156-215.77 Check Point Certified Security Administrator Exam Set 5

When translation occurs using automatic Hide NAT, what also happens?


Options are :

  • The source port is modified.
  • The destination is modified.
  • Nothing happens.
  • The destination port is modified.

Answer : The source port is modified.

Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers is passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of anti-spoofing settings. What is causing this?


Options are :

  • Routing is not configured correctly.
  • Translate destination on client side is not checked in Global Properties under Manual NAT Rules.
  • Allow bi-directional NAT is not checked in Global Properties.
  • Manual NAT rules are not configured correctly.

Answer : Translate destination on client side is not checked in Global Properties under Manual NAT Rules.

After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti-spoofing protections. Which of the following is the MOST LIKELY cause?


Options are :

  • The Global Properties setting Translate destination on client side is unchecked. But the topology on the external interface is set to Others +. Change topology to External.
  • The Global Properties setting Translate destination on client side is checked. But the topology on the external interface is set to External. Change topology to Others +.
  • The Global Properties setting Translate destination on client side is checked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties setting Translate destination on client side.
  • The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.

Answer : The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.

Which of these Security Policy changes optimize Security Gateway performance?


Options are :

  • Using groups within groups in the manual NAT Rule Base.
  • Putting the least-used rule at the top of the Rule Base.
  • Use Automatic NAT rules instead of Manual NAT rules whenever possible.
  • Using domain objects in rules when possible.

Answer : Use Automatic NAT rules instead of Manual NAT rules whenever possible.

Which of the following commands can provide the most complete restoration of a R77 configuration?


Options are :

  • upgrade_import
  • cpconfig
  • cpinfo -recover
  • fwm dbimport -p

Answer : upgrade_import

Which NAT option applicable for Automatic NAT applies to Manual NAT as well?


Options are :

  • Translate destination on client-side
  • Enable IP Pool NAT
  • Allow bi-directional NAT
  • Automatic ARP configuration

Answer : Translate destination on client-side

Your company is running Security Management Server R77 on GAiA, which has been migrated through each version starting from Check Point 4.1. How do you add a new administrator account?


Options are :

  • Using SmartDashboard or cpconfig
  • Using the Web console on GAiA under Product configuration, select Administrators
  • Using SmartDashboard, under Users, select Add New Administrator
  • Using cpconfig on the Security Management Server, choose Administrators

Answer : Using SmartDashboard, under Users, select Add New Administrator

Static NAT connections, by default, translate on which firewall kernel inspection point?


Options are :

  • Post-inbound
  • Outbound
  • Eitherbound
  • Inbound

Answer : Inbound

A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway. With the default settings in place for NAT, the initiating packet will translate the _________.


Options are :

  • destination on server side
  • source on server side
  • destination on client side
  • source on client side

Answer : destination on client side

Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?


Options are :

  • Configure Automatic Hide NAT on network 10.10.20.0/24 and then edit the Service column in the NAT Rule Base on the automatic rule.
  • Configure three Manual Static NAT rules for network 10.10.20.0/24, one for each service.
  • Configure Automatic Static NAT on network 10.10.20.0/24
  • Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.

Answer : Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.

You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout?


Options are :

  • No action is needed because cpshell has a timeout of one hour by default.
  • Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.
  • Log in as admin, switch to expert mode, set the timeout to one hour with the command, idle 60, then start cpinfo.
  • Log in as the default user expert and start cpinfo.

Answer : Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.

Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?


Options are :

  • Dynamic Destination
  • Static Destination
  • Hide
  • Static Source

Answer : Hide

In SmartDashboard, Translate destination on client side is checked in Global Properties. When Network Address Translation is used:


Options are :

  • VLAN tagging cannot be defined for any hosts protected by the Gateway
  • It is not necessary to add a static route to the Gateway’s routing table.
  • The Security Gateway’s ARP file must be modified.
  • It is necessary to add a static route to the Gateway’s routing table.

Answer : It is not necessary to add a static route to the Gateway’s routing table.

An internal host initiates a session to the Google.com website and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of __________


Options are :

  • None of these
  • client side NAT
  • source NAT
  • destination NAT

Answer : source NAT

Which of the following methods will provide the most complete backup of an R77 configuration?


Options are :

  • Database Revision Control
  • Policy Package Management
  • Copying the directories $FWDIR\conf and $CPDIR\conf to another server
  • Execute command upgrade_export

Answer : Execute command upgrade_export

Which of the following statements BEST describes Check Point’s Hide Network Address Translation method?


Options are :

  • One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
  • Translates many destination IP addresses into one destination IP address
  • Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
  • Translates many source IP addresses into one source IP address

Answer : Translates many source IP addresses into one source IP address

Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong password three times. His account is locked. What can be done to unlock Peter’s account? Give the BEST answer.


Options are :

  • It is not possible to unlock Peter’s account. You have to install the firewall once again or abstain from Peter’s help.
  • You can unlock Peter’s account by using the command fwm unlock_admin -u Peter on the Security Gateway.
  • You can unlock Peter’s account by using the command fwm unlock_admin -u Peter on the Security Management Server
  • You can unlock Peter’s account by using the command fwm lock_admin -u Peter on the Security Management Server.

Answer : You can unlock Peter’s account by using the command fwm lock_admin -u Peter on the Security Management Server.

Which command allows Security Policy name and install date verification on a Security Gateway?


Options are :

  • fw ctl pstat -policy
  • fw show policy
  • fw stat -l
  • fw ver -p

Answer : fw stat -l

Which of the following is a hash algorithm?


Options are :

  • 3DES
  • DES
  • IDEA
  • MD5

Answer : MD5

The customer has a small Check Point installation which includes one Windows 7 workstation as the SmartConsole, one GAiA device working as Security Management Server, and a third server running SecurePlatform as Security Gateway. This is an example of a(n):


Options are :

  • Unsupported configuration
  • Stand-Alone Installation
  • Hybrid Installation
  • Distributed Installation

Answer : Distributed Installation

The customer has a small Check Point installation which includes one Windows 2008 server as SmartConsole and Security Management Server with a second server running GAiA as Security Gateway. This is an example of a(n):


Options are :

  • Stand-Alone Installation.
  • Distributed Installation.
  • Hybrid Installation.
  • Unsupported configuration.

Answer : Distributed Installation.

When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?


Options are :

  • SecureClient
  • Security Gateway
  • None, Security Management Server would be installed by itself.
  • SmartConsole

Answer : Security Gateway

How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy?


Options are :

  • Pop-up alert script
  • Custom scripts cannot be executed through alert scripts.
  • SNMP trap alert script
  • User-defined alert script

Answer : User-defined alert script

Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources’ servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?


Options are :

  • A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On.
  • In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.
  • A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install on Target.
  • When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target.

Answer : In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.

Your bank’s distributed R77 installation has Security Gateways up for renewal. Which SmartConsole application will tell you which Security Gateways have licenses that will expire within the next 30 days?


Options are :

  • SmartView Tracker
  • SmartUpdate
  • SmartPortal
  • SmartDashboard

Answer : SmartUpdate

Which feature or command provides the easiest path for Security Administrators to revert to earlier versions of the same Security Policy and objects configuration?


Options are :

  • dbexport/dbimport
  • upgrade_export/upgrade_import
  • Database Revision Control
  • Policy Package management

Answer : Database Revision Control

You are about to test some rule and object changes suggested in an R77 news group. Which backup solution should you use to ensure the easiest restoration of your Security Policy to its previous configuration after testing the changes?


Options are :

  • GAiA backup utilities
  • upgrade_export command
  • Database Revision Control
  • Manual copies of the directory $FWDIR/conf

Answer : Database Revision Control

Which component functions as the Internal Certificate Authority for R77?


Options are :

  • Policy Server
  • SmartLSM
  • Security Gateway
  • Management Server

Answer : Management Server

You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for this configuration. You then delete two existing users and add a new user group. You modify one rule and add two new rules to the Rule Base. You save the Security Policy and create database version 2. After a while, you decide to roll back to version 1 to use the Rule Base, but you want to keep your user database. How can you do this?


Options are :

  • Restore the entire database, except the user database, and then create the new user and user group.
  • Run fwm_dbexport to export the user database. Select restore the entire database in the Database Revision screen. Then, run fwm_dbimport.
  • Restore the entire database, except the user database.
  • Run fwm dbexport -l filename. Restore the database. Then, run fwm dbimport -l filename to import the users.

Answer : Restore the entire database, except the user database.

A digital signature:


Options are :

  • Automatically exchanges shared keys.
  • Provides a secure key exchange mechanism over the Internet.
  • Decrypts data to its original form.
  • Guarantees the authenticity and integrity of a message.

Answer : Guarantees the authenticity and integrity of a message.
