156-315.13 Check Point Security Expert R76(GAiA) Exam Set 9

How can you verify that SecureXL is running?


Options are :

  • securexl stat
  • fw ver
  • cpstat os
  • fwaccel stat (Correct)

Answer : fwaccel stat

156-215.70 Check Point Certified Security Administrator Exam Set 9

Which type of routing relies on a VPN Tunnel Interface (VTI) to route traffic?


Options are :

  • Host-based VPN
  • Domain-based VPN
  • Route-based VPN (Correct)
  • Subnet-based VPN

Answer : Route-based VPN

If you need strong protection for the encryption of user data, what option would be the BEST choice?


Options are :

  • Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol. (Correct)
  • When you need strong encryption, IPsec is not the best choice. SSL VPN's are a better choice.
  • Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
  • Disable Diffie-Hellman by using stronger certificate based key-derivation. Use AES-256 bit on all encrypted channels and add PFS to QuickMode. Use double encryption by implementing AH and ESP as protocols.

Answer : Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.

MEP VPN's use the Proprietary Probing Protocol to send special UDP RDP packets to port ____ to discover if an IP is accessible.


Options are :

  • 201
  • 259 (Correct)
  • 256
  • 264

Answer : 259

156-315.71 Check Point Security Expert R71 Practical Exam Set 4

If both domain-based and route-based VPN's are configured, which will take precedence?


Options are :

  • Must be chosen/configured manually by the Administrator in the Policy > Global Properties
  • Must be chosen/configured manually by the Administrator in the VPN community object
  • Route-based
  • Domain-based (Correct)

Answer : Domain-based

At what router prompt would you save your OSPF configuration?


Options are :

  • localhost.localdomain(config-router-ospf)#
  • localhost.localdomain(config)#
  • localhost.localdomain# (Correct)
  • localhost.localdomain(config-if)#

Answer : localhost.localdomain#

Which statement is TRUE for route-based VPN's?


Options are :

  • Route-based VPN's replace domain-based VPN's.
  • Route-based VPN's are a form of partial overlap VPN Domain.
  • Dynamic-routing protocols are not required. (Correct)
  • IP Pool NAT must be configured on each Gateway.

Answer : Dynamic-routing protocols are not required.

156-215.71 Check Point Certified Security Administrator Exam Set 3

How do you enable SecureXL (command line) on GAiA?


Options are :

  • fw accel on
  • fwaccel on (Correct)
  • fwsecurexl on
  • fw securexl on

Answer : fwaccel on

What is the router command to save your OSPF configuration?


Options are :

  • write config
  • write mem (Correct)
  • save
  • save memory

Answer : write mem

To verify SecureXL statistics you would use the command ________?


Options are :

  • fw ctl pstat
  • fwaccel stats (Correct)
  • cphaprob stat
  • fw ctl pstat

Answer : fwaccel stats

156-315.77 Check Point Certified Security Expert Exam Set 8

VTIs are assigned only local addresses, not remote addresses


Options are :

  • 1, 2, and 4
  • 2 and 3
  • 1, 2, 3 and 4 (Correct)
  • 1, 3, and 4

Answer : 1, 2, 3 and 4

Which operating system(s) support(s) unnumbered VPN Tunnel Interfaces (VTIs) for route-based VPN's?


Options are :

  • Red Hat Linux
  • SecurePlatform for NGX and higher
  • Solaris 9 and higher
  • IPSO 3.9 and higher (Correct)

Answer : IPSO 3.9 and higher

What is the command to show OSPF adjacencies?


Options are :

  • show ospf interface
  • show running-config
  • show ospf summary-address
  • show ip ospf neighbor (Correct)

Answer : show ip ospf neighbor

156-215.77 Check Point Certified Security Administrator Test Set 2

Which of the following statements is TRUE concerning MEP VPN's?


Options are :

  • State synchronization between Security Gateways is NOT required. (Correct)
  • MEP Security Gateways cannot be managed by separate Management Servers.
  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
  • MEP VPN's are restricted to the location of the gateways.

Answer : State synchronization between Security Gateways is NOT required.

What is used to validate a digital certificate?


Options are :

  • CRL (Correct)
  • IPsec
  • S/MIME
  • PKCS

Answer : CRL

In CoreXL, what process is responsible for processing incoming traffic from the network interfaces, securely accelerating authorized packets, and distributing non-accelerated packets among kernel instances?


Options are :

  • SND (Secure Network Distributor) (Correct)
  • NAD (Network Accelerator Daemon)
  • SNP (System Networking Process)
  • SSD (Secure System Distributor)

Answer : SND (Secure Network Distributor)

156-315.77 Check Point Certified Security Expert Exam Set 1

A VPN Tunnel Interface (VTI) is defined on SecurePlatform Pro as:

  vpn shell interface add numbered 10.10.0.1 10.10.0.2 madrid.cp

What do you know about this VTI?


Options are :

  • 10.10.0.1 is the local Gateway's internal interface, and 10.10.0.2 is the internal interface of the remote Gateway.
  • The peer Security Gateway's name is madrid.cp (Correct)
  • The local Gateway's object name is madrid.cp
  • The VTI name is madrid.cp.

Answer : The peer Security Gateway's name is madrid.cp

Frank is concerned with performance and wants to configure the affinities settings. His gateway does not have the Performance Pack running. What would Frank need to perform in order to configure those settings?


Options are :

  • Run fw affinity and change the settings.
  • Edit affinity.conf and change the settings.
  • Run sim affinity and change the settings.
  • Edit $FWDIR/conf/fwaffinity.conf and change the settings. (Correct)

Answer : Edit $FWDIR/conf/fwaffinity.conf and change the settings.

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot share IP addresses
  • VTIs can use an already existing physical-interface IP address
  • VTIs are supported on SecurePlatform Pro (Correct)
  • VTIs are assigned only local addresses, not remote addresses

Answer : VTIs are supported on SecurePlatform Pro

Check Point Certified Security Expert Exam Set 8

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs are only supported on SecurePlatform
  • Local IP addresses are not configured, remote IP addresses are configured
  • VTI specific additional local and remote IP addresses are not configured (Correct)
  • VTIs cannot be assigned a proxy interface

Answer : VTI specific additional local and remote IP addresses are not configured

A SmartProvisioning Gateway could be a member of which VPN communities? (i) Center In Star Topology (ii) Satellite in Star Topology (iii) Carter in Remote Access Community (iv) Meshed Community


Options are :

  • (ii) only
  • (ii) and (iii) (Correct)
  • (i), (ii) and (iii)
  • All

Answer : (ii) and (iii)

Due to some recent performance issues, you are asked to add additional processors to your firewall. If you already have CoreXL enabled, how are you able to increase Kernel instances?


Options are :

  • Use cpconfig to reconfigure CoreXL. (Correct)
  • Once CoreXL is installed you cannot enable additional Kernel instances without reinstalling R76.
  • In SmartUpdate, right-click on Firewall Object and choose Add Kernel Instances.
  • Kernel instances are automatically added after process installed and no additional configuration is needed.

Answer : Use cpconfig to reconfigure CoreXL.

156-315.71 Check Point Security Expert R71 Practical Exam Set 2

The CoreXL SND (Secure Network Distributor) is responsible for:


Options are :

  • changing routes to distribute the load across multiple firewalls
  • accelerating VPN traffic
  • distributing non-accelerated packets among kernel instances (Correct)
  • shutting down cores when they are not needed

Answer : distributing non-accelerated packets among kernel instances

Which of the following is NOT accelerated by SecureXL?


Options are :

  • HTTPS
  • SSH
  • FTP (Correct)
  • Telnet

Answer : FTP

What type of object may be explicitly defined as a MEP VPN?


Options are :

  • Mesh VPN Community
  • Star VPN Community (Correct)
  • Any VPN Community
  • Remote Access VPN Community

Answer : Star VPN Community

Check Point Certified Security Administrator Set 5

You have three Gateways in a mesh community. Each gateway's VPN Domain is their internal network as defined on the Topology tab setting All IP Addresses behind Gateway based on Topology information. You want to test the route-based VPN, so you created VTIs among the Gateways and created static route entries for the VTIs. However, when you test the VPN, you find out the VPN still goes through the regular domain IPsec tunnels instead of the routed VTI tunnels. What is the problem and how do you make the VPN use the VTI tunnels?


Options are :

  • Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway's VPN Domain (Correct)
  • Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route entries to ensure that they are correctly pointing to the VTI gateway IP.
  • Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, remove the Gateways out of the mesh community and replace with a star community
  • Route-based VTI takes precedence over the Domain VPN. To make the VPN go through VTI, use dynamic-routing protocol like OSPF or BGP to route the VTI address to the peer instead of static routes

Answer : Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway's VPN Domain

Which of the following statements is TRUE concerning MEP VPN's?


Options are :

  • MEP VPN's are restricted to the location of the gateways.
  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
  • MEP Security Gateways can be managed by separate Management Servers. (Correct)
  • State synchronization between Security Gateways is required.

Answer : MEP Security Gateways can be managed by separate Management Servers.

Which of the following services will cause SecureXL templates to be disabled?


Options are :

  • LDAP
  • HTTPS
  • FTP (Correct)
  • TELNET

Answer : FTP

156-315.77 Check Point Certified Security Expert Exam Set 8

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Assign links to specific VPN communities.
  • Use links based on Day/Time.
  • Probe links for availability. (Correct)
  • Use links based on authentication method.

Answer : Probe links for availability.

Review the following list of actions that Security Gateway R76 can take when it controls packets. The Policy Package has been configured for Simplified Mode VPN. Select the response below that includes the available actions:


Options are :

  • Accept, Reject, Encrypt, Drop
  • Accept, Hold, Reject, Proxy
  • Accept, Drop, Encrypt, Session Auth
  • Accept, Drop, Reject, Client Auth (Correct)

Answer : Accept, Drop, Reject, Client Auth
