156-115 Check Point Certified Security Master Practice Test Set 8

When are rules that include Identity Awareness access roles accelerated through SecureXL?


Options are :

  • They have no bearing on whether the connection for the rule is accelerated.
  • Only when ‘Unauthenticated Guests’ is included in the access role.
  • Rules using Identity Awareness are never accelerated
  • Rules using Identity Awareness are always accelerated.

Answer : They have no bearing on whether the connection for the rule is accelerated.

A new packet has arrived at a firewall's interface. The packet was compared with the connection
table and there is no match. What process does the firewall start with that connection?


Options are :

  • The packet will be then forwarded to the outbound interface for handling.
  • The packet will be rejected by the kernel firewall.
  • The new packet represents a new flow and requires a new connection table entry.
  • The packet will be forwarded to the firewall to apply the Security Policy.

Answer : The packet will be forwarded to the firewall to apply the Security Policy.

Your company has grown significantly over the past few months. You are seeing that new
connections are being dropped but note that the connections table is not full. You suspect that the
kernel memory allocated to the firewall has reached its full capacity. To check the “Machine
Capacity Summary” statistics, you use command:


Options are :

  • top
  • cat /proc/net/capacity
  • fw ctl pstat
  • ps -aux

Answer : fw ctl pstat

When are rules that include Identity Awareness Access (IDA) roles accelerated through
SecureXL?


Options are :

  • Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated
  • Only when ‘Unauthenticated Guests’ is included in the access role.
  • The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.
  • Never, the inclusion of an IDA role disables SecureXL.

Answer : Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated


If you need to use a Domain object in the Rule Base, where should this rule be located?


Options are :

  • No higher than the 2nd rule.
  • The first rule in the Rule Base.
  • The last rule after the clean up rule.
  • The last rule before the clean up rule.

Answer : The last rule before the clean up rule.

Which of the following is NEVER affected by incorrect OS time and date configuration?


Options are :

  • VPN PSK authentication
  • Identity Awareness Kerberos authentication
  • VPN certificate authentication
  • SIC

Answer : VPN PSK authentication

What command, other than fw ctl pstat, will display your peak concurrent connections?


Options are :

  • fw tab -t connections -s
  • fw ctl get int fw_peak_connections
  • netstat -ni
  • top

Answer : fw tab -t connections -s


Your ARP cache is overflowing, negatively impacting users' experience on your network. Which
command can you issue to increase the ARP cache on the fly? You do not need this to survive a
reboot.


Options are :

  • You cannot increase the size of the ARP cache on the fly.
  • echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
  • Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 = 1024.
  • arp cache table > 1024

Answer : echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

In the process of troubleshooting traffic issues across a VPN tunnel, you notice on the output of fw
monitor -e host(172.21.1.10), accept; that packets are going through the inbound chain (i > I) and
then disappearing after the outbound chain (o > __), while you were expecting to see the packet
leave on O. What could be causing this issue?


Options are :

  • When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.
  • It’s not showing up on the fw monitor because it is exiting the wrong interface
  • The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.
  • The packet is getting silently dropped because there is no route for the packet.

Answer : When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.

In an HA cluster, you modify the number of cores given to CoreXL on only one member using
cpconfig and then issue a reboot. What is the expected ClusterXL status of this member when it
comes up?


Options are :

  • Active
  • Standby
  • Ready
  • Down

Answer : Standby


Which of the following is a valid synchronization status as an output to fw ctl pstat?


Options are :

  • Sync member down
  • Communicating
  • Synchronized
  • Unable to receive sync packets

Answer : Unable to receive sync packets

You are running some diagnostics on your GAIA gateway. You are reviewing the number of
fragmented packets; you notice that there are a lot of large and duplicate packets. Which
command did you issue to get this information?


Options are :

  • cat /proc/cpuinfo
  • fw ctl pstat
  • sysconfig
  • fw ctl get int fw_frag_stats

Answer : fw ctl pstat

After disabling SecureXL you ran command fw monitor to help troubleshoot a VPN issue. In your
review you note that you only see pre-inbound traffic (“i”) and no other traffic after this. Which of
the following reasons could explain this output?


Options are :

  • Traffic is not destined to the correct MAC address because you failed to set up proxy ARP
  • Routes are set up incorrectly
  • You don’t have an “encrypt” rule
  • You have overlapping encryption

Answer : You have overlapping encryption


What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and
cphwd_nat_templates_support?


Options are :

  • This would enable SecureXL NAT templates.
  • These parameters are mutually exclusive and cannot be used at the same time.
  • These are not valid parameters.
  • This would enable Hide NAT support.

Answer : This would enable SecureXL NAT templates.

When running a SecureXL debug how do you initialize the debug buffer to 32000?


Options are :

  • sim debug -buf 32000
  • fw ctl debug -buf 32000
  • fwaccel dbg -buf 32000
  • fwaccel debug -buf 32000

Answer : fw ctl debug -buf 32000

The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the
Linux kernel and has a value of 1024. Knowing this, you know that gc_thresh2 and gc_thresh1 are
automatically set to the values:


Options are :

  • gc_thresh2=1024 and gc_thresh1=1024
  • gc_thresh2=512 and gc_thresh1=256
  • gc_thresh2=256 and gc_thresh1=128
  • gc_thresh1=256 and gc_thresh2=128

Answer : gc_thresh2=512 and gc_thresh1=256


What is the command to check how many connections the firewall has detected for the SecureXL
device?


Options are :

  • fw tab -t connections -s
  • fw tab -t connection -s | grep template
  • fw tab -t cphwd_db -s
  • fwaccel conns

Answer : fw tab -t cphwd_db -s

What is the difference between “connection establishment acceleration” (templating) and “traffic
acceleration”?


Options are :

  • These are the same technologies with different names.
  • “Traffic acceleration” only accelerates a single connection, while “connection establishment acceleration” accelerates similar traffic.
  • “Connection establishment acceleration” only accelerates a single connection, while “traffic acceleration” accelerates similar traffic.
  • “Traffic acceleration” is accelerated through hardware, and “connection establishment acceleration” is accelerated in software.

Answer : “Traffic acceleration” only accelerates a single connection, while “connection establishment acceleration” accelerates similar traffic.


The command fwaccel stat displays what information?


Options are :

  • Accelerator status, accelerated rules, drop templates
  • Accelerator status, accept templates, drop templates
  • Accelerator status, CoreXL state, drop templates
  • Accelerated packets, accept templates, dropped packets

Answer : Accelerator status, accept templates, drop templates


From which version can you add Proxy ARP entries through the GAiA portal?


Options are :

  • R76
  • R77.10
  • R75.40
  • R77

Answer : R75.40

What does the command fwaccel templates do?


Options are :

  • The Rule Base mapping between actual rules and the template built up in Layer 2.
  • Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by using the command cpconfig.
  • Shows templates existing in the SecureXL device. This is so that an administrator can look for the template that matches the specific traffic.
  • That SecureXL has been enabled in the cpconfig command menu.

Answer : Shows templates existing in the SecureXL device. This is so that an administrator can look for the template that matches the specific traffic.

You have a user-defined SMTP trap configured to send an alert to your mail server, and you also
have SmartView Monitor configured to trigger the alert whenever policy is pushed to your gateway.
However, you are not getting any mails even when you test for pushing policy. What process
should you troubleshoot on the Management Server?


Options are :

  • cpwd_admin
  • fwd
  • cpstat_monitor
  • fwm

Answer : cpstat_monitor


You are finding that some users are complaining about slow connection speed. You would like to
review a summary of your connections, including which connections are accelerated and those
that are not. What command could you use?


Options are :

  • fw ctl pstat
  • fwaccel perf
  • fw tab -t connections -s
  • fwaccel stats -s

Answer : fwaccel stats -s

In order to perform some connection troubleshooting, you run the command fw monitor -e accept
dport = 443. You do NOT see the TCP ACK packet. Why is this?


Options are :

  • The connection is accelerated
  • The connection is NATted.
  • The connection is dropped.
  • The connection is encrypted.

Answer : The connection is accelerated

What command would you use to determine if a particular connection is being accelerated by
SecureXL?


Options are :

  • fw tab -t connections -u
  • fw ctl kdebug
  • fwaccel conns
  • fwaccel stat

Answer : fwaccel conns


A firewall administrator knows the details of the packet header for an already established
connection going through a firewall. What command will show if SecureXL will accelerate that
packet?


Options are :

  • fw tab -t connections -f | grep ‘dest. port #’ | grep ‘source port #’ | grep ‘dest. IP address’
  • fw ctl zdebug + sxl error warning asm
  • fwaccel conns
  • fwaccel templates

Answer : fwaccel templates

You have a requirement to implement a strict security policy. With this in mind, you must create a
stealth rule. How will this impact your packet acceleration?


Options are :

  • There will be no impact as long as the rule is not logged.
  • There will be no impact, since stealth rules do not affect SecureXL.
  • Using a stealth rule disables SecureXL.
  • NAT templates will not work.

Answer : There will be no impact, since stealth rules do not affect SecureXL.

What command shows the same information as fwaccel stats -l?


Options are :

  • fwaccell stats -s -u -k
  • cphaprob -a hconf
  • cat /proc/ppk/cpls
  • cat /proc/ppk/statistics

Answer : cat /proc/ppk/statistics


What do the ‘F’ flags mean in the output of fwaccel conns?


Options are :

  • Flag set for debug
  • Flow established
  • Forward to firewall
  • Fast path packets

Answer : Forward to firewall

What type of connections cannot be templated?


Options are :

  • Complex connections such as FTP, H323, SQL, etc.
  • Any connections that contain Hide NAT.
  • UDP because it is not connection oriented
  • TCP

Answer : Complex connections such as FTP, H323, SQL, etc.

What command should a firewall administrator use to begin debugging SecureXL?


Options are :

  • fwaccel dbg api + verbose add
  • fwaccel debug -m
  • SecureXL cannot be debugged and the kernel debug will give enough output to help the firewall administrator to understand the firewall's behaviour. The right command to use is fw ctl debug -m fw.
  • fwaccel dbg -m

Answer : fwaccel dbg -m


Where would you find CPU information like model, number of cores, vendor and architecture?


Options are :

  • Right click the gateway object in Smart Dashboard and view properties
  • In the file cpuinfo in the directory /proc.
  • sysconfig
  • WebUI

Answer : In the file cpuinfo in the directory /proc.

Your gateway object is currently defined with a max connection count of 25k connections in Smart
Dashboard. Which of the following commands would show you the current and peak connection
counts?


Options are :

  • fw ctl pstat
  • fw ctl chain
  • fw ctl conn
  • show connections all

Answer : fw ctl pstat

What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP
entries through the GAiA portal or Clish?


Options are :

  • If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or Clish.
  • Nothing.
  • They are merged with the new entries added from the GAiA Portal / Clish.
  • They are overwritten.

Answer : They are overwritten.


How do you check the overall SecureXL statistics?


Options are :

  • fwaccel conns
  • cat /proc/ppk/statistics
  • fwaccel on
  • fwaccel stat

Answer : cat /proc/ppk/statistics

Certain rules will disable connection rate acceleration (templates) in the Rule Base. What
command should be used to determine at which rule templates are disabled?


Options are :

  • fw ctl pstat
  • cphaprob -a if
  • cpconfig
  • fwaccel stat

Answer : fwaccel stat

When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?


Options are :

  • At the top of the Rule Base.
  • Using the hit count column.
  • Using the Compliance Software Blade.
  • With the command fwaccel stat followed by the command fwaccel stats.

Answer : With the command fwaccel stat followed by the command fwaccel stats.


Which information CANNOT be displayed by issuing the command cat /proc/cpuinfo?


Options are :

  • NFS_Unstable
  • fpu
  • vendor_id
  • CPU family

Answer : NFS_Unstable

You have just configured HA and find that connections are not being synced. When you have a
failover, users complain that they are losing their connections. What command could you run to
see the state synchronization statistics?


Options are :

  • fw sync stats
  • cphaprob stat
  • fw ctl get int fw_state_sync_stats
  • fw ctl pstat

Answer : fw ctl pstat

When VPN user-based authentication fails, which of the following debug logs is essential to
understanding the issue?


Options are :

  • fw monitor trace
  • Vpnd.elg
  • IKE.elg
  • VPN-1 kernel debug logs

Answer : IKE.elg
