156-315.13 Check Point Security Expert R76 (GAiA) Exam Set 1

Which of the following is a TRUE statement concerning contract verification?


Options are :

  • Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway. (Correct)
  • Your contract file is stored on the SmartConsole and downloaded to the Gateway
  • Your contract file is stored on the SmartConsole and downloaded to the SmartCenter Server.
  • Your contract file is stored on the User Center and fetched by the Gateway as needed.

Answer : Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway.

156-515.65 Check Point Certified Security Expert Plus Exam Set 2

You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?


Options are :

  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear. (Correct)
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use Log mode to confirm that the suspicious connection does not reappear.
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using Tools > Block Intruder menu. Use Active mode to confirm that the suspicious connection is dropped.

Answer : Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear.

When you add a resource service to a rule, which ONE of the following actions occur?


Options are :

  • VPN-1 Secure Client users attempting to connect to the object defined in the Destination column of the rule will receive a new Desktop Policy from the resource.
  • Users attempting to connect to the destination of the rule will be required to authenticate.
  • All packets matching the resource service rule are analyzed or authenticated, based on the resource properties. (Correct)
  • All packets matching that rule are either encrypted or decrypted by the defined resource.
  • All packets that match the resource in the rule will be dropped.

Answer : All packets matching the resource service rule are analyzed or authenticated, based on the resource properties.

What is a requirement for setting up Management High Availability?


Options are :

  • All SmartCenter Servers must reside in the same Local Area Network (LAN).
  • All SmartCenter Servers must have the BIOS release.
  • You can only have one Secondary SmartCenter Server.
  • All SmartCenter Servers must have the same amount of memory
  • All SmartCenter Servers must have the same operating system. (Correct)

Answer : All SmartCenter Servers must have the same operating system.

156-315.65 Check Point Security Administration NGX R65 Exam Set 7

If a SmartUpdate upgrade or distribution operation fails on SecurePlatform, how is the system recovered?


Options are :

  • The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot . .
  • The Administrator must reinstall the last version via the command cprinstall revert .
  • The Administrator must remove the rpm packages manually, and reattempt the upgrade.
  • SecurePlatform will reboot and automatically revert to the last snapshot version prior to upgrade. (Correct)
  • Answer : SecurePlatform will reboot and automatically revert to the last snapshot version prior to upgrade.

    Regarding QoS guarantees and limits, which of the following statements is FALSE?


    Options are :

    • If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.
    • A rule guarantee must not be less than the sum the guarantees defined in its sub-rules.
    • If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee. (Correct)
    • If both a rule limit and a per connection limit are defined for a rule, the per connection limit must not be greater than the rule limit.

    Answer : If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee.

    Your current stands alone VPN-1 NG with Application Intelligence (Al) R55 installation is running on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the VPN-1 Pro Gateway. An additional machine will serve as the SmartCenter Server. The new machine runs on a Windows Server 2003. You need to upgrade the NG with Al R55 SmartCenter Server configuration to VPN-1 NGX.How do you upgrade to VPN-1 NGX?


    Options are :

    • Copy the $FWDIR\conf and $FWDIR\lib files from the existing SecurePlatform machine. Create a tar.gzfile, and copy it to the Windows Server 2003. Use VPN-1 NGX CD on the existing SecurePlatform machine to do a new installation. Reboot. Run sysconfig and select VPN-1 Pro Gateway. Reboot. Use the NGX CD to install the primary SmartCenter Server on the Windows Server 2003. On the Windows Server 2003, run upgradeimport command to import $FWDIR\conf and $FWDIR\lib from the SecurePlatform machine.
    • Run the backup command in the existing SecurePlatform machine, to create a backup file. Copy the file to the Windows Server 2003. Uninstall all Check Point products on SecurePlatform by running rpm CPsuitE. R55 command. Reboot. Install new VPN-1 NGX on the existing SecurePlatform machine. Run sysconfig, select VPN-1 Pro Gateway, and reboot. Use VPN-1 NGX CD to install primary SmartCenter Server on the Windows Server 2003. Import the backup file.
    • Run backup command on the existing SecurePlatform machine to create a backup file. Copy the file to the Windows Server 2003. Uninstall the primary SmartCenter Server package from NG with Al R55 SecurePlatform using sysconfig. Reboot. Install the NGX primary SmartCenterServer and import the backup file. Open the NGX SmartUpdate, and select "upgrade all packages" on the NG with Al R55 Security Gateway.
    • Insert the NGX CD in the existing NGwithAI R55 SecurePlatform machine, and answer yes to backup the configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and finish the sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows Server 2003. Import the backup file. (Correct)

    Answer : Insert the NGX CD in the existing NGwithAI R55 SecurePlatform machine, and answer yes to backup the configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and finish the sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows Server 2003. Import the backup file.

    Check Point Certified Security Administrator Set 5

    How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_Ato end point Net_B, through an NGX Security Gateway?


    Options are :

    • Net_A/Net_B/sip and sip_any/accept
    • Net_A/Net_B/sip/accept (Correct)
    • Net_A/Net_BM3lP/accept
    • Net_A/Net_B/VolP_any/accept

    Answer : Net_A/Net_B/sip/accept

    Which of the following QoS rule action properties is an Advanced action type, only available in Traditional mode?


    Options are :

    • Rule limit
    • Rule weight
    • Guarantee Allocation (Correct)
    • Rule guarantee
    • Apply rule only to encrypted traffic

    Answer : Guarantee Allocation

    What action can be run from SmartUpdate NGX R65?


    Options are :

    • upgrade_export
    • remote_uninstall_verifier
    • cpinfo (Correct)
    • mds_backup

    Answer : cpinfo

    Check Point Certified Security Expert Exam Set 8

    You are running the license_upgrade tool on your SecurePlatform Gateway. Which of the following can you NOT do with the upgrade tool?


    Options are :

    • Perform the actual license-upgrade process
    • View the status of currently installed licenses.
    • Simulate the license-upgrade process.
    • View the licenses in the SmartUpdate License Repository. (Correct)

    Answer : View the licenses in the SmartUpdate License Repository.

    What happens in relation to the CRL cache after a cpstop;spstart has been initiated?


    Options are :

    • The gateway retrieves a new CRL on startup, then discards the old CRL as invalid.
    • The gateway continues to use the old CRL even if it is not valid, until a new CRL is cached
    • The gateway issues a crl_zap on startup, which empties the cache and forces Certificate retrieval.
    • The gateway continues to use the old CRL, as long as it is valid. (Correct)

    Answer : The gateway continues to use the old CRL, as long as it is valid.

    DShield is a Check Point feature used to block which of the following threats?


    Options are :

    • Cross Site Scripting
    • SQL injection
    • DDOS (Correct)
    • Buffer overflows
    • Trojan horses

    Answer : DDOS

    156-315.65 Check Point Security Administration NGX R65 Exam Set 2

    Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?


    Options are :

    • FTP
    • rlogin (Correct)
    • Telnet
    • SMTP
    • HTTP

    Answer : rlogin

    Which VPN Community object is used to configure VPN routing within the SmartDashboard?


    Options are :

    • Remote Access
    • Mesh
    • Star (Correct)
    • Map

    Answer : Star

    Concerning these products: SecurePlatform, VPN-1 Pro Gateway, UserAuthority Server, Nokia OS, UTM-1, Eventia Reporter, and Performance Pack, which statement is TRUE?


    Options are :

    • All but the UTM-1 can be upgraded to VPN-1 NGX R65 with SmartUpdate.
    • All can be upgraded to VPN-1 NGX R65 with SmartUpdate. (Correct)
    • All but the Nokia OS can be upgraded to VPN-1 NGX R65 with SmartUpdate.
    • All but Performance Pack can be upgraded to VPN-1 NGX R65 with SmartUpdate.

    Answer : All can be upgraded to VPN-1 NGX R65 with SmartUpdate.

    156-315.71 Check Point Security Expert R71 Practical Exam Set 3

    Which of the following commands shows full synchronization status?


    Options are :

    • cphaprob. i list (Correct)
    • fwhastat
    • fw ctl pstat
    • cphastop
    • cphaprob. a if

    Answer : cphaprob. i list

    You are running a VPN-1 NG with Application Intelligence R54 SecurePlatform VPN-1 Pro Gateway. The Gateway also serves as a Policy Server. When you run patch add cd from the NGX CD, what does this command allow you to upgrade?


    Options are :

    • All products, except the Policy Server
    • Only the patch utility is upgraded using this command
    • Only the OS
    • Only VPN-1 Pro Security Gateway
    • Both the operating system (OS) and all Check Point products (Correct)

    Answer : Both the operating system (OS) and all Check Point products

    Your current VPN-1 NG with Application Intelligence (Al) R55 stand alone VPN-1 Pro Gateway and SmartCenter Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with Al R55 SmartCenter Server configuration, including such items as Internal Certificate Authority files, databases, and Security Policies. How do you request a new license for this VPN-1 NGX upgrade?


    Options are :

    • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new central license for the NGX VPN-1 Pro Gateway.
    • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new local license for the NGX VPN-1 Pro Gateway.
    • Request a VPN-1 NGX SmartCenter Server license, using the NG with Al SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address. (Correct)
    • Request a new VPN-1 NGX SmartCenter Server license, using the NG with Al SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway.

    Answer : Request a VPN-1 NGX SmartCenter Server license, using the NG with Al SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address.

    156-315.77 Check Point Certified Security Expert Exam Set 2

    What is the behavior of ClusterXL in a High Availability environment?


    Options are :

    • The active member responds to the virtual IP address.nd both members pass traffic when using their physical addresses.
    • The active member responds to the virtual IP address.nd is the only member that passes traffic E. The passive member responds to the virtual IP address, and both members route traffic when using their physical addresses. (Correct)
    • Both members respond to the virtual IP address, but only the active member is able to pass traffic.
    • Both members respond to the virtual IP address, and both members pass traffic when using their physical addresses.

    Answer : The active member responds to the virtual IP address.nd is the only member that passes traffic E. The passive member responds to the virtual IP address, and both members route traffic when using their physical addresses.

    If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:


    Options are :

    • The standard six-packet IKE Phase 2 exchange is replaced by athreepacket exchange.
    • The standardthreepacket IKE Phase 2 exchange is replaced by a six-packet exchange.
    • The standard six-packet IKE Phase 1 exchange is replaced by atwelvepacket exchange.
    • The standardthreepacket IKE Phase 1 exchange is replaced by a six-packet exchange.
    • The standard six-packet IKE Phase 1 exchange is replaced by athreepacket exchange. (Correct)

    Answer : The standard six-packet IKE Phase 1 exchange is replaced by athreepacket exchange.

    When upgrading to NGX R65, which Check Point products do not require a license upgrade to be current?


    Options are :

    • VPN-1 NGX (R60) and later (Correct)
    • VPN-1 NG with Application Intelligence (R54) and later
    • None, all versions require a license upgrade
    • VPN-1 NGX (R64) and later

    Answer : VPN-1 NGX (R60) and later

    156-315.65 Check Point Security Administration NGX R65 Exam Set 2

    You are using SmartUpdate to fetch data and perform a remote upgrade of an NGX Security Gateway. Which of the following statements is FALSE?


    Options are :

    • A remote installation can be performed without the SVN Foundation package installed on a remote NG with Application Intelligence Security Gateway (Correct)
    • SmartUpdate can query license information running locally on the VPN-1 Gateway
    • If SmartDashboard is open during package upload and upgrade, the upgrade will fail.
    • SmartUpdate can query the SmartCenter Server and VPN-1 Gateway for product information

    Answer : A remote installation can be performed without the SVN Foundation package installed on a remote NG with Application Intelligence Security Gateway

    What action CANNOT be run from SmartUpdate NGX R65?


    Options are :

    • Reboot gateway
    • Get all Gateway Data
    • Fetch sync status (Correct)
    • Preinstall verifier

    Answer : Fetch sync status

    You want to upgrade a SecurePlatform NG with Application Intelligence (Al) R55 Gateway to SecurePlatform NGX R60 via SmartUpdate. Which package is needed in the repository before upgrading?


    Options are :

    • SecurePlatform NGX R60 (Correct)
    • VPN-1 and Firewall-1
    • SVN Foundation 3 E. VPN-1 Pro/Express NGXR60
    • SVN Foundation and VPN-1 Express/Pro

    Answer : SecurePlatform NGX R60

    156-315.77 Check Point Certified Security Expert Exam Set 4

    Your network traffic requires preferential treatment by other routers on the network, in addition to the QoS Module, which Check Point QoS feature should you use?


    Options are :

    • Low Latency Queuing
    • Limits
    • Guarantees
    • Differentiated Services (Correct)
    • Weighted Fair Queuing

    Answer : Differentiated Services

    Cody is notified by blacklist.org that his site has been reported as a spam relay, due to his SMTP Server being unprotected. Cody decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?


    Options are :

    • Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain. (Correct)
    • Configure the SMTP Security Server to perform MX resolving.
    • Configure the SMTP Security Server to apply a generic "from" address to all outgoing mail
    • Configure the SMTP Security Server to work with an OPSEC based product, for content checking.
    • Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.

    Answer : Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain.

    Greg is creating rules and objects to control VoIP traffic in his organization, through a VPN-1 NGX Security Gateway. Greg creates VoIP Domain SIP objects to represent each of his organization's three SIP gateways. Greg then creates a simple group to contain the VoIP Domain SIP objects. When Greg attempts to add the VoIP Domain SIP objects to the group, they are not listed. What is the problem?


    Options are :

    • The VoIP Domain SIP object's name contains restricted characters.
    • VoIP Domain SIP objects cannot be placed in simple groups. (Correct)
    • The installed VoIP gateways specify host objects.
    • The related end points domain specifies an address range.
    • The VoIP gateway object must be added to the group, before the VoIP Domain SIP object is eligible to be added to the group.

    Answer : VoIP Domain SIP objects cannot be placed in simple groups.

    Check Point Certified Security Administrator Set 5

    Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access, after the next Phase 2 exchange occurs?


    Options are :

    • DES Key Reset
    • Phase 3 Key Revocation
    • SHA1 Hash Completion
    • Perfect Forward Secrecy (Correct)
    • MD5 Hash Completion

    Answer : Perfect Forward Secrecy

    What port is used for communication to the UserCenter with SmartUpdate?


    Options are :

    • CPMI
    • HTTPS (Correct)
    • TCP 8080
    • HTTP

    Answer : HTTPS

    Comment / Suggestion Section
    Point our Mistakes and Post Your Suggestions