156-115 Check Point Certified Security Master Practice Test Set 4

Misha is working on a stand-by firewall and deletes the connections table in error. He finds that
now the table is out of sync with the Active member. To get them completely synced again, Misha
should run the command pair ____________ and __________.


Options are :

  • fw ctl sync stop, fw ctl sync start
  • fw ctl setsync off, fw ctl setsync on
  • fw ctl setsync stop, fw ctl setsync on
  • fw ctl setsync off, fw ctl setsync start (Correct)

Answer : fw ctl setsync off, fw ctl setsync start

You are troubleshooting an issue for your HR team. One of the users is using IP 10.10.10.24.

They have been trying to access the vacation servers but all connections are failing. You have
checked the logs and do not see any dropped traffic. You have a suspicion that the drop is not
being logged. What command could you use to confirm this?


Options are :

  • fw -t connections -s .
  • You cannot run a command for this; you must enable logging on all rules
  • fw ctl pstat host 10.10.10.24
  • fw ctl zdebug + log dynlog (Correct)

Answer : fw ctl zdebug + log dynlog

From a Best Practices perspective, what percentage of your packets should be accelerated?


Options are :

  • 75%
  • 65%
  • 90% (Correct)
  • 100%

Answer : 90%

156-315.77 Check Point Certified Security Expert Exam Set 1

What should you do after editing fwkern.conf to enable NAT templates?


Options are :

  • Install database
  • Make sure the change shows up in SmartView Monitor
  • Install policy
  • Reboot (Correct)

Answer : Reboot

Why would you not see a CoreXL configuration option in cpconfig?


Options are :

  • The gateway only has one processor core. (Correct)
  • CoreXL is not enabled in the gateway object.
  • CoreXL is disabled via policy
  • CoreXL is not licensed.

Answer : The gateway only has one processor core.

When performing a Clean IPS procedure to resolve a corrupt IPS files issue, what file is modified
in order for the SDUU process to automatically update the IPS files after completing the
procedure?


Options are :

  • asm.C (Correct)
  • profiles.C
  • inspect.C
  • objects_5_0.C

Answer : asm.C

156-215.75 Check Point Certified Security Administrator Exam Set 7

What is required when changing the configuration of the number of workers in CoreXL?


Options are :

  • A reboot (Correct)
  • evstop/evstart
  • A policy installation
  • cpstop/cpstart

Answer : A reboot

You have just taken over as a firewall administrator. Your company is using Geo Protections on
your gateway, but you want to verify that the protections are up-to-date. How can you see when
these were updated?


Options are :

  • Check asm_update_version_geo in GuiDBedit.
  • In the IPS tree Protections > Geo Protections and check the profile name which is mm/dd/yy
  • Check the time stamp of $FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv. (Correct)
  • In the IPS tree Protections > Select Check for Update.

Answer : Check the time stamp of $FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv.

A firewall has 8 CPU cores and the correct license. CoreXL is enabled. How could you set kernel
instance #3 to run on processing core #5?


Options are :

  • Edit the file fwaffinity.conf and add the line “k3 cpuid 5”
  • Run fwaffinity_apply -t 3 -k 5 and then check that the settings have taken effect with the command fw ctl multik stat.
  • This is not possible. CoreXL is best left to manage the Kernel to CPU core mappings. It is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core when mapping Kernel instances to CPU cores.
  • fw ctl affinity -s -k 3 5 (Correct)

Answer : fw ctl affinity -s -k 3 5

156-315.77 Check Point Certified Security Expert Exam Set 5

Which of the following CANNOT be used as a source/destination for an IPS network exception?


Options are :

  • Any
  • Network Group
  • IP Address
  • Identity Awareness Access Role (Correct)

Answer : Identity Awareness Access Role

Where do you configure the file user.def to change the encryption domain of the Security
Gateway?


Options are :

  • Security Gateway
  • Endpoint Client
  • Interoperable device
  • Management Server (Correct)

Answer : Management Server

Check Point Certified Security Expert Exam Set 4

You have strict IPS corporate guidelines. This is having a performance impact on the firewall.
What steps could you take to minimize this impact without compromising the corporate policy?


Options are :

  • Select “Protect Internal hosts only” (Correct)
  • Without minimizing signatures you cannot improve performance
  • Select “Perform IPS inspection on all traffic”
  • Select “Bypass IPS inspection when gateway is under heavy load”

Answer : Select “Protect Internal hosts only”

Which of the following IPS Layers is responsible for ensuring that only valid retransmission
packets are allowed to proceed to destinations?


Options are :

  • Passive Streaming Library (PSL) (Correct)
  • Protocol Parsers
  • Context Management Interface layer (CMI)
  • Protections

Answer : Passive Streaming Library (PSL)

What type(s) of VTI interfaces do Edge gateways support?


Options are :

  • Both numbered and unnumbered
  • Neither numbered nor unnumbered
  • Unnumbered interfaces
  • Numbered interfaces (Correct)

Answer : Numbered interfaces

156-315.77 Check Point Certified Security Expert Exam Set 23

In a ClusterXL that uses IPv6 addresses, how do you configure the sync interface?


Options are :

  • You must configure synchronization interfaces with an IPv4 address only. (Correct)
  • You must configure synchronization interfaces with an IPv6 address only.
  • If an interface does not require IPv6, only the IPv4 definition address is necessary.
  • All interfaces configured with an IPv6 address must also have a corresponding IPv4 address.

Answer : You must configure synchronization interfaces with an IPv4 address only.

Which of these commands can be used to display the IPv6 status?


Options are :

  • show ipv6 all
  • show ipv6-status (Correct)
  • show ipv6 status
  • show ipv6-stat

Answer : show ipv6-status

In Check Point, domain-based VPNs take precedence over route-based VPNs. If implementing a
route-based VPN, what is one configuration step you must make on the gateway object taking part
in the route-based VPN?


Options are :

  • You should remove the gateway from all communities.
  • You should check the "Use route-based VPN" checkbox in the community properties.
  • You need to create a new simple group with no objects in it and apply this as the VPN domain under that gateway's topology tab (Correct)
  • Check Point does not support route-based VPNs.

Answer : You need to create a new simple group with no objects in it and apply this as the VPN domain under that gateway's topology tab

156-315.77 Check Point Certified Security Expert Exam Set 2

How do you disable IPv6 on an IPSO gateway?


Options are :

  • You cannot disable IPv6.
  • Run $FWDIR/scripts/fwipv6_enable off and reboot. (Correct)
  • Remove the IPv6 license from the gateway.
  • In IPSO go to System Management > System Configuration, set IPv6 Support to off, and click Apply.

Answer : Run $FWDIR/scripts/fwipv6_enable off and reboot.

You have to establish a VPN communication between 2 spokes, routed through the Hub gateway.
Where do you configure VPN routing?


Options are :

  • VPN shell
  • WebUI
  • vpn_route.conf (Correct)
  • Security Gateway Object

Answer : vpn_route.conf

True or False: It is possible to operate a Security Gateway entirely with IPv6 addressing.


Options are :

  • True: Management can occur over IPv4 or IPv6 thus all gateways can have interfaces configured with valid IP addresses of either type
  • False: There are many common IPv4 features that are not supported in IPv6
  • False: Management only occurs over IPv4 thus all gateways are required to have interfaces configured with valid IPv4 addresses (Correct)
  • True: All IPv4 features are supported in IPv6

Answer : False: Management only occurs over IPv4 thus all gateways are required to have interfaces configured with valid IPv4 addresses

156-315.77 Check Point Certified Security Expert Exam Set 2

What operating systems support unnumbered VTIs?


Options are :

  • GAIA and Secure Platform
  • Solaris and IPSO
  • GAIA and IPSO (Correct)
  • Secure Platform and IPSO

Answer : GAIA and IPSO

Jerry is a network administrator for ACME Co. Their network contains 5 gateways all managed by
a single Management Server. They are currently receiving an exorbitant amount of false positives
for traffic traversing their network. Based on this information, what factor do you think is
contributing most to the high amount of false positives Jerry is receiving?


Options are :

  • She has created a dedicated IPS profile for each Security Gateway
  • She has enabled protections based on the network devices and requirements
  • She has set protections to run in “Detect” mode
  • She is performing IPS inspection on all traffic (Correct)

Answer : She is performing IPS inspection on all traffic

What VSX components do not support IPv6 in R77 VSX mode?


Options are :

  • Virtual Systems
  • Virtual Routers (Correct)
  • VSX mode does not support IPv6
  • All devices support IPv6

Answer : Virtual Routers

156-315.13 Check Point Security Expert R76(GAiA) Exam Set 7

You enabled IPv6 in your environment and would like to erase all IPv6 connection tables. How can
you do it?


Options are :

  • fw tab -t connections -x
  • clear connections table ipv6
  • fw6 tab -t connections -x (Correct)
  • fw tab -t connections6 -x

Answer : fw6 tab -t connections -x

Which of the following IPS Layers is a set of signatures and/or handlers, where:
  • Signature is a malicious pattern that is searched for.
  • Handler is the INSPECT code that performs more complex inspection.


Options are :

  • Protocol Parsers
  • Protections (Correct)
  • Context Management Interface layer (CMI)
  • Passive Streaming Library (PSL)

Answer : Protections

In the gateway object, under topology you select the “Get All Members Interfaces with Topology”
option and your newly configured unnumbered VTIs are not populated. Why is this information
missing?


Options are :

  • VTI information on unnumbered interfaces is not required information for the VPN to work.
  • In order to fetch VTI information on unnumbered interfaces you must add an explicit rule to the policy.
  • VTI information on unnumbered interfaces needs to be entered manually. (Correct)
  • VTI information on unnumbered interfaces should appear, so there is an issue with your configuration.

Answer : VTI information on unnumbered interfaces needs to be entered manually.

156-315.77 Check Point Certified Security Expert Exam Set 8

Which of these dynamic route protocols CANNOT be used along with VTI (VPN Tunnel
Interface)?


Options are :

  • IGRP (Correct)
  • BGP4
  • OSPFR
  • IPv1

Answer : IGRP

Where would an administrator set an email alert for a specific permanent VPN tunnel?


Options are :

  • You can only enable logging or SNMP traps.
  • In the Tunnel Properties select Mail Alert. (Correct)
  • Run sysconfig.
  • Edit the file vpnconf.

Answer : In the Tunnel Properties select Mail Alert.

“If the machine is under stress, we do not want to leave the stress condition due to a single
measurement (which could be an anomaly), but rather wait for a given length of time, before
changing the condition.” …describes which of the following “Bypass under Load” setting kernel
parameters?


Options are :

  • ids_timeout
  • ids_tolerance_stress
  • ide_tolerance_no_stress
  • ids_assume_stress (Correct)

Answer : ids_assume_stress

Check Point Certified Security Administrator Set 1

A system administrator wants to convert an IPv6 gateway from a standard gateway into a gateway running VSX mode. What does he need to consider?


Options are :

  • There needs to be proper IPv6 routing setup.
  • It is not possible to convert a gateway with IPv6 enabled to VSX mode. (Correct)
  • Policy needs to be properly applied to the gateway before converting the system to VSX mode.
  • At least two interfaces need to be configured with IPv6.

Answer : It is not possible to convert a gateway with IPv6 enabled to VSX mode.
