156-215.13 Check Point Certified Security Administrator Exam Set 10

For remote user authentication, which authentication scheme is NOT supported?


Options are :

  • TACACS (Correct)
  • RADIUS
  • Check Point Password
  • SecurID

Answer : TACACS

Check Point Certified Security Expert Exam Set 11

What command with appropriate switches would you use to test Identity Awareness connectivity?


Options are :

  • test_ldap_connectivity
  • test_ad_connectivity (Correct)
  • test_ad
  • test_ldap

Answer : test_ad_connectivity

What is the purpose of an Identity Agent?


Options are :

  • Manual entry of user credentials for LDAP authentication
  • Provide user and machine identity to a gateway (Correct)
  • Audit a user's access, and send that data to a log server
  • Disable Single Sign On

Answer : Provide user and machine identity to a gateway

Complete this statement from the options provided. Using Captive Portal, unidentified users may be either blocked, allowed to enter required credentials, or required to download the _____________.


Options are :

  • SecureClient
  • Identity Awareness Agent (Correct)
  • ICA Certificate
  • Full Endpoint Client

Answer : Identity Awareness Agent

Check Point Certified Security Expert Exam Set 3

Which of the following allows administrators to allow or deny traffic to or from a specific network based on the user's credentials?


Options are :

  • Access Certificate
  • Access Policy
  • Access Role (Correct)
  • Access Rule

Answer : Access Role

What command syntax would you use to see accounts the gateway suspects are service accounts?


Options are :

  • adlog a service_accounts (Correct)
  • adlog check_accounts
  • pdp check_log
  • pdp show service

Answer : adlog a service_accounts

What mechanism does a gateway configured with Identity Awareness and LDAP initially use to communicate with a Windows 2003 or 2008 server?


Options are :

  • LDAP
  • WMI (Correct)
  • RCP
  • CIFS

Answer : WMI

Check Point Certified Security Expert Exam Set 12

Identity Awareness can be deployed in which of the following modes?


Options are :

  • Detect
  • Router (Correct)
  • High Availability
  • Load Sharing

Answer : Router

To qualify as an Identity Awareness enabled rule, which column MAY include an Access Role?


Options are :

  • User
  • Track
  • Destination (Correct)
  • Action

Answer : Destination

What command syntax would you use to turn on PDP logging in a distributed environment?


Options are :

  • pdp track=1
  • pdp tracker on (Correct)
  • pdp logging on
  • pdp log=1

Answer : pdp tracker on

156-315.77 Check Point Certified Security Expert Exam Set 8

The Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO). What is not a recommended usage of this method?


Options are :

  • When accuracy in detecting identity is crucial
  • Identity based enforcement for non-AD users (non-Windows and guest users) (Correct)
  • Protecting highly sensitive servers
  • Leveraging identity for Data Center protection

Answer : Identity based enforcement for non-AD users (non-Windows and guest users)

Which authentication type requires specifying a contact agent in the Rule Base?


Options are :

  • Session Authentication (Correct)
  • Client Authentication with Manual Sign On
  • User Authentication
  • Client Authentication with Partially Automatic Sign On

Answer : Session Authentication

Captive Portal is a __________ that allows the gateway to request login information from the user.


Options are :

  • Transparent network inspection tool
  • LDAP server add-on
  • Pre-configured and customizable web-based tool (Correct)
  • Separately licensed feature

Answer : Pre-configured and customizable web-based tool

156-315.77 Check Point Certified Security Expert Exam Set 17

In which Rule Base can you implement a configured Access Role?


Options are :

  • Mobile Access
  • Firewall (Correct)
  • IPS
  • DLP

Answer : Firewall

What is the difference between Standard and Specific Sign On methods?


Options are :

  • Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user re-authenticate for each service.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect. (Correct)

Answer : Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect.

John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop, which is assigned a static IP address 10.0.0.19. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. What should John do when he cannot access the web server from a different personal computer?


Options are :

  • Investigate this as a network connectivity issue
  • The access should be changed to authenticate the user instead of the PC (Correct)
  • John should lock and unlock his computer
  • John should install the Identity Awareness Agent

Answer : The access should be changed to authenticate the user instead of the PC

Check Point Certified Security Expert Exam Set 2

Where does the security administrator activate Identity Awareness within SmartDashboard?


Options are :

  • Gateway Object > General Properties (Correct)
  • Security Management Server > Identity Awareness
  • LDAP Server Object > General Properties
  • Policy > Global Properties > Identity Awareness

Answer : Gateway Object > General Properties

Which of the following is an authentication method used by Identity Awareness?


Options are :

  • SSL
  • PKI
  • RSA
  • Captive Portal (Correct)

Answer : Captive Portal

What gives administrators more flexibility when configuring Captive Portal instead of LDAP query for Identity Awareness authentication?


Options are :

  • Nothing, LDAP query is required when configuring Captive Portal
  • Captive Portal works with both configured users and guests (Correct)
  • Captive Portal is more secure than standard LDAP
  • Captive Portal is more transparent to the user

Answer : Captive Portal works with both configured users and guests

156-315.77 Check Point Certified Security Expert Exam Set 6

When using AD Query to authenticate users for Identity Awareness, identity data is received seamlessly from the Microsoft Active Directory (AD). What is NOT a recommended usage of this method?


Options are :

  • Basic identity enforcement in the internal network
  • Identity-based enforcement for non-AD users (non-Windows and guest users) (Correct)
  • Identity-based auditing and logging
  • Leveraging identity in the application control blade

Answer : Identity-based enforcement for non-AD users (non-Windows and guest users)

John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to a set of designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop, which is assigned a static IP address 10.0.0.19. He has received a new laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server from any machine and from any location and installs policy. John plugged in his laptop to the network on a different network segment and was not able to connect to the HR Web server. What is the next BEST troubleshooting step?


Options are :

  • He should lock and unlock the computer (Correct)
  • After enabling Identity Awareness, reboot the gateway
  • John should install the Identity Awareness Agent
  • Investigate this as a network connectivity issue

Answer : He should lock and unlock the computer

The Captive Portal tool:


Options are :

  • Is deployed from the Identity Awareness page in the Global Properties settings.
  • Allows access to users already identified
  • Is only used for guest user authentication.
  • Acquires identities from unidentified users (Correct)

Answer : Acquires identities from unidentified users

Check Point Certified Security Administrator Set 4

Your users are defined in a Windows 2008 R2 Active Directory server. You must add LDAP users to a Client Authentication rule. Which kind of user group do you need in the Client Authentication rule in R76?


Options are :

  • External-user group
  • LDAP group (Correct)
  • A group with a generic user
  • All Users

Answer : LDAP group

Which of the following objects is a valid source in an authentication rule?


Options are :

  • Host@Any
  • User@Any
  • User_group@Network (Correct)
  • User@Network

Answer : User_group@Network

What type of traffic can be re-directed to the Captive Portal?


Options are :

  • All of the above (Correct)
  • FTP
  • SMTP
  • HTTP

Answer : All of the above

156-315.77 Check Point Certified Security Expert Exam Set 3

John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop, which is assigned a static IP address 10.0.0.19. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. John plugged in his laptop to the network on a different network segment and he is not able to connect. How does he solve this problem?


Options are :

  • John should install the Identity Awareness Agent
  • John should lock and unlock the computer
  • The firewall admin should install the Security Policy (Correct)
  • Investigate this as a network connectivity issue

Answer : The firewall admin should install the Security Policy

Which of the following methods is NOT used by Identity Awareness to catalog identities?


Options are :

  • Identity Agent
  • Captive Portal
  • GPO (Correct)
  • AD Query

Answer : GPO

Your company has two headquarters, one in London, one in New York. Each of the headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of:


Options are :

  • Three star Communities: The first one is between New York headquarters and its branches. The second star Community is between London headquarters and its branches. The third star Community is between New York and London headquarters but it is irrelevant which site is "center" and which "satellite". (Correct)
  • Two mesh and one star Community: Each mesh Community is set up for each site between headquarters their branches. The star Community has New York as the center and London as its satellite.
  • One star Community with the option to mesh the center of the star: New York and London Gateways added to the center of the star with the "mesh center Gateways" option checked; all London branch offices defined in one satellite window; but, all New York branch offices defined in another satellite window.
  • Three mesh Communities: one for London headquarters and its branches; one for New York headquarters and its branches; and one for London and New York headquarters.

Answer : Three star Communities: The first one is between New York headquarters and its branches. The second star Community is between London headquarters and its branches. The third star Community is between New York and London headquarters but it is irrelevant which site is "center" and which "satellite".

Check Point Certified Security Expert Exam Set 12

Which of the following items should be configured for the Security Management Server to authenticate using LDAP?


Options are :

  • WMI object
  • Windows logon password
  • Domain Admin username (Correct)
  • Check Point Password

Answer : Domain Admin username

Can you use Captive Portal with HTTPS?


Options are :

  • No, it only works with FTP and HTTP
  • No, it only works with HTTP
  • No, it only works with FTP
  • Yes (Correct)

Answer : Yes
