versions of policy installed.
  • The routing table on Cluster B is different from Cluster A

Answer : Cluster B and Cluster A have different versions of policy installed.

156-115 Check Point Certified Security Master Practice Test Set 4

What debug file would you check to see what IKE version is being used?


Options are :

  • fwpnd.elg
  • vpnd.elg
  • debug.txt
  • vpn.txt

Answer : vpnd.elg

Which command will you run to list established VPN tunnels?


Options are :

  • fw tab -t vpn_routing
  • vpn compstat
  • fw tab -t vpn_active
  • vpn tu

Answer : vpn tu

What mechanism solves asymmetric routing issues in a load sharing cluster?


Options are :

  • Flush and ACK
  • SYN Defender
  • Stateful Inspection
  • State Synchronization

Answer : Flush and ACK

156-115 Check Point Certified Security Master Practice Test Set 5

The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is
this file located?


Options are :

  • /var/log/opt/CPsuite-R77/fg1/log
  • /opt/CPsuite-R77/fw1/log
  • /opt/CPsuite-R77/fg1/log
  • /opt/CPshrd-R77/log

Answer : /opt/CPsuite-R77/fw1/log

You are troubleshooting a VPN with a partner and you suspect a Diffie-Hellman (DH) group
configuration mismatch in Phase 1. After starting a vpn debug, in which packet would you look to
analyze this option in your debug file?


Options are :

  • Packet3
  • Packet5
  • Packet4
  • Packet1

Answer : Packet1

Your customer reports that the time on the standby cluster member is not correct. After failing
over and making it active, the time is now correct. NTP has been configured on both machines, so
it is expected that both machines be in sync with the NTP server. Upon investigating, it was found
that the standby member was never able to communicate with the NTP server while it was in
standby configuration. What could be the problem?


Options are :

  • Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP updates
  • You should be syncing your backup to the primary for time settings.
  • Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.
  • NTP is not supported in active-passive mode.

Answer : Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.

156-115 Check Point Certified Security Master Practice Test Set 6

What are the kernel parameters that control “Magic MACs”?


Options are :

  • cpha_mac_magic and cp_mac_forward_magic
  • cpha_magic_mac and cpha_mac_forward_magic
  • fwha_mac_magic and fw_mac_forward_magic
  • fwha_magic_mac and fw_forward_magic_mac

Answer : fwha_mac_magic and fw_mac_forward_magic

When you have edited the local.arp configuration, to support a manual NAT, what must be done to
ensure proxy arps for both manual and automatic NAT rules function?


Options are :

  • In Global Properties > NAT tree select Translate on client side check box
  • Run the command fw ctl ARP -a on the gateway
  • In Global Properties > NAT tree select Merge manual proxy ARP configuration check box
  • Create and run a script to forward changes to the local.arp tables of your gateway

Answer : In Global Properties > NAT tree select Merge manual proxy ARP configuration check box

How can you see a dropped connection and the cause from the kernel?


Options are :

  • fw ctl zdebug drop
  • fw ctl debug drop on
  • fw zdebug drop
  • fw debug drop on

Answer : fw ctl zdebug drop

156-115 Check Point Certified Security Master Practice Test Set 7

What would be a reason to use the command cphaosu stat?


Options are :

  • To see the policy install dates on each of the members in the cluster.
  • This is not a valid command.
  • To determine the number of connections from OPSEC software using Open Source Licenses.
  • To decide when to fail over traffic to a new cluster member.

Answer : To decide when to fail over traffic to a new cluster member.

In a VPN configuration, the following mode can be used to increase throughput by bypassing
firewall enforcement.


Options are :

  • Wire mode can be used to bypass stateful inspection
  • Hub Mode can be used to bypass stateful inspection
  • There is no such mode that can bypass firewall enforcement
  • Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic

Answer : Wire mode can be used to bypass stateful inspection

In some situations, switches may not play nicely with a Check Point Cluster and it is necessary to
change from multicast to broadcast. What command should you invoke to correct the issue?


Options are :

  • This can only be changed via GuiDbEdit.
  • set ccp broadcast
  • cphaconf set_ccp broadcast
  • cpha_conf set ccp broadcast

Answer : cphaconf set_ccp broadcast

156-115 Check Point Certified Security Master Practice Test Set 8

Which is NOT a valid upgrade method in an R77 GAiA ClusterXL deployment?


Options are :

  • Full Connectivity Upgrade
  • Minimal Effort Upgrade
  • Automatic Incremental Upgrade
  • Optimal Service Upgrade

Answer : Automatic Incremental Upgrade

What would be a reason for changing the “Magic MAC”?


Options are :

  • To allow for automatic upgrades.
  • To allow two or more clusters to exist on the same network.
  • To allow two or more cluster members to exist on the same network.
  • To allow the two cluster members to use the same virtual IP address.

Answer : To allow two or more clusters to exist on the same network.

Adam wants to find idle connections on his gateway. Which command would be best suited for
viewing the connections table?


Options are :

  • fw tab -t connections -u -f
  • fw tab -t connections -s
  • fw tab -t connections
  • fw tab -t connections -x

Answer : fw tab -t connections -u -f

156-215.13 Check Point Certified Security Administrator Exam Set 1

When viewing connections using the command fw tab -t connections, all entries are displayed with
a 6-tuple key, the elements of the 6-tuple include the following EXCEPT:


Options are :

  • interface id
  • direction (inbound / outbound)
  • destination port number
  • source port number
  • None

Answer : interface id

What does the output of the commands fw ctl multik stat and fw6 ctl multik stat show?


Options are :

  • Only the number of total connections currently being handled by all Kernels on a CoreXL-enabled firewall.
  • The number of Firewall Kernels that are installed
  • Which CPU cores are Kernel and SND bound cores.
  • Information for each kernel instance. The output displays state and processing core number of each instance

Answer : Information for each kernel instance. The output displays state and processing core number of each instance

156-215.13 Check Point Certified Security Administrator Exam Set 10

CoreXL on IPSO R77.20 does NOT support which of the following features?


Options are :

  • Overlapping NAT
  • Check Point QoS
  • IPv6
  • Route-based VPN

Answer : Check Point QoS

What is one way to check cluster status on two gateways running in HA mode?


Options are :

  • cp ha prob stat
  • cphaprob stat
  • show cluster
  • show cluster ha status

Answer : cphaprob stat

To check what is currently set in the Firewall kernel debug, input the command:


Options are :

  • fw ctl multistate
  • fw ctl pstat
  • fw ctl debug
  • fw ctl debug -x

Answer : fw ctl debug

156-215.13 Check Point Certified Security Administrator Exam Set 11

What command displays the Connections Table for a specified CoreXL firewall instance?


Options are :

  • fw tab -t connections -s
  • fw tab -t connection | grep fw
  • fw tab -t connections
  • fw -i FW_INSTANCE_ID tab -t connections [flags]

Answer : fw -i FW_INSTANCE_ID tab -t connections [flags]

You are a system administrator and would like to configure Geo Protection on your gateway to
comply with a new corporate policy. What must you have to do this?


Options are :

  • Geo Protection is enabled by default
  • Valid IPS contract and software blade licensing
  • DNS resolution on the gateway
  • The latest IPS update

Answer : Valid IPS contract and software blade licensing

Which file holds global Kernel values to survive reboot in a Check Point R77 gateway?


Options are :

  • $FWDIR/boot/modules/fwkern.conf
  • $FWDIR/conf/fwkern.conf
  • $FWDIR/boot/confwkern.conf
  • $FWDIR/boot/fwkern.conf

Answer : $FWDIR/boot/modules/fwkern.conf

156-215.13 Check Point Certified Security Administrator Exam Set 2

How would you determine the value of 'Maximum concurrent connections' of the NAT Table?


Options are :

  • fwx_alloc
  • fwx_max_conns
  • fwx_auth
  • objects_5_0.C

Answer : fwx_alloc

PXL is considered to be what type of acceleration?


Options are :

  • Fast Path
  • Medium Path
  • Slow Path
  • PXL is not related to acceleration

Answer : Medium Path

What is the method to change the number of cores that CoreXL will use?


Options are :

  • SmartDashboard
  • sysconfig
  • cpconfig
  • CoreXL automatically recognizes the number of cores on a system at startup so there is no method or reason to modify the setting.

Answer : cpconfig

156-215.13 Check Point Certified Security Administrator Exam Set 3
