156-315.65 Check Point Security Administration NGX R65 Exam Set 1

Steve tries to configure Directional VPN Rule Match in the Rule Base, but the Match column does not offer the Directional Match option. Steve sees the following screen. What is the problem?


Options are :

  • Steve must enable VPN Directional Match on the gateway object's VPN tab.
  • Steve must enable a dynamic routing protocol, such as OSPF, on the Gateways.
  • Steve must enable Advanced Routing on each Security Gateway.
  • Steve must enable VPN Directional Match on the VPN Advanced screen, in Global properties. (Correct)
  • Steve must enable directional_match(true) in the objects_5_0.C file on SmartCenter Server.

Answer : Steve must enable VPN Directional Match on the VPN Advanced screen, in Global properties.

156-215.13 Check Point Certified Security Administrator Exam Set 4

You are configuring the VoIP Domain object for an H.323 environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • Call Agent
  • Gatekeeper (Correct)
  • Call Manager
  • Proxy
  • Transmission Router

Answer : Gatekeeper

Which component functions as the Internal Certificate Authority for VPN-1 NGX?


Options are :

  • SmartCenterServer (Correct)
  • SmartLSM
  • Policy Server
  • VPN-1 Certificate Manager
  • Security Gateway

Answer : SmartCenterServer

Which Security Servers can perform Content Security tasks, but CANNOT perform authentication tasks?


Options are :

  • FTP
  • HTTP
  • Telnet
  • SMTP (Correct)

Answer : SMTP

Check Point Certified Security Expert Exam Set 5

You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?


Options are :

  • internal_clear > Communities
  • Communities > Communities
  • internal_clear > External_clear
  • internal_clear > All communities (Correct)
  • internal_clear > All_GwToGw

Answer : internal_clear > All communities

You want to block corporate internal-net and localnet from accessing Web sites containing inappropriate content. You are using WebTrends for URL filtering. You have disabled VPN-1 Control connections in the Global properties. Review the diagram and the Security Policies for GW_A and GW_B in the exhibit provided. Corporate users and localnet users receive the message "Web cannot be displayed". In SmartView Tracker, you see the connections are dropped with the message "content security is not reachable". What is the problem, and how do you fix it?


Options are :

  • The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_A's Policy to allow source GW_A, destination WebTrends server, service TCP port 18182, and action accept. (Correct)
  • The connection from GW_B to the WebTrend server is not allowed in the Policy. Fix: Add a rule in GW_B's Policy with Source GW_B, destination WebTrends server, service TCP port 18182, and action accept.
  • The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_B's Policy with source WebTrends server, destination GW_A, service TCP port 18182, and action accept.
  • The connection from GW_B to the internal WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_A's Policy to allow source WebTrends Server, destination GW_B, service TCP port 18182, and action accept.
  • The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_B's Policy with source GW_A, destination: WebTrends server, service TCP port 18182, and action accept.

Answer : The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_A's Policy to allow source GW_A, destination WebTrends server, service TCP port 18182, and action accept.

Which of the following actions is most likely to improve the performance of Check Point QoS?


Options are :

  • Install Check Point QoS only on the external interfaces of the QoS Module. (Correct)
  • Put the most frequently used rules at the bottom of the QoS Rule Base.
  • Turn "per rule limits" into "per connection limits".
  • Turn "per rule guarantees" into "per connection guarantees".
  • Define weights in the Default Rule in multiples of 10.

Answer : Install Check Point QoS only on the external interfaces of the QoS Module.

156-515.65 Check Point Certified Security Expert Plus Exam Set 2

Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?


Options are :

  • Advanced Action options in each QoS rule
  • $CPDIR/conf/qos_props.pf
  • QoS Class objects
  • Check Point gateway object properties
  • Global Properties (Correct)

Answer : Global Properties

Stephanie wants to reduce the encryption overhead and improve performance for her mesh VPN Community. The Advanced VPN Properties screen below displays the adjusted settings. What can Stephanie do to achieve her goal?


Options are :

  • Check the box "Use Perfect Forward Secrecy".
  • Change the setting "Use Diffie-Hellman group" to "Group 5 (1536 bit)".
  • Check the box "Support IP compression" (Correct)
  • Check the box "Use aggressive mode".
  • Reduce the setting "Renegotiate IKE security associations every" to "720".

Answer : Check the box "Support IP compression"

Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to access company resources. For security reasons, your organization's Security Policy requires that all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?


Options are :

  • To the center; or through the center to other satellites, then to the Internet and other VPN targets (Correct)
  • To the Internet and other targets only
  • To the center and other satellites, through the center
  • To the center only

Answer : To the center; or through the center to other satellites, then to the Internet and other VPN targets

156-315.77 Check Point Certified Security Expert Exam Set 5

You set up a mesh VPN Community, so your internal networks can access your partner's network, and vice versa. Your Security Policy encrypts only FTP and HTTP traffic through a VPN tunnel. All other traffic among your internal and partner networks is sent in clear text. How do you configure the VPN Community?


Options are :

  • Disable "accept all encrypted traffic" in the Community, and add FTP and HTTP services to the Security Policy, with that Community object in the VPN field. (Correct)
  • Disable "accept all encrypted traffic", and put FTP and HTTP in the Excluded services in the Community object. Add a rule in the Security Policy for services FTP and http, with the Community object in the VPN field.
  • Put FTP and HTTP in the Excluded services in the Community object. Then add a rule in the Security Policy to allow Any as the service, with the Community object in the VPN field.
  • Enable "accept all encrypted traffic", but put FTP and HTTP in the Excluded services in the Community. Add a rule in the Security Policy, with services FTP and http, and the Community object in the VPN field.

Answer : Disable "accept all encrypted traffic" in the Community, and add FTP and HTTP services to the Security Policy, with that Community object in the VPN field.

What type of packet does a VPN-1 SecureClient send to its Policy Server, to report its Secure Configuration Verification status?


Options are :

  • UDP keep alive (Correct)
  • ICMP Destination Unreachable
  • IKE Key Exchange
  • TCP keep alive
  • ICMP Port Unreachable

Answer : UDP keep alive

You have two Nokia Appliances: one IP530 and one IP380. Both Appliances have IPSO 3.9 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a gateway cluster?


Options are :

  • Yes, as long as they have the same IPSO version and the same VPN-1 Pro version (Correct)
  • No, because the appliances must be of the same model (Both should be IP530 or IP380.)
  • Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not
  • No, because the Gateway versions must not be the same on both security gateways
  • No, because members of a security gateway cluster must be installed as stand-alone deployments

Answer : Yes, as long as they have the same IPSO version and the same VPN-1 Pro version

Check Point Certified Security Administrator Set 5

Jacob is using a mesh VPN Community to create a site-to-site VPN. The VPN properties of this mesh Community are displayed in this graphic. Which of the following statements is TRUE?


Options are :

  • If Jacob changes the setting, "Perform key exchange encryption with" from "3DES" to "DES", he will enhance the VPN Community's security and reduce encryption overhead.
  • If Jacob changes the setting "Perform IPSec data encryption with" from "AES-128" to "3DES", he will increase the encryption overhead. (Correct)
  • Jacob must change the data integrity settings for this VPN Community. MD5 is incompatible with AES.
  • Jacob's VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX supports.

Answer : If Jacob changes the setting "Perform IPSec data encryption with" from "AES-128" to "3DES", he will increase the encryption overhead.

You are configuring the VoIP Domain object for a Skinny Client Control Protocol (SCCP) environment protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • CallManager (Correct)
  • Gatekeeper
  • Transmission Router
  • Gateway
  • Proxy

Answer : CallManager

How does a standby SmartCenter Server receive logs from all Security Gateways, when an active SmartCenter Server fails over?


Options are :

  • The remote Gateways must set up SIC with the secondary SmartCenter Server, for logging.
  • On the Log Servers screen (from the Logs and Masters tree on the gateway object's General Properties screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security Policy. (Correct)
  • Establish Secure Internal Communications (SIC) between the primary and secondary Servers. The secondary Server can then receive logs from the Gateways, when the active Server fails over.
  • Create a Check Point host object to represent the standby SmartCenter Server. Then select "Secondary SmartCenter Server" and "Log Server", from the list of Check Point Products on the General properties screen.
  • The secondary Server's host name and IP address must be added to the Masters file, on the remote Gateways.

Answer : On the Log Servers screen (from the Logs and Masters tree on the gateway object's General Properties screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security Policy.

Check Point Certified Security Expert Exam Set 6

Problems sometimes occur when distributing IPSec packets across the members of a Load Sharing Multicast mode cluster, even though the packets have the same source and destination IP addresses. What is the best Load Sharing method for preventing this type of problem?


Options are :

  • Load Sharing based on SPIs and ports only
  • Load Sharing based on SPIs only
  • Load Sharing based on IP addresses only
  • Load Sharing based on IP addresses and ports (Correct)
  • Load Sharing based on IP addresses, ports, and Security Parameter Indexes (SPIs)

Answer : Load Sharing based on IP addresses and ports
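The reason the SPI-based method misbehaves for IPSec is that each direction of a tunnel is a separate Security Association with its own SPI, so a decision function that hashes the SPI can place the two directions of one tunnel on different members even though the IP pair is identical. The following added example (written for this page, not Check Point's own code, and a deliberately simplified model of a direction-independent decision function rather than ClusterXL's real algorithm) shows this by hashing the same constructed ESP and TCP packets under the three sharing methods; member names, addresses and SPI values are all constructed.

```python
import hashlib
from dataclasses import dataclass

ESP = 50  # IP protocol number for IPSec ESP
TCP = 6

# Constructed member names; a real cluster identifies members by number.
MEMBERS = ["member-1", "member-2", "member-3"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0  # ESP carries no transport ports, so 0 stands for "none"
    dport: int = 0
    spi: int = 0    # IPSec Security Parameter Index; 0 for non-IPSec traffic


def decision_key(pkt: Packet, method: str) -> tuple:
    """Return the tuple a sharing method hashes to pick a member.

    The IP pair and port pair are sorted so both directions of one
    connection produce the same key.  Simplified model, not ClusterXL code.
    """
    ips = tuple(sorted((pkt.src, pkt.dst)))
    ports = tuple(sorted((pkt.sport, pkt.dport)))
    if method == "ips":
        return ips
    if method == "ips_ports":
        return ips + ports
    if method == "ips_ports_spis":
        # Each SA has its own SPI, so the two directions of a tunnel differ here.
        return ips + ports + (pkt.spi,)
    raise ValueError(f"unknown sharing method: {method}")


def choose_member(pkt: Packet, method: str, members=MEMBERS) -> str:
    """Hash the decision key and map it onto one cluster member."""
    digest = hashlib.sha256(repr(decision_key(pkt, method)).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def same_key_both_directions(method: str, outbound: Packet, inbound: Packet) -> bool:
    """True if both directions are guaranteed to land on the same member."""
    return decision_key(outbound, method) == decision_key(inbound, method)


# Constructed sample: one IPSec tunnel between two gateways.  Outbound and
# inbound ESP are separate SAs and therefore carry different SPIs.
ESP_OUT = Packet("172.28.108.3", "198.51.100.7", ESP, spi=0x1A2B3C4D)
ESP_IN = Packet("198.51.100.7", "172.28.108.3", ESP, spi=0x9E8F7A6B)

# Constructed sample: a plain TCP connection (client SYN and server SYN/ACK).
TCP_OUT = Packet("10.4.8.25", "198.51.100.80", TCP, sport=40000, dport=443)
TCP_IN = Packet("198.51.100.80", "10.4.8.25", TCP, sport=443, dport=40000)

if __name__ == "__main__":
    for method in ("ips", "ips_ports", "ips_ports_spis"):
        print(f"{method:16} tunnel on one member: "
              f"{same_key_both_directions(method, ESP_OUT, ESP_IN)!s:5} "
              f"TCP on one member: {same_key_both_directions(method, TCP_OUT, TCP_IN)}")
        print(f"{'':16} ESP out -> {choose_member(ESP_OUT, method)}, "
              f"ESP in -> {choose_member(ESP_IN, method)}")
```

Whether the SPI method actually splits a given tunnel depends on which bucket each SPI hashes into, so the example asserts on the decision keys (which differ per direction only when the SPI is included) rather than on a particular member assignment.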

You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?


Options are :

  • The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements.
  • No QOS rule exists to match the rejected traffic.
  • Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.
  • The guarantee of one of the rule's sub-rules exceeds the guarantee in the rule itself.
  • The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections. (Correct)

Answer : The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections.

You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?


Options are :

  • Direct and Call Setup
  • Call Setup and Call Control
  • Direct (Correct)
  • Call Setup

Answer : Direct

156-315.77 Check Point Certified Security Expert Exam Set 3

The following is cphaprob state command output from a ClusterXL New mode High Availability member. When member 192.168.1.2 fails over and restarts, which member will become active?


Options are :

  • Both members' state will be standby
  • Both members' state will be active
  • 192.168.1.1 (Correct)
  • 192.168.1.2

Answer : 192.168.1.1
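The answer hinges on the recovery policy shown in the Cluster Mode line: with "Active Up" (maintain current active cluster member) the member that took over during the failure keeps the Active role when the failed member returns, whereas with "Primary Up" (switch to higher priority cluster member) the lowest-numbered member reclaims it. The following added example (not from the page or from Check Point) parses a constructed cphaprob state listing, whose layout is only an approximation of the real output, and predicts the Active member after a failover and recovery; the mode strings and addresses are assumptions for the example.

```python
import re

# Constructed sample in the general shape of `cphaprob state` on a ClusterXL
# High Availability member; the exact layout varies between versions.
SAMPLE_ACTIVE_UP = """\
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.1.1     0%              Standby
2          192.168.1.2     100%            Active
"""

SAMPLE_PRIMARY_UP = """\
Cluster Mode:   New High Availability (Primary Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.1.1     100%            Active
2          192.168.1.2     0%              Standby
"""

MEMBER_LINE = re.compile(
    r"^\s*(?P<number>\d+)(?:\s+\(local\))?\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<load>\d+)%\s+(?P<state>\w+)\s*$"
)


def parse_cphaprob_state(text: str):
    """Return (mode, members); members is a list of dicts ordered by number."""
    mode = None
    members = []
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            mode = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_LINE.match(line)
        if m:
            members.append({"number": int(m["number"]), "ip": m["ip"],
                            "state": m["state"]})
    if mode is None or not members:
        raise ValueError("not a cphaprob state listing")
    return mode, sorted(members, key=lambda x: x["number"])


def active_after_failover_and_recovery(text: str, failed_ip: str) -> str:
    """Predict the Active member after `failed_ip` fails and then comes back.

    Recovery policy is read from the mode string:
      "Active Up"  = maintain current active member after recovery
      "Primary Up" = switch back to the highest-priority (lowest-number) member
    """
    mode, members = parse_cphaprob_state(text)
    by_ip = {m["ip"]: m for m in members}
    if failed_ip not in by_ip:
        raise ValueError(f"{failed_ip} is not a cluster member")
    # Step 1: the failed member drops out.  If it was Active, the surviving
    # member with the highest priority takes over; a Down member cannot.
    survivors = [m for m in members if m["ip"] != failed_ip and m["state"] != "Down"]
    if not survivors:
        raise ValueError("no surviving member able to become Active")
    if by_ip[failed_ip]["state"] == "Active":
        takeover = min(survivors, key=lambda m: m["number"])
    else:
        takeover = next(m for m in members if m["state"] == "Active")
    # Step 2: the failed member restarts and rejoins the cluster.
    if "Primary Up" in mode:
        return min(members, key=lambda m: m["number"])["ip"]
    if "Active Up" in mode:
        return takeover["ip"]
    raise ValueError(f"unrecognised recovery policy in mode: {mode!r}")


if __name__ == "__main__":
    print("Active Up, 192.168.1.2 fails and returns ->",
          active_after_failover_and_recovery(SAMPLE_ACTIVE_UP, "192.168.1.2"))
    print("Primary Up, 192.168.1.1 fails and returns ->",
          active_after_failover_and_recovery(SAMPLE_PRIMARY_UP, "192.168.1.1"))
```

Run against the first sample, where 192.168.1.2 is Active, the function returns 192.168.1.1, matching the answer above; the second sample shows the case where the two policies actually diverge, because member 1 fails and member 2 takes over.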

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use four machines with the following configurations:

  • Cluster Member 1: OS: SecurePlatform; NICs: QuadCard; memory: 256 MB; Security Gateway version: VPN-1 NGX
  • Cluster Member 2: OS: SecurePlatform; NICs: four Intel 3Com; memory: 512 MB; Security Gateway version: VPN-1 NGX
  • Cluster Member 3: OS: SecurePlatform; NICs: four from other manufacturers; memory: 128 MB; Security Gateway version: VPN-1 NGX
  • SmartCenter Pro Server: OS: MS Windows Server 2003; NIC: Intel NIC (one); Security Gateway and primary SmartCenter Server installed, version: VPN-1 NGX

Are these machines correctly configured for a ClusterXL deployment?


Options are :

  • Yes, these machines are configured correctly for a ClusterXL deployment. (Correct)
  • No, the SmartCenter Pro Server has only one NIC.
  • No, the SmartCenter Pro Server is not using the same operating system as the cluster members.
  • No, Cluster Member 3 does not have the required memory.

Answer : Yes, these machines are configured correctly for a ClusterXL deployment.

In a Management High Availability (HA) configuration, you can configure synchronization to occur automatically when:

  1. The Security Policy is installed.
  2. The Security Policy is saved.
  3. The Security Administrator logs in to the secondary SmartCenter Server, and changes its status to active.
  4. A scheduled event occurs.
  5. The user database is installed.

Select the BEST response for the synchronization sequence. Choose one.


Options are :

  • 1,2,3
  • 1,2,5
  • 1,3,4
  • 1,2,3,4
  • 1,2,4 (Correct)

Answer : 1,2,4

Check Point Certified Security Administrator Set 1

You want to establish a VPN, using Certificates. Your VPN will exchange Certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Create a new logical-server object, to represent your partner's CA.
  • Manually import your partner's Access Control List.
  • Manually import your partner's Certificate Revocation List.
  • Exchange exported CA keys and use them to create a new server object, to represent your partner's Certificate Authority (CA) (Correct)
  • Exchange a shared secret, before importing Certificates.

Answer : Exchange exported CA keys and use them to create a new server object, to represent your partner's Certificate Authority (CA)

A cluster contains two members, with external interfaces 172.28.108.1 and 172.28.108.2. The internal interfaces are 10.4.8.1 and 10.4.8.2. The external cluster IP address is 172.28.108.3, and the internal cluster IP address is 10.4.8.3. The synchronization interfaces are 192.168.1.1 and 192.168.1.2. The Security Administrator discovers State Synchronization is not working properly; the cphaprob if command output displays as follows: What is causing the State Synchronization problem?


Options are :

  • The synchronization interface on the cluster member object's Topology tab is enabled with "Cluster Interface". Disable this interface.
  • Another cluster is using 192.168.1.3 as one of the unprotected interfaces.
  • Interfaces 192.168.1.1 and 192.168.1.2 have defined 192.168.1.3 as a sub-interface
  • The synchronization network has a cluster, with IP address 192.168.1.3 defined in the gateway-cluster object. Remove the 192.168.1.3 VIP interface from the cluster topology. (Correct)

Answer : The synchronization network has a cluster, with IP address 192.168.1.3 defined in the gateway-cluster object. Remove the 192.168.1.3 VIP interface from the cluster topology.

Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company's file server, on \\erisco\goldenapple\files\public. Robert receives reports that users are unable to access the shared partition, unless they use the file server's IP address. Which of the following is a possible cause?


Options are :

  • The CIFS resource is not configured to use Windows name resolution. (Correct)
  • Null CIFS sessions are blocked.
  • Remote registry access is blocked.
  • Mapped shares do not allow administrative locks.
  • Access violations are not logged.

Answer : The CIFS resource is not configured to use Windows name resolution.

Check Point Certified Security Expert Exam Set 9

You are preparing to deploy a VPN-1 Pro Gateway for VPN-1 NGX. You have five systems to choose from for the new Gateway, and you must conform to the following requirements:

  • Operating-system vendor's license agreement
  • Check Point's license agreement
  • Minimum operating-system hardware specification
  • Minimum Gateway hardware specification
  • Gateway installed on a supported operating system (OS)

Which machine meets ALL of these requirements?


Options are :

  • Processor: 1.67 GHz; RAM: 128 MB; Hard disk: 5 GB; OS: FreeBSD
  • Processor: 2.0 GHz; RAM: 512 MB; Hard disk: 10 GB; OS: Windows ME
  • Processor: 1.1 GHz; RAM: 512 MB; Hard disk: 10 GB; OS: Windows 2000 Workstation
  • Processor: 1.5 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Red Hat Linux 8.0
  • Processor: 2.2 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Windows 2000 Server (Correct)

Answer : Processor: 2.2 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Windows 2000 Server

Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?


Options are :

  • Differentiated Services
  • Guarantees
  • Limits
  • Low Latency Queuing
  • Weighted Fair Queuing (Correct)

Answer : Weighted Fair Queuing

Wayne configures an HTTP Security Server to work with the Content Vectoring Protocol (CVP) to screen forbidden sites. He has created a URI resource object using CVP with the following settings:

  • Use CVP
  • Allow CVP server to modify content
  • Return data after content is approved

He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic. Wayne sees that HTTP traffic going to those problematic sites is not prohibited. What could cause this behavior?


Options are :

  • The Security Server is not communicating with the CVP server.
  • The Security Server Rule is after the general HTTP Accept Rule. (Correct)
  • The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.
  • The Security Server is not configured correctly.

Answer : The Security Server Rule is after the general HTTP Accept Rule.
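Both this question and the WebTrends question above (GW_A, "content security is not reachable") come down to ordered, first-match evaluation of the Rule Base: a broad Accept placed above a more specific Security Server rule shadows it, and once implied control connections are disabled, the gateway's own connection to the UFP server on TCP 18182 is matched like any other and hits the cleanup drop unless a rule allows it. The following added example (written for this page, not Check Point's code) is a small first-match evaluator run over both cases. Object names, addresses and the service table are constructed; FW1_ufp is the predefined Check Point service name for TCP 18182, and the action text for the URI-resource rule is a label for this example only.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# Constructed network objects for this example (name -> member networks).
OBJECTS = {
    "internal-net": ["10.4.8.0/24"],
    "localnet": ["192.168.10.0/24"],
    "GW_A": ["172.28.108.1/32"],
    "WebTrends_server": ["10.4.8.50/32"],
    "Forbidden_Sites": ["203.0.113.10/32", "203.0.113.11/32"],
}

# Constructed service table (name -> protocol, port).  FW1_ufp is Check Point's
# predefined name for the TCP 18182 URL Filtering Protocol connection.
SERVICES = {
    "http": ("tcp", 80),
    "FW1_ufp": ("tcp", 18182),
}

CLEANUP = "drop (implicit cleanup)"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # object name or ANY
    dst: str
    service: str   # service name or ANY
    action: str


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    proto: str
    port: int


def ip_in_object(ip: str, obj: str) -> bool:
    if obj == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[obj])


def service_matches(conn: Connection, svc: str) -> bool:
    if svc == ANY:
        return True
    proto, port = SERVICES[svc]
    return conn.proto == proto and conn.port == port


def first_match(rules, conn: Connection):
    """Ordered evaluation: the first rule whose columns all match decides."""
    for rule in rules:
        if (ip_in_object(conn.src_ip, rule.src)
                and ip_in_object(conn.dst_ip, rule.dst)
                and service_matches(conn, rule.service)):
            return rule
    return None


def decide(rules, conn: Connection) -> str:
    rule = first_match(rules, conn)
    return rule.action if rule else CLEANUP


# Wayne's two rules.  The action label stands for an Accept rule whose service
# column holds the URI resource that hands the request to the HTTP Security
# Server and on to the CVP server.
CVP_RULE = Rule("screen-forbidden", ANY, "Forbidden_Sites", "http",
                "accept via URI resource (CVP)")
ALLOW_HTTP = Rule("allow-http", ANY, ANY, "http", "accept")
WAYNE_BROKEN = [ALLOW_HTTP, CVP_RULE]   # general accept shadows the CVP rule
WAYNE_FIXED = [CVP_RULE, ALLOW_HTTP]    # specific rule first

# GW_A's policy with implied control connections disabled: the gateway's own
# connection to the UFP server must be written as an explicit rule.
UFP_RULE = Rule("gw-to-ufp", "GW_A", "WebTrends_server", "FW1_ufp", "accept")
GWA_BROKEN = [Rule("web-out", "internal-net", ANY, "http", "accept")]
GWA_FIXED = [UFP_RULE] + GWA_BROKEN

TO_FORBIDDEN = Connection("10.4.8.25", "203.0.113.10", "tcp", 80)
GW_TO_UFP = Connection("172.28.108.1", "10.4.8.50", "tcp", 18182)

if __name__ == "__main__":
    print("Wayne, CVP rule below accept-all:", decide(WAYNE_BROKEN, TO_FORBIDDEN))
    print("Wayne, CVP rule above accept-all:", decide(WAYNE_FIXED, TO_FORBIDDEN))
    print("GW_A -> UFP server, no rule:      ", decide(GWA_BROKEN, GW_TO_UFP))
    print("GW_A -> UFP server, rule added:   ", decide(GWA_FIXED, GW_TO_UFP))
```

The evaluator has no notion of implied rules, which is exactly the situation once VPN-1 Control connections are disabled in Global Properties: anything the gateway itself needs to reach, such as the UFP server, has to appear as an ordinary rule above the cleanup.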

156-315.77 Check Point Certified Security Expert Exam Set 8

You have a production implementation of Management High Availability, at version VPN-1 NG with Application Intelligence R55. You must upgrade your two SmartCenter Servers to VPN-1 NGX. What is the correct procedure?


Options are :

  • 1. Perform an advanced upgrade on the primary SmartCenter Server.
    2. Configure the primary SmartCenter Server host object to version VPN-1 NGX.
    3. Synchronize the primary with the secondary SmartCenter Server.
    4. Upgrade the secondary SmartCenter Server.
    5. Configure the secondary SmartCenter Server host object to version VPN-1 NGX.
    6. Synchronize the Servers again.
  • 1. Synchronize the two SmartCenter Servers.
    2. Upgrade the secondary SmartCenter Server.
    3. Upgrade the primary SmartCenter Server.
    4. Configure both SmartCenter Server host objects to version VPN-1 NGX.
    5. Synchronize the Servers again.
  • 1. Synchronize the two SmartCenter Servers.
    2. Perform an advanced upgrade on the primary SmartCenter Server.
    3. Upgrade the secondary SmartCenter Server.
    4. Configure both SmartCenter Server host objects to version VPN-1 NGX.
    5. Synchronize the Servers again. (Correct)
  • 1. Synchronize the two SmartCenter Servers.
    2. Perform an advanced upgrade on the primary SmartCenter Server.
    3. Configure the primary SmartCenter Server host object to version VPN-1 NGX.
    4. Synchronize the two Servers again.
    5. Upgrade the secondary SmartCenter Server.
    6. Configure the secondary SmartCenter Server host object to version VPN-1 NGX.
    7. Synchronize the Servers again.

Answer :
  1. Synchronize the two SmartCenter Servers.
  2. Perform an advanced upgrade on the primary SmartCenter Server.
  3. Upgrade the secondary SmartCenter Server.
  4. Configure both SmartCenter Server host objects to version VPN-1 NGX.
  5. Synchronize the Servers again.

How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?


Options are :

  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)". (Correct)
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for ALL peers and users".
  • Run the command vpn tu on the SmartCenter Server, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for a given user (Client)".

Answer : Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)".
