156-215.77 Check Point Certified Security Administrator Exam Set 1

The Captive Portal tool:


Options are :

  • Is only used for guest user authentication.
  • Allows access to users already identified.
  • Acquires identities from unidentified users.
  • Is deployed from the Identity Awareness page in the Global Properties settings.

Answer : Acquires identities from unidentified users.

156-215.77 Check Point Certified Security Administrator Exam Set 2

Which of the following actions take place in IKE Phase 2 with Perfect Forward Secrecy disabled?


Options are :

  • Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.
  • Peers authenticate using certificates or preshared secrets.
  • The DH public keys are exchanged.
  • Symmetric IPsec keys are generated

Answer : Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.

You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard?


Options are :

  • All users
  • LDAP Account Unit Group
  • A group with generic user
  • Internal user Group

Answer : A group with generic user

If you are experiencing LDAP issues, which of the following should you check?


Options are :

  • Connectivity between the R77 Gateway and LDAP server
  • Secure Internal Communications (SIC)
  • Domain name resolution
  • Overlapping VPN Domains

Answer : Connectivity between the R77 Gateway and LDAP server

156-215.77 Check Point Certified Security Administrator Exam Set 3

You want to reset SIC between smberlin and sgosaka. In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig, choose Secure Internal Communication and enter the new SIC Activation Key. The screen reads "The SIC was successfully initialized" and jumps back to the cpconfig menu. When trying to establish a connection, instead of a working connection, you receive this error message: What is the reason for this behavior?


Options are :

  • The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.
  • You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose Basic Setup > Initialize).
  • The Gateway was not rebooted, which is necessary to change the SIC key
  • The activation key contains letters that are on different keys on localized keyboards. Therefore, the activation key cannot be typed in a matching fashion.

Answer : The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.

The INSPECT engine inserts itself into the kernel between which two OSI model layers?


Options are :

  • Session and Transport
  • Presentation and Application
  • Datalink and Network
  • Physical and Data

Answer : Datalink and Network

The User Directory Software Blade is used to integrate which of the following with Security Gateway R77?


Options are :

  • UserAuthority server
  • RADIUS server
  • LDAP server
  • Account Management Client server

Answer : LDAP server

156-215.77 Check Point Certified Security Administrator Exam Set 4

The SIC certificate is stored in the directory _______________.


Options are :

  • $CPDIR/conf
  • $FWDIR/database
  • $FWDIR/conf
  • $CPDIR/registry

Answer : $CPDIR/conf

Which of the following is NOT true for Clientless VPN?


Options are :

  • Secure communication is provided between clients and servers that support HTTP.
  • User Authentication is supported.
  • The Gateway accepts any encryption method that is proposed by the client and supported in the VPN.
  • The Gateway can enforce the use of strong encryption.

Answer : Secure communication is provided between clients and servers that support HTTP.

Which SmartConsole component can Administrators use to track changes to the Rule Base?


Options are :

  • SmartView Monitor
  • WebUI
  • SmartView Tracker
  • SmartReporter

Answer : SmartView Tracker

156-215.77 Check Point Certified Security Administrator Exam Set 5

All R77 Security Servers can perform authentication with the exception of one. Which of the Security Servers can NOT perform authentication?


Options are :

  • RLOGIN
  • FTP
  • HTTP
  • SMTP

Answer : SMTP

Certificates for Security Gateways are created during a simple initialization from _____________.


Options are :

  • SmartDashboard
  • SmartUpdate
  • sysconfig
  • The ICA management tool

Answer : SmartDashboard

Users with Identity Awareness Agent installed on their machines log in with __________, so that when the user logs into the domain, that information is also used to meet Identity Awareness credential requests.


Options are :

  • SecureClient
  • Key-logging
  • ICA Certificates
  • Single Sign-On

Answer : Single Sign-On

156-215.77 Check Point Certified Security Administrator Exam Set 6

Which type of R77 Security Server does not provide User Authentication?


Options are :

  • FTP Security Server
  • HTTP Security Server
  • HTTPS Security Server
  • SMTP Security Server

Answer : SMTP Security Server

Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?


Options are :

  • All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.
  • Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.
  • All is fine and can be used as is.
  • The two algorithms do not have the same key length and so don’t work together. You will get the error …. No proposal chosen….

Answer : Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.

Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?


Options are :

  • This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.
  • You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.
  • Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.
  • This cannot be done as it requires a SIC reset on the Gateways first, forcing an outage.

Answer : Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

156-215.77 Check Point Certified Security Administrator Exam Set 1

Which of the below is the MOST correct process to reset SIC from SmartDashboard?


Options are :

  • Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key.
  • Run cpconfig, and select Secure Internal Communication > Change One Time Password.
  • Run cpconfig, and click Reset
  • Click Communication > Reset on the Gateway object, and type a new activation key.

Answer : Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key.

Which of these attributes would be critical for a site-to-site VPN?


Options are :

  • Centralized management
  • Scalability to accommodate user groups
  • Strong data encryption
  • Strong authentication

Answer : Strong data encryption

UDP packets are delivered if they are ___________.


Options are :

  • bypassing the kernel by the forwarding layer of ClusterXL
  • a stateful ACK to a valid SYN-SYN/ACK on the inverse UDP ports and IP
  • referenced in the SAM related dynamic tables
  • a valid response to an allowed request on the inverse UDP ports and IP

Answer : a valid response to an allowed request on the inverse UDP ports and IP

156-215.77 Check Point Certified Security Administrator Exam Set 2

Which of the following commands can be used to remove site-to-site IPsec Security Association (SA)?


Options are :

  • vpn debug ipsec
  • vpn ipsec
  • fw ipsec tu
  • vpn tu

Answer : vpn tu

Which do you configure to give remote access VPN users a local IP address?


Options are :

  • Encryption domain pool
  • NAT pool
  • Authentication pool
  • Office mode IP pool

Answer : Office mode IP pool

What type of traffic can be re-directed to the Captive Portal?


Options are :

  • HTTP
  • FTP
  • All of the above
  • SMTP

Answer : HTTP

156-215.77 Check Point Certified Security Administrator Exam Set 3

Which of the following is NOT a valid option when configuring access for Captive Portal?


Options are :

  • From the Internet
  • Through internal interfaces
  • According to the Firewall Policy
  • Through all interfaces

Answer : From the Internet

Which of the following methods is NOT used by Identity Awareness to catalog identities?


Options are :

  • Identity Agent
  • GPO
  • Captive Portal
  • AD Query

Answer : GPO

When using an encryption algorithm, which is generally considered the best encryption method?


Options are :

  • AES-256
  • Triple DES
  • DES
  • CAST cipher

Answer : AES-256

156-215.77 Check Point Certified Security Administrator Exam Set 4

John is the Security Administrator in his company. He installs a new R77 Security Management Server and a new R77 Gateway. He now wants to establish SIC between them. After entering the activation key, he gets the following message in SmartDashboard - “Trust established?” SIC still does not seem to work because the policy won’t install and interface fetching does not work. What might be a reason for this?


Options are :

  • The Gateway’s time is several days or weeks in the future and the SIC certificate is not yet valid.
  • It always works when the trust is established
  • SIC does not function over the network.
  • This must be a human error

Answer : The Gateway’s time is several days or weeks in the future and the SIC certificate is not yet valid.

What is the purpose of an Identity Agent?


Options are :

  • Audit a user’s access, and send that data to a log server
  • Manual entry of user credentials for LDAP authentication
  • Disable Single Sign On
  • Provide user and machine identity to a gateway

Answer : Provide user and machine identity to a gateway

Which of the following are authentication methods that Security Gateway R77 uses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods.


Options are :

  • User, Proxied, Session
  • User, Client, Session
  • Connection, User, Client
  • Proxied, User, Dynamic, Session

Answer : User, Client, Session

156-215.77 Check Point Certified Security Administrator Exam Set 5

Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway’s side with the command cpconfig and put in the same activation key in the Gateway’s object on the Security Management Server. Unfortunately, SIC cannot be established. What is a possible reason for the problem?


Options are :

  • The old Gateway object should have been deleted and recreated.
  • The installed policy blocks the communication.
  • Joe forgot to reboot the Gateway.
  • Joe forgot to exit from cpconfig.

Answer : Joe forgot to exit from cpconfig.

Which of the following is an authentication method used by Identity Awareness?


Options are :

  • PKI
  • RSA
  • Captive Portal
  • SSL

Answer : Captive Portal
