156-115 Check Point Certified Security Master Practice Test Set 7

By default, the size of the fwx_alloc table is:


Options are :

  • 65536
  • 1024
  • 65535
  • 25000 (Correct)

Answer : 25000

With the default ClusterXL settings what will be the state of an active gateway upon using the
command ClusterXL_admin up?


Options are :

  • Ready
  • Standby (Correct)
  • Active
  • Down

Answer : Standby

You are attempting to establish an FTP session between your computer and a remote server, but
it is not being completed successfully. You think the issue may be due to IPS. Viewing SmartView
Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the
gateway?


Options are :

  • Run a fw monitor packet capture on the gateway.
  • Search the connections table for that connection.
  • Run fw ctl zdebug drop on the gateway. (Correct)
  • Look in SmartView Monitor for that connection to see why it’s being dropped.

Answer : Run fw ctl zdebug drop on the gateway.

You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify
a connection is correctly translated to its NAT address. What flags should you use for the kernel
debug?


Options are :

  • fw ctl debug -m fw + conn drop ld
  • fw ctl debug -m nat + conn drop fw xlate xltrc
  • fw ctl debug -m nat + conn drop nat xlate xltrc
  • fw ctl debug -m fw + conn drop nat vm xlate xltrc (Correct)

Answer : fw ctl debug -m fw + conn drop nat vm xlate xltrc

True or False: Software blades perform their inspection primarily through the kernel chain
modules.


Options are :

  • True. Many software blades have their own dedicated kernel chain module for inspection. (Correct)
  • True. All software blades are inspected by the IP Options chain module.
  • True. Most software blades are inspected by the TCP streaming or Passive Streaming chain module.
  • False. Software blades do not pass through the chain modules.

Answer : True. Many software blades have their own dedicated kernel chain module for inspection.

While troubleshooting a connectivity issue with an internal web server, you know that packets are
getting to the upstream router, but when you run a tcpdump on the external interface of the
gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the
problem lie on the Check Point Gateway?


Options are :

  • No – This is a layer 2 connectivity issue and has nothing to do with the firewall.
  • Yes – This could be due to a misconfigured Static NAT in the firewall policy. (Correct)
  • No – The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.
  • Yes – This could be due to a misconfigured route on the firewall.

Answer : Yes – This could be due to a misconfigured Static NAT in the firewall policy.

When performing a fwm debug, to which directory are the logs written?


Options are :

  • $FWDIR/log
  • $FWDIR/log/fwm.elg (Correct)
  • $CPDIR/log/fwm.elg
  • $FWDIR/conf/fwm.elg

Answer : $FWDIR/log/fwm.elg

The fw tab -t ___________ command displays the NAT table.


Options are :

  • tablist
  • fwx_alloc (Correct)
  • conns
  • loglist

Answer : fwx_alloc

Since switching your network to ISP redundancy you find that your outgoing static NAT
connections are failing. You use the command _________ to debug the issue.


Options are :

  • fwaccel stats misp
  • fw ctl debug -m fw + nat drop (Correct)
  • fw ctl pstat
  • fw tab -t fwx_alloc -x

Answer : fw ctl debug -m fw + nat drop

Server A is subject to automatic static NAT and also resides on a network which is subject to
automatic Hide NAT. With regard to address translation, what will happen when Server A initiates
outbound communication?


Options are :

  • The Hide NAT will take precedence.
  • This is called hairpin NAT, the traffic will return to the server.
  • The static NAT will take precedence. (Correct)
  • This will cause a policy verification error.

Answer : The static NAT will take precedence.

The command fw monitor -p all displays what type of information?


Options are :

  • It does a firewall monitor capture on all interfaces.
  • The -p is used to resolve MAC address in the firewall capture.
  • It captures all points of the chain as the packet goes through the firewall kernel. (Correct)
  • This is not a valid command.

Answer : It captures all points of the chain as the packet goes through the firewall kernel.

In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating
the proper NAT rule what step needs to be completed?


Options are :

  • Edit or create the file discntd.if.
  • Edit the file netconf.conf
  • Edit or create the file local.arp. (Correct)
  • No further actions are required.

Answer : Edit or create the file local.arp.

Which flag in the fw monitor command is used to print the position of the kernel chain?


Options are :

  • -all
  • -c
  • -p (Correct)
  • -k

Answer : -p

How do you set up Port Address Translation?


Options are :

  • Since Hide NAT changes to random high ports it is by definition PAT (Port Address Translation).
  • Create a manual NAT rule and specify the source and destination ports. (Correct)
  • Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.
  • Port Address Translation is not supported in a Check Point environment.

Answer : Create a manual NAT rule and specify the source and destination ports.

The command _____________ shows which firewall chain modules are active on a gateway.


Options are :

  • fw ctl debug
  • fw ctl chain (Correct)
  • fw ctl multik stat
  • fw stat

Answer : fw ctl chain

Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to
initiate connections with the remote VPN clients, even though the policy is configured to allow it.
You think that this is caused by NAT. What command can you run to see if NAT is occurring on a
packet?


Options are :

  • fw tab -t fwx_alloc -x
  • fw ctl debug -m fw + conn drop packet xlate xltrc nat (Correct)
  • fw ctl pstat
  • fwaccel stats misp

Answer : fw ctl debug -m fw + conn drop packet xlate xltrc nat

Which of the following BEST describes the command fw ctl chain function?


Options are :

  • View how CoreXL is distributing traffic among the firewall kernel instances.
  • Determine if VPN Security Associations are being established
  • View the inbound and outbound kernel modules and the order in which they are applied (Correct)
  • View established connections in the connections table

Answer : View the inbound and outbound kernel modules and the order in which they are applied

What does the IP Options Strip represent under the fw chain output?


Options are :

  • IP Options Strip is only used when VPN is involved.
  • The IP Options Strip copies the header details to forward the details for further IPS inspections.
  • IP Options Strip is not a valid fw chain output.
  • The IP Options Strip removes the IP header of the packet prior to being passed to the other kernel functions. (Correct)

Answer : The IP Options Strip removes the IP header of the packet prior to being passed to the other kernel functions.

Which process should you debug when SmartDashboard authentication is rejected?


Options are :

  • DAService
  • cpd
  • fwm (Correct)
  • fwd

Answer : fwm

What causes the SIP Early NAT chain module to appear in the chain?


Options are :

  • The default SIP service is used in the Rule Base. (Correct)
  • A VOIP domain is configured
  • SIP is configured in IPS
  • The SIP traffic is trying to pass through the firewall.

Answer : The default SIP service is used in the Rule Base.

You want to verify that the majority of your connections are being optimized by SecureXL. What
command would you run to establish this information?


Options are :

  • fw ctl pstat
  • fwaccel conns -s (Correct)
  • sim_dbg -s
  • fw tab -t connections -s

Answer : fwaccel conns -s

You are analyzing your firewall logs, /var/log/messages, and repeatedly see the following kernel
message:
'kernel: neighbor table overflow'
What is the cause?


Options are :

  • OSPF neighbor down
  • Nothing, you can disregard it.
  • Arp cache overflow (Correct)
  • Cluster member table overflow

Answer : Arp cache overflow

You find that your open server SecurePlatform system is lagging although you know you have
plenty of memory and the complexity of the Rule Base has not changed significantly. You think
that upgrading the CPU frequency speed could help your performance. Which command could
help you see what speed and model of CPU you are using?


Options are :

  • cat /proc/cpuinfo
  • fw tab
  • top
  • sysconfig (Correct)

Answer : sysconfig

Which command will NOT display information related to memory usage?


Options are :

  • memoryinfo.conf (Correct)
  • fw ctl pstat
  • free
  • cat /proc/meminfo

Answer : memoryinfo.conf

Running the command fw ctl pstat -l would return what information?


Options are :

  • General Security Gateway statistics
  • Additional kmem details (Correct)
  • Additional hmem details
  • Additional smem details

Answer : Additional kmem details

Which of the following statements are TRUE about SecureXL?
I. SecureXL is able to accelerate all connections through the firewall.
II. Medium path acceleration will still cause some CPU utilization of CoreXL cores.
III. F2F connections represent “forwarded to firewall” connections that are not accelerated and fully
processed through the firewall kernel.
IV. Packets going through SecureXL must be inspected by the firewall kernel before being
accelerated.


Options are :

  • I and IV
  • I, II, and III
  • II and III (Correct)
  • III and IV

Answer : II and III

SecureXL uses templating to accelerate traffic passing through the gateway. What command
should you run to determine if Accept, Drop and NAT templating is enabled?


Options are :

  • fw ctl pstat
  • cphaprob -a if
  • fwaccel stat (Correct)
  • cpconfig

Answer : fwaccel stat

In Tracker you are troubleshooting a VPN issue between your gateway and a partner site, and you get a drop log that states “No proposal chosen”. What is the most likely cause?


Options are :

  • Using IKEv1 when peer uses IKEv2
  • The peer machine is not accepting multicast packets
  • There is a time mismatch
  • A mismatch in the settings between the two peers (Correct)

Answer : A mismatch in the settings between the two peers

What is the corresponding connection template entered into the SecureXL connection table from the connection “10.0.0.100:1024 > 216.239.59.59:80”?


Options are :

  • “10.0.0.100:1024 > 216.239.59.59:80”
  • “10.0.0.100:1024 > 216.239.59.59:*”
  • “10.0.0.100:* > 216.239.59.59:80” (Correct)
  • “10.0.0.100:* > 216.239.59.59:*”

Answer : “10.0.0.100:* > 216.239.59.59:80”

Under which scenario would you most likely consider the use of Multi-Queue?


Options are :

  • When most of the traffic is accelerated. (Correct)
  • When IPS is heavily used.
  • When most of the processing is done in CoreXL.
  • When trying to increase session rate.

Answer : When most of the traffic is accelerated.
