156-215.13 Check Point Certified Security Administrator Exam Set 9

You install and deploy GAiA with default settings. You allow Visitor Mode in the Gateway object's Remote Access properties and install policy; but SecureClient refuses to connect. What is the cause of this?


Options are :

  • You need to start SSL Network Extender first, then use Visitor Mode.
  • Set Visitor Mode in Policy > Global Properties > Remote-Access > VPN - Advanced.
  • Office mode is not configured.
  • The WebUI on GAiA runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port. (Correct)

Answer : The WebUI on GAiA runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port.

How many packets does the IKE exchange use for Phase 1 Main Mode?


Options are :

  • 12
  • 6 (Correct)
  • 1
  • 3

Answer : 6

What statement is true regarding Visitor Mode?


Options are :

  • VPN authentication and encrypted traffic are tunneled through port TCP 443. (Correct)
  • Only ESP traffic is tunneled through port TCP 443.
  • All VPN traffic is tunneled through UDP port 4500.
  • Only Main mode and Quick mode traffic are tunneled on TCP port 443.

Answer : VPN authentication and encrypted traffic are tunneled through port TCP 443.

Which of the following actions take place in IKE Phase 2 with Perfect Forward Secrecy disabled?


Options are :

  • Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.
  • Peers authenticate using certificates or preshared secrets.
  • The DH public keys are exchanged.
  • Symmetric IPsec keys are generated. (Correct)

Answer : Symmetric IPsec keys are generated.

When using vpn tu, which option must you choose if you only want to clear phase 2 for a specific IP (gateway)?


Options are :

  • (5) Delete all IPsec SAs for a given peer (GW) (Correct)
  • (8) Delete all IPsec+IKE SAs for a given User (Client)
  • (7) Delete all IPsec+IKE SAs for a given peer (GW)
  • (6) Delete all IPsec SAs for a given User (Client)

Answer : (5) Delete all IPsec SAs for a given peer (GW)

When using an encryption algorithm, which is generally considered the best encryption method?


Options are :

  • Triple DES
  • CAST cipher
  • DES
  • AES (Correct)

Answer : AES

As you review this Security Policy, what changes could you make to accommodate Rule 4?


Options are :

  • Remove the service HTTP from the column Service in Rule 4.
  • Modify the column VPN in Rule 2 to limit access to specific traffic. (Correct)
  • Modify the columns Source or Destination in Rule 4.
  • Nothing at all.

Answer : Modify the column VPN in Rule 2 to limit access to specific traffic

You are troubleshooting NAT entries in SmartView Tracker. Which column do you check to view the new source IP?


Options are :

  • XlateSrc (Correct)
  • XlateDst
  • XlateSPort
  • XlateDPort

Answer : XlateSrc

Your customer, Mr. Smith, needs access to other networks and should be able to use all services. Session authentication is not suitable. You select Client Authentication with HTTP. The standard authentication port for client HTTP authentication (Port 900) is already in use. You want to use Port 9001 but are having connectivity problems. Why are you having problems?


Options are :

  • You can't use any port other than the standard port 900 for Client Authentication via HTTP.
  • The Security Policy is not correct.
  • The configuration file $FWDIR/conf/fwauthd.conf is incorrect. (Correct)
  • The service FW_clntauth_http configuration is incorrect.

Answer : The configuration file $FWDIR/conf/fwauthd.conf is incorrect.

How many packets are required for IKE Phase 2?


Options are :

  • 6
  • 2
  • 12
  • 3 (Correct)

Answer : 3

If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for normal Phase 1 exchange?


Options are :

  • 9
  • 6 (Correct)
  • 2
  • 3

Answer : 6

With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted domain. But when your mobile users move outside of your company, they often cannot use SecureClient because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?


Options are :

  • Allow your users to turn off SecureClient
  • Allow for unencrypted traffic
  • Enable Hot Spot/Hotel Registration (Correct)
  • Allow traffic outside the encrypted domain

Answer : Enable Hot Spot/Hotel Registration

You are using SmartView Tracker to troubleshoot NAT entries. Which column do you check to view the NAT'd source port if you are using Source NAT?


Options are :

  • XlateDPort
  • XlateDst
  • XlateSPort (Correct)
  • XlateSrc

Answer : XlateSPort

Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?


Options are :

  • All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel. (Correct)
  • The two algorithms do not have the same key length and so don't work together. You will get the error …. No proposal chosen….
  • All is fine and can be used as is.
  • Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.

Answer : All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.

How many packets does the IKE exchange use for Phase 1 Aggressive Mode?


Options are :

  • 12
  • 6
  • 1
  • 3 (Correct)

Answer : 3

Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?


Options are :

  • This cannot be done as it requires a SIC reset on the Gateways first, forcing an outage.
  • You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.
  • Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway. (Correct)
  • This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.

Answer : Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

When attempting to connect with SecureClient Mobile you get the following error message: "The certificate provided is invalid. Please provide the username and password." What is the probable cause of the error?


Options are :

  • Your user credentials are invalid.
  • Your user configuration does not have an office mode IP address so the connection failed.
  • Your certificate is invalid. (Correct)
  • There is no connection to the server, and the client disconnected.

Answer : Your certificate is invalid.

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA). (Correct)
  • Create a new logical-server object to represent your partner's CA.
  • Manually import your partner's Certificate Revocation List.
  • Manually import your partner's Access Control List.

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).

Which of the following actions do NOT take place in IKE Phase 1?


Options are :

  • Peers agree on integrity method.
  • Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key. (Correct)
  • Each side generates a session key from its private key and the peer's public key.
  • Peers agree on encryption method.

Answer : Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key.

You start to use SmartView Monitor to analyze the packet size distribution of your traffic. Unfortunately, you get the message: "There are no machines that contain Firewall Blade and SmartView Monitor." What should you do to analyze the packet size distribution of your traffic? Give the BEST answer.


Options are :

  • Purchase the SmartView Monitor license for your Security Management Server.
  • Purchase the SmartView Monitor license for your Security Gateway.
  • Enable Monitoring on your Security Management Server.
  • Enable Monitoring on your Security Gateway. (Correct)

Answer : Enable Monitoring on your Security Gateway.

Which do you configure to give remote access VPN users a local IP address?


Options are :

  • Authentication pool
  • NAT pool
  • Encryption domain pool
  • Office mode IP pool (Correct)

Answer : Office mode IP pool

Which of the following commands can be used to remove site-to-site IPsec Security Association (SA)?


Options are :

  • vpn debug ipsec
  • vpn ipsec
  • fw ipsec tu
  • vpn tu (Correct)

Answer : vpn tu

What happens when you open the Gateway object window Trusted Communication and press and confirm Reset?


Options are :

  • The Gateway certificate will be revoked on the Security Management Server only. (Correct)
  • SIC will be reset on the Gateway only.
  • The Gateway certificate will be revoked on the Gateway only.
  • The Gateway certificate will be revoked on the Security Management Server and SIC will be reset on the Gateway.

Answer : The Gateway certificate will be revoked on the Security Management Server only.

Why are certificates preferred over pre-shared keys in an IPsec VPN?


Options are :

  • Weak performance: PSK takes more time to encrypt than Diffie-Hellman.
  • Weak security: PSKs can only have 112 bit length.
  • Weak Security: PSK are static and can be brute-forced. (Correct)
  • Weak scalability: PSKs need to be set on each and every Gateway.

Answer : Weak Security: PSK are static and can be brute-forced.

How do you configure the Security Policy to provide user access to the Captive Portal through an external (Internet) interface?


Options are :

  • Change the gateway settings to allow Captive Portal access via an external interface. (Correct)
  • Change the Identity Awareness settings under Global Properties to allow Captive Portal access for an external interface.
  • No action is necessary. This access is available by default.
  • Change the Identity Awareness settings under Global Properties to allow Captive Portal access on all interfaces.

Answer : Change the gateway settings to allow Captive Portal access via an external interface.

Access Role objects define users, machines, and network locations as:


Options are :

  • One object (Correct)
  • Credentialed objects
  • Linked objects
  • Separate objects

Answer : One object

Which of the following is NOT defined by an Access Role object?


Options are :

  • Source Server (Correct)
  • Source User
  • Source Network
  • Source Machine

Answer : Source Server

Which of the following authentication methods can be configured in the Identity Awareness setup wizard?


Options are :

  • TACACS
  • Check Point Password
  • Captive Portal (Correct)
  • Windows password

Answer : Captive Portal

Which set of objects have an Authentication tab?


Options are :

  • Users, Networks
  • Users, User Groups
  • Templates, Users (Correct)
  • Networks, Hosts

Answer : Templates, Users

Which of these attributes would be critical for a site-to-site VPN?


Options are :

  • Centralized management
  • Strong data encryption (Correct)
  • Strong authentication
  • Scalability to accommodate user groups

Answer : Strong data encryption
