156-115 Check Point Certified Security Master Practice Test Set 3

In R77, under what circumstances would IPS bypass be enforced?


Options are :

  • Single CoreXL fw instance usage over ‘Low’ threshold, Average Memory over ‘High’ threshold
  • Single CoreXL fw instance usage over ‘High’ threshold, Average Memory over ‘High’ threshold (Correct)
  • Average CPU over ‘High’ threshold, Average Memory over ‘High’ threshold
  • Average CPU over ‘High’ threshold, Average Memory over ‘Low’ threshold

Answer : Single CoreXL fw instance usage over ‘High’ threshold, Average Memory over ‘High’ threshold

In IPS, which of the two initial profiles is the more resource intensive?


Options are :

  • Prevention
  • Standard
  • Default (Correct)
  • Recommended

Answer : Default

A Security Administrator wants to increase the number of processing cores on a Check Point
Security Gateway. He starts by increasing the number of cores; however, the number of kernel
instances remains the same. What is the correct process to increase the number of kernel
instances?


Options are :

  • Cpconfig- Enable Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-cprestart
  • Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-cpstop,cpstart
  • Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-reboot (Correct)
  • Cpconfig- Enable Check Point ClusterXL- Change the number of firewall instances-define how many firewall instances to enable-reboot

Answer : Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-reboot


What command would you use to check if CoreXL is enabled?


Options are :

  • cpconfig
  • fw ctl pstat
  • fw ctl multik stat (Correct)
  • fw ctl affinity -1

Answer : fw ctl multik stat

What command verifies which core each gateway interface and firewall instance is currently
running on?


Options are :

  • fw accel stat
  • show corexl stat
  • fw ctl pstat
  • fw ctl affinity -l (Correct)

Answer : fw ctl affinity -l

How does the Check Point Security Administrator enable NAT Templates?


Options are :

  • Edit file $FWDIR/boot/modules/fwkern.conf with the lines “cphwd_nat_templates_support=1” and “cphwd_nat_templates_enabled=1” (Correct)
  • Set Global properties > NAT-Network address translation
  • Run commands with syntax fw ctl set int cphwd_nat_templates_support 1 and fw ctl set int cphwd_nat_templates_enabled 1.
  • Set Firewall object > NAT > Advanced

Answer : Edit file $FWDIR/boot/modules/fwkern.conf with the lines “cphwd_nat_templates_support=1” and “cphwd_nat_templates_enabled=1”


In IPS, what does a high confidence rating mean?


Options are :

  • There is a low likelihood of false positives (Correct)
  • This is a rating for how likely this attack is to penetrate most systems
  • This is a rating for how confident Check Point is with catching this attack
  • There is a high likelihood of false positives

Answer : There is a low likelihood of false positives

You have configured IPS on your network; you find you are being overwhelmed with what you
believe are false positives. You investigated this traffic and confirmed they are false positives.
What can you do to stop these IPS alerts?


Options are :

  • Right click the alert and “ignore”
  • Disable the IPS protection for this network
  • Use a SAM rule to categorize this traffic
  • Add an exception for this traffic under the IPS protection (Correct)

Answer : Add an exception for this traffic under the IPS protection

When troubleshooting a performance problem on a multicore firewall that is using CoreXL, what
command checks the number of connections each core is processing?


Options are :

  • fw ctl multik stat
  • sim affinity -l
  • cat fwkern.conf
  • fw CTL pstat (Correct)

Answer : fw CTL pstat


What is the best way to see how a firewall is performing while processing packets in the firewall
path, including resource usage?


Options are :

  • fw getperf
  • SecureXL stat
  • fw ctl pstat (Correct)
  • fwaccel stats

Answer : fw ctl pstat

A Rule Base has been improperly configured with a rule which disables templating at the top of the
Rule Base. How will this impact traffic acceleration?


Options are :

  • Templates are disabled but throughput acceleration is still taking place (Correct)
  • Templates are disabled, and throughput acceleration only functions for rules above this one.
  • Templates are disabled for this rule but it does not impact the rest of the Rule Base.
  • SecureXL is disabled.

Answer : Templates are disabled but throughput acceleration is still taking place

Which command will allow you to change firewall affinity and survive a reboot with no further
modification?


Options are :

  • fw affinity –l (Correct)
  • fw ctl affinity –s .
  • sim affinity –l
  • fw affinity –l

Answer : fw affinity –l


How would one enable ‘INSPECT debugging’ if one suspects IPS false positives?


Options are :

  • Run command fw ctl set int enable_inspect_debug 1 from the command line.
  • WebUI
  • Toggle the checkbox in Global Properties > Firewalls > Inspection section.
  • Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation (Correct)

Answer : Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation

What does “cphwd_nat_templates_enabled=1” do when entered into fwkern.conf?


Options are :

  • Disables NAT templates at all times.
  • Disables NAT templates when SecureXL is turned on.
  • Enables NAT templates at all times.
  • Enables NAT templates when SecureXL is turned on. (Correct)

Answer : Enables NAT templates when SecureXL is turned on.

Which command displays FireWall internal statistics about memory and traffic?


Options are :

  • cpstat os –f cpu
  • fw ctl pstat (Correct)
  • fw getifs .
  • cpstat os –f memory

Answer : fw ctl pstat


You are at a customer site, and when you run cphaprob stat you are not seeing a normal
ClusterXL Health. What command could you run to verify that the number of cores is not matched on
both cluster members?


Options are :

  • cphaprob -a if
  • cpconfig
  • cphaprob stat
  • fw ctl multik stat (Correct)

Answer : fw ctl multik stat

You are running an inventory process within your corporate environment (R77) and need to find
out CPU, memory, disk space, and information regarding the software blades enabled. What
command could you use to easily gather this information?


Options are :

  • cpconfig
  • fw ctl pstat
  • SmartView Tracker
  • cpview (Correct)

Answer : cpview

In a ClusterXL cluster with delayed synchronization, which of the following is not true?


Options are :

  • Delayed Synchronization is disabled if the Track option in the rule is set to Log or Account.
  • The length of time for the delay can be edited. (Correct)
  • It applies only to TCP services whose Protocol Type is set to HTTP or None.
  • Delayed Synchronization is performed only for connections matching a SecureXL Connection Template.

Answer : The length of time for the delay can be edited.


You would like to import SNORT rules but to comply with corporate policy you need to test the
conversion prior to import. How can you do this?


Options are :

  • You must manually review each signature.
  • Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option
  • SnortConvertor update -f --dry-run (Correct)
  • Check Point does not support third party signatures.

Answer : SnortConvertor update -f --dry-run

ACME Corp has a cluster consisting of two 13500 appliances. As the Firewall Administrator, you
notice that on an output of top, you are seeing high CPU usage of the cores assigned as SNDs,
but low CPU usage on cores assigned to individual fw_worker_X processes. What command
should you run next to performance tune your cluster?


Options are :

  • fwaccel off – this will turn off SecureXL, which is causing your SNDs to be running high in the first place.
  • fw tab –t connections –s – this will show you a summary of your connections table, and allow you to determine whether there is too much traffic traversing your firewall.
  • fwaccel stats –s – this will show you the acceleration profile of your connections and potentially why your SNDs are running high while other cores are running low. (Correct)
  • fw ctl debug –m cluster + all – this will show you all the connections being processed by ClusterXL and explain the high CPU usage on your appliance.

Answer : fwaccel stats –s – this will show you the acceleration profile of your connections and potentially why your SNDs are running high while other cores are running low.

If the number of Firewall Workers for CoreXL is set higher on one member of a cluster than the
other, the cluster will be in what state?


Options are :

  • Active/Standby
  • Active/Down
  • Active Attention/Down
  • Active/Ready (Correct)

Answer : Active/Ready


When using Geo Protections, you find there are logs for a country that you believe is incorrect.
What file do you review to verify what country Geo Protections should identify the traffic as?


Options are :

  • objects_5_0.C
  • objects.C
  • asm.C
  • IpToCountry.csv (Correct)

Answer : IpToCountry.csv

What is the best way to see how much traffic went through the firewall that was TCP, UDP and
ICMP?


Options are :

  • fw ctl pstat (Correct)
  • fw tab –t connections –p
  • fwaccel conns
  • fwaccel stats

Answer : fw ctl pstat

You are adding a new gateway into your network. You must make sure that it is running the latest
Corporate approved IPS profile. How can you get this information to your new gateway?


Options are :

  • From the command line, run: ips_import -f [-p ].
  • From the Smart Dashboard IPS tab select import IPS profiles and select the gateway to get the profile from.
  • From the command line, run: ips_export_import import -f [-p ]. (Correct)
  • IPS profiles must be manually configured on each gateway.

Answer : From the command line, run: ips_export_import import -f [-p ].


Where would you go to adjust the number of Kernels in CoreXL?


Options are :

  • fw ctl multik stat
  • Cpconfig (Correct)
  • fw ctl affinity
  • fw ctl conf

Answer : Cpconfig

You have spent time configuring the IPS profile on your primary gateway firewall. You want to
ensure that this profile can be applied to all gateway firewalls in your environment. How can you
share this information between firewalls?


Options are :

  • IPS profiles must be manually configured on each gateway
  • From the command line, run: ips_export [-o ] [-p ].
  • From the Smart Dashboard IPS tab select export IPS profiles and select the gateway to send this export to.
  • From the command line, run: ips_export_import export [-o ] [-p ]. (Correct)

Answer : From the command line, run: ips_export_import export [-o ] [-p ].

When a cluster member is completely powered down, how will the other member identify if there is
network connectivity?


Options are :

  • The working member will Ping IPs in the subnet until it gets a response (Correct)
  • The working member will ARP for the default gateway.
  • The working member will automatically assume connectivity.
  • The working member will look for replies to traffic sent from internal hosts.

Answer : The working member will Ping IPs in the subnet until it gets a response


What would be considered Best Practice to determine which IPS protections you can safely
disable for your environment?


Options are :

  • You should not disable any IPS protections.
  • You should use vulnerability tools to perform an assessment of your environment. (Correct)
  • Work through turning on each protection to see which signatures get alerts.
  • You should set all protections to “Detect”

Answer : You should use vulnerability tools to perform an assessment of your environment.

SNORT is a popular open source IDS. You would like to import SNORT rules from plain text into
Check Point Smart Center. How can you accomplish this?


Options are :

  • Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option. (Correct)
  • IPS profiles must be manually configured on each gateway.
  • From the command line, run: ips_export_import import -f [-p ].
  • Check Point does not support third party signatures.

Answer : Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option.

The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the responsibilities of SND is to:


Options are :

  • Dispatch the packet securely through the VPN link
  • Dispatch the packet securely through the physical link
  • Processing outgoing traffic from the network interfaces
  • Distribute non-accelerated packets among kernel instances (Correct)

Answer : Distribute non-accelerated packets among kernel instances
