156-215.77 Check Point Certified Security Administrator Exam Set 2

When using AD Query to authenticate users for Identity Awareness, identity data is received seamlessly from the Microsoft Active Directory (AD). What is NOT a recommended usage of this method?


Options are :

  • Leveraging identity in the application control blade
  • Identity-based auditing and logging
  • Identity-based enforcement for non-AD users (non-Windows and guest users) (Correct)
  • Basic identity enforcement in the internal network

Answer : Identity-based enforcement for non-AD users (non-Windows and guest users)

156-315.77 Check Point Certified Security Expert Exam Set 3

Security Gateway R77 supports User Authentication for which of the following services? Select the response below that contains the MOST correct list of supported services.


Options are :

  • SMTP, FTP, HTTP, TELNET
  • SMTP, FTP, TELNET
  • FTP, HTTP, TELNET (Correct)
  • FTP, TELNET

Answer : FTP, HTTP, TELNET

If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for normal Phase 1 exchange?


Options are :

  • 3
  • 6 (Correct)
  • 9
  • 2

Answer : 6

How many packets does the IKE exchange use for Phase 1 Main Mode?


Options are :

  • 6 (Correct)
  • 12
  • 3
  • 1

Answer : 6

156-315.77 Check Point Certified Security Expert Exam Set 3

For which service is it NOT possible to configure user authentication?


Options are :

  • Telnet
  • SSH (Correct)
  • FTP
  • HTTPS

Answer : SSH

How many packets are required for IKE Phase 2?


Options are :

  • 6
  • 12
  • 3 (Correct)
  • 2

Answer : 3

Complete this statement from the options provided. Using Captive Portal, unidentified users may be either blocked, allowed to enter required credentials, or required to download the _____________.


Options are :

  • Identity Awareness Agent (Correct)
  • Full Endpoint Client
  • ICA Certificate
  • SecureClient

Answer : Identity Awareness Agent

156-315.65 Check Point Security Administration NGX R65 Exam Set 2

Captive Portal is a __________ that allows the gateway to request login information from the user.


Options are :

  • LDAP server add-on
  • Pre-configured and customizable web-based tool (Correct)
  • Separately licensed feature
  • Transparent network inspection tool

Answer : Pre-configured and customizable web-based tool

Why are certificates preferred over pre-shared keys in an IPsec VPN?


Options are :

  • Weak performance: PSK takes more time to encrypt than Diffie-Hellman.
  • Weak security: PSKs are static and can be brute-forced. (Correct)
  • Weak scalability: PSKs need to be set on each and every Gateway
  • Weak security: PSKs can only have 112 bit length.

Answer : Weak security: PSKs are static and can be brute-forced.

With the User Directory Software Blade, you can create R77 user definitions on a(n) _________ Server.


Options are :

  • Radius
  • NT Domain
  • LDAP (Correct)
  • SecureID

Answer : LDAP

156-215.77 Check Point Certified Security Administrator Exam Set 4

Where do you configure Anti-spoofing?


Options are :

  • Management Server object configuration
  • Gateway object configuration (Correct)
  • Global Properties
  • SPLAT/Gaia configuration

Answer : Gateway object configuration

How many packets does the IKE exchange use for Phase 1 Aggressive Mode?


Options are :

  • 3 (Correct)
  • 12
  • 1
  • 6

Answer : 3

Which of the following actions do NOT take place in IKE Phase 1?


Options are :

  • Each side generates a session key from its private key and the peer’s public key
  • Peers agree on integrity method.
  • Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key. (Correct)
  • Peers agree on encryption method

Answer : Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key.

156-315.77 Check Point Certified Security Expert Exam Set 6

Your company has two headquarters, one in London, one in New York. Each of the headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of:


Options are :

  • One star Community with the option to mesh the center of the star: New York and London Gateways added to the center of the star with the “mesh center Gateways” option checked; all London branch offices defined in one satellite window; but, all New York branch offices defined in another satellite window.
  • Three mesh Communities: one for London headquarters and its branches; one for New York headquarters and its branches; and one for London and New York headquarters.
  • Two mesh and one star Community: Each mesh Community is set up for each site between headquarters and their branches. The star Community has New York as the center and London as its satellite.
  • Two star communities and one mesh: A star community for each city with headquarters as center, and branches as satellites. Then one mesh community for the two headquarters (Correct)

Answer : Two star communities and one mesh: A star community for each city with headquarters as center, and branches as satellites. Then one mesh community for the two headquarters

Your company has two headquarters, one in London, and one in New York. Each office includes several branch offices. The branch offices need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities for this company? VPN Communities comprised of:


Options are :

  • Two star and one mesh Community: One star Community is set up for each site, with headquarters as the Community center, and its branches as satellites. The mesh Community includes only New York and London Gateways. (Correct)
  • One star Community with the option to mesh the center of the star: New York and London Gateways added to the center of the star with the mesh center Gateways option checked; all London branch offices defined in one satellite window, but, all New York branch offices defined in another satellite window.
  • Three mesh Communities: One for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.
  • Two mesh and one star Community: One mesh Community is set up for each of the headquarters and its branch offices. The star Community is configured with London as the center of the Community and New York is the satellite.

Answer : Two star and one mesh Community: One star Community is set up for each site, with headquarters as the Community center, and its branches as satellites. The mesh Community includes only New York and London Gateways.

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Manually import your partner’s Certificate Revocation List.
  • Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA). (Correct)
  • Create a new logical-server object to represent your partner’s CA.
  • Manually import your partner’s Access Control List.

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA).

156-315.77 Check Point Certified Security Expert Exam Set 1

The Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO). What is not a recommended usage of this method?


Options are :

  • Leveraging identity for Data Center protection
  • Identity based enforcement for non-AD users (non-Windows and guest users) (Correct)
  • When accuracy in detecting identity is crucial
  • Protecting highly sensitive servers

Answer : Identity based enforcement for non-AD users (non-Windows and guest users)

You would use the Hide Rule feature to:


Options are :

  • Make rules invisible to incoming packets.
  • View only a few rules without the distraction of others. (Correct)
  • Hide rules from a SYN/ACK attack.
  • Hide rules from read-only administrators.

Answer : View only a few rules without the distraction of others.

156-315.77 Check Point Certified Security Expert Exam Set 5

Spoofing is a method of:


Options are :

  • Detecting people using false or wrong authentication logins.
  • Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
  • Hiding your firewall from unauthorized users.
  • Making packets appear as if they come from an authorized IP address. (Correct)

Answer : Making packets appear as if they come from an authorized IP address.

You are a Security Administrator using one Security Management Server managing three different firewalls. One firewall does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is a possible cause?


Options are :

  • The firewall has failed to sync with the Security Management Server for 60 minutes.
  • The firewall object has been created but SIC has not yet been established.
  • The license for this specific firewall has expired.
  • The firewall is not listed in the Policy Installation Targets screen for this policy package. (Correct)

Answer : The firewall is not listed in the Policy Installation Targets screen for this policy package.

Which Security Gateway R77 configuration setting forces the Client Authentication authorization time-out to refresh, each time a new user is authenticated? The:


Options are :

  • Refreshable Timeout setting, in Client Authentication Action Properties > Limits (Correct)
  • IPS > Application Intelligence > Client Authentication > Refresh User Timeout option enabled.
  • Time properties, adjusted on the user objects for each user, in the Client Authentication rule Source.
  • Global Properties > Authentication parameters, adjusted to allow for Regular Client Refreshment.

Answer : Refreshable Timeout setting, in Client Authentication Action Properties > Limits

156-215.75 Check Point Certified Security Administrator Exam Set 2

Which of the following describes the default behavior of an R77 Security Gateway?


Options are :

  • Traffic is filtered using controlled port scanning.
  • Traffic not explicitly permitted is dropped. (Correct)
  • All traffic is expressly permitted via explicit rules.
  • IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

Answer : Traffic not explicitly permitted is dropped.

The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?


Options are :

  • The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server. (Correct)
  • Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
  • You can limit the authentication attempts in the User Properties’ Authentication tab.
  • You can only use the rule for Telnet, FTP, SMTP, and rlogin services

Answer : The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.

When you use the Global Properties’ default settings on R77, which type of traffic will be dropped if NO explicit rule allows the traffic?


Options are :

  • Firewall logging and ICA key-exchange information
  • Outgoing traffic originating from the Security Gateway
  • RIP traffic (Correct)
  • SmartUpdate connections

Answer : RIP traffic

156-315.77 Check Point Certified Security Expert Exam Set 18

Which of the following is a viable consideration when determining Rule Base order?


Options are :

  • Placing more restrictive rules before more permissive rules (Correct)
  • Grouping reject and drop rules after the Cleanup Rule
  • Grouping IPS rules with dynamic drop rules
  • Grouping authentication rules with QOS rules

Answer : Placing more restrictive rules before more permissive rules

Which of the following is a viable consideration when determining Rule Base order?


Options are :

  • Grouping rules by date of creation
  • Grouping IPS rules with dynamic drop rules
  • Placing frequently accessed rules before less frequently accessed rules (Correct)
  • Adding SAM rules at the top of the Rule Base

Answer : Placing frequently accessed rules before less frequently accessed rules

Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.


Options are :

  • Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
  • Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit. (Correct)
  • Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
  • Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.

Answer : Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

156-215.77 Check Point Certified Security Administrator Exam Set 6

You cannot use SmartDashboard’s User Directory features to connect to the LDAP server. What should you investigate?
1) Verify you have read-only permissions as administrator for the operating system.
2) Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP server.
3) Check that the login Distinguished Name configured has root permission (or at least write permission Administrative access) in the LDAP Server's access control configuration.


Options are :

  • 1 and 3
  • 1 and 2
  • 2 and 3 (Correct)
  • 1, 2, and 3

Answer : 2 and 3

What is the Manual Client Authentication TELNET port?


Options are :

  • 23
  • 900
  • 259 (Correct)
  • 264

Answer : 259

A client has created a new Gateway object that will be managed at a remote location. When the client attempts to install the Security Policy to the new Gateway object, the object does not appear in the Install On check box. What should you look for?


Options are :

  • A Gateway object created using the Check Point > Security Gateway option in the Network Objects dialog box, but the interfaces for the Security Gateway object still need to be configured. (Correct)
  • A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.
  • Secure Internal Communications (SIC) not configured for the object.
  • Anti-spoofing not configured on the interfaces on the Gateway object.

Answer : A Gateway object created using the Check Point > Security Gateway option in the Network Objects dialog box, but the interfaces for the Security Gateway object still need to be configured.
