156-215.75 Check Point Certified Security Administrator Exam Set 7

When attempting to connect with SecureClient Mobile, the following error message is received: "The certificate provided is invalid. Please provide the username and password." What is the probable cause of the error?


Options are :

  • The certificate provided is invalid. (Correct)
  • The user attempting to connect is not configured to have an office mode IP address so the connection failed.
  • There is no connection to the server, and the client disconnected.
  • The user's credentials are invalid.

Answer : The certificate provided is invalid.

Using the output below, what type of VPN Community is configured for fw-stlouis?


Options are :

  • Meshed (Correct)
  • Star
  • Domain-Based
  • Traditional

Answer : Meshed

What statement is true regarding Visitor Mode?


Options are :

  • All VPN traffic is tunneled through UDP port 4500.
  • Only Main mode and Quick mode traffic are tunneled on TCP port 443.
  • VPN authentication and encrypted traffic are tunneled through port TCP 443 (Correct)
  • Only ESP traffic is tunneled through port TCP 443.

Answer : VPN authentication and encrypted traffic are tunneled through port TCP 443

Which of these attributes would be critical for a site-to-site VPN?


Options are :

  • Strong data encryption (Correct)
  • Scalability to accommodate user groups
  • Strong authentication
  • Centralized management

Answer : Strong data encryption

If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for normal Phase 1 exchange?


Options are :

  • 3
  • 2
  • 9
  • 6 (Correct)

Answer : 6

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Manually import your partner's Certificate Revocation List.
  • Manually import your partner's Control List.
  • Create a new logical-server object to represent your partner's CA.
  • Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA). (Correct)

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).

Which of the following commands can be used to remove site-to-site IPsec Security Association (SA)?


Options are :

  • fw ipsec tu
  • vpn ipsec
  • vpn tu (Correct)
  • vpn debug ipsec

Answer : vpn tu

You have traveling salesmen connecting to your VPN community from all over the world. Which technology would you choose?


Options are :

  • SSL VPN: It only requires HTTPS connections between client and server. These are most likely open from all networks, unlike IPsec, which uses protocols and ports which are blocked by many sites. (Correct)
  • SSL VPN: It has more secure and robust encryption schemes than IPsec
  • IPsec: It allows complex setups that match any network situation available to the client, i.e. connection from a private customer network or various hotel networks.
  • IPsec: It offers encryption, authentication, replay protection and all algorithms that are state of the art (AES) or that perform very well. It is native to many client operating systems, so setup can easily be scripted.

Answer : SSL VPN: It only requires HTTPS connections between client and server. These are most likely open from all networks, unlike IPsec, which uses protocols and ports which are blocked by many sites.

Which of the following is NOT supported with Office Mode?


Options are :

  • SecureClient
  • SSL Network Extender
  • SecuRemote (Correct)
  • Endpoint Connect

Answer : SecuRemote

Which operating system is not supported by SecureClient?


Options are :

  • IPSO 3.9 (Correct)
  • Windows Vista
  • Windows XP SP2
  • MacOS X

Answer : IPSO 3.9

You wish to configure an IKE VPN between two R75 Security Gateways, to protect two networks. The network behind one Gateway is 10.15.0.0/16, and network 192.168.9.0/24 is behind the peer's Gateway. Which type of address translation should you use to ensure the two networks access each other through the VPN tunnel?


Options are :

  • Manual NAT
  • Hide NAT
  • None (Correct)
  • Static NAT

Answer : None

What happens in relation to the CRL cache after a cpstop and cpstart have been initiated?


Options are :

  • The Gateway continues to use the old CRL even if it is not valid, until a new CRL is cached.
  • The Gateway issues a crl_zap on startup, which empties the cache and forces certificate retrieval.
  • The Gateway continues to use the old CRL, as long as it is valid. (Correct)
  • The Gateway retrieves a new CRL on startup, and discards the old CRL as invalid.

Answer : The Gateway continues to use the old CRL, as long as it is valid.

Which of the following is TRUE concerning control connections between the Security Management Server and the Gateway in a VPN Community? Control Connections are:


Options are :

  • encrypted using SIC. (Correct)
  • encrypted using SIC and re-encrypted again by the Community regardless of VPN domain configuration.
  • encrypted by the Community
  • not encrypted, only authenticated

Answer : encrypted using SIC.

How many packets does the IKE exchange use for Phase 1 Aggressive Mode?


Options are :

  • 12
  • 3 (Correct)
  • 1
  • 6

Answer : 3

How many times is the firewall kernel invoked for a packet to be passed through a VPN connection?


Options are :

  • None. The IPSO kernel handles it.
  • Twice (Correct)
  • Once
  • Three times

Answer : Twice

In which IKE phase are IPsec SAs negotiated?


Options are :

  • Phase 4
  • Phase 3
  • Phase 2 (Correct)
  • Phase 1

Answer : Phase 2

With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted domain. But when your mobile users move outside of your company, they often cannot use SecureClient because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?


Options are :

  • Enable Hot Spot/Hotel Registration (Correct)
  • Allow your users to turn off SecureClient
  • Allow for unencrypted traffic
  • Allow traffic outside the encrypted domain

Answer : Enable Hot Spot/Hotel Registration

Which of the following actions take place in IKE Phase 2 with Perfect Forward Secrecy disabled?


Options are :

  • Symmetric IPsec keys are generated. (Correct)
  • The DH public keys are exchanged.
  • Peers authenticate using certificates or preshared secrets.
  • Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.

Answer : Symmetric IPsec keys are generated.

Review the following list of actions that Security Gateway R75 can take when it controls packets. The Policy Package has been configured for Simplified Mode VPN. Select the response below that includes the available actions:


Options are :

  • Accept, Reject, Encrypt, Drop
  • Accept, Drop, Encrypt, Session Auth
  • Accept, Hold, Reject, Proxy
  • Accept, Drop, Reject, Client Auth (Correct)

Answer : Accept, Drop, Reject, Client Auth

There are three options available for configuring a firewall policy on the SecureClient Mobile device. Which of the following is NOT an option?


Options are :

  • Configured on server (Correct)
  • No
  • Yes
  • Configured on endpoint client

Answer : Configured on server

If you need strong protection for the encryption of user data, what option would be the BEST choice?


Options are :

  • Disable Diffie Hellman by using stronger certificate based key-derivation. Use AES-256 bit on all encrypted channels and add PFS to QuickMode. Use double encryption by implementing AH and ESP as protocols.
  • Use Diffie Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
  • When you need strong encryption, IPsec is not the best choice. SSL VPNs are a better choice.
  • Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol. (Correct)

Answer : Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.

Which VPN Community object is used to configure Hub Mode VPN routing in SmartDashboard?


Options are :

  • Routed
  • Star (Correct)
  • Remote Access
  • Mesh

Answer : Star

If Henry wanted to configure Perfect Forward Secrecy for his VPN tunnel, in which phase would he be configuring this?


Options are :

  • Phase 1
  • Aggressive Mode
  • Phase 2 (Correct)
  • Diffie-Hellman

Answer : Phase 2

What is the size of a hash produced by SHA-1?


Options are :

  • 56
  • 160 (Correct)
  • 40
  • 128

Answer : 160

What is the bit size of a DES key?


Options are :

  • 168
  • 112
  • 56 (Correct)
  • 64

Answer : 56

Can you upgrade a clustered deployment with zero downtime?


Options are :

  • Yes, this is the default setting
  • No, this is not possible.
  • No, you must bring all gateways down.
  • Yes, if you select the option zero downtime, it will keep one member active (Correct)

Answer : Yes, if you select the option zero downtime, it will keep one member active

As a Security Administrator, you must refresh the Client Authentication authorization timeout every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:


Options are :

  • in the Limit tab of the Client Authentication Action Properties screen (Correct)
  • in the Global Properties Authentication screen
  • in the user object's Authentication screen
  • in the Gateway object's Authentication screen

Answer : in the Limit tab of the Client Authentication Action Properties screen

What is the difference between Standard and Specific Sign On methods?


Options are :

  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user re-authenticate for each service.
  • Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties.
  • Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect. (Correct)

Answer : Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect.

Your users are defined in a Windows 2003 R2 Active Directory server. You must add LDAP users to a Client Authentication rule. Which kind of user group do you need in the Client Authentication rule in R75?


Options are :

  • A group with a generic user
  • LDAP group (Correct)
  • All Users
  • External-user group

Answer : LDAP group

As a Security Administrator, you are required to create users for authentication. When you create a user for user authentication, the data is stored in the ___________


Options are :

  • Rules Database
  • SmartUpdate repository
  • Objects Database
  • User Database (Correct)

Answer : User Database
