156-215.70 Check Point Certified Security Administrator Exam Set 4

If you check the box Use Aggressive Mode in the IKE Properties dialog box, the standard:


Options are :

  • three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
  • three-packet IKE Phase 2 exchange is replaced by a two-packet exchange.
  • six-packet IKE Phase 1 exchange is replaced by a three-packet exchange. (Correct)
  • three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.

Answer : six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.

156-315.77 Check Point Certified Security Expert Exam Set 5

What statement is true regarding Visitor Mode?


Options are :

  • Only Main mode and Quick mode traffic are tunneled on TCP port 443.
  • VPN authentication and encrypted traffic are tunneled through port TCP 443. (Correct)
  • All VPN traffic is tunneled through UDP port 4500.
  • Only ESP traffic is tunneled through port TCP 443.

Answer : VPN authentication and encrypted traffic are tunneled through port TCP 443.

If Henry wanted to configure Perfect Forward Secrecy for his VPN tunnel, in which phase would he be configuring this?


Options are :

  • Diffie-Hellman
  • Phase 1
  • Aggressive Mode
  • Phase 2 (Correct)

Answer : Phase 2

Your users are defined in a Windows 2003 Active Directory server. You must add LDAP users to a Client Authentication rule. Which kind of user group do you need in the Client Authentication rule in R70?


Options are :

  • All Users
  • A group with a generic user
  • External-user group
  • LDAP group (Correct)

Answer : LDAP group

156-315.77 Check Point Certified Security Expert Exam Set 1

All R70 Security Servers can perform authentication with the exception of one. Which of the Security Servers cannot perform authentication?


Options are :

  • RLOGIN
  • SMTP (Correct)
  • HTTP
  • FTP

Answer : SMTP

You wish to configure a VPN and you want to encrypt not just the data packet, but the original header. Which encryption scheme would you select?


Options are :

  • Tunneling-mode encryption (Correct)
  • Both encrypt the data and header
  • In-place encryption

Answer : Tunneling-mode encryption

Which operating system is not supported by SecureClient?


Options are :

  • MacOS X
  • Windows XP SP2
  • Windows Vista
  • IPSO 3.9 (Correct)

Answer : IPSO 3.9

156-215.75 Check Point Certified Security Administrator Exam Set 2

Marc is a Security Administrator configuring a VPN tunnel between his site and a partner site. He just created the partner city’s firewall object and a community. While trying to add the firewalls to the community only his firewall could be chosen. The partner city’s firewall does not appear. What is a possible reason for the problem?


Options are :

  • IPsec VPN Software Blade on the partner city’s firewall object is not activated. (Correct)
  • The partner city’s Gateway is running VPN-1 NG AI.
  • The partner city’s firewall object was created as an interoperable device.
  • Only Check Point Gateways could be added to a community.

Answer : IPsec VPN Software Blade on the partner city’s firewall object is not activated.

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Manually import your partner’s Certificate Revocation List.
  • Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA). (Correct)
  • Manually import your partner’s Access Control List
  • Create a new logical-server object to represent your partner’s CA

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA).

As a Security Administrator, you must refresh the Client Authentication authorization timeout every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:


Options are :

  • in the Limit tab of the Client Authentication Action Properties screen. (Correct)
  • in the Global Properties Authentication screen.
  • in the Gateway object's Authentication screen.
  • in the user object's Authentication screen.

Answer : in the Limit tab of the Client Authentication Action Properties screen.

156-315.13 Check Point Security Expert R76(GAiA) Exam Set 5

Of the following VPN Community options, which is most likely to provide a balance between IKE compatibility to VPN-capable devices (Check Point and non-Check Point) and preserving resources on the R70 Gateway? VPN tunnel sharing per:


Options are :

  • pair of hosts, permanent tunnels, Diffie-Hellman Group 2 for Phase 1.
  • subnet, no permanent tunnels, Diffie-Hellman Group 2 for Phase 1. (Correct)
  • subnet, permanent tunnels, Diffie-Hellman Group 1 for Phase 1.
  • pair of hosts, no permanent tunnels, Diffie-Hellman Group 1 for Phase 1.

Answer : subnet, no permanent tunnels, Diffie-Hellman Group 2 for Phase 1.

Which Client Authentication sign-on method requires the user to first authenticate via the User Authentication mechanism when logging in to a remote server with Telnet?


Options are :

  • Agent Automatic Sign On
  • Partially Automatic Sign On (Correct)
  • Manual Sign On
  • Standard Sign On

Answer : Partially Automatic Sign On

With the User Directory Software Blade, you can create R70 user definitions on a(n) _________ Server.


Options are :

  • LDAP (Correct)
  • NT Domain
  • SecureID
  • Radius

Answer : LDAP

156-315.77 Check Point Certified Security Expert Exam Set 8

You wish to view the current state of the customer’s VPN tunnels, including those that are down and destroyed. Which SmartConsole application will provide you with this information?


Options are :

  • SmartView Monitor (Correct)
  • SmartView Tracker
  • SmartUpdate
  • SmartView Status

Answer : SmartView Monitor

The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?


Options are :

  • Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
  • The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server. (Correct)
  • You can limit the authentication attempts in the Authentication tab of the User Properties screen.
  • You can only use the rule for Telnet, FTP, SMTP, and rlogin services.

Answer : The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.

What can NOT be selected for VPN tunnel sharing?


Options are :

  • One tunnel per subnet pair
  • One tunnel per pair of hosts
  • One tunnel per Gateway pair
  • One tunnel per VPN domain pair (Correct)

Answer : One tunnel per VPN domain pair

156-315.13 Check Point Security Expert R76 (GAiA) Exam Set 2

What is the difference between Standard and Specific Sign On methods?


Options are :

  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect. (Correct)
  • Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user re-authenticate for each service.

Answer : Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect.

There are three options available for configuring a firewall policy on the SecureClient Mobile device. Which of the following is NOT an option?


Options are :

  • yes
  • configured on endpoint client
  • no
  • configured on server (Correct)

Answer : configured on server

When a user selects to allow Hotspot, SecureClient modifies the Desktop Security Policy and/or Hub Mode routing to enable Hotspot registration. Which of the following is NOT true concerning this modification?


Options are :

  • The modification is restricted by time.
  • IP addresses accessed during registration are recorded.
  • Ports accessed during registration are recorded.
  • The number of IP addresses accessed is unrestricted (Correct)

Answer : The number of IP addresses accessed is unrestricted

156-315.77 Check Point Certified Security Expert Exam Set 4

Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?


Options are :

  • Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway. (Correct)
  • You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.
  • This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.
  • This cannot be done as it requires a SIC reset on the Gateways first, forcing an outage.

Answer : Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

What happens in relation to the CRL cache after a cpstop and cpstart have been initiated?


Options are :

  • The Gateway continues to use the old CRL, as long as it is valid (Correct)
  • The Gateway retrieves a new CRL on startup, and then discards the old CRL as invalid.
  • The Gateway continues to use the old CRL even if it is not valid, until a new CRL is cached.
  • The Gateway issues a crl_zap on startup, which empties the cache and forces Certificate retrieval.

Answer : The Gateway continues to use the old CRL, as long as it is valid

If you are experiencing LDAP issues, which of the following should you check?


Options are :

  • Secure Internal Communications (SIC)
  • Overlapping VPN Domains
  • Connectivity between the R70 Gateway and LDAP server (Correct)
  • Domain name resolution

Answer : Connectivity between the R70 Gateway and LDAP server

Check Point Certified Security Expert Exam Set 5

Public keys and digital certificates do NOT provide which of the following?


Options are :

  • Availability (Correct)
  • Data integrity
  • Nonrepudiation
  • Authentication

Answer : Availability

Your company has two headquarters, one in London, one in New York. Each of the headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of:


Options are :

  • Three star Communities: The first one is between New York headquarters and its branches. The second star Community is between London headquarters and its branches. The third star Community is between New York and London headquarters but it is irrelevant which site is “center” and which “satellite”. (Correct)
  • Two mesh and one star Community: Each mesh Community is set up for each site between headquarters their branches. The star Community has New York as the center and London as its satellite.
  • One star Community with the option to “mesh” the center of the star: New York and London Gateways added to the center of the star with the “mesh center Gateways” option checked; all London branch offices defined in one satellite window; but, all New York branch offices defined in another satellite window.
  • Three mesh Communities: one for London headquarters and its branches; one for New York headquarters and its branches; and one for London and New York headquarters.

Answer : Three star Communities: The first one is between New York headquarters and its branches. The second star Community is between London headquarters and its branches. The third star Community is between New York and London headquarters but it is irrelevant which site is “center” and which “satellite”.

In the SmartView Tracker you receive the error, “…peer send invalid ID information…” while trying to establish an IKE VPN tunnel. Where does this error normally result from and how can you solve it? This error normally results from:


Options are :

  • an invalid IP address configured on one tunnel endpoint, normally the internal one in the General tab. This can be resolved by adding the correct IPs to the Topology tab of both Gateways on both sites.
  • a mismatch in the IPs of the VPN tunnel endpoints and cannot be resolved.
  • an invalid IP address configured on one tunnel endpoint; normally the internal one in the General tab. This can be solved with link selection or by changing this IP to the one facing the other tunnel endpoint. (Correct)
  • a mismatch in the authentication algorithms used in IKE phase one and can be corrected by changing them to match.

Answer : an invalid IP address configured on one tunnel endpoint; normally the internal one in the General tab. This can be solved with link selection or by changing this IP to the one facing the other tunnel endpoint.

Check Point Certified Security Administrator Set 1

With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted domain. But when your mobile users move outside of your company, they often cannot use SecureClient because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?


Options are :

  • Allow for unencrypted traffic
  • Allow your users to turn off SecureClient
  • Enable Hot Spot/Hotel Registration (Correct)
  • Allow traffic outside the encrypted domain

Answer : Enable Hot Spot/Hotel Registration

How do you define a service object for a TCP port range?


Options are :

  • Manage Services > New Group, provide name and add all service ports for range individually to the group object
  • Manage Services > New Other, provide name and define protocol: x-y
  • Manage Services > New Other, provide name and define protocol: 17, Range: x-y
  • Manage Services > New TCP, provide name and define port: x-y (Correct)

Answer : Manage Services > New TCP, provide name and define port: x-y

Check Point Certified Security Expert Exam Set 3

Where do you enable popup alerts for IPS settings that have detected suspicious activity?


Options are :

  • In SmartView Monitor, select Tools > Alerts (Correct)
  • In SmartDashboard, edit the Gateway object, and select IPS > Alerts
  • In SmartView Tracker, select Tools > Custom Commands
  • In SmartDashboard, select Global Properties > Log and Alert > Alert Commands

Answer : In SmartView Monitor, select Tools > Alerts

What are the results of the command: fw sam [Target IP Address]?


Options are :

  • Connections to and from the specified target are blocked with the need to change the Security Policy.
  • Connections from the specified target are blocked without the need to change the Security Policy
  • Connections to the specified target are blocked without the need to change the Security Policy.
  • Connections to and from the specified target are blocked without the need to change the Security Policy. (Correct)

Answer : Connections to and from the specified target are blocked without the need to change the Security Policy.

You want to configure a mail alert for every time the policy is installed to a specific Gateway. Where would you configure this alert?


Options are :

  • In SmartView Monitor, select Gateway > Configure Thresholds.
  • In SmartView Monitor, select Gateway > Configure Thresholds and in SmartDashboard select Global Properties > Alerts. (Correct)
  • You cannot create a mail alert for Policy installation.
  • In SmartDashboard, select Global Properties > Alerts.

Answer : In SmartView Monitor, select Gateway > Configure Thresholds and in SmartDashboard select Global Properties > Alerts.

156-315.77 Check Point Certified Security Expert Exam Set 5
