156-315.13 Check Point Security Expert R76(GAiA) Exam Set 10

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs are only supported on IPSO
  • VTIs are assigned only local addresses, not remote addresses
  • VTIs cannot use an already existing physical-interface IP address (Correct)
  • VTIs cannot share IP addresses

Answer : VTIs cannot use an already existing physical-interface IP address

156-315.77 Check Point Certified Security Expert Exam Set 4

How do you verify a VPN Tunnel Interface (VTI) is configured properly?


Options are :

  • vpn shell show detailed
  • vpn shell display interface detailed
  • vpn shell display detailed
  • vpn shell show interface detailed (Correct)

Answer : vpn shell show interface detailed

What process manages the dynamic routing protocols (OSPF, RIP, etc.) on SecurePlatform Pro?


Options are :

  • Routerd
  • There's no separate process, but the Linux default router can take care of that.
  • Arouted
  • Gated (Correct)

Answer : Gated

Which of the following statements is TRUE concerning MEP VPN's?


Options are :

  • MEP VPN's are restricted to the location of the gateways.
  • State synchronization between Security Gateways is required.
  • The VPN Client selects which Security Gateway takes over, should the first connection fail. (Correct)
  • MEP Security Gateways cannot be managed by separate Management Servers.

Answer : The VPN Client selects which Security Gateway takes over, should the first connection fail.

Check Point Certified Security Administrator Set 1

You have installed SecurePlatform R76 as Security Gateway operating system. As company requirements changed, you need the VTI features of R76. What should you do?


Options are :

  • Only IPSO 3.9 supports VTI feature, so you have to replace your Security Gateway with Nokia appliances.
  • In SmartDashboard click on the OS drop down menu and choose SecurePlatform Pro. You have to reboot the Security Gateway in order for the change to take effect.
  • You have to re-install your Security Gateway with SecurePlatform Pro R76, as SecurePlatform R76 does not support VTIs.
  • Type pro enable on your Security Gateway and reboot it. (Correct)

Answer : Type pro enable on your Security Gateway and reboot it.

If the number of kernel instances for CoreXL shown is 6, how many cores are in the physical machine?


Options are :

  • 4
  • 6
  • 8 (Correct)
  • 12

Answer : 8

Which of these is a type of acceleration in SecureXL?


Options are :

  • QoS
  • connection rate (Correct)
  • FTP
  • GRE

Answer : connection rate

Check Point Certified Security Administrator Set 5

You are concerned that the processor for your firewall running NGX R71 SecurePlatform may be overloaded. What file would you view to determine the speed of your processor(s)?


Options are :

  • cat /proc/cpuinfo (Correct)
  • cat /var/opt/CPsuite-R71/fw1/conf/cpuinfo
  • cat /etc/sysconfig/cpuinfo
  • cat /etc/cpuinfo

Answer : cat /proc/cpuinfo

VPN routing can also be configured by editing which file?


Options are :

  • $FWDIR\conf\vpn_route.conf (Correct)
  • $FWDIR\VPN\route_conf.c
  • $FWDIR\bin\vpn_route.conf
  • $FWDIR\conf\vpn_route.c

Answer : $FWDIR\conf\vpn_route.conf

Your customer complains of the weak performance of his systems. He has heard that Connection Templates accelerate traffic. How do you explain to the customer about template restrictions and how to verify that they are enabled?


Options are :

  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command fwacel templates.
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fwaccel stat. (Correct)
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fw ctl templates.
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command fw ctl templates.

Answer : To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fwaccel stat.

Check Point Certified Security Expert Exam Set 6

How can you disable SecureXL via the command line (it does not need to survive a reboot)?


Options are :

  • fw ctl accel off
  • fwaccel off (Correct)
  • cphaprob off
  • securexl off

Answer : fwaccel off

Which of the following statements is FALSE regarding OSPF configuration on SecurePlatform Pro?


Options are :

  • router ospf 1 creates an OSPF routing instance and this process ID should be the same on all Gateways. (Correct)
  • router ospf 1 creates the Router ID for the Security Gateway and should be the same ID for all Gateways.
  • router ospf 1 creates an OSPF routing instance and this process ID should be different for each Security Gateway.
  • router ospf 1 creates the Router ID for the Security Gateway and should be different for all Gateways.

Answer : router ospf 1 creates an OSPF routing instance and this process ID should be the same on all Gateways.

What is the command to enter the router shell?


Options are :

  • router (Correct)
  • routerd
  • clirouter
  • gated

Answer : router

Check Point Certified Security Expert Exam Set 4

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Prohibit Dynamic DNS
  • Assign links to specific VPN communities.
  • Use links based on services. (Correct)
  • Assign links to use Dynamic DNS.

Answer : Use links based on services.

After Travis added new processing cores on his server, CoreXL did not use them. What would be the most plausible reason why? Travis did not:


Options are :

  • Edit the Gateway Properties and increase the number of CPU cores.
  • Run cpconfig to increase the kernel instances. (Correct)
  • Run cpconfig to increase the number of CPU cores
  • Edit the Gateway Properties and increase the kernel instances.

Answer : Run cpconfig to increase the kernel instances.

Which of the following statements is TRUE concerning MEP VPN's?


Options are :

  • State synchronization between Security Gateways is required.
  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
  • MEP Security Gateways cannot be managed by separate Management Servers.
  • MEP VPN's are not restricted to the location of the gateways. (Correct)

Answer : MEP VPN's are not restricted to the location of the gateways.

156-215.77 Check Point Certified Security Administrator Exam Set 2

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs can only be physical, not loopback.
  • VTIs must be assigned a proxy interface. (Correct)
  • VTIs are only supported on SecurePlatform.
  • Local IP addresses are not configured, remote IP addresses are configured.

Answer : VTIs must be assigned a proxy interface.

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Use Load Sharing to distribute VPN traffic. (Correct)
  • Assign links to use Dynamic DNS.
  • Use links based on authentication method.
  • Use links based on Day/Time.

Answer : Use Load Sharing to distribute VPN traffic.

Which statement defines Public Key Infrastructure? Security is provided:


Options are :

  • by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.
  • by Certificate Authorities, digital certificates, and public key encryption. (Correct)
  • by authentication.
  • via both private and public keys, without the use of digital Certificates.

Answer : by Certificate Authorities, digital certificates, and public key encryption.

156-315.77 Check Point Certified Security Expert Exam Set 2

Which of the following is NOT a restriction for connection template generation?


Options are :

  • ISN Spoofing
  • UDP services with no protocol type or source port mentioned in advanced properties (Correct)
  • VPN Connections
  • SYN Defender

Answer : UDP services with no protocol type or source port mentioned in advanced properties

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Assign links to use Dynamic DNS.
  • Use links based on Day/Time.
  • Assign links to specific VPN communities.
  • Set up links for Remote Access. (Correct)

Answer : Set up links for Remote Access.

Which of the following is NOT supported by CoreXL?


Options are :

  • IPV4
  • SmartView Tracker
  • Route-based VPN (Correct)
  • IPS

Answer : Route-based VPN

156-315.77 Check Point Certified Security Expert Exam Set 1

Your organization maintains several IKE VPN's. Executives in your organization want to know which mechanism Security Gateway R76 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?


Options are :

  • Certificate Revocation Lists
  • Application Intelligence
  • Digital signatures (Correct)
  • Key-exchange protocols

Answer : Digital signatures

Which of the following operating systems support numbered VTI's?


Options are :

  • SecurePlatform Pro (Correct)
  • Solaris
  • IPSO 4.0 +
  • Windows Server 2008

Answer : SecurePlatform Pro

You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?


Options are :

  • Internal_clear > External_Clear
  • internal_clear > All_communities (Correct)
  • Communities > Communities
  • internal_clear > All_GwToGw

Answer : internal_clear > All_communities

156-315.71 Check Point Security Expert R71 Practical Exam Set 1

When configuring a Permanent Tunnel between two gateways in a Meshed VPN community, in what object is the tunnel managed?


Options are :

  • Security Management Server
  • Only the local Security Gateway object
  • VPN Community object (Correct)
  • Each participating Security Gateway object

Answer : VPN Community object

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Create a new logical-server object to represent your partner's CA.
  • Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA). (Correct)
  • Manually import your partner's Access Control List
  • Manually import your partner's Certificate Revocation List.

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).

Which of the following platforms does NOT support SecureXL?


Options are :

  • IP Appliance
  • Power-1 Appliance
  • UNIX (Correct)
  • UTM-1 Appliance

Answer : UNIX

Check Point Certified Security Expert Exam Set 8

You need to publish GAiA routes using the OSPF routing protocol. What is the correct command structure, once entering the route command, to implement OSPF successfully?


Options are :

  • ip route ospf ospf network1 ospf network2
  • Use DBedit utility to edit the objects_5_0.c file
  • Run cpconfig utility to enable ospf routing
  • Enable Configure terminal Router ospf [id] Network [network] [wildmask] area [id] (Correct)

Answer : Enable Configure terminal Router ospf [id] Network [network] [wildmask] area [id]

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot be assigned a proxy interface.
  • Local IP addresses are not configured, remote IP addresses are configured.
  • VTIs can only be physical, not loopback.
  • They are only supported on the IPSO Operating System. (Correct)

Answer : They are only supported on the IPSO Operating System.
