156-215.75 Check Point Certified Security Administrator Exam Set 7

A marketing firm's networking team is trying to troubleshoot user complaints regarding access to audio-streaming material from the Internet. The networking team asks you to check the object and rule configuration settings for the perimeter Security Gateway. Which SmartConsole application should you use to check these objects and rules?


Options are :

  • SmartView Monitor
  • SmartView Status
  • SmartDashboard
  • SmartView Tracker

Answer : SmartDashboard

156-215.75 Check Point Certified Security Administrator Exam Set 8

The fw monitor utility would be best to troubleshoot which of the following problems?


Options are :

  • A statically NATed Web server behind a Security Gateway cannot be reached from the Internet.
  • A user in the user database is corrupt.
  • An error occurs when editing a network object in SmartDashboard
  • You get an invalid ID error in SmartView Tracker for phase 2 IKE key negotiations.

Answer : A statically NATed Web server behind a Security Gateway cannot be reached from the Internet.

The fw stat -l command includes all of the following except:


Options are :

  • The number of packets that have been inspected
  • The number of packets that have been dropped
  • The number of times the policy has been installed
  • The date and time of the policy that is installed.

Answer : The number of times the policy has been installed

Which statement below describes the most correct strategy for implementing a Rule Base?


Options are :

  • Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down.
  • Place a network-traffic rule above the administrator access rule.
  • Add the Stealth Rule before the last rule
  • Limit grouping to rules regarding specific access.

Answer : Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down.

156-215.77 Check Point Certified Security Administrator Exam Set 1

Which of the following is NOT useful to verify whether or not a Security Policy is active on a Gateway?


Options are :

  • fw ctl get string active_secpol
  • Check the name of the Security Policy of the appropriate Gateway in SmartView Monitor
  • cpstat fw -f policy
  • fw stat

Answer : fw ctl get string active_secpol

Your shipping company uses a custom application to update the shipping distribution database. The custom application includes a service used only to notify remote sites that the distribution database is malfunctioning. The perimeter Security Gateway’s Rule Base includes a rule to accept this traffic. Since you are responsible for multiple sites, you want notification by a text message to your cellular phone, whenever traffic is accepted on this rule. Which of the following would work BEST for your purpose?


Options are :

  • SmartView Monitor Threshold
  • Logging implied rules
  • SNMP trap
  • User-defined alert script

Answer : User-defined alert script

Which command allows verification of the Security Policy name and install date on a Security Gateway?


Options are :

  • fw ver -p
  • fw stat -l
  • fw ctl pstat -policy
  • fw show policy

Answer : fw stat -l

156-215.77 Check Point Certified Security Administrator Exam Set 2

You have configured Automatic Static NAT on an internal host-node object. You clear the box Translate destination on client side from Global Properties / NAT. Assuming all other NAT settings in Global Properties are selected, what else must be configured so that a host on the Internet can initiate an inbound connection to this host?


Options are :

  • A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface.
  • No extra configuration is needed
  • The NAT IP address must be added to the anti-spoofing group of the external gateway interface
  • A proxy ARP entry, to ensure packets destined for the public IP address will reach the Security Gateway’s external interface.

Answer : A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface.

You are a Security Administrator who has installed Security Gateway R75 on your network. You need to allow a specific IP address range for a partner site to access your intranet Web server. To limit the partner's access to HTTP and FTP only, you did the following:

  1. Created manual Static NAT rules for the Web server.
  2. Created the following settings in the Global Properties' Network Address Translation screen:
     • Allow bi-directional NAT
     • Translate destination on client side

Do the above settings limit the partner's access?


Options are :

  • No. The first setting is only applicable to automatic NAT rules. The second setting is necessary to make sure there are no conflicts between NAT and anti-spoofing.
  • Yes. Both of these settings are only applicable to automatic NAT rules.
  • No. The first setting is not applicable. The second setting will reduce performance, by translating traffic in the kernel nearest the intranet server.
  • Yes. This will ensure that traffic only matches the specific rule configured for this traffic, and that the Gateway translates the traffic after accepting the packet.

Answer : No. The first setting is only applicable to automatic NAT rules. The second setting is necessary to make sure there are no conflicts between NAT and anti-spoofing.

A client has created a new Gateway object that will be managed at a remote location. When the client attempts to install the Security Policy to the new Gateway object, the object does not appear in the Install On check box. What should you look for?


Options are :

  • Anti-spoofing not configured on the interfaces on the Gateway object.
  • A Gateway object created using the Check Point > Security Gateway option in the Network Objects dialog box, but whose interfaces still need to be configured.
  • Secure Internal Communications (SIC) not configured for the object
  • A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.

Answer : A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.

156-215.77 Check Point Certified Security Administrator Exam Set 3

Which of the following is NOT a valid selection for tracking and controlling packets in R75?


Options are :

  • Session Auth
  • Hold
  • Reject
  • Accept

Answer : Hold

Which answers are TRUE? Automatic Static NAT CANNOT be used when:

  i) NAT decision is based on the destination port
  ii) Source and Destination IP both have to be translated
  iii) The NAT rule should be installed on a dedicated Gateway only
  iv) NAT should be performed on the server side


Options are :

  • only (i)
  • (i), and (ii)
  • (ii) and (iv)
  • (i), (ii), and (iii)

Answer : only (i)

In SmartDashboard, Translate destination on client side is checked in Global Properties. When Network Address Translation is used:


Options are :

  • VLAN tagging cannot be defined for any hosts protected by the Gateway
  • The Security Gateway's ARP file must be modified.
  • It is not necessary to add a static route to the Gateway's routing table.
  • It is necessary to add a static route to the Gateway's routing table

Answer : It is not necessary to add a static route to the Gateway's routing table.

156-215.77 Check Point Certified Security Administrator Exam Set 4

You have installed an R75 Security Gateway on SecurePlatform. To manage the Gateway from the enterprise Security Management Server, you create a new Gateway object and Security Policy. When you install the new Policy from the Policy menu, the Gateway object does not appear in the Install Policy window as a target. What is the problem?


Options are :

  • The new Gateway's temporary license has expired.
  • The Gateway object is not specified in the first policy rule column Install On.
  • The object was created with Node > Gateway
  • No Masters file is created for the new Gateway.

Answer : The object was created with Node > Gateway

You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the order of the rules if both methods are used together? Give the best answer.


Options are :

  • The Administrator decides on the order of the rules by shifting the corresponding rules up and down.
  • The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range
  • The position of the rules depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others.
  • The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range

Answer : The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range

How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy?


Options are :

  • SNMP trap alert script
  • Pop-up alert script
  • User-defined alert script
  • Custom scripts cannot be executed through alert scripts

Answer : User-defined alert script

156-215.77 Check Point Certified Security Administrator Exam Set 5

Which of the following is a viable consideration when determining Rule Base order?


Options are :

  • Grouping IPS rules with dynamic drop rules
  • Placing more restrictive rules before more permissive rules
  • Grouping authentication rules with QOS rules
  • Grouping reject and drop rules after the Cleanup Rule

Answer : Placing more restrictive rules before more permissive rules

Secure Internal Communications (SIC) is completely NAT-tolerant because it is based on:


Options are :

  • MAC addresses
  • IP addresses.
  • SIC names.
  • SIC is not NAT-tolerant.

Answer : SIC names.

You are a Security Administrator using one Security Management Server managing three different firewalls. One of the firewalls does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is a possible cause?


Options are :

  • The firewall is not listed in the Policy Installation Targets screen for this policy package.
  • The license for this specific firewall has expired.
  • The firewall has failed to sync with the Security Management Server for 60 minutes.
  • The firewall object has been created but SIC has not yet been established.

Answer : The firewall is not listed in the Policy Installation Targets screen for this policy package.

156-215.77 Check Point Certified Security Administrator Exam Set 6

When you add a resource object to a rule, which of the following occurs?


Options are :

  • All packets matching that rule are either encrypted or decrypted by the defined resource.
  • All packets matching the resource service are analyzed through an application-layer proxy.
  • Users attempting to connect to the destination of the rule will be required to authenticate.
  • All packets that match the resource will be dropped

Answer : All packets matching the resource service are analyzed through an application-layer proxy.

What is the default setting when you use NAT?


Options are :

  • Manual NAT
  • Client-side NAT
  • Server-side NAT
  • Hide NAT

Answer : Client-side NAT

156-215.77 Check Point Certified Security Administrator Exam Set 1

A Hide NAT rule has been created which includes a source address group of ten (10) networks and three (3) other group objects (containing 4, 5, and 6 host objects respectively). Assuming all addresses are non-repetitive, how many effective rules have you created?


Options are :

  • 2
  • 13
  • 25
  • 1

Answer : 25

You can include external commands in SmartView Tracker via the menu Tools > Custom Commands. The Security Management Server is running under SecurePlatform, and the GUI is on a system running Microsoft Windows. How do you run the command traceroute on an IP address?


Options are :

  • Go to the menu Tools > Custom Commands and configure the Windows command tracert.exe to the list.
  • There is no possibility to expand the three pre-defined options Ping, Whois, and Nslookup.
  • Use the program GUIdbedit to add the command traceroute to the Security Management Server properties.
  • Go to the menu, Tools > Custom Commands and configure the Linux command traceroute to the list.

Answer : Go to the menu Tools > Custom Commands and configure the Windows command tracert.exe to the list.

Which R75 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway?


Options are :

  • SmartView Server
  • None, SmartConsole applications only communicate with the Security Management Server
  • SmartView Tracker
  • SmartUpdate

Answer : SmartView Tracker

156-215.77 Check Point Certified Security Administrator Exam Set 2

Which of the following can be found in cpinfo from an enforcement point?


Options are :

  • Everything NOT contained in the file r2info
  • The complete file objects_5_0.C
  • VPN keys for all established connections to all enforcement points
  • Policy file information specific to this enforcement point

Answer : Policy file information specific to this enforcement point

In SmartView Tracker, which rule shows when a packet is dropped due to anti-spoofing?


Options are :

  • Cleanup Rule
  • Blank field under Rule Number
  • Rule 0
  • Rule 1

Answer : Rule 0

In SmartDashboard, you configure 45 MB as the required free hard-disk space to accommodate logs. What can you do to keep old log files, when free space falls below 45 MB?


Options are :

  • Do nothing. Old logs are deleted, until free space is restored.
  • Do nothing. The Security Management Server automatically copies old logs to a backup server before purging.
  • Use the fwm logexport command to export the old log files to another location.
  • Configure a script to run fw logswitch and SCP the output file to a separate file server.

Answer : Configure a script to run fw logswitch and SCP the output file to a separate file server.

156-215.77 Check Point Certified Security Administrator Exam Set 3

You are responsible for the configuration of MegaCorp's Check Point Firewall. You need to allow two NAT rules to match a connection. Is it possible? Give the BEST answer.


Options are :

  • Yes, it is possible to have two NAT rules which match a connection, but only when using Manual NAT (bidirectional NAT).
  • Yes, there are always as many active NAT rules as there are connections.
  • No, it is not possible to have more than one NAT rule matching a connection. When the firewall receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second rule, and so on. When it finds a rule that matches, it stops checking and applies that rule.
  • Yes, it is possible to have two NAT rules which match a connection, but only when using Automatic NAT (bidirectional NAT).

Answer : Yes, it is possible to have two NAT rules which match a connection, but only when using Automatic NAT (bidirectional NAT).

Each grocery store in a regional chain is protected by a Security Gateway. The information technology audit department wants a report including:

  • The name of the Security Policy installed on each remote Security Gateway.
  • The date and time the Security Policy was installed.
  • General performance statistics (CPU use, average CPU time, active real memory, etc.)

Which one SmartConsole application can you use to gather all this information?


Options are :

  • SmartView Monitor
  • SmartDashboard
  • SmartUpdate
  • SmartView Tracker

Answer : SmartView Monitor

Where can an administrator specify the notification action to be taken by the firewall in the event that available disk space drops below 15%?


Options are :

  • Real Time Monitor / Gateway Settings / Status Monitor
  • SmartView Tracker / Audit Tab / Gateway Counters
  • SmartView Monitor / Gateway Status / Threshold Settings
  • This can only be monitored by a user-defined script.

Answer : SmartView Monitor / Gateway Status / Threshold Settings
