156-315.65 Check Point Security Administration NGX R65 Exam Set 2

You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?


Options are :

  • The guarantee of one of the rule's sub-rules exceeds the guarantee in the rule itself.
  • The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections. (Correct)
  • No QOS rule exists to match the rejected traffic.
  • Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.
  • The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements.

Answer : The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections.

156-315.13 Check Point Security Expert R76(GAiA) Exam Set 7

In a Load Sharing Unicast mode scenario, the internal-cluster IP address is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 pings 10.4.8.3, and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108: c:> arp According to the output, which member is the Pivot?


Options are :

  • 10.4.8.2 (Correct)
  • 10.4.8.108
  • 10.4.8.1
  • 10.4.8.3

Answer : 10.4.8.2

Jerry is concerned that a denial-of-service (DoS) attack may affect his VPN Communities. He decides to implement IKE DoS protection. Jerry needs to minimize the performance impact of implementing this new protection. Which of the following configurations is MOST appropriate for Jerry?


Options are :

  • Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless". (Correct)
  • Set Support IKE Dos Protection from identified source, and Support IKE DoS protection from unidentified source to "Puzzles".
  • Set Support IKE DoS protection from identified source to "Stateless", and Support IKE DoS protection from unidentified source to "None".
  • Set Support IKE DoS protection from identified source to "Stateless," and Support IKE DoS protection from unidentified source to "Puzzles".
  • Set Support IKE DoS protection from identified source to "Puzzles", and Support IKE DoS protection from unidentified source to "Stateless".

Answer : Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".

What is the command to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX using a CD?


Options are :

  • patch add cd (Correct)
  • cppkg add
  • cd patch add
  • patch add
  • fwm upgrade_tool

Answer : patch add cd

156-315.71 Check Point Security Expert R71 Practice Exam Set 7

Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?


Options are :

  • Telnet
  • SMTP (Correct)
  • FTP
  • rlogin
  • HTTP

Answer : SMTP

VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security. Which of the following services is NOT provided by a CIFS resource?


Options are :

  • Block Remote Registry Access
  • Allow MS print shares (Correct)
  • Log access shares
  • Log mapped shares

Answer : Allow MS print shares

The following diagram illustrates how a VPN-1 SecureClient user tries to establish a VPN with hosts in the external_net and internal_net from the Internet. How is the Security Gateway VPN Domain created?


Options are :

  • Internal Gateway VPN Domain = internal_net; External Gateway VPN Domain = internal_net + external_net
  • Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net (Correct)
  • Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = external_net + internal gateway object
  • Internal Gateway VPN Domain = internal_net; External VPN Domain = external net + external gateway object + internal_net.

Answer : Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net

Check Point Certified Security Expert Exam Set 7

How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using a Check Point QoS solution?


Options are :

  • DiffServ rule
  • Weighted Fair Queuing
  • guaranteed per VoIP rule
  • guaranteed per connection
  • Low latency class (Correct)

Answer : Low latency class

Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter Server, without making any changes to the existing primary SmartCenter Server? (Changes can include uninstalling and reinstalling.)


Options are :

  • You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway. (Correct)
  • The secondary Server cannot be installed on a SecurePlatform Pro machine alone.
  • Install the secondary Server on the spare machine. Add the new machine to the same network as the primary Server.
  • The new machine cannot be installed as the Internal Certificate Authority on its own.

Answer : You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.

Rachel is the Security Administrator for a university. The university's FTP servers have old hardware and software. Certain FTP commands cause the FTP servers to malfunction. Upgrading the FTP servers is not an option at this time. Which of the following options will allow Rachel to control which FTP commands pass through the Security Gateway protecting the FTP servers?


Options are :

  • Web Intelligence > Application Layer > FTP Settings
  • Rule Base > Action Field > Properties
  • SmartDefense > Application Intelligence > FTP Security Server (Correct)
  • FTP Service Object > Advanced > Blocked FTP Commands
  • Global Properties > Security Server > Allowed FTP Commands

Answer : SmartDefense > Application Intelligence > FTP Security Server

156-315.71 Check Point Security Expert R71 Practical Exam Set 4

What can be said about RSA algorithms? Select all that apply.


Options are :

  • RSA’s key length is variable. (Correct)
  • RSA is faster to compute than DES
  • Short keys can be used for RSA efficiency. (Correct)
  • Long keys can be used in RSA for enhanced security. (Correct)

Answer : RSA’s key length is variable. Short keys can be used for RSA efficiency. Long keys can be used in RSA for enhanced security.

Check Point Certified Security Expert Exam Set 5

VPN access control would fall under which VPN component?


Options are :

  • Management
  • Security (Correct)
  • QoS
  • Performance

Answer : Security

Which of the following can be said about numbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot use an already existing physical-interface IP address
  • VTIs cannot share IP addresses
  • VTIs are assigned only local addresses, not remote addresses (Correct)
  • VTIs are only supported on Nokia IPSO

Answer : VTIs are assigned only local addresses, not remote addresses

In ClusterXL, which of the following processes are defined by default as critical devices?


Options are :

  • fwd.proc
  • fw.d
  • cphad (Correct)
  • fwm

Answer : cphad

156-315.77 Check Point Certified Security Expert Exam Set 19

Which of the following SSL Network Extender server-side prerequisites are correct? Select all that apply.


Options are :

  • The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community. (Correct)
  • The VPN-1 Gateway must be configured to work with Visitor Mode. (Correct)
  • To use Integrity Clientless Security (ICS), you must install the ICS server or configuration tool.
  • There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users. (Correct)

Answer : The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community. The VPN-1 Gateway must be configured to work with Visitor Mode. There are distinctly separate access rules required for SecureClient users vs. SSL Network Extender users.

A VPN Tunnel Interface (VTI) is defined on SecurePlatform Pro as: "vpn shell interface add numbered 10.10.0.1 10.10.0.2 Helsinki.cp". What do you know about this VTI?


Options are :

  • The peer Security Gateway’s name is “Helsinki.cp” (Correct)
  • 10.10.0.1 is the local Gateway’s internal interface, and 10.10.0.2 is the internal interface of the remote Gateway
  • The VTI name is “Helsinki.cp”
  • The local Gateway’s object name is “Helsinki.cp”

Answer : The peer Security Gateway’s name is “Helsinki.cp”

Which of the following does IPSec use during IPSec key negotiation?


Options are :

  • Diffie-Hellman exchange (Correct)
  • IPSec SA
  • RSA Exchange
  • ISAKMP SA

Answer : Diffie-Hellman exchange

156-315.77 Check Point Certified Security Expert Exam Set 17

Which of the following is a supported Sticky Decision function of Sticky Connections for Load Sharing?


Options are :

  • Support for all VPN deployments (except those with third-party VPN peers)
  • Support for Performance Pack acceleration (Correct)
  • Support for SecureClient/SecuRemote/SSL Network Extender encrypted connections.
  • Multi-connection support for VPN-1 cluster members

Answer : Support for Performance Pack acceleration

Which of the following provides a unique user ID for a digital Certificate?


Options are :

  • User-message digest (Correct)
  • User e-mail
  • Username
  • User organization

Answer : User-message digest

Which of the following are valid reasons for beginning with a fresh installation of VPN-1 NGX R65, instead of upgrading a previous version to VPN-1 NGX R65? Select all that apply.


Options are :

  • You want to keep your Check Point configuration.
  • You see a more logical way to organize your rules and objects. (Correct)
  • Objects and rules’ naming conventions have changed over time. (Correct)
  • Your Security Policy includes rules and objects whose purpose you do not know. (Correct)

Answer : You see a more logical way to organize your rules and objects. Objects and rules’ naming conventions have changed over time. Your Security Policy includes rules and objects whose purpose you do not know.

156-315.77 Check Point Certified Security Expert Exam Set 4

What is the most typical type of configuration for VPNs with several externally managed Gateways?


Options are :

  • mesh community
  • SAT community
  • domain community
  • star community (Correct)
  • Hybrid community

Answer : star community

Exhibit:You study the Advanced Properties exhibit carefully. What settings can you change to reduce the encryption overhead and improve performance for your mesh VPN Community?


Options are :

  • Check the box “Use aggressive mode”
  • Change the setting “Use Diffie-Hellman group:” to “Group 5 (1536 bit)”
  • Change the box “Use Perfect Forward Secrecy”
  • Change the “Renegotiate IPsec security associations every 3600 seconds” to 7200 (Correct)

Answer : Change the “Renegotiate IPsec security associations every 3600 seconds” to 7200

Which of the following are valid PKI architectures?


Options are :

  • Bridge architecture
  • Gateway architecture (Correct)
  • Hierarchical architecture (Correct)
  • Mesh architecture (Correct)

Answer : Gateway architecture; Hierarchical architecture; Mesh architecture

156-315.77 Check Point Certified Security Expert Exam Set 3

VPN traffic control would fall under which VPN component?


Options are :

  • Performance
  • QoS (Correct)
  • Management
  • Security

Answer : QoS

In cryptography, the Rivest, Shamir, Adleman (RSA) scheme has which of the following? Select all that apply.


Options are :

  • An asymmetric-cipher system (Correct)
  • A public-key encryption-algorithm system (Correct)
  • A symmetric-cipher system
  • A secret-key encryption-algorithm system

Answer : An asymmetric-cipher system; A public-key encryption-algorithm system

After installing VPN-1 Pro NGX R65, you discover that one port on your Intel Quad NIC on the Security Gateway is not fetched by a Get Topology request. What is the most likely cause and solution?


Options are :

  • The NIC is faulty. Replace it and reinstall.
  • Your NIC driver is installed but was not recognized. Apply the latest SecurePlatform R65 Hotfix Accumulator (HFA).
  • Make sure the driver for your particular NIC is available, and reinstall. You will be prompted for the driver.
  • If an interface is not configured, it is not recognized. Assign an IP and subnet mask using the Web UI. (Correct)

Answer : If an interface is not configured, it is not recognized. Assign an IP and subnet mask using the Web UI.

Check Point Certified Security Expert Exam Set 6

Public keys and digital certificates provide which of the following? Select three


Options are :

  • Authentication (Correct)
  • Data integrity (Correct)
  • Availability
  • Non-repudiation (Correct)

Answer : Authentication; Data integrity; Non-repudiation

Which of the following happen when using Pivot Mode in ClusterXL? Select all that apply.


Options are :

  • The Security Gateway analyzes the packet and forwards it to the Pivot.
  • The Pivot forwards the packet to the appropriate cluster member. (Correct)
  • The packet is forwarded through the same physical interface from which it originally came, not on the sync interface. (Correct)
  • The Pivot’s Load Sharing decision function decides which cluster member should handle the packet. (Correct)

Answer : The Pivot forwards the packet to the appropriate cluster member. The packet is forwarded through the same physical interface from which it originally came, not on the sync interface. The Pivot’s Load Sharing decision function decides which cluster member should handle the packet.

The following configuration is for VPN-1 NGX 65. Is this configuration correct for Management High Availability (HA)?


Options are :

  • No, the SmartCenter Servers must be installed on the same operating system. (Correct)
  • No, the SmartCenter Servers must reside on the same network.
  • No, the SmartCenter Servers do not have the same number of NICs.
  • No, a NGX 65 SmartCenter Server cannot run on Red Hat Linux 7.3.

Answer : No, the SmartCenter Servers must be installed on the same operating system.

156-315.77 Check Point Certified Security Expert Exam Set 8

How should Check Point packages be uninstalled?


Options are :

  • In any order as long as all packages are removed
  • In the opposite order in which the installation wrapper initially installed them. (Correct)
  • In the same order in which the installation wrapper initially installed them.
  • In any order, CPsuite must be the last package uninstalled

Answer : In the opposite order in which the installation wrapper initially installed them.
