156-115 Check Point Certified Security Master Practice Test Set 5

What is the length of an IPv6 address?


Options are :

  • 54 bits
  • 128 Bytes
  • 128 bits
  • 6 Bytes

Answer : 128 bits

Which of these commands can be used to display the IPv6 routes?


Options are :

  • show ipv6 route
  • show route
  • show routes all
  • show route ipv6

Answer : show ipv6 route

156-115 Check Point Certified Security Master Practice Test Set 6

Your customer would like to enable IPS in his corporate cluster, but he is concerned about high
CPU usage because of the IPS inspection. What feature would you configure to disable inspection
if high CPU usage develops?


Options are :

  • Bypass Inspection. (In IPS Option on Gateway Properties)
  • It is not possible. In this case no enable IPS
  • Disable Inspection. (In IPS Option on Gateway Properties)
  • Bypass Under Load. (In IPS Option on Gateway Properties)

Answer : Bypass Under Load. (In IPS Option on Gateway Properties)

What steps can be taken if IPS is causing a High Performance Impact?


Options are :

  • Determine if different or custom IPS profiles are better suited for different gateways in your organization
  • Consider activating the "Bypass under Load" IPS setting on the gateway.
  • All options listed
  • Check your IPS configuration assigned to this gateway and deactivate protections with critical or high performance impact

Answer : All options listed

Which technology is not supported with route-based VPNs?


Options are :

  • Unnumbered VTI
  • OSPF
  • Numbered VTI
  • IKEv2

Answer : IKEv2

156-115 Check Point Certified Security Master Practice Test Set 7

You would like to configure unnumbered VTIs and your environment uses load sharing clustering.
Would this clustering technology be supported by your unnumbered VTIs?


Options are :

  • Yes, all HA modes are supported.
  • Yes, unnumbered VTIs only support clustering load sharing.
  • No, unnumbered VTIs do not support any HA modes.
  • No, unnumbered VTIs only support VRRP HA active-passive mode.

Answer : No, unnumbered VTIs only support VRRP HA active-passive mode.

You have created a number of profiles and activated the relevant protections. Afterwards, you
decide that the ‘Enterprise gateway’ should allow instant messaging. The current profile enabled
for Enterprise gateway blocks instant messaging. The profile for the Enterprise gateway is
currently being used on the Voyager gateway and the Bird of Prey gateway. What is the best
process for making this change on the Enterprise gateway only?


Options are :

  • Create an exception for the Enterprise gateway
  • Edit the existing profile
  • Create a new profile and apply to the Enterprise gateway
  • Create a rule allowing that traffic and install it on the Enterprise gateway

Answer : Create an exception for the Enterprise gateway

What command allows you to monitor IPV6 packets in the kernel module?


Options are :

  • ip -6 neigh show
  • ip -6 addr show
  • fw6 monitor
  • tcpdump -nni eth ip6

Answer : fw6 monitor

156-115 Check Point Certified Security Master Practice Test Set 8

Of the following, which is NOT a kernel parameter relating to the IPS “Bypass Under Load”
settings?


Options are :

  • ids_timeout
  • ids_tolerance_no_stress
  • ids_limit_stress
  • ids_assume_stress

Answer : ids_limit_stress

Which of the following is true when IPv6 is enabled on a Security Gateway?


Options are :

  • An interface on the Gateway can either have IPv4 or IPv6 IP address but cannot have both
  • An interface on the Gateway can either have IPv4 or IPv6 IP address or have both.
  • IPv4 will be completely disabled when IPv6 has been enabled.
  • As of version R77, IPv6 is only supported on Security Management Server.

Answer : An interface on the Gateway can either have IPv4 or IPv6 IP address or have both.

How do you enable IPv6 support on an R77 gateway running the GAiA OS?


Options are :

  • IPv6 is enabled by default.
  • Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.
  • Enable the IPv6 Software Blade for the gateway in Smart Dashboard.
  • Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.

Answer : Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.

156-215.13 Check Point Certified Security Administrator Exam Set 1

Which of the following is true about Node / Host objects?


Options are :

  • A Node / Host object can either have IPv4 or IPv6 IP address but not have both. Separate objects need to be created for hosts that use dual stack.
  • A Node / Host object can either have IPv4 or IPv6 IP address or have both.
  • A Node / Host object can only have IPv4 IP address. For IPv6, a Node / Host6 object must be used.
  • Node / Host object does not support IPv6, hence a Network object must be created for IPv6

Answer : A Node / Host object can either have IPv4 or IPv6 IP address or have both.

When configuring a Numbered VPN-Tunnel, what parameters are necessary?


Options are :

  • VPN Tunnel ID, Local Address, Remote Address
  • Peer, Local Address, Remote Address
  • VPN Tunnel ID, Peer, Physical Device
  • VPN Tunnel ID, Peer, Local Address, Remote Address

Answer : VPN Tunnel ID, Peer, Local Address, Remote Address

Does R77 SmartDashboard support IPv6?


Options are :

  • R77.20 and above provides the support for Smart Dashboard and IPv6 support.
  • IPv6 needs to be tunneled through IPv4 to support IPv6
  • SmartDashboard does not support IPv6.
  • Yes, provided the operating system on which Smart Dashboard is installed is configured with IPv6.

Answer : Yes, provided the operating system on which Smart Dashboard is installed is configured with IPv6.

156-215.13 Check Point Certified Security Administrator Exam Set 10

How can an administrator stay up-to-date on the status of their VPN Tunnels?


Options are :

  • Run vpn tu and select the option Live Monitoring
  • Make a change in /proc/net/tun.
  • In Smartview Tracker
  • Tracking settings can be configured on the Tunnel Management screen of the Community Properties screen for all VPN tunnels.

Answer : Tracking settings can be configured on the Tunnel Management screen of the Community Properties screen for all VPN tunnels.

When the IPS ‘Bypass under Load’ mechanism detects that certain CPU and memory usage
thresholds have been reached, which of the following occurs?


Options are :

  • The mechanism disables all IPS protections by placing them under ‘exception’
  • IPS is disabled completely
  • The mechanism configures all IPS protections in ‘Detect Mode’
  • Stateful Inspection is disabled

Answer : The mechanism disables all IPS protections by placing them under ‘exception’

What does the command vpn shell interface add numbered 192.168.0.1 192.168.0.2 Gateway_A to_B accomplish?


Options are :

  • Between Security Gateways A and B 192.168.0.2 is assigned as the endpoint IP address to Gateway A. 192.168.0.1 is assigned to Gateway B.
  • shell is not a valid option for the command vpn.
  • Between Security Gateways A and B, 192.168.0.1 is assigned as the endpoint IP address to Gateway A. 192.168.0.2 is assigned to Gateway B.
  • This command can be used to create a VPN tunnel from the command line without having any VPN configuration in Smart Dashboard (although “IPSec VPN” must still be enabled on the gateway).

Answer : Between Security Gateways A and B, 192.168.0.1 is assigned as the endpoint IP address to Gateway A. 192.168.0.2 is assigned to Gateway B.

156-215.13 Check Point Certified Security Administrator Exam Set 11

Which of the following IPS Layers is the "brain" of the IPS? That is, what coordinates between
different components, decides which protections should run on a certain packet, decides the final
action to be performed on the packet and issues an event log?


Options are :

  • Protections
  • Protocol Parsers
  • Context Management Interface layer (CMI)
  • Passive Streaming Library (PSL)

Answer : Context Management Interface layer (CMI)

Where do you enable Route-based VPN?


Options are :

  • WebUI
  • vpn_route.conf
  • Security Gateway Object
  • VPN shell

Answer : Security Gateway Object

What utility would you use to configure route-based VPNs?


Options are :

  • vpn shell
  • vpn sw_topology
  • vpn set_slim_server
  • vpn tu

Answer : vpn shell

156-215.13 Check Point Certified Security Administrator Exam Set 2

Which feature is not supported with unnumbered VTI?


Options are :

  • Anti-spoofing
  • Proxy interfaces
  • Policy based routing
  • High availability

Answer : Anti-spoofing

Henry is attempting to verify VPN connectivity between two hosts, x and y. Of the following
commands, which could be BEST used to verify connectivity of this VPN?


Options are :

  • [[email protected]]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y, dst=x.x.x.x)), accept;" x-o /var/log/fw_mon.cap
  • [[email protected]]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.capw monitor -e "accept;" -o /var/log/fw_mon.cap
  • [[email protected]]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
  • [[email protected]]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

Answer : [[email protected]]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y, dst=x.x.x.x)), accept;" x-o /var/log/fw_mon.cap

One of the IPS layers’ main functions is to ensure compliance with well-defined protocol standards,
detect anomalies if any exist, and assemble the data for further inspection by other components of
the IPS engine. Which component is responsible for these functions?


Options are :

  • Context Management Interface layer (CMI)
  • Protections
  • Passive Streaming Library (PSL)
  • Protocol Parsers

Answer : Protocol Parsers

156-215.13 Check Point Certified Security Administrator Exam Set 3

In the current release of Check Point R77, what is a potential performance-related drawback to using Virtual Tunnel Interfaces (VTI) rather than Domain-based VPNs?


Options are :

  • Domain-based VPNs are easier to configure than VTIs and therefore is the preferred implementation.
  • Dynamic routing protocols will work across a domain-based VPN, but will not work across a VTI.
  • Use of VTIs will disable CoreXL and therefore will negatively impact hardware platforms running more than one CPU core.
  • Use of VTIs will disable the entire SecureXL mechanism and prevent any traffic acceleration.

Answer : Use of VTIs will disable CoreXL and therefore will negatively impact hardware platforms running more than one CPU core.

When troubleshooting a VPN site-to-site to a peer, it may be necessary to "down" the tunnel. What
is the best method to remove ONLY the tunnel to this peer?


Options are :

  • Change the vpn tunnel sharing parameters to force the tunnel down.
  • Delete the IKE and IPsec Security Associations using the command vpn tu.
  • Reboot your gateway.
  • Remove the peer from the community and install policy.

Answer : Delete the IKE and IPsec Security Associations using the command vpn tu.

“Tuning” IPS protections to suit the specific needs of an environment can be accomplished by all
of the following EXCEPT:


Options are :

  • Focusing on low performance impact protections.
  • Focusing on low capacity protections.
  • Focusing on high severity protections.
  • Focusing on high confidence level protections.

Answer : Focusing on low capacity protections.

156-215.13 Check Point Certified Security Administrator Exam Set 4

Which of the following statements about Full HA support with IPv6 is NOT true?


Options are :

  • IPv6 does not support a Secondary Management Server.
  • Mirrored Interfaces must have IPv4 addresses.
  • Sync traffic must be IPv4.
  • There is no Dynamic Routing with IPv6.

Answer : IPv6 does not support a Secondary Management Server.

What is the prefix name for the interface when creating an unnumbered VTI in GAIA?


Options are :

  • VTii
  • VTI
  • tun
  • vpnt

Answer : vpnt

Where do you run the command get_ips_statistics.sh from?


Options are :

  • $FWDIR/conf on the gateway
  • $FWDIR/scripts on the Management Server
  • $FWDIR/conf on the Management Server
  • $FWDIR/scripts on the gateway

Answer : $FWDIR/scripts on the Management Server

156-215.13 Check Point Certified Security Administrator Exam Set 5

You are configuring dynamic routing on Secure Platform. As the administrator, you run the
command pro enable and reboot. You are confident that your configuration has been done
correctly. When you check, you find the dynamic routing daemon has not started. What is the
likely cause of this issue?


Options are :

  • You need to apply the license and push the policy.
  • Dynamic routing needs to be enabled in cpconfig.
  • Secure Platform does not support dynamic routing.
  • You must push the policy after your reboot.

Answer : You need to apply the license and push the policy.
