156-215.75 Check Point Certified Security Administrator Exam Set 4

You need to plan the company's new security system. The company needs a very high level of security and also high performance and high throughput for their applications. You need to turn on most of the integrated IPS checks while maintaining high throughput. What would be the BEST solution for this scenario?


Options are :

  • Bad luck, both together can not be achieved.
  • The IPS system does not affect the firewall performance and CoreXL is not needed in this scenario.
  • The IPS does not run when CoreXL is enabled.
  • You need to buy a strong multi-core machine and run R70 or later on SecurePlatform with CoreXL technology enabled. (Correct)

Answer : You need to buy a strong multi-core machine and run R70 or later on SecurePlatform with CoreXL technology enabled.

What is the desired outcome when running the command cpinfo -z -o cpinfo.out?


Options are :

  • Send output to a file called cpinfo.out in usable format for the CP InfoView utility.
  • Send output to a file called cpinfo.out without address resolution
  • Send output to a file called cpinfo.out in compressed format. (Correct)
  • Send output to a file called cpinfo.out and provide a screen print at the same time.

Answer : Send output to a file called cpinfo.out in compressed format.

Peter is your new Security Administrator. On his first working day, he is very nervous and sets the wrong password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST answer.


Options are :

  • You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Management Server.
  • You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Gateway.
  • It is not possible to unlock Peter's account. You have to install the firewall once again or abstain from Peter's help.
  • You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security Management Server. (Correct)

Answer : You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security Management Server.

156-215.75 Check Point Certified Security Administrator Exam Set 5

Which command would provide the most comprehensive diagnostic information to Check Point Technical Support?


Options are :

  • netstat > date.netstat.txt
  • diag
  • cpstat > date.cpatat.txt
  • cpinfo -o date.cpinfo.txt (Correct)

Answer : cpinfo -o date.cpinfo.txt

A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is enabled in the Global Properties. A client on the Internet initiates a session to the Web Server. On the initiating packet, NAT occurs on which inspection point?


Options are :

  • O
  • o
  • i
  • I (Correct)

Answer : I

How can I verify the policy version locally installed on the Firewall?


Options are :

  • fw ver -k
  • fw ctl iflist
  • fw stat (Correct)
  • fw ver

Answer : fw stat

156-215.75 Check Point Certified Security Administrator Exam Set 6

Which operating systems are supported by a Check Point Security Gateway on an open server?


Options are :

  • Check Point SecurePlatform and Microsoft Windows (Correct)
  • Microsoft Windows, Red Hat Enterprise Linux, Sun Solaris, IPSO
  • Sun Solaris, Red Hat Enterprise Linux, Check Point SecurePlatform, IPSO, Microsoft Windows
  • Check Point SecurePlatform, IPSO, Sun Solaris, Microsoft Windows

Answer : Check Point SecurePlatform and Microsoft Windows

What is the officially accepted diagnostic tool for IP appliance support?


Options are :

  • Ipsinfo
  • Uag-diag
  • cpinfo
  • CST (Correct)

Answer : CST

You want to generate a cpinfo file via CLI on a system running SecurePlatform. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout?


Options are :

  • Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo. (Correct)
  • Log in as the default user expert and start cpinfo.
  • Log in as admin, switch to expert mode, set the timeout to one hour with the command idle 60, then start cpinfo.
  • No action is needed because cpshell has a timeout of one hour by default

Answer : Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.

156-215.75 Check Point Certified Security Administrator Exam Set 7

Your R75 primary Security Management Server is installed on SecurePlatform. You plan to schedule the Security Management Server to run fw logswitch automatically every 48 hours. How do you create this schedule?


Options are :

  • Create a time object, and add 48 hours as the interval. Select that time object's Global Properties > Logs and Masters window, to schedule a logswitch.
  • Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object's Logs and Masters window, enable Schedule log switch, and select the Time object. (Correct)
  • On a SecurePlatform Security Management Server, this can only be accomplished by configuring the fw logswitch command via the cron utility
  • Create a time object, and add 48 hours as the interval. Open the Security Gateway object's Logs and Masters window, enable Schedule log switch, and select the Time object.

Answer : Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object's Logs and Masters window, enable Schedule log switch, and select the Time object.

Certificates for Security Gateways are created during a simple initialization from ______.


Options are :

  • SmartUpdate
  • SmartDashboard (Correct)
  • The ICA management tool.
  • sysconfig

Answer : SmartDashboard

156-215.75 Check Point Certified Security Administrator Exam Set 8

A ____________ rule is designed to log and drop all other communication that does not match another rule.


Options are :

  • Cleanup (Correct)
  • Stealth
  • Anti-Spoofing
  • Reject

Answer : Cleanup

What are the two basic rules which should be used by all Security Administrators?


Options are :

  • Cleanup and Stealth rules (Correct)
  • Administrator Access and Stealth rules
  • Cleanup and Administrator Access rules
  • Network Traffic and Stealth rules

Answer : Cleanup and Stealth rules

Which command enables IP forwarding on IPSO?


Options are :

  • ipsofwd on admin (Correct)
  • echo 0 > /proc/sys/net/ipv4/ip_forward
  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • clish -c set routing active enable

Answer : ipsofwd on admin

156-215.77 Check Point Certified Security Administrator Exam Set 1

Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?


Options are :

  • Port Address Translation
  • Static Destination Address Translation (Correct)
  • Hide Address Translation
  • Dynamic Source Address Translation

Answer : Static Destination Address Translation

Which of the following statements BEST describes Check Point's Hide Network Address Translation method?


Options are :

  • Translates many destination IP addresses into one destination IP address
  • One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
  • Translates many source IP addresses into one source IP address (Correct)
  • Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation

Answer : Translates many source IP addresses into one source IP address

How does the Get Address button, found on the Host Node Object > General Properties page, retrieve the address?


Options are :

  • Name resolution (hosts file, DNS, cache) (Correct)
  • Route Table
  • Address resolution (ARP, RARP)
  • SNMP Get

Answer : Name resolution (hosts file, DNS, cache)

156-215.77 Check Point Certified Security Administrator Exam Set 2

The fw monitor utility is used to troubleshoot which of the following problems?


Options are :

  • Log Consolidation Engine
  • Phase two key negotiation
  • Address translation (Correct)
  • User data base corruption

Answer : Address translation

In a distributed management environment, the administrator has removed all default check boxes from the Policy / Global Properties / Firewall tab. In order for the Security Gateway to send logs to the Security Management Server, an explicit rule must be created to allow the Security Gateway to communicate to the Security Management Server on port ______.


Options are :

  • 256
  • 257 (Correct)
  • 900
  • 259

Answer : 257

An internal host initiates a session to and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of __________.


Options are :

  • source NAT (Correct)
  • client side NAT
  • None of these
  • destination NAT

Answer : source NAT

156-215.77 Check Point Certified Security Administrator Exam Set 3

You want to implement Static Destination NAT in order to provide external Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the external interface of the firewall and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?


Options are :

  • Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.
  • Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.
  • Place a static host route on the firewall for the valid IP address to the internal Web server.
  • Place a static ARP entry on the ISP router for the valid IP address to the firewall’s external address. (Correct)

Answer : Place a static ARP entry on the ISP router for the valid IP address to the firewall’s external address.

Which item below in a Security Policy would be enforced first?


Options are :

  • IP spoofing/IP options (Correct)
  • Administrator-defined Rule Base
  • Security Policy "First" rule
  • Network Address Translation

Answer : IP spoofing/IP options

Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway's side with the cpconfig command and put in the same activation key in the Gateway's object on the Security Management Server. Unfortunately, SIC cannot be established. What is a possible reason for the problem?


Options are :

  • Joe forgot to reboot the Gateway.
  • Joe forgot to exit from cpconfig. (Correct)
  • The old Gateway object should have been deleted and recreated
  • The installed policy blocks the communication.

Answer : Joe forgot to exit from cpconfig.

156-215.77 Check Point Certified Security Administrator Exam Set 4

Looking at an fw monitor capture in Wireshark, the initiating packet in Hide NAT translates on ________.


Options are :

  • i
  • o
  • I
  • O (Correct)

Answer : O

Which of these security policy changes optimize Security Gateway performance?


Options are :

  • Putting the least-used rule at the top of the Rule Base
  • Using groups within groups in the manual NAT Rule Base
  • Using domain objects in rules when possible
  • Use Automatic NAT rules instead of Manual NAT rules whenever possible (Correct)

Answer : Use Automatic NAT rules instead of Manual NAT rules whenever possible

Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?


Options are :

  • Static Destination
  • Dynamic Destination
  • Static Source
  • Hide (Correct)

Answer : Hide

156-215.77 Check Point Certified Security Administrator Exam Set 5

The button Get Address, found on the Host Node Object > General Properties page, will retrieve what?


Options are :

  • The domain name
  • The IP address (Correct)
  • The fully qualified domain name
  • The Mac address

Answer : The IP address

You installed Security Management Server on a computer using SecurePlatform in the MegaCorp home office. You use IP address 10.1.1.1. You also installed the Security Gateway on a second SecurePlatform computer, which you plan to ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC certificates to the Gateway before shipping it?

1) Run cpconfig on the gateway, set secure internal communication, enter the activation key and reconfirm.
2) Initialize internal certificate authority (ICA) on the security Management server.
3) Confirm the gateway object with the host name and IP address for the remote site.
4) Click the communication button in the gateway object’s general screen, enter the activation key, and click initialize and ok.
5) Install the security policy.


Options are :

  • 2, 3, 4, 5, 1
  • 2, 1, 3, 4, 5
  • 1, 3, 2, 4, 5 (Correct)
  • 2, 3, 4, 1, 5

Answer : 1, 3, 2, 4, 5

NAT can be implemented on which of the following lists of objects?


Options are :

  • Host, Network (Correct)
  • Network, Dynamic Object
  • Host, User
  • Domain, Network

Answer : Host, Network

156-215.77 Check Point Certified Security Administrator Exam Set 6

You have included the Cleanup Rule in your Rule Base. Where in the Rule Base should the Accept ICMP Requests implied rule have no effect?


Options are :

  • After Stealth Rule
  • Before Last
  • Last (Correct)
  • First

Answer : Last
