You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?
Options are :
- The guarantee of one of the rule's sub-rules exceeds the guarantee in the rule itself.
- The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections.
(Correct)
- No QOS rule exists to match the rejected traffic.
- Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.
- The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements.
Answer : The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections.
156-315.13 Check Point Security Expert R76 (GAiA) Exam Set 7
In a Load Sharing Unicast mode scenario, the internal cluster IP address is 10.4.8.3. The internal interfaces on the two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 pings 10.4.8.3 and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108: c:> arp According to the output, which member is the Pivot?
Options are :
- 10.4.8.2
(Correct)
- 10.4.8.108
- 10.4.8.1
- 10.4.8.3
Answer : 10.4.8.2
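The reasoning behind this answer is worth making concrete. In Load Sharing Unicast (Pivot) mode only the Pivot member answers ARP for the cluster IP, so on the pinging host the cluster IP and the Pivot's own interface resolve to the same MAC address; in Load Sharing Multicast mode the cluster IP instead resolves to a multicast MAC and there is no Pivot. The exhibit with the real arp output is not on this page, so the script below is an added example (not part of the exam or any Check Point tool) that works on a constructed arp -a listing with made-up MAC addresses, and it applies the same rule to identify the Pivot:

```python
import re
from typing import Dict, Sequence

# Constructed stand-in for the missing exhibit: `arp -a` output on the Windows host
# 10.4.8.108 after it pinged the cluster IP. The MAC addresses are made up; the point
# is that the cluster IP 10.4.8.3 shares a MAC with exactly one member (10.4.8.2).
SAMPLE_ARP = """\
Interface: 10.4.8.108 --- 0xb
  Internet Address      Physical Address      Type
  10.4.8.1              00-a0-c9-11-22-01     dynamic
  10.4.8.2              00-a0-c9-11-22-02     dynamic
  10.4.8.3              00-a0-c9-11-22-02     dynamic
  10.4.8.255            ff-ff-ff-ff-ff-ff     static
"""

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_MAC = re.compile(r"\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.IGNORECASE)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-case, dash separated) from Windows `arp -a`,
    Linux `arp -n` or `ip neigh` output. Lines lacking either field are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = _IPV4.search(line), _MAC.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower().replace(":", "-")
    return table


def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group address."""
    return int(mac.split("-")[0], 16) & 0x01 == 1


def find_pivot(arp_text: str, cluster_ip: str, member_ips: Sequence[str]) -> str:
    """Return the member whose physical MAC the cluster IP resolves to.

    In Load Sharing Unicast mode the Pivot is the only member that answers ARP for
    the cluster IP, so the cluster IP and the Pivot's interface share one MAC.
    Raises ValueError when the table cannot answer the question: no entry for the
    cluster IP, a multicast MAC (Load Sharing Multicast mode), or no unique match.
    """
    table = parse_arp_table(arp_text)
    vip_mac = table.get(cluster_ip)
    if vip_mac is None:
        raise ValueError(f"{cluster_ip} is not in the ARP table; ping it first")
    if is_multicast_mac(vip_mac):
        raise ValueError(
            f"{cluster_ip} resolves to multicast MAC {vip_mac}: this is Load Sharing "
            "Multicast mode, which has no Pivot")
    matches = [ip for ip in member_ips if table.get(ip) == vip_mac]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one member with MAC {vip_mac}, got {matches}")
    return matches[0]


if __name__ == "__main__":
    print("Pivot:", find_pivot(SAMPLE_ARP, "10.4.8.3", ["10.4.8.1", "10.4.8.2"]))
```

On a real host, run the ping first: the cluster IP only appears in the ARP cache after the host has resolved it, and a stale entry from before a Pivot change will point at the old Pivot until it ages out.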
Jerry is concerned that a denial-of-service (DoS) attack may affect his VPN Communities. He decides to implement IKE DoS protection. Jerry needs to minimize the performance impact of implementing this new protection. Which of the following configurations is MOST appropriate for Jerry?
Options are :
- Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".
(Correct)
- Set Support IKE Dos Protection from identified source, and Support IKE DoS protection from unidentified source to "Puzzles".
- Set Support IKE DoS protection from identified source to "Stateless", and Support IKE DoS protection from unidentified source to "None".
- Set Support IKE DoS protection from identified source to "Stateless," and Support IKE DoS protection from unidentified source to "Puzzles".
- Set Support IKE DoS protection from identified source to "Puzzles", and Support IKE DoS protection from unidentified source to "Stateless".
Answer : Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".
What is the command to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX using a CD?
Options are :
- patch add cd
(Correct)
- cppkg add
- cd patch add
- patch add
- fwm upgrade_tool
Answer : patch add cd
156-315.71 Check Point Security Expert R71 Practice Exam Set 7
Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?
Options are :
- Telnet
- SMTP
(Correct)
- FTP
- rlogin
- HTTP
Answer : SMTP
VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security. Which of the following services is NOT provided by a CIFS resource?
Options are :
- Block Remote Registry Access
- Allow MS print shares
(Correct)
- Log access shares
- Log mapped shares
Answer : Allow MS print shares
The following diagram illustrates how a VPN-1 SecureClient user tries to establish a VPN with hosts in the external_net and internal_net from the Internet. How is the Security Gateway VPN Domain created?
Options are :
- Internal Gateway VPN Domain = internal_net; External Gateway VPN Domain = internal_net + external_net
- Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net
(Correct)
- Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = external_net + internal gateway object
- Internal Gateway VPN Domain = internal_net; External VPN Domain = external net + external gateway object + internal_net.
Answer : Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net
Check Point Certified Security Expert Exam Set 7
How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using a Check Point QoS solution?
Options are :
- DiffServ rule
- Weighted Fair Queuing
- guaranteed per VoIP rule
- guaranteed per connection
- Low latency class
(Correct)
Answer : Low latency class
Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter Server, without making any changes to the existing primary SmartCenter Server? (Changes can include uninstalling and reinstalling.)
Options are :
- You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.
(Correct)
- The secondary Server cannot be installed on a SecurePlatform Pro machine alone.
- Install the secondary Server on the spare machine. Add the new machine to the same network as the primary Server.
- The new machine cannot be installed as the Internal Certificate Authority on its own.
Answer : You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.
Rachel is the Security Administrator for a university. The university's FTP servers have old hardware and software. Certain FTP commands cause the FTP servers to malfunction. Upgrading the FTP servers is not an option at this time. Which of the following options will allow Rachel to control which FTP commands pass through the Security Gateway protecting the FTP servers?
Options are :
- Web Intelligence > Application Layer > FTP Settings
- Rule Base > Action Field > Properties
- SmartDefense > Application Intelligence > FTP Security Server
(Correct)
- FTP Service Object > Advanced > Blocked FTP Commands
- Global Properties > Security Server > Allowed FTP Commands
Answer : SmartDefense > Application Intelligence > FTP Security Server
156-315.71 Check Point Security Expert R71 Practical Exam Set 4
What can be said about RSA algorithms? Select all that apply.
Options are :
- RSA’s key length is variable.
(Correct)
- RSA is faster to compute than DES
- Short keys can be used for RSA efficiency.
(Correct)
- Long keys can be used in RSA for enhanced security
(Correct)
Answer : RSA’s key length is variable.
Short keys can be used for RSA efficiency.
Long keys can be used in RSA for enhanced security
Check Point Certified Security Expert Exam Set 5
VPN access control would fall under which VPN component?
Options are :
- Management
- Security
(Correct)
- QoS
- Performance
Answer : Security
Which of the following can be said about numbered VPN Tunnel Interfaces (VTIs)?
Options are :
- VTIs cannot use an already existing physical-interface IP address
- VTIs cannot share IP addresses
- VTIs are assigned only local addresses, not remote addresses
(Correct)
- VTIs are only supported on Nokia IPSO
Answer : VTIs are assigned only local addresses, not remote addresses
In ClusterXL, which of the following processes are defined by default as critical devices?
Options are :
- fwd.proc
- fw.d
- cphad
(Correct)
- fwm
Answer : cphad
156-315.77 Check Point Certified Security Expert Exam Set 19
Which of the following SSL Network Extender server-side prerequisites are correct? Select all that apply.
Options are :
- The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community.
(Correct)
- The VPN1-Gateway must be configured to work with Visitor Mode
(Correct)
- To use Integrity Clientless Security (ICS), you must install the ICS server or configuration tool.
- There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users.
(Correct)
Answer : The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community.
The VPN1-Gateway must be configured to work with Visitor Mode
There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users.
A VPN Tunnel Interface (VTI) is defined on SecurePlatform Pro as: vpn shell interface add numbered 10.10.0.1 10.10.0.2 Helsinki.cp What do you know about this VTI?
Options are :
- The peer Security Gateway’s name is “Helsinki.cp”
(Correct)
- 10.10.0.1 is the local Gateway’s internal interface, and 10.10.0.2 is the internal interface of the remote Gateway
- The VTI name is “Helsinki.cp”
- The local Gateway’s object name is “Helsinki.cp”
Answer : The peer Security Gateway’s name is “Helsinki.cp”
Which of the following does IPSec use during IPSec key negotiation?
Options are :
- Diffie-Hellman exchange
(Correct)
- IPSec SA
- RSA Exchange
- ISAKMP SA
Answer : Diffie-Hellman exchange
156-315.77 Check Point Certified Security Expert Exam Set 17
Which of the following is a supported Sticky Decision function of Sticky Connections for Load Sharing?
Options are :
- Support for all VPN deployments (except those with third-party VPN peers)
- Support for Performance Pack acceleration
(Correct)
- Support for SecureClient/SecuRemote/SSL Network Extender encrypted connections.
- Multi-connection support for VPN-1 cluster members
Answer : Support for Performance Pack acceleration
Which of the following provides a unique user ID for a digital Certificate?
Options are :
- User-message digest
(Correct)
- User e-mail
- Username
- User organization
Answer : User-message digest
Which of the following are valid reasons for beginning with a fresh installation of VPN-1 NGX R65, instead of upgrading a previous version to VPN-1 NGX R65? Select all that apply.
Options are :
- You want to keep your Check Point configuration.
- You see a more logical way to organize your rules and objects
(Correct)
- Objects and rules’ naming conventions have changed over time.
(Correct)
- Your Security Policy includes rules and objects whose purpose you do not know.
(Correct)
Answer : You see a more logical way to organize your rules and objects
Objects and rules’ naming conventions have changed over time.
Your Security Policy includes rules and objects whose purpose you do not know.
156-315.77 Check Point Certified Security Expert Exam Set 4
What is the most typical type of configuration for VPNs with several externally managed Gateways?
Options are :
- mesh community
- SAT community
- domain community
- star community
(Correct)
- Hybrid community
Answer : star community
Exhibit: You study the Advanced Properties exhibit carefully. What settings can you change to reduce the encryption overhead and improve performance for your mesh VPN Community?
Options are :
- Check the box “Use aggressive mode”
- Change the setting “Use Diffie-Hellman group:” to “Group 5 (1536 bit)”
- Change the box “Use Perfect Forward Secrecy”
- Change the “Renegotiate IPsec security associations every 3600 seconds” to 7200
(Correct)
Answer : Change the “Renegotiate IPsec security associations every 3600 seconds” to 7200
Which of the following are valid PKI architectures?
Options are :
- Bridge architecture
- Gateway architecture
(Correct)
- Hierarchical architecture
(Correct)
- mesh architecture
(Correct)
Answer : Gateway architecture
Hierarchical architecture
mesh architecture
156-315.77 Check Point Certified Security Expert Exam Set 3
VPN traffic control would fall under which VPN component?
Options are :
- Performance
- QoS
(Correct)
- Management
- Security
Answer : QoS
In cryptography, the Rivest, Shamir, Adleman (RSA) scheme has which of the following? Select all that apply.
Options are :
- An asymmetric-cipher system
(Correct)
- A public-key encryption-algorithm system
(Correct)
- A symmetric-cipher system
- A secret-key encryption-algorithm system
Answer : An asymmetric-cipher system
A public-key encryption-algorithm system
After installing VPN-1 Pro NGX R65, you discover that one port on your Intel Quad NIC on the Security Gateway is not fetched by a get topology request. What is the most likely cause and solution?
Options are :
- The NIC is faulty. Replace it and reinstall.
- Your NIC driver is installed but was not recognized. Apply the latest SecurePlatform R65 Hotfix Accumulator (HFA).
- Make sure the driver for your particular NIC is available, and reinstall. You will be prompted for the driver.
- If an interface is not configured, it is not recognized. Assign an IP and subnet mask using the Web UI.
(Correct)
Answer : If an interface is not configured, it is not recognized. Assign an IP and subnet mask using the Web UI.
Check Point Certified Security Expert Exam Set 6
Public keys and digital certificates provide which of the following? Select three
Options are :
- Authentication
(Correct)
- Data integrity
(Correct)
- Availability
- nonrepudiation
(Correct)
Answer : Authentication
Data integrity
nonrepudiation
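The three RSA and PKI items above (RSA is an asymmetric, public-key system with a variable key length; public keys and certificates give authentication, data integrity and non-repudiation) are easier to hold on to when the mechanics are visible. The following is an added example, written for this page and not taken from the exam or from any Check Point product: textbook RSA in pure Python with a chosen modulus size, used to sign a SHA-256 digest and to verify it. It assumes a seeded random.Random so the run is reproducible, uses no padding scheme, and therefore is a teaching toy rather than something to deploy.

```python
"""Toy RSA sign/verify: asymmetric keys, variable modulus size, and a signature that
gives authentication, integrity and (since only the private key can produce it)
non-repudiation. No PKCS#1 padding and a seeded RNG: for illustration only."""
import hashlib
import random
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test after trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime with its two top bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(modulus_bits: int, rng: random.Random) -> Tuple[Key, Key]:
    """Return (public (n, e), private (n, d)); modulus_bits is the variable key length."""
    e = 65537
    while True:
        p = random_prime(modulus_bits // 2, rng)
        q = random_prime(modulus_bits - modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: Key) -> int:
    n, d = private_key
    h = _digest_int(message)
    if h >= n:
        raise ValueError("modulus too small to carry a SHA-256 digest")
    return pow(h, d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


def demo(modulus_bits: int = 512, seed: int = 2024) -> Dict[str, object]:
    """Sign with one key, then check the authentic, tampered and forged cases."""
    rng = random.Random(seed)  # reproducible for the example; real code uses secrets.SystemRandom()
    public, private = generate_keypair(modulus_bits, rng)
    _, other_private = generate_keypair(modulus_bits, rng)  # an impostor's key
    msg = b"policy install approved"
    sig = sign(msg, private)
    return {
        "modulus_bits": public[0].bit_length(),
        "authentic": verify(msg, sig, public),                        # True
        "tampered": verify(b"policy install denied", sig, public),    # False: integrity
        "forged": verify(msg, sign(msg, other_private), public),      # False: authentication
    }


if __name__ == "__main__":
    print(demo(512))
    print(demo(1024))
```

Calling demo with 512 and then 1024 shows the "variable key length" point directly: the same code produces a larger modulus and the verification results do not change. What a certificate adds on top of this is a CA's signature binding the public key to an identity, which is what turns a bare key check into authentication of a named party.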
Which of the following happen when using Pivot Mode in ClusterXL? Select all that apply.
Options are :
- The Security Gateway analyzes the packet and forwards it to the Pivot.
- The Pivot forwards the packet to the appropriate cluster member
(Correct)
- The packet is forwarded through the same physical interface from which it originally came, not on the sync interface.
(Correct)
- The Pivot’s Load Sharing decision function decides which cluster member should handle the packet.
(Correct)
Answer : The Pivot forwards the packet to the appropriate cluster member
The packet is forwarded through the same physical interface from which it originally came, not on the sync interface.
The Pivot’s Load Sharing decision function decides which cluster member should handle the packet.
The following configuration is for VPN-1 NGX R65. Is this configuration correct for Management High Availability (HA)?
Options are :
- No, the SmartCenter Servers must be installed on the same operating system.
(Correct)
- No, the SmartCenter Servers must reside on the same network.
- No, the SmartCenter Servers do not have the same number of NICs.
- No, an NGX R65 SmartCenter Server cannot run on Red Hat Linux 7.3.
Answer : No, the SmartCenter Servers must be installed on the same operating system.
156-315.77 Check Point Certified Security Expert Exam Set 8
How should Check Point packages be uninstalled?
Options are :
- In any order as long as all packages are removed
- In the opposite order in which the installation wrapper initially installed them.
(Correct)
- In the same order in which the installation wrapper initially installed them.
- In any order, CPsuite must be the last package uninstalled
Answer : In the opposite order in which the installation wrapper initially installed them.