156-215.75 Check Point Certified Security Administrator Exam Set 8

You administer a large, geographically distributed network. The Internet connection at a remote site failed during the weekend, and the Security Gateway logged locally for over 48 hours. It is possible that the logs may have consumed most of the free space on the Gateway's hard disk. Which SmartConsole application displays the percent of free hard disk space on the remote Security Gateway?


Options are :

  • This information can only be viewed with fw ctl pstat command from the CLI
  • SmartView Tracker
  • SmartView Monitor (Correct)
  • Eventia Analyzer

Answer : SmartView Monitor

How do you use SmartView Monitor to compile traffic statistics for your company's Internet activity during production hours?


Options are :

  • Configure a suspicious activity rule which triggers an alert when HTTP traffic passes through the gateway
  • View total packets passed through the security gateway
  • Select the Tunnels view, and generate a report on the statistics
  • Use the Traffic Counters settings and SmartView Monitor to generate a graph showing the total HTTP traffic for the day. (Correct)

Answer : Use the Traffic Counters settings and SmartView Monitor to generate a graph showing the total HTTP traffic for the day.

What are the results of the command: fw sam [Target IP Address]?


Options are :

  • Connections from the specified target are blocked without the need to change the Security Policy.
  • Connections to and from the specified target are blocked with the need to change the Security Policy.
  • Connections to and from the specified target are blocked without the need to change the Security Policy. (Correct)
  • Connections to the specified target are blocked without the need to change the Security Policy.

Answer : Connections to and from the specified target are blocked without the need to change the Security Policy.

Where are automatic NAT rules added to the Rule Base?


Options are :

  • Before last
  • Middle
  • Last
  • First (Correct)

Answer : First


Which SmartView Tracker mode allows you to read the SMTP e-mail body sent from the Chief Executive Officer (CEO) of a company?


Options are :

  • Display Payload View
  • Display Capture Action
  • Network and Endpoint Tab
  • This is not a SmartView Tracker feature. (Correct)

Answer : This is not a SmartView Tracker feature.

How do you define a service object for a TCP port range?


Options are :

  • Manage Services / New Other, provide name and define protocol: 17, Range: x-y
  • Manage Services / New Group, provide name and add all service ports for range individually to the group object
  • Manage Services / New Other, provide name and define protocol: x-y
  • Manage Services / New TCP, provide name and define port: x-y (Correct)

Answer : Manage Services / New TCP, provide name and define port: x-y

What information is found in the SmartView Tracker Management log?


Options are :

  • SIC revoke certificate event (Correct)
  • Destination IP address
  • Number of concurrent IKE negotiations
  • Most accessed Rule Base rule

Answer : SIC revoke certificate event


Where can an administrator configure the notification action in the event of a policy install time change?


Options are :

  • SmartDashboard / Security Gateway Object / Advanced Properties Tab
  • SmartDashboard / Policy Package Manager
  • SmartView Tracker / Audit Log
  • SmartView Monitor / Gateways / Thresholds Settings (Correct)

Answer : SmartView Monitor / Gateways / Thresholds Settings

What is the purpose of a Stealth Rule?


Options are :

  • To drop all traffic to the management server that is not explicitly permitted
  • To prevent users from connecting directly to the gateway (Correct)
  • To permit implied rules
  • To permit management traffic

Answer : To prevent users from connecting directly to the gateway

An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through your R70 Security Gateway to a partner site. A rule for GRE traffic is configured for ACCEPT/LOG. Although the keep-alive packets are being sent every 1 minute, a search through the SmartView Tracker logs for GRE traffic only shows one entry for the whole day (early in the morning after a Policy install). Your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets on the 1-minute interval. If GRE encapsulation is turned off on the router, SmartView Tracker shows a log entry for the UDP keep-alive packet every minute. Which of the following is the BEST explanation for this behavior?


Options are :

  • The Log Server log unification process unifies all log entries from the Security Gateway on a specific connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout, thus each keep-alive packet is considered part of the original logged connection at the beginning of the day. (Correct)
  • The setting Log does not capture this level of detail for GRE. Set the rule tracking action to audit since certain types of traffic can only be tracked this way.
  • The Log Server is failing to log GRE traffic properly because it is VPN traffic. Disable all VPN configurations to the partner site to enable proper logging.
  • The log unification process is using a LUUID (Log Unification Unique Identification) that has become corrupt. Because it is encrypted, the R75 Security Gateway cannot distinguish between GRE sessions. This is a known issue with the GRE. Use IPSEC instead of the non GRE protocol for encapsulation.

Answer : The Log Server log unification process unifies all log entries from the Security Gateway on a specific connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout, thus each keep-alive packet is considered part of the original logged connection at the beginning of the day.


You find a suspicious connection from a problematic host. You decide that you want to block everything from that whole network, not just the problematic host. You want to block this for an hour while you investigate further, but you do not want to add any rules to the Rule Base. How do you achieve this?


Options are :

  • Select block intruder from the tools menu in SmartView Tracker.
  • Add a “temporary” rule using SmartDashboard and select hide rule.
  • Use dbedit to script the addition of a rule directly into the rulebases_5_0.fws configuration file.
  • Create a Suspicious Activity Rule in SmartView Monitor (Correct)

Answer : Create a Suspicious Activity Rule in SmartView Monitor

You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the:


Options are :

  • Last policy that was installed
  • Default filter
  • Standard policy
  • Initial policy (Correct)

Answer : Initial policy

You have blocked an IP address via the Block Intruder feature of SmartView Tracker. How can you view the blocked addresses?


Options are :

  • Run fwm blockedview.
  • In SmartView Monitor, select the Blocked Intruder option from the query tree view
  • In SmartView Monitor, select Suspicious Activity Rules from the Tools menu and select the relevant Security Gateway from the list. (Correct)
  • In SmartView Tracker, click the Active tab, and the actively blocked connections display

Answer : In SmartView Monitor, select Suspicious Activity Rules from the Tools menu and select the relevant Security Gateway from the list.


Which SmartConsole tool would you use to see the last policy pushed in the audit log?


Options are :

  • None, SmartConsole applications only communicate with the Security Management Server.
  • SmartView Tracker (Correct)
  • SmartView Status
  • SmartView Server

Answer : SmartView Tracker

SmartView Tracker logs the following Security Administrator activities, EXCEPT:


Options are :

  • Administrator login and logout
  • Object creation, deletion, and editing
  • Rule Base changes
  • Tracking SLA compliance (Correct)

Answer : Tracking SLA compliance

A security audit has determined that your unpatched Web application server is accessing a SQL server. You believe that you have enabled the proper IPS setting but would like to verify this using SmartView Tracker. Which of the following entries confirms that this information is being blocked against attack?


Options are :

  • ASCII Only Response Header detected: SQL
  • Fingerprint Scrambling: Changed [SQL] to [Perl]
  • HTTP response spoofing: remove signature [SQL Server]
  • Concealed HTTP response [SQL Server]. (Error Code WSE0160003) (Correct)

Answer : Concealed HTTP response [SQL Server]. (Error Code WSE0160003)


Where are custom queries stored in R75 SmartView Tracker?


Options are :

  • On the SmartView Tracker PC local file system shared by all users of that local PC.
  • On the Security Management Server tied to the GUI client IP.
  • On the Security Management Server tied to the Administrator User Database login name. (Correct)
  • On the SmartView Tracker PC local file system under the user's profile.

Answer : On the Security Management Server tied to the Administrator User Database login name.

Where is the best place to find information about connections between two machines?


Options are :

  • On a Security Management Server, using SmartView Tracker (Correct)
  • All options are valid.
  • On a Security Gateway using the command fw log.
  • On a Security Gateway Console interface; it gives you detailed access to log files and state table information

Answer : On a Security Management Server, using SmartView Tracker

One of your remote Security Gateways suddenly stops sending logs, and you cannot install the Security Policy on the Gateway. All other remote Security Gateways are logging normally to the Security Management Server, and Policy installation is not affected. When you click the Test SIC status button in the problematic Gateway object you receive an error message. What is the problem?


Options are :

  • There is no connection between the Security Management Server and the remote Gateway. Rules or routing may block the connection. (Correct)
  • The time on the Security Management Server's clock has changed, which invalidates the remote Gateway's Certificate.
  • The Internal Certificate Authority for the Security Management Server object has been removed from objects_5_0.C.
  • The remote Gateway's IP address has changed, which invalidates the SIC Certificate.

Answer : There is no connection between the Security Management Server and the remote Gateway. Rules or routing may block the connection.


To check the Rule Base, some rules can be hidden so they do not distract the administrator from the unhidden rules. Assume that only rules accepting HTTP or SSH will be shown. How do you accomplish this?


Options are :

  • Ask your reseller to get a ticket for Check Point SmartUse and deliver him the cpinfo file of the Security Management Server.
  • This cannot be configured since two selections (Service, Action) are not possible.
  • In SmartDashboard, right-click in the column field Service and select Query Column. Then, put the services HTTP and SSH in the list. Do the same in the field Action and select Accept here.
  • In SmartDashboard menu, select Search / Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH") and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND. (Correct)

Answer : In SmartDashboard menu, select Search / Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH") and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND.

Which port must be allowed to pass through enforcement points in order to allow packet logging to operate correctly?


Options are :

  • 514
  • 257 (Correct)
  • 256
  • 258

Answer : 257

You are the Security Administrator for MegaCorp and are enjoying your holiday. One day, you receive a call that some connectivity problems have occurred. Before the holiday, you configured the access from the holiday hotel to your Management Portal. You can see and analyze various objects. Which objects can you create?


Options are :

  • Security rules only
  • None. SmartPortal access is read-only. (Correct)
  • Network objects and services
  • Network objects, services and internal users

Answer : None. SmartPortal access is read-only.


What happens when you select File > Export from the SmartView Tracker menu?


Options are :

  • Logs in fw.log are exported to a file that can be opened by Microsoft Excel. (Correct)
  • Current logs are exported to a new *.log file.
  • Exported log entries are not viewable in SmartView Tracker
  • Exported log entries are deleted from fw.log.

Answer : Logs in fw.log are exported to a file that can be opened by Microsoft Excel.

What CANNOT be configured for existing connections during a policy install?


Options are :

  • Reset all connections (Correct)
  • Re-match connections
  • Keep all connections
  • Keep data connections

Answer : Reset all connections

True or False: SmartView Monitor can be used to create alerts on a specified Gateway.


Options are :

  • True, by choosing the Gateway and selecting System Information.
  • False, an alert cannot be created for a specified Gateway.
  • True, by right-clicking on the Gateway and selecting Configure Thresholds. (Correct)
  • False, alerts can only be set in SmartDashboard Global Properties.

Answer : True, by right-clicking on the Gateway and selecting Configure Thresholds.


You receive a notification that long-lasting Telnet connections to a mainframe are dropped after an hour of inactivity. Reviewing SmartView Tracker shows the packet is dropped with the error: "Unknown established connection". How do you resolve this problem without causing other security issues? Choose the BEST answer.


Options are :

  • Increase the service-based session timeout of the default Telnet service to 24-hours.
  • Increase the TCP session timeout under Global Properties > Stateful Inspection.
  • Ask the mainframe users to reconnect every time this error occurs.
  • Create a new TCP service object on port 23 called Telnet-mainframe. Define a service-based session timeout of 24 hours. Use this new object only in the rule that allows the Telnet connections to the mainframe. (Correct)

Answer : Create a new TCP service object on port 23 called Telnet-mainframe. Define a service-based session timeout of 24 hours. Use this new object only in the rule that allows the Telnet connections to the mainframe.

By default, when you click File > Switch Active File in SmartView Tracker, the Security Management Server:


Options are :

  • Purges the current log file and starts the new log file.
  • Saves the current log file, names the log file by date and time, and starts a new log file. (Correct)
  • Purges the current log file, and prompts you for the new log’s mode.
  • Prompts you to enter a filename, and then saves the log file.

Answer : Saves the current log file, names the log file by date and time, and starts a new log file.

You are the Security Administrator for a large call center. The management team is concerned that employees may be installing and attempting to use peer-to-peer file-sharing utilities during their lunch breaks. The call center's network is protected by an internal Security Gateway, configured to drop peer-to-peer file-sharing traffic. Which option do you use to determine the number of packets dropped by each Gateway?


Options are :

  • SmartView Tracker
  • SmartView Status
  • SmartDashboard
  • SmartView Monitor (Correct)

Answer : SmartView Monitor


What information is found in the SmartView Tracker Management log?


Options are :

  • Destination IP address
  • Policy Package rule modification date/time stamp (Correct)
  • Most accessed Rule Base rule
  • Historical reports log

Answer : Policy Package rule modification date/time stamp

You are working with three other Security Administrators. Which SmartConsole component can be used to monitor changes to rules or object properties made by the other administrators?


Options are :

  • SmartView Tracker (Correct)
  • Eventia Tracker
  • Eventia Monitor
  • SmartView Monitor

Answer : SmartView Tracker

You have detected a possible intruder listed in SmartView Tracker's active pane. What is the fastest method to block this intruder from accessing your network indefinitely?


Options are :

  • Modify the Rule Base to drop these connections from the network.
  • In SmartView Tracker, select Tools / Block Intruder (Correct)
  • In SmartDashboard, select IPS / Network Security Denial of Service
  • In SmartView Monitor, select Tool / Suspicious Activity Rules.

Answer : In SmartView Tracker, select Tools / Block Intruder


You want to display log entries containing information from a specific column in the SmartView Tracker. If you want to see ONLY those entries, what steps would you take?


Options are :

  • Right-click column, Edit Filter / Specific / Add / OK (Correct)
  • Right-click column, Search…/ Add string / Apply Filter
  • Left-click column, Search / Add string / Apply Filter
  • Left-click column, Specific / Add / Apply Filter

Answer : Right-click column, Edit Filter / Specific / Add / OK

Which R75 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway?


Options are :

  • SmartUpdate
  • SmartView Status
  • SmartView Monitor (Correct)
  • None, SmartConsole applications only communicate with the Security Management Server.

Answer : SmartView Monitor

You just installed a new Web server in the DMZ that must be reachable from the Internet. You create a manual Static NAT rule as follows: "web_public_IP" is the node object that represents the public IP address of the new Web server. "web_private_IP" is the node object that represents the new Web site's private IP address. You enable all settings from Global Properties > NAT. When you try to browse the Web server from the Internet you see the error "page cannot be displayed". Which of the following is NOT a possible reason?


Options are :

  • There is no route defined on the Security Gateway for the public IP address to the private IP address of the Web server.
  • There is no Security Policy defined that allows HTTP traffic to the protected Web server.
  • There is no ARP table entry for the public IP address of the protected Web server.
  • There is no NAT rule translating the source IP address of packets coming from the protected Web server. (Correct)

Answer : There is no NAT rule translating the source IP address of packets coming from the protected Web server.


How do you configure an alert in SmartView Monitor?


Options are :

  • By right-clicking on the Gateway, and selecting System Information.
  • By choosing the Gateway, and Configure Thresholds. (Correct)
  • By right-clicking on the Gateway, and selecting Properties.
  • An alert cannot be configured in SmartView Monitor.

Answer : By choosing the Gateway, and Configure Thresholds.

Which of the following explanations best describes the command fw logswitch [-h target] [+ | -] [oldlog]?


Options are :

  • Control Kernel
  • Display protocol Hosts
  • Display a remote machine’s log-file list.
  • Create a new Log file. The old log has moved (Correct)

Answer : Create a new Log file. The old log has moved

Nancy has lost SIC communication with her Security Gateway and she needs to reestablish SIC. What would be the correct order of steps needed to perform this task? 1) Create a new activation key on the Security Gateway, then exit cpconfig. 2) Click the Communication tab on the Security Gateway object, and then click Reset. 3) Run the cpconfig tool, and then select Secure Internal Communication to reset. 4) Input the new activation key in the Security Gateway object, and then click initialize. 5) Run the cpconfig tool, then select source Internal Communication to reset.


Options are :

  • 2, 3, 1, 4 (Correct)
  • 3, 1, 4, 2
  • 2, 5, 1, 4
  • 5, 4, 1, 2

Answer : 2, 3, 1, 4

