156-215.75 Check Point Certified Security Administrator Exam Set 6

Which do you configure to give remote access VPN users a local IP address?


Options are :

  • Office mode IP pool (Correct)
  • NAT pool
  • Authentication pool
  • Encryption domain pool

Answer : Office mode IP pool

Message digests use which of the following?


Options are :

  • SSL and MD4 (Correct)
  • IDEA and RC4
  • SHA-1 and MD5
  • DES and RC4

Answer : SSL and MD4

Check Point Certified Security Expert Exam Set 3

The URL Filtering Policy can be configured to monitor URLs in order to:


Options are :

  • Block sites only once.
  • Alert the Administrator to block a suspicious site.
  • Redirect users to a new URL
  • Log sites from blocked categories. (Correct)

Answer : Log sites from blocked categories.

Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?


Options are :

  • All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.
  • Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1. (Correct)
  • The 2 algorithms do not have the same key length and so don't work together. You will get the error ".... No proposal chosen...."
  • All is fine and can be used as is.

Answer : Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.

Check Point Certified Security Expert Exam Set 8

You wish to configure a VPN and you want to encrypt not just the data packet, but the original header. Which encryption scheme would you select?


Options are :

  • In-place encryption
  • Both encrypt the data and header
  • Tunneling-mode encryption (Correct)

Answer : Tunneling-mode encryption

Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access after the next Phase 2 exchange occurs?


Options are :

  • MD5 Hash Completion
  • Phase 3 Key Revocation
  • SHA1 Hash Completion
  • Perfect Forward Secrecy (Correct)

Answer : Perfect Forward Secrecy

Phase 1 uses________.


Options are :

  • Conditional
  • Sequential
  • Symmetric
  • Asymmetric (Correct)

Answer : Asymmetric

Check Point Certified Security Administrator Set 4

Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?


Options are :

  • This can not be done as it requires a SIC- reset on the Gateways first forcing an outage.
  • Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway. (Correct)
  • This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.
  • You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.

Answer : Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

What is used to validate a digital certificate?


Options are :

  • PKCS
  • S/MIME
  • CRL (Correct)
  • IPsec

Answer : CRL

You wish to view the current state of the customer's VPN tunnels, including those that are down and destroyed. Which SmartConsole application will provide you with this information?


Options are :

  • SmartView Monitor (Correct)
  • SmartView Status
  • SmartUpdate
  • SmartView Tracker

Answer : SmartView Monitor

Check Point Certified Security Expert Exam Set 7

For VPN routing to succeed, what must be configured?


Options are :

  • No rules need to be created; implied rules that cover inbound and outbound traffic on the central (HUB) Gateway are already in place from Policy > Properties > Accept VPN-1 Control Connections.
  • A single rule in the Rule Base must cover all traffic on the central (HUB) Security Gateway for the VPN domain. (Correct)
  • At least two rules in the Rule Base must be created, one to cover traffic inbound and the other to cover traffic outbound on the central (HUB) Security Gateway.
  • VPN routing is not configured in the Rule Base or Community objects. Only the native routing mechanism on each Gateway can direct the traffic via its VTI configured interfaces.

Answer : A single rule in the Rule Base must cover all traffic on the central (HUB) Security Gateway for the VPN domain.

Your organization has many Edge Gateways at various branch offices allowing users to access company resources. For security reasons, your organization's Security Policy requires all Internet traffic initiated behind the Edge Gateways first be inspected by your headquarters' R75 Security Gateway. How do you configure VPN routing in this star VPN Community?


Options are :

  • To center and other satellites, through center
  • To center or through the center to other satellites, to Internet and other VPN targets (Correct)
  • To Internet and other targets only
  • To center only

Answer : To center or through the center to other satellites, to Internet and other VPN targets

What can NOT be selected for VPN tunnel sharing?


Options are :

  • One tunnel per Gateway pair
  • One tunnel per VPN domain pair (Correct)
  • One tunnel per subnet pair
  • One tunnel per pair of hosts

Answer : One tunnel per VPN domain pair

Check Point Certified Security Expert Exam Set 7

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R75 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?


Options are :

  • Key-exchange protocols
  • Digital signatures (Correct)
  • Application Intelligence
  • Certificate Revocation Lists

Answer : Digital signatures

Multi-Corp must comply with industry regulations in implementing VPN solutions among multiple sites. The corporate Information Assurance policy defines the following requirements:

  • Portability: Standard
  • Key management: Automatic, external PKI
  • Session keys: Changed at configured times during a connection's lifetime
  • Key length: No less than 128-bit
  • Data integrity: Secure against inversion and brute-force attacks

What is the most appropriate setting to comply with these requirements?


Options are :

  • IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash (Correct)
  • IKE VPNs: CAST encryption for IKE Phase 1, and SHA 1 encryption for phase 2, DES hash
  • IKE VPNs: DES encryption for IKE phase 1, and 3DES encryption for phase 2, MD 5 hash
  • IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for phase 2, AES hash

Answer : IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash

How can you access the Certificate Revocation List (CRL) on the firewall, if you have configured a Stealth Rule as the first explicit rule?


Options are :

  • The CRL is encrypted, so it is useless to attempt to access it.
  • You can access the Revocation list by means of a browser using the URL: http://IPFW:18264/ICA CRL1.crl1 provided the implied rules are activated per default. (Correct)
  • You can only access the CRL via the Security Management Server as the internal CA is located on that server
  • You cannot access the CRL, since the Stealth Rule will drop the packets

Answer : You can access the Revocation list by means of a browser using the URL: http://IPFW:18264/ICA CRL1.crl1 provided the implied rules are activated per default.

156-315.77 Check Point Certified Security Expert Exam Set 18

In which IKE phase are IKE SA's negotiated?


Options are :

  • Phase 3
  • Phase 1 (Correct)
  • Phase 4
  • Phase 2

Answer : Phase 1

Which of the following is NOT supported with office mode?


Options are :

  • Secure Client
  • L2TP
  • Transparent mode (Correct)
  • SSL Network Extender

Answer : Transparent mode

Your company has two headquarters, one in London, and one in New York. Each office includes several branch offices. The branch offices need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities for this company? VPN Communities comprised of:


Options are :

  • Two mesh and one star Community: One mesh Community is set up for each of the headquarters and its branch offices. The star Community is configured with London as the center of the Community and New York as the satellite.
  • One star Community with the option to "mesh" the center of the star: New York and London Gateways added to the center of the star with the mesh center Gateways option checked, all London branch offices defined in one satellite window, but all New York branch offices defined in another satellite window.
  • Three mesh Communities: One for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.
  • Two star and one mesh Community: One star Community is set up for each site, with headquarters as the center of the Community and its branches as satellites. The mesh Community includes only New York and London Gateways. (Correct)

Answer : Two star and one mesh Community: One star Community is set up for each site, with headquarters as the center of the Community and its branches as satellites. The mesh Community includes only New York and London Gateways.

156-315.77 Check Point Certified Security Expert Exam Set 11

Which of the following is NOT true for Clientless VPN?


Options are :

  • The Gateway can enforce the use of strong encryption
  • User Authentication is supported
  • The Gateway accepts any encryption method that is proposed by the client and supported in the VPN
  • Secure communication is provided between clients and servers that support HTTP (Correct)

Answer : Secure communication is provided between clients and servers that support HTTP

Marc is a Security Administrator configuring a VPN tunnel between his site and a partner site. He just created the partner city's firewall object and a community. While trying to add the firewalls to the community only his firewall could be chosen. The partner city's firewall does not appear. What is a possible reason for the problem?


Options are :

  • The partner city's Gateway is running VPN-1 NG AI.
  • The partner city's firewall object was created as an interoperable device.
  • IPsec VPN Software Blade on the partner city's firewall object is not activated. (Correct)
  • Only Check Point Gateways could be added to a community.

Answer : IPsec VPN Software Blade on the partner city's firewall object is not activated.

Which operating system is NOT supported by Endpoint Connect R75?


Options are :

  • Windows XP SP2
  • Windows 2000 SP1
  • Windows Vista 64-bit SP1
  • MacOS X (Correct)

Answer : MacOS X

156-115 Check Point Certified Security Master Practice Exam Set 6

How many packets does the IKE exchange use for Phase 1 Main Mode?


Options are :

  • 12
  • 6 (Correct)
  • 3
  • 1

Answer : 6

Which of the following SSL Network Extender server-side prerequisites is NOT correct?


Options are :

  • The specific Security Gateway must be configured as a member of the Remote Access Community
  • There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users. (Correct)
  • The Gateway must be configured to work with Visitor Mode.
  • To use Integrity Clientless Security (ICS), you must install the ICS server or configuration tool.

Answer : There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users.

Why are certificates preferred over pre-shared keys in an IPsec VPN?


Options are :

  • Weak performance: PSK takes more time to encrypt than Diffie-Hellman
  • Weak scalability: PSKs need to be set on each and every Gateway
  • Weak security: PSKs can only have 112 bit length.
  • Weak Security: PSK are static and can be brute-forced. (Correct)

Answer : Weak Security: PSK are static and can be brute-forced.

156-215.13 Check Point Certified Security Administrator Exam Set 9

You install and deploy SecurePlatform with default settings. You allow Visitor Mode in the Remote Access properties of the Gateway object and install policy, but SecureClient refuses to connect. What is the cause of this?


Options are :

  • Set Visitor Mode in Policy > Global Properties / Remote-Access / VPN - Advanced
  • You need to start SSL Network Extender first, then use Visitor Mode.
  • Office mode is not configured.
  • The WebUI on SecurePlatform runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port. (Correct)

Answer : The WebUI on SecurePlatform runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port.

Which statement defines Public Key Infrastructure? Security is provided:


Options are :

  • By authentication
  • Via both private and public keys, without the use of digital Certificates.
  • By Certificate Authorities, digital certificates, and public key encryption. (Correct)
  • By Certificate Authorities, digital certificates, and two-way symmetric-key encryption

Answer : By Certificate Authorities, digital certificates, and public key encryption.

Of the following VPN Community options, which is most likely to provide a balance between IKE compatibility to VPN-capable devices (Check Point and non-Check Point) and preserving resources on the R75 Gateway? VPN tunnel sharing per:


Options are :

  • pair of hosts, permanent tunnels, Diffie-Hellman Group 2 for Phase 1.
  • pair of hosts, no permanent tunnels, Diffie-Hellman Group 1 for Phase 1.
  • subnet, no permanent tunnels, Diffie-Hellman Group 2 for Phase 1. (Correct)
  • subnet, permanent tunnels, Diffie-Hellman Group 1 for Phase 1.

Answer : subnet, no permanent tunnels, Diffie-Hellman Group 2 for Phase 1.

156-115 Check Point Certified Security Master Practice Exam Set 4

When a user selects to allow Hot-spot, SecureClient modifies the Desktop Security Policy and/or Hub Mode routing to enable Hot-spot registration. Which of the following is NOT true concerning this modification?


Options are :

  • The number of IP addresses accessed is unrestricted. (Correct)
  • The modification is restricted by time.
  • Ports accessed during registration are recorded.
  • IP addresses accessed during registration are recorded.

Answer : The number of IP addresses accessed is unrestricted.

Which of the following provides confidentiality services for data and messages in a Check Point VPN?


Options are :

  • Asymmetric Encryption
  • Cryptographic checksums
  • Digital signatures
  • Symmetric Encryption (Correct)

Answer : Symmetric Encryption
